Trusted Platform Module

Plug-in TPM unit in the TPM slot of an Asus main board

The Trusted Platform Module ( TPM ) is a chip based on the TCG specification that extends a computer or similar device with basic security functions. These functions can, for example, serve the objectives of license protection or data protection, or also objectives of the intelligence control of computer security features . The chip behaves like a built-in smart card in some respects , but with the important difference that it is not linked to a specific user (user instance ), but to the local computer (hardware instance). In addition to its use in PCs and notebooks , the TPM can be integrated into PDAs , cell phones and consumer electronics. A device with TPM, a specially adapted operating system and the corresponding software together form a Trusted Computing Platform (TC platform). Such a “trustworthy platform” can no longer be used against the interests of the manufacturer, provided that the manufacturer has specified restrictions. A possible advantage for a normal user of such a system lies in the protection against manipulation on the software side by unauthorized third parties.

The chip is currently mostly passive and cannot directly influence the boot process or the operation. It contains a unique cryptographic key and can therefore be used to identify the computer. However, this is only possible if the owner has allowed this information to be read out. With x86-based PCs, the TPM could previously be completely deactivated in the BIOS , so that none of its functions are available. However, it is possible - and quite likely - that a TC platform with activated TPM will be required to run certain applications in the future.

Basic keys of a TPM

Endorsement Key (EK)

The EK is clearly assigned to exactly one TPM. The key length is set to 2048 bits and the algorithm is set to the RSA method. On the one hand for security reasons and on the other hand for data protection reasons , the private part must never leave the TPM - a backup of the EK is therefore also excluded. The generation of this key can be done externally. Deletion and re-generation of the key is now permitted.

According to the current TPM specification, the public part can be TPM_ReadPubekread with the command . Reading can, however TPM_DisablePubekRead, be blocked with the command . The block is permanent and can no longer be removed.

Storage Root Key (SRK)

The Storage Root Key (SRK) is an RSA key with a length of 2048 bits. Its sole purpose is to encrypt other keys used (e.g. private keys for a user's e-mail communication) and thus represents the root of the TPM key tree. If the owner of the computer changes, a new SRK is created . The SRK cannot be migrated.

Attestation Identity Keys (AIK)

Attestation Identity Keys (AIKs) are RSA keys with a fixed length of 2048 bits and a fixed public exponent . They cannot be migrated and may only be used by the TPM to sign values that are stored in the Platform Configuration Register (PCR) (attestation). PCR are part of the volatile memory in the TPM and are responsible for storing status images of the current configuration of software and hardware. ${\ displaystyle e = 2 ^ {16} +1}$

The concept of attestation identity keys was introduced because the endorsement key of a TPM cannot be used directly for the authentication of platform integrity (attestation). Since this key is always unique, user privacy would be compromised. This is why AIKs (quasi as a pseudonym for the EK) are used in such authentication processes. Any number of them can be generated by the TPM owner. In order to ensure that only compliant TC platforms create valid AIKs, the keys must be confirmed by a trustworthy third party (often referred to here as a privacy CA ). This confirmation takes the form of an AIK certificate (credential).

Security functions of the TPM

Sealing ( sealing )

By creating a hash value from the system configuration (hardware and software), data can be linked to a single TPM. The data is encrypted with this hash value. A decryption succeeds only if the same hash value is determined again (which can only succeed on the same system). If the TPM is defective, according to Intel, the application that uses the sealing functions must ensure that the data is not lost.

Outsourcing ( binding / wrapping )

The TPM can also store keys outside of the trust storage (e.g. on the hard drive). These are also organized in a key tree and their roots are encrypted with a "key" in the TPM. This means that the number of securely stored keys is almost unlimited.

Protection of cryptographic keys

Keys are generated, used and securely stored within the TPM. So you never have to leave it. This protects them from software attacks. There is also a relatively high level of protection against hardware attacks (the security here is comparable to that of smart cards). Some chips are manufactured in such a way that physical manipulation results in the inevitable destruction of the stored key.

Certificate ( remote attestation )

A 'certification' can be used to convince a remote party that the Trusted Computing Platform has certain capabilities and is in a well-defined state (corresponding PCR values). This TPM functionality has a significant impact on the privacy of a user, which is why the EK is never used directly to certify platform conformity (i.e. capabilities and status), but only a newly generated AIK if possible. Furthermore, a certificate always requires the explicit consent of the TPM owner.

