Signing Aauthentication tokens using TPM API PROXY

Abstract

This thesis proposes a solution for the abuse of stolen initial access information, by developing ways to bind the authentication information to a specific device. The thesis introduces two deployment models to cryptographically sign authentication tokens in order to mitigate the issue. A local deployment model is developed for a single machine use, and a shared network proxy for handling multiple clients. The models are analyzed regarding the security and suggestions for the deployments are given based on the performance testing results. The local deployment with one security chip can be used for a single machine. The performance of the local deployment is sufficient for the traffic from a single client. Results from the performance testing indicate, that the shared network deployments performance would benefit significantly when multiple security chips are deployed in parallel. This increases the deployment models capability of handling multiple concurrent clients within a network.

With the proposed models, reselling stolen information becomes harder, since authentication token refresh requires hardware based signing. This limits the time window and scalability of selling the valid stolen authentication information.