Cosc 4765

Trusted Platform Module

What is TPM
The TPM hardware along with its supporting software and firmware provides the platform root of trust.
It is able to extend its trust to other parts of the platform by building a chain of trust, where each link extends its trust to the next one.

Hardware Crypto Capabilities

RSA Accelerator
contains a hardware engine to perform up to 2048 bit RSA encryption/decryption. uses its built-in RSA engine during digital signing and key wrapping operations.

Engine for SHA-1 hash algorithm

uses its built-in hash engine to compute hash values of small pieces of data. Large pieces of data (such as an email message) may be hashed outside of the TPM, for performance reasons.

Hardware Crypto Capabilities

Random Number Generator
used to generate keys for various purposes

Allows
Remote attestation
creates a hash key for summary of the hardware and software.
Depends on the encryption software

This allows a third party to verify that the software has not been changed.

Allows (2)
Sealing
encrypts data in such a way that it may be decrypted only if the TPM releases the right decryption key,
which it only does if the exact same software is present as when it encrypted the data.

Binding
encrypts data using the TPM's endorsement key, a unique RSA key burned into the chip during its production, or another trusted key.

Allows (3)
Authentication of hardware devices.
Since each TPM chip has a unique and secret RSA key burned in during the production, it is capable of performing platform authentication. For example
it can be used to verify that the system seeking the access is the expected system. So we can verify the correct computer is attempting to access something.

Vista
With Ultimate and Enterprise editions
Includes BitLocker software.

Encrypts the boot volume.

Provides integrity authentication for trusted boot pathway (from BIOS to boot sector to start up)

Example with MS Outlook

Example with MS Outlook (2)

File Encryption
A file can be encrypted using a standard RSA key pair, stored by the TPM. And again The file can be encrypted using the TPM chips unique and secret RSA key.
Now the file can only be decrypted by the system that encrypted it. Bonded to that system.

Problems?
Issues with the File Encryption? Issues with Updates?
General issues of privicy?

References
http://en.wikipedia.org/wiki/Trusted_Platform_Mod ule http://buytough.com/tb_pdf/TPM_WP.pdf http://www.techworld.com/storage/features/index.cf m?featureid=1777 https://www.trustedcomputinggroup.org/faq/TPMF AQ/ http://www.microsoft.com/whdc/system/platform/h wsecurity/default.mspx http://www.msnbc.msn.com/ID/10441443/

Q&A