Two different attestation procedures are currently planned:

Privacy CA (Trusted Third Party)
Direct Anonymous Attestation

The originally proposed solution (TPM specification version 1.1) requires a trustworthy third party. This Privacy CA signs all newly created AIKs, provided the platform meets certain specified guidelines, e.g. B. evidenced by valid certificates (EK Credential, TCPA Conformity Certificate, Platform Credential). The disadvantages are the necessary high availability and the central point of attack with regard to the privacy of the user.

For this reason, a technique known as Direct Anonymous Attestation (DAA) was introduced with the TPM specification version 1.2. A complex cryptographic process (special group signature scheme) can save the trustworthy third party and carry out authentication directly between the parties involved. So-called zero knowledge protocols are an important component of this technology . They show a verifier (service provider) the validity of a generated AIK without disclosing knowledge of the corresponding EK. An Intel employee compared the principle with the solution of a Rubik's cube : He assumes that one shows a viewer first the disordered and later the ordered cube. In this way you can make it clear to a third party at any time that you know the solution without having to explain this way.

However, there are also restrictions with regard to the anonymity granted with DAA: For example, there is a certain operating mode (named-base pseudonym, rogue tagging) which, at the request of the verifier, allows the recognition of repeated or improper use. This makes it possible to link the service requests carried out, which of course limits anonymity. The standard also provides an optional anonymity revocation authority in order to comply with the legal requirements of some states.

Safe random number generator

The TCG specification guarantees a secure random number generator on the TPM. This tackles a general problem in computer science in the extraction of random values using software. The paths taken, such as the evaluation of random system states or the evaluation of user behavior, are problematic.

TPM 2.0

The TPM 2.0 standard was published in 2014. TPM 2.0 is not backwards compatible with TPM 1.2 and is supported from Windows 8 or Linux kernel 4.0.

In the vote on TPM 2.0 as the ISO standard, only Germany and the PR China voted against the standardization.

	TPM 1.2	TPM 2.0
Crypto algorithms	SHA-1 , RSA	Variable, e.g. B. SHA-1, SHA-256 , RSA, Elliptic Curve Cryptography P256
Crypto primitives	RNG , SHA-1	RNG, RSA, HMAC , SHA-1, SHA-256
Hierarchy levels	1 (storage)	3 (platform, storage, endorsement)
Root Keys	1 (SRK RSA-2048)	Different keys and algorithms for each hierarchy level
Authorization	HMAC, PCR, locality, physical presence	Password, HMAC, policy
NVRAM	Unstructured data	Unstructured data, counter, bitmap, extend

distribution

The TPM is currently offered by almost all well-known PC and notebook manufacturers in the product series for professional applications.

software

On the software side, the TPM is supported by various providers:

Acer , Asus , MSI , Dell , Fujitsu Technology Solutions , HP , Lenovo , LG , Samsung , Sony and Toshiba offer integration on your computers.

From 2006 onwards, Apple temporarily installed TPMs on MacBooks with the introduction of the Intel architectures. In older models (2009-2011) there are no TPMs. There is also no driver from Apple, just a port under GPL.

As the manufacturer of the TPM chips, Infineon also offers a comprehensive software solution that is supplied both as an OEM version with new computers and separately via Infineon for computers with a TPM that corresponds to the TCG standard.

Microsoft's Windows Vista and Windows 7 operating systems as well as Microsoft Windows Server from Windows Server 2008 use the chip in connection with the BitLocker drive encryption it contains .

Wave Systems offers comprehensive client and server software that runs on all TPM chips. For example, this software is preinstalled on many Dell and Gateway models.

Charismathics GmbH offers a virtual smart card based on TPM under Windows 7 and higher. Both machine certificates and user certificates are supported.

There are also mixed forms, for example if the TPM module is integrated into the Ethernet chip ( Broadcom ) and the software is based on Infineon "on-top".

hardware

Today practically all mainboards have at least one TPM header into which the TPM module can be plugged.

criticism

So far, TPM chips have only been used to a limited extent, as they severely limit the user's control options. For example, keeping unwanted software away can affect virus software as well as competing software.

In the press release "Statement of the BSI on the current reporting on MS Windows 8 and TPM" of August 21, 2013, the BSI writes that for user groups who "for various reasons cannot take care of the security of their systems [...], but rather the The manufacturers of the system trust [...] "," Windows 8 in combination with a TPM can mean a gain in security ".

However, the BSI also describes that the use of Windows and TPM 2.0 results in a "loss of control over [...] operating system and [...] hardware". "In particular, on hardware that is operated with a TPM 2.0 with Windows 8, unintentional errors by the hardware or operating system manufacturer, but also by the owner of the IT system, can lead to error states that can prevent further operation of the system." this can go so far that even the “hardware can no longer be used permanently”. The BSI describes the same situations for the federal administration and for other users, especially on critical infrastructures, as unacceptable and also criticizes the fact that sabotage is possible in this way.

