Many network managers are unaware that the desktops, laptops and servers they've installed over the past several
years contain a Trusted Platform Management (TPM) chip that can be used to strengthen user login authentication, protect against unauthorized software modification, and fully encrypt hard disks and removable media.
The TPM chip specification was developed by the Trusted Computing Group, a consortium of most of the major system and chip vendors, including AMD, HP, IBM, Intel, Microsoft and Sun. The group was formed in 2003 to create open standards to protect against thefts of passwords, data, and encryption keys and against installation of malicious software.
TPM chips have been installed in almost all of the laptops, desktops and servers sold in the past two to three years. The chips are also expected to be installed in devices such as cell phones and PDAs.
The TPM specification is often supplied as an individual chip but can be implemented as part of another chip such as an Ethernet interface. It contains a processing engine with firmware implementing the RSA, SHA-1 and HMAC algorithms and a random number generator. The chip also contains a limited amount of internal storage.
Each TPM chip contains an RSA key pair called the Endorsement Key (EK), which is burned in at the time of manufacture. No two TPM chips carry the same EK. The pair is maintained inside the chip and cannot be accessed by software. A key derived from the EK can be used to uniquely identify the TPM chip and hence the system on which it is installed.
The Storage Root Key (SRK) is created when a user or administrator takes ownership of the system. This key pair is generated by the TPM based on the EK and an owner-specified password. A change in ownership creates a new SRK, which then makes unavailable to the new owner any data encrypted with the initial owner's SRK.
The Attestation Identity Key (AIK) protects against unauthorized firmware and software modification. At each system startup, the TPM uses the AIK and the SHA-1 algorithm to hash critical sections of firmware and software before they are executed. The bootloader, BIOS and operating system kernel are typically hashed. The hashes are then stored inside the TPM chip in platform configuration registers (PCRs).
When the system attempts to connect to the network, the hashes are sent to a server that verifies that they match expected values. If any of the hashed components has been modified since last started, the match will fail, and the system will not gain entry to the network.
Software products utilize TPM
The primary reason that network managers have been unaware of TPM capabilities has been the lack of widely available software support. This problem is now being addressed with a variety of software products, including:
BitLocker Drive Encryption, available in Microsoft Vista Enterprise and Ultimate and in Windows Server 2008. BitLocker encrypts the entire Windows volume, including all system and user files, the swap file and the hibernation file.
Full disk encryption, which protects against data theft from stolen systems or systems that have been decommissioned without thorough erasure of the disk. The TPM chip performs all encryption and decryption without slowing system operation. BitLocker also utilizes the AIK and PCRs to protect against unauthorized firmware and software modification.
Softex Incorporated, Ultimaco Safeware AG and Wave Systems Corp. all offer products for Windows Vista and Windows XP Professional that utilize the TPM chip to provide multifactor user login authentication and full disk encryption. In addition to Windows, several Unix and Linux versions provide support for the chip.
Controversies surrounding TPM
Controversies about the chip arose early in the development process and include:
- Open software advocates' concern that the chip would lock out software not licensed by Trusted Computer Group members and that Linux implementations would not be possible. These suspicions have largely been laid to rest: The specification is public, and the chip does not prevent an authorized system owner from installing any desired software.
- A possible security flaw announced prior to the July 2007 Blackhat Conference by two security researchers who cancelled a conference presentation on the topic at the last minute without explanation. They have made no further claim since.
- A method to bypass protections in Microsoft BitLocker described in February 2008 by a group led by researchers at Princeton University. Their method took advantage of the fact that keys derived from the EK and SRK are stored in DRAM. An attacker with access to a running system or a system in standby mode can retrieve these keys. In its response, the Trusted Software Group countered that the researchers had not accessed the EK or SRK, that full system shutdown and Hibernate mode both remove power from DRAM and eliminate the danger, and that systems should not be left in standby.
Despite questions raised in the past, the TPM chip has proven to be a valuable tool for network managers who have taken advantage of it. Increased awareness of its capabilities is expected to lead to wider use.
About the author:
David B. Jacobs of The Jacobs Group has more than 20 years of networking industry experience. He has managed leading-edge software development projects and consulted to Fortune 500 companies as well as software startups.