The TPM chip: An unexploited resource for network security

Many network managers are unaware that the desktops, laptops and servers they've installed over the past several years contain a Trusted Platform Management (TPM) chip that can be used to strengthen user login authentication, protect against unauthorized software modification, and fully encrypt hard disks and removable media.

The TPM chip specification was developed by the Trusted Computing Group, a consortium of most of the major system and chip vendors, including AMD, HP, IBM, Intel, Microsoft and Sun. The group was formed in 2003 to create open standards to protect against thefts of passwords, data, and encryption keys and against installation of malicious software.

TPM chips have been installed in almost all of the laptops, desktops and servers sold in the past two to three years. The chips are also expected to be installed in devices such as cell phones and PDAs.

The TPM specification is often supplied as an individual chip but can be implemented as part of another chip such as an Ethernet interface. It contains a processing engine with firmware implementing the RSA, SHA-1 and HMAC algorithms and a random number generator. The chip also contains a limited amount of internal storage.

Encryption keys

Each TPM chip contains an RSA key pair called the Endorsement Key (EK), which is burned in at the time of manufacture. No two TPM chips carry the same EK. The pair is maintained inside the chip and cannot be accessed by software. A key derived from the EK can be used to uniquely identify the TPM chip and hence the system on which it is installed.

The Storage Root Key (SRK) is created when a user or administrator takes ownership of the system. This key pair is generated by the TPM based on the EK and an owner-specified password. A change in ownership creates a new SRK, which then makes unavailable to the new owner any data encrypted with the initial owner's SRK.

The Attestation Identity Key (AIK) prote

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Security Rogue access points: Preventing, detecting and handling best practices Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments OSI: Securing the Stack, Layer 8 -- Social engineering and security policy Network Security Best Practices and Products Ethical hacking and countermeasures: Network penetration testing intro Are you on a domain name system (DNS) blacklist database? Rogue access points: Preventing, detecting and handling best practices Network security threats solved by risk management: John Pironti explains How to evaluate and manage UTM for network security Profiling -- and protecting against -- network problem users: The Internet Novice How does a firewall work? Physical network security key to fighting low-tech threats Why are TCP/IP networks considered unsecured? Troubleshooting networks: Can vendor software self-install firewalls?

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary anti-replay protocol  (SearchNetworking.com) dynamic packet filter  (SearchNetworking.com) HELLO packet  (SearchNetworking.com) packet filtering  (SearchNetworking.com) rule base  (SearchNetworking.com) stateful inspection  (SearchNetworking.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary

cts against unauthorized firmware and software modification. At each system startup, the TPM uses the AIK and the SHA-1 algorithm to hash critical sections of firmware and software before they are executed. The bootloader, BIOS and operating system kernel are typically hashed. The hashes are then stored inside the TPM chip in platform configuration registers (PCRs).

When the system attempts to connect to the network, the hashes are sent to a server that verifies that they match expected values. If any of the hashed components has been modified since last started, the match will fail, and the system will not gain entry to the network.

Software products utilize TPM

The primary reason that network managers have been unaware of TPM capabilities has been the lack of widely available software support. This problem is now being addressed with a variety of software products, including:

BitLocker Drive Encryption, available in Microsoft Vista Enterprise and Ultimate and in Windows Server 2008. BitLocker encrypts the entire Windows volume, including all system and user files, the swap file and the hibernation file.

Full disk encryption, which protects against data theft from stolen systems or systems that have been decommissioned without thorough erasure of the disk. The TPM chip performs all encryption and decryption without slowing system operation. BitLocker also utilizes the AIK and PCRs to protect against unauthorized firmware and software modification.

Softex Incorporated, Ultimaco Safeware AG and Wave Systems Corp. all offer products for Windows Vista and Windows XP Professional that utilize the TPM chip to provide multifactor user login authentication and full disk encryption. In addition to Windows, several Unix and Linux versions provide support for the chip.

Controversies surrounding TPM

Controversies about the chip arose early in the development process and include:

Despite questions raised in the past, the TPM chip has proven to be a valuable tool for network managers who have taken advantage of it. Increased awareness of its capabilities is expected to lead to wider use.

About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.