What Is a TPM?

A Trusted Platform Module (TPM) is a microchip that provides some basic security-related functions, mostly ones that involve encryption keys. To be considered secure, the TPM is installed permanently on the motherboard of a computer. The TPM uses a hardware bus to talk to the rest of the system.

A classic problem with any software-based security solution is that if an attacker can insert malicious code before the security software, then the security software can be circumvented. It is also difficult to be confident that any software reporting on its own state can be trusted. Think of rootkits, for example. They make the OS lie. Once you can fake out the OS, what can you trust?

So, a TPM helps address this problem because it can build a chain of trust that starts with hardware. Since this trust begins in hardware, there isn't any practical way to insert malicious code "before" the TPM. The TPM actually validates components of the platform (the computer) and the early boot process very reliably, and BitLocker can rely on this validation.

In many ways, a TPM is similar to a smart card. Although a TPM doesn't store certificates, it can create keys for cryptography and also keep the private key permanently within the TPM. If a key created in a TPM is never exposed to any other component, software, process, or person, then, since the private key is never released outside the TPM, it's pretty darn hard to compromise. Because the TPM uses its own internal firmware and logic circuits for processing instructions, it does not rely on the operating system and is not exposed to external software vulnerabilities.

The TPM can also encrypt data provided by the OS, such as symmetric keys used to encrypt large blocks of data. When this type of data is encrypted by the TPM, it can only be decrypted again by the same TPM. This process, often called "wrapping" or "binding" a key, can help protect the key from disclosure. (Sometimes the data being wrapped is called a "blob of data," but "blob" can have a lot of meanings.)

Each TPM has a master "wrapping" key, called the Storage Root Key (SRK), which is stored (and kept) within the TPM itself. A TPM must also have an Endorsement Key (EK), which is permanent once set for that TPM. Other keys are derived from or signed by the EK.

Every time the computer starts, certain measurements are made and stored in the TPM's platform control registers (PCRs). PCRs are discussed in more detail later in this chapter. Accordingly, computers that incorporate a TPM can also create a key that has not only been wrapped, but also tied to specific platform measurements in the PCRs. This type of key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can also seal and unseal data generated outside of the TPM. With a sealed key and software like BitLocker, you can lock data until specific hardware or software conditions are met. This process is the basis for the pre-OS boot component validation performed by BitLocker.
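The measure, seal and unseal behaviour described above, as a pure-software model added here for illustration; it is not code from the book, from BitLocker, or from any TPM vendor. The class and function names (SoftTpm, extend, seal, unseal, demo) and the boot-stage measurements are assumptions, and the HMAC/SHA-256 wrapping is a toy stand-in for the TPM's own SRK-based encryption; only the PCR extend rule (SHA-1 chaining) follows the TPM 1.2 specification.

```python
import hashlib
import hmac
import os

class SoftTpm:
    # Software model of a TPM: a wrapping key that never leaves the object, plus 24 PCRs.
    def __init__(self):
        self._srk = os.urandom(32)       # stands in for the Storage Root Key
        self.pcrs = [b"\x00" * 20] * 24  # all zero at power-on (SHA-1 sized, TPM 1.2)
    def extend(self, index, data):
        # TPM 1.2 rule: PCR[i] = SHA1(PCR[i] || SHA1(data)); extend-only, so order matters
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + hashlib.sha1(data).digest()).digest()
    def _composite(self, indices):       # one digest over the selected PCRs
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()
    def _keystream(self, comp, nonce, n):
        # Toy cipher (not the TPM's): key = HMAC(SRK, composite), SHA-256 in counter mode
        key = hmac.new(self._srk, comp, hashlib.sha256).digest()
        blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range(n // 32 + 1)]
        return key, b"".join(blocks)[:n]
    def seal(self, data, indices):
        comp, nonce = self._composite(indices), os.urandom(16)
        key, ks = self._keystream(comp, nonce, len(data))
        ct = bytes(a ^ b for a, b in zip(data, ks))
        tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()   # detects blob edits
        return {"pcrs": indices, "comp": comp, "nonce": nonce, "ct": ct, "tag": tag}
    def unseal(self, blob):
        comp = self._composite(blob["pcrs"])
        if comp != blob["comp"]:         # the check BitLocker relies on at boot
            raise PermissionError("PCR values differ from those at seal time")
        key, ks = self._keystream(comp, blob["nonce"], len(blob["ct"]))
        tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, blob["tag"]):
            raise ValueError("sealed blob was modified")
        return bytes(a ^ b for a, b in zip(blob["ct"], ks))

def demo():
    tpm = SoftTpm()
    vmk = b"constructed-volume-master-key"       # stands in for a BitLocker volume key
    for s in (b"firmware-v1", b"bootloader-v1", b"os-loader-v1"): tpm.extend(0, s)  # constructed boot
    blob = tpm.seal(vmk, [0])                    # bound to the measurements in PCR 0
    released = tpm.unseal(blob) == vmk           # same boot path: key is released
    tpm.pcrs = [b"\x00" * 20] * 24               # reboot: PCRs reset, loader replaced
    for s in (b"firmware-v1", b"bootloader-modified", b"os-loader-v1"): tpm.extend(0, s)
    try:
        tpm.unseal(blob)
        refused = False
    except PermissionError:
        refused = True
    return released, refused
```

Running `demo()` returns `(True, True)`: the key comes back only while PCR 0 matches the seal-time value, and a changed boot stage leaves the TPM refusing to unseal.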

There is some bad news, though. To use a TPM, BitLocker requires a TPM that meets the version 1.2 standard, set by the Trusted Computing Group (TCG). If your computer is older than 2006, it is very unlikely to have a version 1.2 TPM (most computers existing today don't have a TPM at all). In addition to having a compatible TPM, your computer must also have a compatible BIOS. Most computer manufacturers are releasing Vista-compatible BIOS updates for computers that have version 1.2 TPM chips.

For more information about the TPM specifications, you can visit https://www.trustedcomputinggroup.org/specs/TPM. TPM chip manufacturers work with the computer manufacturers, and generally ensure that the TPM meets encryption export requirements, and they may seek certification from various authorities. One example of a TPM chip in common use is the line by Infineon, featured at http://www.infineon.com (http://www.infineon.com/cgi-bin/ifx/portal/ep/channelView.do?channelId=-84648&channelPage=%2Fep%2Fchannel%2FproductOverview.jsp&pageTypeId=17099).

Don't despair: computers that lack a compatible TPM can still use the encryption features of BitLocker, provided their BIOS supports access to a USB flash memory device during the early boot process. There are a lot more of these computers around.


Source of Information: Administering Windows Vista Security: The Big Surprises
