Trusted Platform Module
From Wikipedia, the free encyclopedia
In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a microcontroller that can generate and store cryptographic keys and other secrets, and the general name for implementations of that specification. The TPM specification is the work of the TPM Work Group, under the auspices of the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 94, published on March 29, 2006.
In a more general sense, the Trusted Platform Module is part of a broader move towards the controversial concept of Trusted Computing.
TPM microcontroller manufacturers
Trusted Platform Module microcontrollers are produced by:
- Atmel
- Broadcom
- Infineon
- Sinosun
- STMicroelectronics
- Winbond
What it does
Several manufacturers produce microchips that are built onto a PC or laptop motherboard during manufacturing. A Trusted Platform Module offers facilities for secure generation of cryptographic keys, the ability to restrict a key to a single purpose (either signing/verification or encryption/decryption), and a hardware random number generator. Its three most controversial features are remote attestation, binding, and sealing. Remote attestation produces a summary of the software on a computer that the software itself cannot forge: each boot component and loaded program is hashed into the TPM's Platform Configuration Registers (PCRs), which can only be extended with new measurements and never set directly, and the TPM signs the PCR values together with a nonce supplied by the verifier using an Attestation Identity Key whose private half never leaves the chip. A third party (such as a digital music store) can then check that the software has not been altered. Sealing encrypts data in such a way that the TPM will decrypt it only when the PCRs hold the same values they held at the time of sealing, that is, only on the same computer running the same software. Binding encrypts data to a key whose private half is held inside the TPM (a key under its Storage Root Key, or another 'trusted' key), so that only that TPM can decrypt it; each TPM also carries a unique Endorsement Key, an RSA key put in the chip during production, which identifies the chip. The first feature is seen as a potential threat to privacy by many, while the second and the third are often seen as heralds of Digital Rights Management systems of unprecedented restrictiveness. Direct anonymous attestation improves privacy, but is still considered insufficient by some.
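The three mechanisms above, modelled as an added example (this is not code from the article, from the TCG specification or from any vendor): a small software stand-in for a TPM in which HMAC-SHA1 plays the role of the chip's RSA keys, while the PCR extend rule, the "unseal only if the PCRs match" check and the verifier's nonce in a quote follow the TPM 1.2 semantics. The PCR indices, measurements, key names and the volume key are all constructed for the example. The sealing step is also the mechanism a disk-encryption product relies on when it ties a volume key to the boot chain.

```python
# Added example, not code from the article or from any TPM vendor: a toy
# software model of TPM 1.2 PCRs, sealing and remote attestation. HMAC-SHA1
# stands in for the TPM's RSA keys (Storage Root Key, Attestation Identity
# Key); all measurements and keys below are constructed for the example.
import hashlib
import hmac
import secrets

SHA1_LEN = 20


class ToyTPM:
    """Stand-in for a TPM chip: secrets created here never leave the object."""

    def __init__(self):
        root = secrets.token_bytes(32)  # per-chip secret (role of the Endorsement Key)
        self._srk = hmac.new(root, b"SRK", hashlib.sha1).digest()  # Storage Root Key
        self._aik = hmac.new(root, b"AIK", hashlib.sha1).digest()  # Attestation Identity Key
        self.reset()

    def reset(self):
        """Power-on: every PCR starts at zero; keys survive the reboot."""
        self.pcrs = [bytes(SHA1_LEN) for _ in range(24)]

    def extend(self, index, measurement):
        """PCR[i] = SHA1(PCR[i] || SHA1(m)). PCRs can only be extended, never set,
        so software cannot erase or reorder what was measured before it ran."""
        m = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + m).digest()
        return self.pcrs[index]

    def composite(self, indices):
        """Digest over the selected PCRs: the 'platform state' data is sealed to."""
        h = hashlib.sha1()
        for i in indices:
            h.update(bytes([i]) + self.pcrs[i])
        return h.digest()

    def _keystream(self, ctx, n):
        out = b""
        for ctr in range(-(-n // SHA1_LEN)):
            out += hmac.new(self._srk, ctx + ctr.to_bytes(4, "big"), hashlib.sha1).digest()
        return out[:n]

    def seal(self, data, indices):
        """Encrypt under the SRK and record the PCR state required to unseal."""
        nonce = secrets.token_bytes(16)
        ks = self._keystream(nonce, len(data))
        blob = bytes([len(indices)]) + bytes(indices) + self.composite(indices) + nonce
        blob += bytes(a ^ b for a, b in zip(data, ks))
        return blob + hmac.new(self._srk, blob, hashlib.sha1).digest()

    def unseal(self, sealed):
        """Plaintext only if the blob is intact and the PCRs match the sealed state."""
        blob, tag = sealed[:-SHA1_LEN], sealed[-SHA1_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self._srk, blob, hashlib.sha1).digest()):
            raise PermissionError("blob corrupted or not sealed by this TPM")
        n = blob[0]
        indices = list(blob[1:1 + n])
        expected = blob[1 + n:21 + n]
        nonce, ct = blob[21 + n:37 + n], blob[37 + n:]
        if not hmac.compare_digest(expected, self.composite(indices)):
            raise PermissionError("platform state differs from when the data was sealed")
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

    def quote(self, indices, nonce):
        """Remote attestation: sign (PCR composite, verifier's nonce) with the AIK."""
        comp = self.composite(indices)
        return comp, hmac.new(self._aik, comp + nonce, hashlib.sha1).digest()

    def verify_quote(self, comp, sig, nonce):
        """Verifier side. With RSA this would need only the AIK public key."""
        return hmac.compare_digest(sig, hmac.new(self._aik, comp + nonce, hashlib.sha1).digest())


def sealed_disk_key_survives_reboot(tampered=False):
    """Measured boot: seal a volume key to PCRs 4 and 8, reboot, re-measure, unseal."""
    tpm = ToyTPM()
    tpm.extend(4, b"bootloader v1.0")  # constructed boot-chain measurements
    tpm.extend(8, b"kernel 2.6.18")
    volume_key = b"constructed-volume-key!!"
    sealed = tpm.seal(volume_key, [4, 8])
    tpm.reset()  # reboot: PCRs cleared, the chain is measured again
    tpm.extend(4, b"bootloader v1.0 (patched by attacker)" if tampered else b"bootloader v1.0")
    tpm.extend(8, b"kernel 2.6.18")
    try:
        return tpm.unseal(sealed) == volume_key
    except PermissionError:
        return False


def attestation_outcomes():
    """Returns (clean platform accepted, replayed quote rejected, extra code detected)."""
    tpm = ToyTPM()
    tpm.extend(0, b"BIOS build 1234")
    known_good = tpm.composite([0])  # verifier's reference value for a clean platform
    nonce = secrets.token_bytes(20)
    comp, sig = tpm.quote([0], nonce)
    clean = tpm.verify_quote(comp, sig, nonce) and comp == known_good
    replay = tpm.verify_quote(comp, sig, secrets.token_bytes(20))  # fresh nonce foils replay
    tpm.extend(0, b"rootkit.ko")  # something extra got loaded; PCR 0 changes irreversibly
    nonce2 = secrets.token_bytes(20)
    comp2, sig2 = tpm.quote([0], nonce2)
    detected = tpm.verify_quote(comp2, sig2, nonce2) and comp2 != known_good
    return clean, replay, detected
```

Two things the toy model makes visible that the prose only states: extending a PCR is one-way, so the same measurements in a different order give a different state and an extra measurement can never be undone; and a quote is only meaningful together with the verifier's own fresh nonce, otherwise an old signature from a clean state could be replayed. The departure from real hardware is that `verify_quote` shares the HMAC secret with the chip; with a real TPM the verifier holds only the AIK's public key. Note also that once `unseal` has returned, the volume key is ordinary host memory and is no longer protected by the TPM.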
A Trusted Platform Module is a hardware chip embedded on the motherboard that can be used to authenticate a hardware device. Because each TPM chip holds a unique key that cannot be extracted or copied, it can perform platform authentication: it can be used to verify that the system seeking access is the expected system.
A TPM does not replace a USB cryptographic token or smart card; they complement each other. A USB token or smart card authenticates the user, whereas a TPM authenticates a machine.
Uses
Microsoft's new desktop operating system, Windows Vista, will use this technology as part of its BitLocker Drive Encryption feature. BitLocker encrypts the entire operating-system volume, and in its TPM mode it seals the key that unlocks the volume to the measurements of the early boot components, so the key is released only if those components have not been modified.
The Enforcer is a Linux Security Module designed to improve the integrity of a computer running Linux by detecting tampering with the file system. It can interact with 'trusted' hardware to provide higher levels of assurance for software and sensitive data. The Enforcer can also work with the TPM to store the secret for an encrypted loopback file system, and unmount that file system when a tampered file is detected; the secret is not accessible to mount the loopback file system again until the machine has been rebooted with untampered files. This allows sensitive data to be protected from an attacker who modifies the system.
Generally, anchoring security in hardware that works together with software is stronger than relying on software alone, which an attacker who compromises the system can modify: keys held in a TPM cannot be read out by software even if the operating system is subverted, although data already unsealed into memory is no longer protected. Currently this technology uses a separate chip. As of 2006, many new laptop computers are sold with a TPM built in. In the future, the same functions could be integrated into an existing motherboard chip, and into other devices that need to be secured, such as a cell phone.
See also
- Trusted Computing
- Trusted Computing Group
- Cryptography
- Next-Generation Secure Computing Base (formerly known as Palladium)
- Hengzhi chip
External links
- Trusted Platform Module specifications
- "Can you trust your computer?" by Richard Stallman
- A video clip critical of TCPA
- Device Authentication-The answer to attacks launched using stolen passwords?
- LWN: OLS: Linux and trusted computing
- Page for Enforcer on SourceForge
- TrueCrypt - Free open-source disk encryption for Win and Linux