Cosc 4765 Trusted Platform Module

Upload: drusilla-kennedy

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Cosc 4765 Trusted Platform Module. What is TPM The TPM hardware along with its supporting software and firmware provides the platform root of trust. –It

Cosc 4765

Trusted Platform Module

Page 2: What is TPM

• The TPM hardware along with its supporting software and firmware provides the platform root of trust.
– It is able to extend its trust to other parts of the platform by building a chain of trust, where each link extends its trust to the next one.

Page 3: Hardware Crypto Capabilities

• RSA Accelerator
– contains a hardware engine to perform up to 2048-bit RSA encryption/decryption.
– uses its built-in RSA engine during digital signing and key wrapping operations.
• Engine for SHA-1 hash algorithm
– uses its built-in hash engine to compute hash values of small pieces of data.
– Large pieces of data (such as an email message) may be hashed outside of the TPM, for performance reasons.

Page 4: Hardware Crypto Capabilities

• Random Number Generator
– used to generate keys for various purposes

Page 5: Allows

• Remote attestation
– creates a hash-key summary of the hardware and software.
– Depends on the encryption software.
– This allows a third party to verify that the software has not been changed.
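The chain of trust and the remote-attestation check above, as an added example that is not part of the original slides: a simulated measured boot extends one SHA-1 PCR per boot stage, the simulated TPM quotes that PCR with a verifier nonce, and a third party compares it with a known-good value. The quote "signature" is an HMAC under a constructed per-chip secret, standing in for the RSA signature a real TPM produces with its attestation key, so the verifier here shares that secret; the component images are constructed placeholders.

```python
import hashlib
import hmac

# Added example, not from the slides: a measured-boot PCR chain plus a
# remote-attestation check. The TPM is simulated; its quote "signature" is
# an HMAC under a per-chip secret standing in for the RSA signature a real
# TPM makes with its attestation key (so the verifier here shares that secret).

PCR_INIT = b"\x00" * 20  # one SHA-1 sized register, zero after reset


def extend(pcr, measurement):
    """PCR extend: new = SHA1(old || SHA1(component)).
    A PCR can only be extended, never written, so the final value
    commits to every component and to the order they were measured in."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measured_boot(components):
    """Chain of trust: each link measures the next one before running it."""
    pcr = PCR_INIT
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


class SimTpm:
    def __init__(self, chip_secret):
        self._secret = chip_secret  # stands in for the chip's burned-in key

    def quote(self, pcr, nonce):
        """Sign the current PCR value together with the verifier's nonce."""
        msg = pcr + nonce
        return msg, hmac.new(self._secret, msg, hashlib.sha256).digest()


def verify_quote(golden_pcr, nonce, msg, sig, chip_secret):
    """Third-party check: genuine signature, fresh nonce, PCR equals the
    known-good value recorded for the approved software configuration."""
    expected = hmac.new(chip_secret, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False            # not produced by this chip
    if msg[20:] != nonce:
        return False            # replay of an old quote
    return hmac.compare_digest(msg[:20], golden_pcr)


# Constructed sample boot chains (placeholder component images).
GOOD_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel-v1"]
CHANGED_CHAIN = [b"bios-v1", b"bootloader-v1", b"kernel-v1-modified"]
GOLDEN_PCR = measured_boot(GOOD_CHAIN)
```

A quote from the changed chain, a replayed quote, or a quote from a different chip all fail verification, while reordering the same components also yields a different PCR.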

Page 6: Allows (2)

• Sealing
– encrypts data in such a way that it may be decrypted only if the TPM releases the right decryption key,
– which it only does if the exact same software is present as when it encrypted the data.
• Binding
– encrypts data using the TPM's endorsement key, a unique RSA key burned into the chip during its production, or another trusted key.
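Sealing as described above, as an added example that is not from the original slides: a simulated TPM records the PCR value present when a secret is sealed and releases the secret after a reboot only if the newly measured boot chain produces the same value. A real TPM keeps the sealed blob encrypted under a key that never leaves the chip; this stand-in keeps it in memory and enforces only the PCR policy. The boot components and the disk key are constructed placeholders.

```python
import hashlib

# Added example, not from the slides: sealing simulated in plain Python.
# A real TPM keeps sealed data encrypted under a key that never leaves the
# chip; this stand-in keeps sealed objects in memory and only enforces the
# PCR policy at release time, which is the behaviour the slide describes.

PCR_INIT = b"\x00" * 20


def extend(pcr, measurement):
    """Measured-boot PCR extend: new = SHA1(old || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def boot(components):
    """Power-on: PCR starts at zero and each boot stage extends it."""
    pcr = PCR_INIT
    for comp in components:
        pcr = extend(pcr, comp)
    return pcr


class SimTpm:
    def __init__(self):
        self.pcr = PCR_INIT
        self._sealed = {}  # handle -> (PCR value required for release, secret)

    def reset_and_boot(self, components):
        self.pcr = boot(components)

    def seal(self, secret):
        """Tie the secret to the software configuration measured *now*."""
        handle = len(self._sealed)
        self._sealed[handle] = (self.pcr, secret)
        return handle

    def unseal(self, handle):
        """Release only if the current PCR equals the one recorded at seal time."""
        required, secret = self._sealed[handle]
        if self.pcr != required:
            raise PermissionError("PCR mismatch: software differs from seal time")
        return secret


VOLUME_KEY = b"constructed-disk-key"  # constructed sample secret


def seal_then_reboot(chain_at_seal, chain_at_boot):
    """Seal under one boot chain, reboot with another; returns key or None."""
    tpm = SimTpm()
    tpm.reset_and_boot(chain_at_seal)
    handle = tpm.seal(VOLUME_KEY)
    tpm.reset_and_boot(chain_at_boot)
    try:
        return tpm.unseal(handle)
    except PermissionError:
        return None
```

Rebooting with a changed kernel, with the same stages in a different order, or with a stage missing all leave the key locked; this is also the update problem raised on the Problems slide, since a legitimate update changes the PCR until the data is resealed.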

Page 7: Allows (3)

• Authentication of hardware devices.
– Since each TPM chip has a unique and secret RSA key burned in during production, it is capable of performing platform authentication.
– For example, it can be used to verify that the system seeking access is the expected system.
• So we can verify the correct computer is attempting to access "something".

Page 8: Vista

• With Ultimate and Enterprise editions
– Includes BitLocker software.
• Encrypts the boot volume.
– Provides integrity authentication for the trusted boot pathway (from BIOS to boot sector to start-up).

Page 9: Example with MS Outlook

Page 10: Example with MS Outlook (2)

Page 11: File Encryption

• A file can be encrypted using a standard RSA key pair, stored by the TPM.
• And again, the file can be encrypted using the TPM chip's unique and secret RSA key.
• Now the file can only be decrypted by the system that encrypted it; it is bound to that system.

Page 12: Problems?

• Issues with the File Encryption?

• Issues with Updates?

• General issues of privacy?


Page 14: Q&A