Re: wavedreamer post# 239398

Thursday, 10/30/2014 3:16:18 PM
Trusted Platform Module 2.0


September 2013, Intel Developer Forum, San Francisco: Bill Futral described the latest implementations of the Trusted Computing Group's trusted platform module. The latest TPM specification 00.99 was released in August 2013.

The TPM is an embedded microcontroller, attached to a motherboard, that stores keys, passwords, and certificates. The separate module is more secure against external software attack and physical theft since it operates pre-boot. Security processes like signatures and key exchange are protected by the TCG subsystem.

The latest release is based on the TPM 2.0 library specification and defines the interface and platform-specific requirements for a TPM to be incorporated in client and server platforms. The client spec defines functionality, interfaces, and other requirements to establish a root of trust and chain of trust for the device. The server spec provides additional definitions, specifications, guidelines, and other technical requirements for the use of TCG in servers. Some of the technologies supporting TPM 2.0 include Trusted Execution, Boot Guard, and Windows 8. All of these are included in most of the Intel client and server processors.

The main reason for the use of TPM is government requirements. NIST SP 800-131A calls for significant changes in security requirements starting next year. Signature generation cannot use SHA-1 (Secure Hash Algorithm), RSA < 2048, or EC (Elliptic Curve) < 224 after this year. Signature verification can use these algorithms as legacy only, and must use RSA >= 2048, EC >= 224, and SHA-224/256/384/512 in '14. CNSSP #15 (Committee on National Security Systems) requires the Elliptic Curve Digital Signature Algorithm with curve P-256 up to Secret, and P-384 for Top Secret level work. SHA-256 is required for Secret and SHA-384 for Top Secret work. TPM 1.2 is not allowed for any government work after this year.


The TPM is a hardened device that provides secure non-volatile storage, Platform Configuration Registers, and encryption to only allow authorized users into that machine. The latest spec supports additional cryptographic algorithms and services and more capabilities for flexibility and ease of use. Other features include authorization hierarchies, and enhanced authorization mechanisms.

The additional algorithms enable greater agility by offering selection capabilities. The algorithm can be selected when creating or specifying an object or policy. The agility also allows for code and data measurement using multiple hash tables. The available hierarchies for TPM allow for domain separation at the platform, owner/storage, and endorsement levels. Each hierarchy is independent.

The TPM has a shielded non-volatile memory with new index types, a special delete for OEM index, and enhanced authorizations. Messaging is the same as TPM 1.2 with a handle area, authorization area that includes encryption, decryption, and auditing, and command parameters. The new levels of authorizations support enhanced mechanisms and variable access policies for greater flexibility.

There are a number of tools for developing and testing TPM devices, including a TXT Toolkit, provisioning tools, and emulators working under Windows. Check for more details at www.trustedcomputinggroup.org or at Intel's website.

http://mandetech.com/2013/11/02/trusted-platform-module-2-0/
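As an added example (not part of the post above or of the mandetech article it quotes), the following Python simulates the two TPM 2.0 features the article leans on: measurement into Platform Configuration Registers across several hash banks (the "algorithm agility" point), and a verifier replaying a boot event log against the PCR values a TPM would report, refusing to trust a quote that only covers the legacy SHA-1 bank in the spirit of the SP 800-131A rule the article cites. The event log, the bank set, and the `TRUSTED_BANKS` verifier policy are constructed for illustration and are not taken from any real platform or from the TPM specification.

```python
"""Simulate TPM 2.0 PCR extend across multiple hash banks and replay an
event log against a quote. Added illustration only: the event log below is
constructed, not a real boot log, and signing of the quote is omitted."""
import hashlib
from typing import Dict, List, Tuple

# Hash banks a TPM 2.0 may expose; the same measurement is extended into
# every active bank (the algorithm agility the article describes).
BANKS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}

# Verifier policy (an assumption of this example, modelled on SP 800-131A):
# SHA-1 is legacy, so a quote covering only the SHA-1 bank is not trusted.
TRUSTED_BANKS = ("sha256",)

EventLog = List[Tuple[int, bytes]]  # (PCR index, measured data), in boot order


def initial_pcr(bank: str) -> bytes:
    """PCRs start at all zeros, sized to the bank's digest length."""
    return b"\x00" * BANKS[bank]().digest_size


def extend(old: bytes, measurement: bytes, bank: str) -> bytes:
    """TPM2_PCR_Event-style extend: new = H(old || H(measurement)).

    A PCR can only be extended, never written, so the final value commits to
    every measurement and to the order in which they arrived."""
    h = BANKS[bank]
    return h(old + h(measurement).digest()).digest()


def replay(log: EventLog, bank: str) -> Dict[int, bytes]:
    """Recompute final PCR values by replaying the log in order for one bank."""
    pcrs: Dict[int, bytes] = {}
    for index, data in log:
        pcrs[index] = extend(pcrs.get(index, initial_pcr(bank)), data, bank)
    return pcrs


def quote(log: EventLog) -> Dict[str, Dict[int, bytes]]:
    """What the TPM would report for every bank after this boot."""
    return {bank: replay(log, bank) for bank in BANKS}


def verify_quote(log: EventLog, quoted: Dict[str, Dict[int, bytes]]) -> bool:
    """Accept only if a trusted bank is present and matches the replayed log."""
    return any(bank in quoted and replay(log, bank) == quoted[bank]
               for bank in TRUSTED_BANKS)


# Constructed sample boot log: PCR0 receives the firmware image and then its
# configuration; PCR7 receives the Secure Boot policy. Real logs carry binary
# digests and event types rather than these labels.
EVENT_LOG: EventLog = [
    (0, b"firmware-volume-v1.0"),
    (0, b"firmware-config:secure-boot=on"),
    (7, b"secure-boot-policy:db,dbx"),
]

if __name__ == "__main__":
    q = quote(EVENT_LOG)
    for bank, pcrs in q.items():
        for index in sorted(pcrs):
            print(f"{bank:7} PCR{index}: {pcrs[index].hex()}")
    print("quote verifies:", verify_quote(EVENT_LOG, q))
    # Reversing the log swaps the two PCR0 events: extend is order dependent,
    # so the replayed PCR0 no longer matches and verification fails.
    print("reordered log verifies:", verify_quote(EVENT_LOG[::-1], q))
    # A quote that only carries the legacy SHA-1 bank is rejected by policy.
    print("sha1-only quote verifies:", verify_quote(EVENT_LOG, {"sha1": q["sha1"]}))
```

On a real TPM the hashing step and the extend step are separate commands (TPM2_PCR_Event hashes the data for you, TPM2_PCR_Extend takes an already-computed digest per bank), and a verifier would additionally check the quote's signature under the attestation key and bind it to a fresh nonce; this example keeps only the measurement arithmetic and the bank-selection policy so the order dependence and the legacy-bank rejection are visible on their own.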