Monday, 05/05/2008 10:24:24 AM
Leveraging the TPM on your vPro platform to secure all of your software certificates
Oct 4, 2007 8:06 PM

To All,
I have been asked to provide some information on how one can leverage the TPM as part of vPro. I thought a great starting point would be to outline how the TPM can help harden any client software certificate on the PC. We have found that this generally works if the other parties have done their certificates in a standard way.

First, why should anyone care? By using the TPM there are a number of benefits.

1. The keys are protected by hardware.

2. The password to release the use of a key is matched in hardware, which adds true strength to the key access control.

3. If all of your apps were to leverage the TPM, you start to have centralized key management: by managing the TPM you manage all of your keys. It's like centrally managing networking and having every app just use the connection.

Please treat the following list as just enough to get the juices going. There are more detailed examples at www.wave.com under solutions, and we are working on guides for all the major VPN providers. The TPM is a powerful tool; it is time to play with it.

First, turn on your TPM. This is done in BIOS.
You must then load your TPM utility software; in the case of Wave this is called the Embassy Security Center and is shipped standard on a Dell platform.

You must enable your TPM and then "Take Ownership". This is the password that is used to permission other functions, including generating keys. On centrally managed systems this is done by your admin.

Now you are ready to have the TPM generate keys for a specific need, for example fetching a VPN certificate using the Microsoft CA.

The Microsoft CA needs to be told which CSP to use in order to leverage the TPM. This can be done by selecting Advanced and then selecting the Wave CSP. This will cause the key pair to be generated using the TPM. There are many other settings that will cause other actions, and I suggest messing with them to see what works best for you. For example, if you select strong key protection then the TPM will require a password every time that key is used.

Check your enterprise; you will be surprised to see how many TPMs you have.
Steven

Did you know all of the cool things that can be done with the TPM on your vPro platform?
Sep 27, 2007 9:50 AM


Sep 26, 2007
As a leading developer of software for the TPM, I thought it would be valuable to outline a number of cool solutions that can be enhanced with the TPM. TPM 1.2 is a part of the vPro platform and can dramatically enhance the security of any corporate infrastructure. With tens of millions of devices already in the market, the TPM technology is in a position to help.

As full disclosure, Wave Systems Corp. builds tools for both client and central management of TPMs. We supply Intel's motherboard group with software that is bundled for free with their motherboards and has been for the last few years. We are also Dell's supplier and Gateway's supplier of TPM software. Finally, we support Seagate's hardware full disk encrypting drives, and we demonstrated support for Intel's new Danbury technology at last week's IDF. Wave is on the board of the Trusted Computing Group and we broadly and actively contribute to the specifications and the community.

Let me start with a simple list of things one can do!
Did you know that your TPMs:

Can support strong multifactor authentication to the Windows Domain

Can support strong wireless networking using 802.1x (really 802.11i) for both machine authentication and/or user authentication

Can support 802.1x or IPSec for strong machine authentication (this is a very powerful addition for any NAC implementation, including Cisco CNAC)

Can provide a common key management infrastructure for any application needing key services, allowing the enterprise to centralize their desktop key management. This works with Microsoft EFS, third party file and folder encryption, and other signing applications

Can be used to harden integrity measurements in NAC solutions using Microsoft NAP or Trusted Computing Group TNC specs

Can fully support Windows XP and Windows Vista deployments

Can harden any MSCAPI compatible certificates

Ultimately all of this is done by leveraging the TPM's CSP (Cryptographic Service Provider). This is how any application can talk to the TPM. The CSP is third party provided software and is supplied by either your OEM or a company like Wave, and is typically free from the OEM.

Due to a variety of reasons, the biggest first step is to turn the TPM on and take ownership. This is done in the BIOS. Once the TPM is activated it will ask the user to take ownership, and now the device is ready to be used. There are server products that enable central management of ownership for the corporate customer. Every enterprise should be turning on their TPMs and taking ownership.

To get a feel for this, I have posted an implementation guide for a wireless hot spot on our web site at http://www.wave.com/solutions/Implementation_Guide.pdf; this will provide a good flavor as to what needs to be done. If you build this type of bench lab it will give you a good idea of how TPMs could be broadly used.
Too long a post, but perhaps a good starting point for discussion.

Steven Sprague
CEO
Wave Systems Corp.
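The enrollment steps in the first post (turn the TPM on, take ownership, then point the Microsoft CA request at a TPM-backed provider) and the CSP explanation in the second can be scripted end to end. The following is an added example, not code from either post or from Wave; it assumes Windows 8 / Server 2012 or later (where the TrustedPlatformModule module and the built-in "Microsoft Platform Crypto Provider" TPM key storage provider exist, standing in for the Wave CSP the post picks in the UI), an enterprise CA reachable by certreq, and placeholder values for the CA config string, subject name and certificate template.

```powershell
#Requires -RunAsAdministrator
# Added example: TPM-backed certificate enrollment check. Placeholder values below
# (CA config string, domain suffix, template name) must be replaced with your own.

# Steps 1-2 of the post: the TPM must be on (BIOS) and owned before it can hold keys.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady -and $tpm.TpmOwned)) {
    throw "TPM not present/ready/owned. Enable it in BIOS and take ownership (Initialize-Tpm) first.`n$($tpm | Out-String)"
}

# Step 3 of the post: the CA request names the provider. ProviderName is the line
# that makes the key pair be generated inside the TPM; KeyProtection = 1 asks for a
# prompt each time the key is used (the post's "strong key protection").
$caConfig = 'ca.example.local\Example-Issuing-CA'        # placeholder CA config string
$subject  = "CN=$env:COMPUTERNAME.example.local"          # placeholder subject
$inf = @"
[NewRequest]
Subject = "$subject"
ProviderName = "Microsoft Platform Crypto Provider"
KeyAlgorithm = RSA
KeyLength = 2048
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
KeyProtection = 1
RequestType = PKCS10
[RequestAttributes]
CertificateTemplate = VPNClientTemplate
"@   # placeholder template name; use the VPN template your CA publishes

$work = Join-Path $env:TEMP 'tpm-vpn-enroll'
New-Item -ItemType Directory -Force -Path $work | Out-Null
Set-Content -Path "$work\req.inf" -Value $inf -Encoding ASCII

# Generate the key in the TPM, submit to the CA, then bind the issued cert to that key.
certreq -new    "$work\req.inf" "$work\req.csr";                  if ($LASTEXITCODE) { throw "certreq -new failed" }
certreq -submit -config $caConfig "$work\req.csr" "$work\cert.cer"; if ($LASTEXITCODE) { throw "certreq -submit failed (pending approval?)" }
certreq -accept "$work\cert.cer";                                  if ($LASTEXITCODE) { throw "certreq -accept failed" }

# Verification: the installed certificate's private key must report the TPM provider.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq $subject } |
    Sort-Object NotBefore -Descending | Select-Object -First 1
$details = certutil -store My $cert.Thumbprint | Out-String
if ($details -notmatch 'Provider = Microsoft Platform Crypto Provider') {
    throw "Key for $($cert.Thumbprint) is NOT TPM-backed; check ProviderName in req.inf"
}
"OK: $($cert.Thumbprint) is bound to a TPM-resident, non-exportable key"
```

If the CA template requires manager approval, `certreq -submit` returns a pending request ID instead of a certificate; retrieve it later with `certreq -retrieve <RequestId>` before running the verification part.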