Trusted Platform Module

The Trusted Platform Module (TPM) is a chip built according to the TCG specification that extends a computer or similar device with basic security functions. These functions can serve, for example, the purposes of licence protection or data protection. In some respects the chip behaves like a built-in smart card, with the important difference that it is bound not to a particular user (user instance) but to the local computer (hardware instance). Besides its use in PCs and notebooks, the TPM can be integrated into PDAs, mobile phones and consumer electronics. A device with a TPM, a specially adapted operating system and appropriate software together form a trusted computing platform (TC platform). Such a "trusted platform" can no longer be used against the interests of the owner or administrator, provided that corresponding restrictions have been laid down. One possible advantage for an ordinary user of such a system is protection against software-based manipulation by unauthorised third parties.

The chip is currently predominantly passive and cannot directly influence either the boot process or normal operation. It contains a unique cryptographic key and can therefore be used to identify the computer. However, this is only possible if the owner has also permitted this information to be read out. On x86-based PCs the TPM could previously be disabled completely in the BIOS, so that none of its functions is available. It is possible, however, and quite likely, that in future a TC platform with the TPM enabled will be required in order to run certain applications.

Basic keys of a TPM

Endorsement Key (EK)

The EK is uniquely associated with exactly one TPM. Its length is fixed at 2048 bits and the algorithm is based on RSA. For security reasons, and also for reasons of data protection, the private part must never leave the TPM; even a backup of the EK is ruled out. The key may, however, be generated externally. Deletion and re-creation of the key are now permitted.

According to the current TPM specification, the public part can be read with the command TPM_ReadPubek. Reading can also be blocked with the command TPM_DisablePubekRead. This blocking is final and cannot be reversed.

Storage Root Key (SRK)

The Storage Root Key (SRK) is an RSA key with a length of 2048 bits. It serves solely to encrypt further keys in use (e.g. the private keys for a user's e-mail communication) and thus forms the root of the TPM key tree. If the owner of the computer changes, a new SRK is generated. The SRK is not migrated.

Attestation Identity Keys (AIK)

Attestation Identity Keys (AIK) are RSA keys with a fixed length of 2048 bits and a fixed public exponent. They are not migrated and may be used by the TPM only to sign values stored in the Platform Configuration Registers (PCRs), i.e. for attestation.

The concept of Attestation Identity Keys was introduced because the endorsement key of a TPM cannot simply be used to certify platform integrity (attestation). Since this key is always unique, the user's privacy would be affected. AIKs are therefore used in such certification processes, more or less as aliases for the EK. The TPM owner can generate any number of them. To ensure, however, that only compliant TC platforms create valid AIKs, the keys must be confirmed by a trusted third party (often referred to in this context as a Privacy CA). This confirmation takes the form of an AIK certificate (credential).

Security functions of the TPM

Sealing

By forming a hash value of the system configuration (hardware and software), data can be bound to a single TPM: the data is encrypted together with this hash value. Decryption is possible only if the same hash value is obtained again, which can succeed only on the same system. If the TPM is defective, according to Intel, the application that uses the sealing functions must ensure that the data is not lost.

Outsourcing of keys (binding / wrapping)

The TPM can also store keys outside the trusted storage (for example on disk). These are likewise organised in a key tree, and the root of that tree is encrypted with a key held in the TPM. The number of securely stored keys is thus virtually unlimited.
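The two mechanisms above, binding data to a PCR value and keeping encrypted key material outside the chip, can be modelled in a few lines. The following Go program is an added example written for this page; it is not TCG or vendor code. It assumes a simulated TPM whose secret (a stand-in for the SRK) never leaves the program, uses SHA-256 for the PCR extend chain where a TPM 1.2 uses SHA-1, and uses AES-GCM with an HMAC-derived key in place of the RSA wrapping a real chip performs. The function names `PCRExtend`, `MeasureBoot`, `Seal` and `Unseal` and all measured component strings are constructed for the example. The point it shows is that the sealed blob on disk is only recoverable when the same ordered sequence of measurements produces the same PCR value again; any change in the boot chain makes the derived key differ and the blob undecryptable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PCRExtend models the one-way update of a Platform Configuration Register:
// new = H(old || measurement). Only the same ordered sequence of
// measurements reproduces the same final value.
func PCRExtend(pcr, measurement []byte) []byte {
	h := sha256.New()
	h.Write(pcr)
	h.Write(measurement)
	return h.Sum(nil)
}

// MeasureBoot extends a PCR, starting from the all-zero reset value, with
// each boot component in order and returns the resulting PCR value.
func MeasureBoot(components ...string) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		pcr = PCRExtend(pcr, []byte(c))
	}
	return pcr
}

// sealingKey derives the blob key from a secret that never leaves the
// simulated TPM (standing in for the SRK) and the PCR value the data is
// bound to. A different PCR value gives a different key, so a mismatch is
// a decryption failure, not merely a failed comparison.
func sealingKey(tpmSecret, pcr []byte) []byte {
	mac := hmac.New(sha256.New, tpmSecret)
	mac.Write([]byte("seal"))
	mac.Write(pcr)
	return mac.Sum(nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts data under a key bound to the given PCR value. The blob may
// live outside the TPM, e.g. on disk, as with binding/wrapping.
func Seal(tpmSecret, pcr, data []byte) ([]byte, error) {
	gcm, err := newGCM(sealingKey(tpmSecret, pcr))
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, gcm.Seal(nil, nonce, data, nil)...), nil
}

// Unseal succeeds only if the current PCR value equals the one used at
// sealing time; otherwise the derived key differs and GCM rejects the blob.
func Unseal(tpmSecret, pcr, blob []byte) ([]byte, error) {
	gcm, err := newGCM(sealingKey(tpmSecret, pcr))
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
	if err != nil {
		return nil, errors.New("unseal failed: platform configuration changed or blob corrupted")
	}
	return pt, nil
}

func main() {
	tpmSecret := []byte("constructed SRK stand-in, never leaves the TPM") // constructed value
	blob, err := Seal(tpmSecret, MeasureBoot("bios", "bootloader", "kernel-5.10"), []byte("disk key"))
	if err != nil {
		panic(err)
	}
	pt, err := Unseal(tpmSecret, MeasureBoot("bios", "bootloader", "kernel-5.10"), blob)
	fmt.Printf("same configuration:    %q, err=%v\n", pt, err)
	pt, err = Unseal(tpmSecret, MeasureBoot("bios", "bootloader", "kernel-tampered"), blob)
	fmt.Printf("changed configuration: %q, err=%v\n", pt, err)
}
```

The "TPM defect" caveat from the sealing section is visible here as well: everything depends on `tpmSecret`, so if the chip (and with it the secret) is lost, the blob on disk is useless, which is why the application must keep its own escrow of the sealed data.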

Protection of cryptographic keys

Keys are generated, used and stored securely inside the TPM, so they never need to leave it. They are thus protected against software attacks. Against hardware attacks there is also a relatively high level of protection (the security here is comparable to that of smart cards). Some chips are manufactured so that physical manipulation inevitably destroys the stored keys.

Attestation (remote attestation)

Through attestation, a remote party can be convinced that the trusted computing platform has certain capabilities and is in a well-defined state (corresponding PCR values). This TPM function has a significant impact on the user's privacy, which is why the EK is never used directly to attest the conformity of the platform (i.e. its capabilities and state); only a newly generated AIK is used. Furthermore, an attestation always requires the explicit consent of the TPM owner.

Currently, two different attestation procedures are provided:

  • Privacy CA (trusted third party)
  • Direct Anonymous Attestation

The originally proposed solution (TPM Specification Version 1.1) requires a trusted third party. This Privacy CA signs all newly created AIKs, provided that the platform satisfies certain specified policies, as demonstrated for example by valid certificates (EK Credential, TCPA Conformity Certificate, Platform Credential). The disadvantages lie in the high availability required and in the central point of attack with respect to the user's privacy.

Therefore, with TPM Specification Version 1.2, a technique called Direct Anonymous Attestation (DAA) was introduced. Through a complex cryptographic method (a special group signature scheme) the trusted third party can be dispensed with and the attestation carried out directly between the parties. One important component of this technique is so-called zero-knowledge protocols. They demonstrate to a verifier (service provider) the validity of a generated AIK without revealing any knowledge about the corresponding EK. An Intel employee compared the principle with solving a Rubik's cube: he assumes that an observer is shown first the scrambled and later the solved cube. In this way one can make clear to a third party at any time that one knows the method, without having to explain it.

There are, however, limits to the anonymity granted by DAA: for example, there is a specific mode of operation (named base pseudonym, rogue tagging) that allows the verifier to detect repeated or improper use. This makes it possible to link the service requests made, which of course restricts anonymity. The standard also provides for an optional Anonymity Revocation Authority in order to comply with the legal regulations of some states.
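The Privacy CA variant described above consists of three roles: the Privacy CA that certifies an AIK, the platform whose TPM signs its PCR values with that AIK, and the remote verifier that checks credential, freshness, signature and state. The following Go program is an added example written for this page, not TCG code and not an implementation of the TPM_Quote command format. It assumes that a 2048-bit RSA-PSS signature stands in for the TPM's signing operation, that the PCR is modelled as a SHA-256 extend chain (a TPM 1.2 uses SHA-1), and that the Privacy CA's checks of the EK Credential and the other platform certificates have already happened before `IssueAIKCredential` is called. The names `NewRSAKey`, `PCRDigest`, `MakeQuote`, `IssueAIKCredential` and `VerifyQuote` and the sample boot components are constructed for the example. DAA is not modelled; the point shown is the checks a verifier performs and the failure modes (replayed quote, uncertified AIK, unexpected PCR value).

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// NewRSAKey generates a 2048-bit RSA key, the size the page gives for the AIK.
func NewRSAKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// PCRDigest models a PCR value as a SHA-256 extend chain over boot components.
func PCRDigest(components ...string) []byte {
	pcr := make([]byte, sha256.Size)
	for _, c := range components {
		h := sha256.New()
		h.Write(pcr)
		h.Write([]byte(c))
		pcr = h.Sum(nil)
	}
	return pcr
}

// Quote is the platform's answer: the PCR value, the verifier's nonce and an
// AIK signature over both. The EK is never used for this signature.
type Quote struct{ PCR, Nonce, Sig []byte }

func quoteDigest(pcr, nonce []byte) []byte {
	h := sha256.New()
	h.Write(pcr)
	h.Write(nonce)
	return h.Sum(nil)
}

// MakeQuote is the TPM side of attestation: sign H(PCR || nonce) with the AIK.
func MakeQuote(aik *rsa.PrivateKey, pcr, nonce []byte) (*Quote, error) {
	sig, err := rsa.SignPSS(rand.Reader, aik, crypto.SHA256, quoteDigest(pcr, nonce), nil)
	if err != nil {
		return nil, err
	}
	return &Quote{PCR: pcr, Nonce: nonce, Sig: sig}, nil
}

// aikIdentity is the value the Privacy CA certifies: a hash of the AIK public key.
func aikIdentity(pub *rsa.PublicKey) []byte {
	sum := sha256.Sum256(x509.MarshalPKCS1PublicKey(pub))
	return sum[:]
}

// IssueAIKCredential is the Privacy CA: once it has checked the platform's
// credentials (EK Credential etc., not modelled here), it signs the AIK.
func IssueAIKCredential(ca *rsa.PrivateKey, aikPub *rsa.PublicKey) ([]byte, error) {
	return rsa.SignPSS(rand.Reader, ca, crypto.SHA256, aikIdentity(aikPub), nil)
}

// VerifyQuote is the remote party: trust the AIK only via the Privacy CA,
// reject replays via the nonce, check the signature, then compare the PCR
// value with the state the verifier expects.
func VerifyQuote(caPub, aikPub *rsa.PublicKey, credential []byte, q *Quote, nonce, expectedPCR []byte) error {
	if rsa.VerifyPSS(caPub, crypto.SHA256, aikIdentity(aikPub), credential, nil) != nil {
		return errors.New("AIK not certified by the Privacy CA")
	}
	if !bytes.Equal(q.Nonce, nonce) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	if rsa.VerifyPSS(aikPub, crypto.SHA256, quoteDigest(q.PCR, q.Nonce), q.Sig, nil) != nil {
		return errors.New("AIK signature invalid")
	}
	if !bytes.Equal(q.PCR, expectedPCR) {
		return errors.New("platform is not in the expected state")
	}
	return nil
}

func main() {
	ca, aik := NewRSAKey(), NewRSAKey() // Privacy CA key and a freshly generated AIK
	cred, _ := IssueAIKCredential(ca, &aik.PublicKey)
	nonce := []byte("verifier-chosen-nonce-0001") // constructed
	expected := PCRDigest("bios", "bootloader", "kernel-5.10")
	q, _ := MakeQuote(aik, PCRDigest("bios", "bootloader", "kernel-5.10"), nonce)
	fmt.Println("fresh quote, expected state:", VerifyQuote(&ca.PublicKey, &aik.PublicKey, cred, q, nonce, expected))
	fmt.Println("replayed with new nonce:    ", VerifyQuote(&ca.PublicKey, &aik.PublicKey, cred, q, []byte("other"), expected))
}
```

The order of the checks in `VerifyQuote` matters in practice: a quote signed by a key the Privacy CA never certified proves nothing about the platform, however well-formed the PCR value looks, so the credential is checked before the signature and the signature before the state comparison.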

Secure random numbers

The TCG specification guarantees a secure random number generator on the TPM. This addresses a general problem of computer science, namely obtaining random values by software. The usual approaches, such as evaluating random system states or analysing user behaviour, are problematic. The TCG has not come up with a miracle algorithm either, but it nevertheless guarantees that the problem is solved adequately in hardware.

Dissemination

The TPM is already offered by almost all major PC and notebook manufacturers in their product lines for professional use.

On the software side, the TPM is supported by various vendors:

  • Acer, Asus, Dell, Fujitsu Technology Solutions, HP, Lenovo, LG, Samsung, Sony and Toshiba offer integration on their computers.
  • From 2006, with the introduction of Intel architectures, Apple temporarily built TPMs into MacBooks. The current models (2009-2011) have no TPM. There are also no drivers from Apple, only a port under the GPL.
  • Infineon, as manufacturer of the TPM chip, also provides a comprehensive software solution, delivered both as an OEM version with new computers and separately by Infineon for computers with a TPM that conforms to the TCG standard.
  • Microsoft's operating systems Windows Vista and Windows 7, and Microsoft Windows Server from Windows Server 2008 onwards, use the chip in conjunction with the included BitLocker drive encryption.
  • The company Wave Systems provides comprehensive client and server software that runs on all TPM chips. This software is pre-installed, for example, on many Dell and Gateway models.

There are also mixed forms, for example where the TPM module is integrated into the Ethernet chip (Broadcom) and the software "on top" is based on Infineon.
