Trusted Platform Module
In computing, Trusted Platform Module (TPM) is both the name of a published specification detailing a secure cryptoprocessor that can store cryptographic keys that protect information, and the general name of implementations of that specification, often called the "TPM chip" or "TPM Security Device" (as designated in certain Dell BIOS settings). The TPM specification is the work of the Trusted Computing Group (TCG). As of 2011 the current version of the specification was 1.2 Revision 116, published on 3 March 2011; it is also available as the international standard ISO/IEC 11889. (The TCG has since published the successor TPM 2.0 specification, which this article does not cover.)

Overview

The Trusted Platform Module offers facilities for the secure generation of cryptographic keys and limitation of their use, in addition to a hardware random number generator. It also includes capabilities such as remote attestation and sealed storage.
  • "Remote attestation" produces a signed summary (a "quote") of the platform's hardware and software configuration, taken from the Platform Configuration Registers (PCRs, described under Platform Integrity below). The software requesting the quote chooses which PCRs are included, and the TPM signs the result with a key that never leaves the chip, so a third party can verify that the measured software has not been changed.
  • "Binding" encrypts data using a key held in the TPM's key hierarchy (a bind key descended from the Storage Root Key, which is created inside the chip when ownership is taken), so that only that TPM can decrypt it. The Endorsement Key, a unique RSA key installed in the chip during production, identifies that particular TPM and is used when taking ownership and creating attestation identities; it is not used for general-purpose encryption.
  • "Sealing" encrypts data in a similar manner to binding, but additionally records a set of PCR values; the TPM will only decrypt (unseal) the data while the selected PCRs hold exactly those values, i.e. while the platform is in the recorded state.


Software can use a Trusted Platform Module to authenticate hardware devices. Since each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication; for example, it can be used to verify that a system seeking access is the expected system.

Generally, pushing the security down to the hardware level in conjunction with software provides more protection than a software-only solution. However, even where a TPM is used, a key is still vulnerable while a software application that has obtained it from the TPM is using it to perform encryption or decryption operations in main memory, as has been illustrated in the case of a cold boot attack. The TPM protects keys at rest and during its own operations; it does not protect a key that has been released to the host.

The TPM sometimes goes by the name "Fritz chip", after the former United States Senator Ernest "Fritz" Hollings. The name was coined by Professor Ross Anderson, author of Security Engineering and Professor at the University of Cambridge.

Platform Integrity

The primary scope of a TPM (in combination with other TCG implementations) is to assure the integrity of a platform. In this context "integrity" means "behaves as intended" and a "platform" is generically any computer platform, not limited to PCs or to Windows: start the power-on boot process from a trusted condition and extend this trust until the OS has fully booted and applications are running.

Together with the BIOS, the TPM forms a Root of Trust. The TPM contains several Platform Configuration Registers (PCRs) that allow secure storage and reporting of security-relevant measurements. A PCR cannot be written directly; it can only be "extended": the new value is the hash of the old value concatenated with the new measurement, so the register accumulates the whole sequence of measurements since reset, and an earlier measurement cannot be undone or reordered without detection. Each boot stage (BIOS, boot loader, OS loader) measures the next stage into a PCR before transferring control to it. These measurements can be compared against previous configurations to detect changes and to decide how to proceed. Note that the TPM itself is passive: it records and reports measurements and withholds sealed secrets when the PCRs do not match, but it does not halt a tampered boot; enforcement comes from what the platform does with the measurements. A good example can be found in Microsoft's BitLocker Drive Encryption (see below).

Therefore the BIOS and the operating system have the primary responsibility to use the TPM to assure platform integrity.
Only then can applications and users running on that platform rely on its security characteristics, such as secure I/O ("what you see is what you get"), uncompromised keyboard entries, and memory and storage operations.
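The extend operation, and the sealing rule from the Overview that it enables, are easier to see in code. The following is an added example, not part of the original article and not code from the TCG or any TPM vendor: a software model, in Python using only the standard library, of a 24-register TPM 1.2-style PCR bank, a measured boot that extends each stage's hash into a PCR, and a toy "chip" that seals a disk key to selected PCRs and refuses to unseal it after a boot in which one component (here, the boot loader) was altered. The boot chains, the PCR assignments, the SRK stand-in and the HMAC-based keystream are constructed for illustration; a real TPM wraps sealed data with an RSA storage key inside the chip.

```python
import hashlib
import hmac
import os

# Constructed model of TPM 1.2 PCR extension and sealing (not TPM code).
PCR_SIZE = 20        # TPM 1.2 PCRs are 160-bit SHA-1 digests
PCR_COUNT = 24       # PC Client platforms expose 24 PCRs


def pcr_reset() -> list:
    """All PCRs are zero at platform reset."""
    return [b"\x00" * PCR_SIZE for _ in range(PCR_COUNT)]


def pcr_extend(pcrs: list, index: int, measurement: bytes) -> bytes:
    """TPM_Extend: PCR[i] <- SHA-1(PCR[i] || SHA-1(measurement)).
    A PCR can only be extended, never written, so history cannot be erased
    without a reset and the order of measurements is preserved."""
    digest = hashlib.sha1(measurement).digest()
    pcrs[index] = hashlib.sha1(pcrs[index] + digest).digest()
    return pcrs[index]


def measured_boot(pcrs: list, components) -> list:
    """Each boot stage measures the next one into a PCR before handing over."""
    for index, blob in components:
        pcr_extend(pcrs, index, blob)
    return pcrs


def pcr_composite(pcrs: list, selection) -> bytes:
    """Digest over the selected PCRs in index order (stands in for the
    spec's TPM_PCR_COMPOSITE structure)."""
    h = hashlib.sha1()
    for i in sorted(selection):
        h.update(pcrs[i])
    return h.digest()


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC counter-mode keystream; a stand-in for the TPM's RSA-wrapped blob."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


class SimTPM:
    """The 'chip': a root secret that never leaves it, plus the PCR bank."""

    def __init__(self):
        self._srk = os.urandom(32)       # Storage Root Key stand-in (assumed)
        self.pcrs = pcr_reset()

    def seal(self, data: bytes, selection) -> dict:
        """Bind data to the *current* values of the selected PCRs."""
        composite = pcr_composite(self.pcrs, selection)
        key = hmac.new(self._srk, composite, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        tag = hmac.new(key, ct, hashlib.sha256).digest()
        return {"selection": sorted(selection), "composite": composite,
                "ciphertext": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """Release data only while the platform is in the sealed-to state."""
        composite = pcr_composite(self.pcrs, blob["selection"])
        if not hmac.compare_digest(composite, blob["composite"]):
            raise PermissionError("PCR mismatch: platform state changed")
        key = hmac.new(self._srk, composite, hashlib.sha256).digest()
        expected = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("sealed blob corrupted")
        ks = _keystream(key, len(blob["ciphertext"]))
        return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


# Constructed boot chains: the second differs only in the boot loader.
GOOD_BOOT = [(0, b"BIOS v1.0"), (4, b"MBR boot loader v2"), (8, b"kernel 3.0")]
EVIL_BOOT = [(0, b"BIOS v1.0"), (4, b"MBR boot loader v2 (patched)"), (8, b"kernel 3.0")]


def demo() -> dict:
    """Seal a disk key on the trusted boot, then try to unseal after each boot."""
    tpm = SimTPM()
    measured_boot(tpm.pcrs, GOOD_BOOT)
    disk_key = b"0123456789abcdef"
    blob = tpm.seal(disk_key, selection=[0, 4, 8])
    good = tpm.unseal(blob) == disk_key

    tpm.pcrs = pcr_reset()               # simulate a reboot
    measured_boot(tpm.pcrs, EVIL_BOOT)
    try:
        tpm.unseal(blob)
        evil = True
    except PermissionError:
        evil = False
    return {"good_boot_unseals": good, "tampered_boot_unseals": evil}


if __name__ == "__main__":
    print(demo())
```

Two properties of the model are worth noting: the extend step is order-dependent (extending a then b gives a different PCR than b then a), and the unseal key is derived from the PCR composite, so even an attacker who patches out the comparison in unseal cannot recover the data on a modified platform without the chip-resident secret.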

Disk encryption

Full disk encryption applications, such as the BitLocker Drive Encryption feature of Microsoft's Windows Vista Ultimate, Windows Vista Enterprise, Windows Server 2008, and the Windows 7 Enterprise and Windows 7 Ultimate operating systems, can use this technology to protect the keys used to encrypt the computer's hard disks and provide integrity authentication for a trusted boot pathway (i.e. BIOS, boot sector, etc.). BitLocker does this by sealing the key that protects the volume master key to a set of PCRs, so the TPM releases it only if the firmware and boot code measure as they did when BitLocker was enabled; if they differ, the user is prompted for the recovery key instead. A number of third-party full disk encryption products also support the TPM chip.

Password Protection

Access to keys, data or systems is often protected and requires authentication by presenting a password. If the authentication mechanism is implemented in software only, the check is typically vulnerable to dictionary attacks: an attacker who can copy the protected data (or the stored verifier) can try candidate passwords offline at whatever rate their hardware allows.
Since the TPM is implemented in a dedicated hardware module, a dictionary attack prevention mechanism is built in: the TPM counts failed authorization attempts and, after a threshold, refuses further attempts for a period (a lockout), which defeats automated guessing while still allowing the legitimate user a sufficient and reasonable number of tries.
With this hardware-based dictionary attack prevention, the user can opt for shorter or weaker passwords which are more memorable. Without this level of protection, only passwords with high complexity would provide sufficient protection. The caveat is that the protection only holds while the secret is verified inside the TPM: if the password is also used to derive or protect a key outside the chip, or the encrypted data can be attacked without consulting the TPM, the offline attack returns and the password must be strong again.
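The difference between verification inside the chip and a verifier left on disk is the whole argument, so here is an added example (not from the original article, and not vendor code) modelling it in Python: a simulated TPM that checks a 4-digit PIN internally and locks itself for ten minutes after five failures, an attacker who must go through it with a one-day budget on a virtual clock, and the same attacker given the exported salt and hash as a software-only design would leave them. The PIN, the lockout threshold, the lockout duration and the KDF iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed model (not TPM vendor code) of the dictionary-attack defence:
# the secret is verified only inside the "chip", which counts failures and
# locks itself out. Thresholds are assumptions; real TPMs use vendor values.


class SimTPMAuth:
    MAX_FAILURES = 5            # assumed: failures tolerated before lockout
    LOCKOUT_SECONDS = 600.0     # assumed: lockout duration
    KDF_ITERATIONS = 100        # kept small so the offline demo runs quickly

    def __init__(self, pin: str):
        self._salt = os.urandom(16)
        self._verifier = self._derive(pin)
        self._failures = 0
        self.locked_until = 0.0

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self._salt,
                                   self.KDF_ITERATIONS)

    def authenticate(self, pin: str, now: float) -> bool:
        """Verify inside the chip; refuse to answer while locked out."""
        if now < self.locked_until:
            raise PermissionError("TPM in lockout")
        if hmac.compare_digest(self._derive(pin), self._verifier):
            self._failures = 0
            return True
        self._failures += 1
        if self._failures >= self.MAX_FAILURES:
            self._failures = 0
            self.locked_until = now + self.LOCKOUT_SECONDS
        return False

    def export_verifier(self):
        """What a software-only scheme leaves on disk for an offline attacker."""
        return self._salt, self._verifier


def online_guess(tpm: SimTPMAuth, candidates, budget_seconds: float):
    """Attacker must ask the chip; every lockout costs wall-clock time
    (tracked with a virtual clock so the demo does not actually sleep)."""
    now, tries = 0.0, 0
    for pin in candidates:
        while True:
            try:
                ok = tpm.authenticate(pin, now)
            except PermissionError:
                now = tpm.locked_until          # wait out the lockout
                if now > budget_seconds:
                    return None, tries
                continue
            tries += 1
            break
        if ok:
            return pin, tries
    return None, tries


def offline_guess(salt: bytes, verifier: bytes, candidates, iterations: int):
    """No chip in the loop: the attacker recomputes the KDF at full speed."""
    for tries, pin in enumerate(candidates, start=1):
        if hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, iterations) == verifier:
            return pin, tries
    return None, len(candidates)


PIN = "7391"                                      # constructed weak secret
CANDIDATES = [f"{i:04d}" for i in range(10000)]   # the whole 4-digit space
ONE_DAY = 24 * 3600.0


def demo() -> dict:
    """Run the online attack against the chip, then the offline attack."""
    tpm = SimTPMAuth(PIN)
    online_pin, online_tries = online_guess(tpm, CANDIDATES, ONE_DAY)
    salt, verifier = tpm.export_verifier()
    offline_pin, offline_tries = offline_guess(salt, verifier, CANDIDATES,
                                               SimTPMAuth.KDF_ITERATIONS)
    return {"online_found": online_pin, "online_tries": online_tries,
            "offline_found": offline_pin, "offline_tries": offline_tries}


if __name__ == "__main__":
    print(demo())
```

With the chip in the loop the full 10,000-PIN space costs about 2,000 lockouts, roughly two weeks of waiting, and the one-day budget finds nothing after a few hundred guesses; offline the same PIN falls after 7,392 hash computations regardless of the KDF, which is why the lockout only buys security for secrets that are never verified outside the TPM.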

Other uses and concerns

Almost any encryption-enabled application can in theory make use of a TPM, including:
  • Digital rights management
  • Software license protection and enforcement

Other uses exist, some of which give rise to privacy concerns. The "physical presence" feature of the TPM addresses some of these concerns by requiring BIOS-level confirmation for operations such as activating, deactivating, clearing or changing ownership of the TPM by someone who is physically present at the console of the machine.

TPM hardware

Starting in 2006, many new laptop computers have been sold with a Trusted Platform Module chip built in. In the future, this concept could be co-located on an existing motherboard chip in computers, or in any other device where a TPM's facilities could be employed, such as a cell phone. On PCs the TPM is attached over the LPC bus.

Trusted Platform Module microcontrollers are currently produced by:
  • Atmel
  • Broadcom
  • Infineon (Infineon TPM)
  • Sinosun
  • STMicroelectronics
  • Nuvoton (formerly Winbond)
  • ITE (ITE TPM)
  • Toshiba
  • Intel

Criticism

The Trusted Computing Group, the developer of the specification, has faced resistance to deploying this technology in some areas, especially in academia, where some authors see possible uses not specifically related to Trusted Computing that may raise privacy concerns. The concerns include abuse of remote validation of software (where the manufacturer, and not the user who owns the computer system, decides what software is allowed to run) and the possibility that actions taken by the user could be tracked by being recorded in a database.

Countries where TPM cannot be legally deployed

  • China
  • Russia
  • Belarus
  • Kazakhstan

Spread

Currently TPM is used by nearly all PC and notebook manufacturers, primarily offered on professional product lines.

TPM is supported by several vendors:
  • Acer, Asus, Dell, LG, Fujitsu, HP, Lenovo, Samsung, Sony and Toshiba provide TPM integration on their devices.
  • Infineon provides both TPM chips and TPM software, which is delivered as OEM versions with new computers, as well as separately by Infineon for products with TPM technology which comply with the TCG standards.
  • Wave Systems offers a broad range of client and server software which runs on all TPM chip-sets. For instance, this software is pre-installed on several models from Dell and Gateway.
  • Microsoft's operating systems Windows Vista and Windows 7, as well as Microsoft Windows Server starting from Windows Server 2008, use the chip in conjunction with the included disk encryption software named BitLocker.
  • In 2006, with the introduction of the first Macintosh models with Intel processors, Apple started to ship Macs with TPMs. Apple never provided an official driver, but there was a port under the GPL available. In 2009, Apple stopped shipping TPMs.

There are also hybrid types, e.g. where the TPM module is integrated into the Ethernet chip, as from Broadcom, while the software which runs "on top" is based on Infineon.

See also

  • Hengzhi chip
  • Next-Generation Secure Computing Base
  • Trusted Computing
  • Hardware Security Module
  • Unified Extensible Firmware Interface

The source of this article is wikipedia, the free encyclopedia.  The text of this article is licensed under the GFDL.