Trusted Computing

[Bull_Dolphin]

TPM delivers a hardware root of trust for IT security

Mon, 2012-05-21 05:13 PM

By: Brian Berger

http://www.gsnmagazine.com/article/26405/tpm_delivers_hardware_root_trust_it_security?page=0,1&c=cyber_security

Today, with increasing electronic communications and transactions, trust in the hardware used for these purposes has never been more important. To establish and ensure trust, the U.S. and other governments around the world have taken advantage of the trusted hardware and process for establishing trust that leading technology companies have developed through a not-for profit organization, called the Trusted Computing Group (TCG).

TCG’s hardware-based root of trust process relies on open standards -- not proprietary processes. It starts with a Trusted Platform Module or TPM. Typically a secure cryptographic integrated circuit inside an enterprise-grade computer or server, the TPM is an integral part of these units and has been installed in over half a billion end products.

The hardware-based root of trust is a significant improvement over software-only protection schemes, since software is vulnerable to the same attacks from the malware that it attempts to thwart. In contrast, the more robust hardware-based TPM approach can manage user authentication, network access, data protection and more. The root of trust has a minimum set of functions to establish the trustworthiness of the host platform. Attestation or vouching for the accuracy of information, as well as authentication, or proof of identity, are among the tasks enabled by the root of trust established by the TPM.

With the TPM, users can set passwords and store digital credentials, including passwords in a hardware-based vault. The TPM can manage keys and can be used in conjunction with self-encrypting drives to restrict access to sensitive data.

The TPM has progressed from its first level over 10 years ago to the TPM 1.2 version today. The TPM and its associated specifications were designed to provide a high level of security to Commercial Off-The-Shelf (COTS) and other products used by government agencies.

As part of its High Assurance Platform (HAP) Program, the National Security Agency (NSA) uses the TPM in a virtualized approach to run multiple secure environments. Today, almost all computers acquired by the Department of Defense (DoD) are required to include a TPM.

This advanced level of trust and security has prompted the National Security Agency (NSA) to sponsor two Trusted Computing Conferences and Expositions. The most recent conference was held September 20-22, 2011 in Orlando, FL. In addition to demonstrating current successes from the use of the TPM in national security programs, presenters discussed the necessity to take these efforts even further.

Taking advantage of a hardware root of trust

In its as-delivered condition, the TPM in computers, servers and other products are in a ready-state to be activated. For government, business entities or individuals to obtain the improved security that the TPM offers, it simply requires security policy processes to be followed. This process is usually described in the operation manuals for the equipment, and is easy for trained information technology personnel to implement.

Once activated, the TPM provides increased security through linkage to other TCG specifications that have been developed for networks, such as the Trusted Network Connect (TNC) and self-encrypting drives (SEDs).

TNC provides trusted network access for fixed and remote mobile devices used enterprise-wide, so authorized users can safely interact with network systems. The National Institute of Standards and Technology (NIST) and the Trusted Computing Group (TCG) worked together to integrate Security Content Automation Protocol (SCAP) developed by NIST and TNC standards developed by TCG. The combination provides a powerful automated compliance and network access and enforcement tool set. The use of SCAP’s ability to manage the security integration of devices, including desktop PCs, servers, laptops and more, with TNC’s complementary set of network capabilities provides users a level of security that was very difficult, expensive or impossible to deliver previously.

TPM used with the newest self-encrypting drives (SEDs) can take the encryption security to a higher level. While a TPM is not required for users to benefit from the automatic encryption that an SED provides, the TPM can prevent unauthorized access to the network or computer systems. Microsoft has step-by-step instructions for enabling and using the BitLocker disk encryption leveraging the TPM included in Windows Vista and Windows 7.

Extending TPM security

With TPM-based security readily available to protect computers and servers, the transition is already well underway to use mobile devices including smart phones to access the restricted information in government and other networks. TCG’s Mobile Trusted Module (MTM) is a secure element and specification developed for use in mobile and embedded devices. The market requirements for these wireless devices dictate a reduced feature set from the traditional PC TPM developed for a wired computing environment, but can work cooperatively with TPMs in other devices for complete system security. The effort to develop the complete functionality required for mobile trust continues with the ongoing development of MTM 2.0. With these specifications, network service providers, third-party service providers and end-users all benefit from establishing trustworthy behavior.

TCG’s recent formation of an Embedded Work Group will provide additional tools to embedded system developers. With these specifications, devices that are increasingly connected to the Internet can benefit from the same approach to security that TCG has provided to computer, servers, drives and networks. With this protection, embedded devices can avoid becoming the weak link entry point for network malware.


Moving forward


The supply chain realizes the importance of hardware-based security and continues to embrace TPM technology with implementations in hardware and improved software and services. Upcoming Windows’ releases from Microsoft are anticipated to require TPM. As self- encrypting drives continue to proliferate that also take advantage of the TPM, Microsoft is just one of the examples that can be cited.

Acceptance of improved TPM-based trustworthiness by U.S. Government agencies has been demonstrated as well. With NIST and TCG’s initial collaboration viewed as quite successful, expanded use of SCAP and TNC technologies can be expected.

While there are few guarantees in life, one thing is for certain, a non-activated TPM cannot deliver the added security it was designed for. So, the admonition to government as well as business organizations is: let’s use what we own, turn on the TPM and use it.