BSI as well as a key issues paper of the federal government on "Trusted Computing" and "Secure Boot" from August 2012 call for "complete control by the device owner" and "freedom of choice" in "product selection, commissioning, configuration, application and shutdown".

Rüdiger Weis , graduate mathematician and cryptographer, joined this demand on both the 31C3 and the 32C3 . He particularly criticizes the dependency of Secure Boot on Microsoft and the lack of "international control of the TPM manufacturing process". He specifically calls for the disclosure of certification boot codes according to antitrust law, since "the entire computer hardware beyond the Apple world is adapted to Windows". He also described the TPM as the “dream chip for the NSA”, as the key would be generated outside of government agencies.

Web links

Commons : Trusted Platform Module - collection of images, videos and audio files

Software-based TPM emulator for Unix ( Memento from April 19, 2014 in the Internet Archive )
infineon.com
wave.com
Trusted Computing FAQ (German)
Control chips: This is how the PC industry wants to incapacitate customers . Spiegel Online - netzwelt
TPM 2.0 Library Specification FAQ

Individual evidence

↑ Glossary entry on PCR: Institute for Internet Security if (is) of July 31, 2014
↑ Ernie Brickell and Jan Camenisch and Liqun Chen: Direct Anonymous Attestation (PDF; 292 kB) of February 11, 2004
↑ Trusted Platform Module Library; Part 1: Architecture (PDF) Trusted Computing Group. October 30, 2014. Retrieved November 23, 2017.
↑ Windows 8 Boot Security FAQ
↑ [GIT PULL] Security subsystem changes for 3.20
↑ Anna Biselli: We leak: Germany and China against the rest of the world - miraculous unity in Trusted Computing. netzpolitik.org, March 9, 2015, accessed March 11, 2015 .
↑ Amit Singh: Trusted Computing for Mac OS X, October 30, 2006
↑ ^a ^b Experts from the Chaos Computer Club warn of security gaps: Lecture by Rüdiger Weis: There is a warning against Windows 8 from December 29, 2014 and `` heise online '' warning against Secure Boot and Trusted Computing
↑ The ÖFIT trend sonar in IT security - Trusted Platform Module. Fraunhofer FOKUS Competence Center Public IT, April 2016, accessed on May 30, 2016 .
↑ ^a ^b BSI - BSI press releases - BSI statement on current reporting on MS Windows 8 and TPM. March 4, 2016, archived from the original on March 4, 2016 ; accessed on March 10, 2016 .
↑ 32C3: Cryptologist warns of the "botnet" Windows 10 | heise open. March 10, 2016, archived from the original on March 10, 2016 ; accessed on March 10, 2016 .
↑ 31C3: Warning against Secure Boot and Trusted Computing | heise online. March 10, 2016, accessed March 10, 2016 .

[1] Glossary entry on PCR: Institute for Internet Security if (is) of July 31, 2014

[2] Ernie Brickell and Jan Camenisch and Liqun Chen: Direct Anonymous Attestation (PDF; 292 kB) of February 11, 2004

[3] Trusted Platform Module Library; Part 1: Architecture (PDF) Trusted Computing Group. October 30, 2014. Retrieved November 23, 2017.

[4] Windows 8 Boot Security FAQ

[5] [GIT PULL] Security subsystem changes for 3.20

[6] Anna Biselli: We leak: Germany and China against the rest of the world - miraculous unity in Trusted Computing. netzpolitik.org, March 9, 2015, accessed March 11, 2015 .

[7] Amit Singh: Trusted Computing for Mac OS X, October 30, 2006

[:0-8] Experts from the Chaos Computer Club warn of security gaps: Lecture by Rüdiger Weis: There is a warning against Windows 8 from December 29, 2014 and `` heise online '' warning against Secure Boot and Trusted Computing

[9] The ÖFIT trend sonar in IT security - Trusted Platform Module. Fraunhofer FOKUS Competence Center Public IT, April 2016, accessed on May 30, 2016 .

[:1-10] BSI - BSI press releases - BSI statement on current reporting on MS Windows 8 and TPM. March 4, 2016, archived from the original on March 4, 2016 ; accessed on March 10, 2016 .

[11] 32C3: Cryptologist warns of the "botnet" Windows 10 | heise open. March 10, 2016, archived from the original on March 10, 2016 ; accessed on March 10, 2016 .

[12] 31C3: Warning against Secure Boot and Trusted Computing | heise online. March 10, 2016, accessed March 10, 2016 .