Attacks on computers and networks continue to proliferate in spite of extensive software approaches designed to prevent these attacks. Establishing a strong digital identity for both the user and the computer system through hardware-based security is a significant step beyond software-only strategies. To provide users the tools for improved security, the computer industry has expended considerable effort to implement a standards-based hardware security module known as the Trusted Platform Module (TPM). The TPM can enable network administrators to employ higher levels of security, especially as its presence in computers becomes ubiquitous.

The root of trust

Recognizing that products and services require an improved level of trust, several companies formed the TCG to develop industry standards that protect information assets such as data passwords, keys, and more from external software attacks and physical theft. Today, TCG consists of more than 140 member companies involved in hardware, components, software, services, networking, and mobile phones. The basis of establishing trust was a specification for a TPM, which was approved in 2000 with subsequent TPM shipments for installation in computers. As a result, more than 100 million of today’s enterprise-class PCs have a TPM.

TPM availability has not necessarily led to its implementation for improved security. A February 2008 report by the Aberdeen Group found that enterprise awareness about trusted computing and the TPM is still relatively low despite a high percentage of trusted computing-ready devices and infrastructure available today. Study respondents estimated that more than half of existing desktop and laptop PCs already have support for trusted computing and that more than three-fourths of existing network endpoints and policy enforcement points could support trusted computing.

The report recommended that "to achieve best-in-class performance, companies should increase their awareness about the trusted computing model and security solutions that leverage TPMs and identify applications that take advantage of the trusted computing-ready devices and infrastructure that already exist within their enterprise."

With this recommendation in mind, the following discussion becomes even more relevant. The basis of trusted computing as defined by TCG is a collection of one or more security devices that can be embedded within a trusted computing platform. The foundation or root of trust is the TPM, typically a microcontroller unit (MCU) that provides security services and mounts on the motherboard. However, the TPM can also embed functionality within another IC. The TPM provides protected storage for keys and certificates, unambiguous identity, shielded locations for operations free from external interference, and a means for reporting its status. Difficult to attack virtually or physically, a good TPM implementation uses tamper-resistant hardware to safeguard against physical attacks.

In contrast to alternative proprietary hardware security systems, the TPM is a flexible, standards-based turnkey solution based on internal firmware that does not require programming. The module possesses strong security from third-party certification that can be quantifiably measured (for example, Common Criteria EAL, 3+, 4+, 5+).

Essential TPM features include asymmetrical key pair generation using a hardware random number generator, public key signature, and decryption to securely store data and digital secrets. Hash storage, an endorsement key and initialization, and management capabilities provide further security and user capabilities. The latest version of the TPM, called TCG 1.2 or TPM version 1.2, adds transport sessions, a real-time clock, locality, save and restore context, direct anonymous attestation, volatile store, and delegation to the TPM’s capabilities.

The TPM does not control events; it merely observes and tracks system activity and communicates with the system CPU on a nonsystem bus. The TPM’s key and certificate features are essential for strong identification.

Learning from other industries

The need for a strong identity has been addressed successfully in other applications. For example, the cable modem industry resolved the problem of illegitimate cable modems by mandating that a cable modem compliant to the DOCSIS 1.2 specification must be assigned a unique RSA key pair and X.509 certificate by its manufacturer. The cable modem certificate is then used as a device identity in the authentication handshake with the cable modem termination system or head-end device upstream.

As the governing cable operator organization, Louisville, Colorado-based CableLabs has established a certificate hierarchy rooted at CableLabs itself. Each cable modem manufacturer obtains a Manufacturer Certificate Authority from CableLabs, which is used to issue (sign) the unique modem certificates. The modem key pair and certificate are "burned" into the modem’s hardware.

Using strong device identities in the form of device certificates has enabled the industry to sell cable modems to the retail market, allowing individual consumers to buy and own cable modems. This has eliminated the need for cable operators to serve as the distribution channel for cable modem products. As testament to the success of this approach, the IEEE 802.16 community is considering adopting the cable modem authentication protocol for WiMAX wireless broadband.

TPM functions

From a network identity perspective, the benefits of integrating TPM hardware into network devices are best demonstrated by understanding the TPM’s role in keys and certificates. Five specific areas provide a more detailed explanation of the TPM’s capabilities: cryptographic functions, platform configuration registers, TPM-resident keys, TPM key life-cycle services, and initialization and management functions.

The TPM has several symmetric and asymmetric key cryptographic functions, including on-chip key pair generation (using a hardware random number generator), public key encryption, digital signatures, and hash functions. The TPM version 1.2 utilizes current standard algorithms, including RSA, Data Encryption Standard (DES), Triple DES (3DES), and Secure Hash Algorithm (SHA). In addition, efforts are currently under way to include Suite B cipher suites in the next TPM specification revision.

A Platform Configuration Register (PCR) is typically used to store a hash-and-extend value, in which a new hash value is combined with an existing one (in the PCR) before the combination is passed through the TPM’s hash function. The result of the hash-and-extend operation is placed in the same PCR. The TPM includes at least eight registers that can be used to store hash values and other data.

The TPM allows certain cryptographic keys to be defined as TPM-resident. For example, an RSA key pair is considered TPM-resident if the private key operations for a particular key pair are always executed within the TPM.

Because a computer platform with a TPM could experience hardware failures and other catastrophes, it is crucial that copies of relevant keys and certificates are secure and confidentially backed up. As part of the TPM key life-cycle services, TCG has developed a backup and recovery specification that can ensure business continuity services in the event of a failed platform or unavailable employee. TCG specifies a key migration protocol for keys defined as migratable. The migration specification allows certain types of keys and certificates under proper owner authorization to transfer from one platform to another while restricting accessibility to the original TPM and destination TPM (without human access or the migration authority). These backup, recovery, and migration services can operate with or without a trusted third-party escrow service.

Initialization and management functions allow the owner to turn functionality on and off, reset the chip, and take ownership with strong controls to protect privacy. The system owner is trusted and must opt in, while the user, if different from the owner, can opt out if desired.

Available TPMs

Companies that develop MCU-based TPMs include Winbond Electronics, STMicroelectronics, Infineon Technologies, and Atmel. As shown in Figure 1, the microcontroller is typically packaged in an industry-standard 28-pin Thin-Shrink Small Outline Package (TSSOP). Atmel, which developed the first TPM to meet the TCG specification, uses an AVR 8-bit RISC CPU in its TPM. Figure 2 (page 16) shows the block diagram of common components integrated in a TPM IC.

Another TPM that uses an 8-bit core is STMicroelectronics’ ST19WP18, which is based on an MCU from a family initially developed for smart card and other secure applications. In contrast, Infineon’s TPM v1.2 is based on the company’s family of 16-bit security controllers.

TPMs use the Intel-defined Low Pin Count (LPC) bus found in Intel and AMD-based PCs. As shown in Figure 3, the LPC bus connects the TPM to the Southbridge (I/O controller hub); the Super I/O chip controls the serial and parallel ports as well as the keyboard and mouse.

While meeting the TCG standard requires certain functionality in the TPM, additional features are frequently included to differentiate one company’s TPM from another. For example, the number of general-purpose I/O pins in Figure 2 could be five or six. Atmel offers the AT97SC3203S with a 100 kHz SMBus two-wire protocol for use in embedded systems, including games. Similar to the LPC interface unit, the SMBus interface TPM is packaged in either a 28-pin TSSOP or a 40-lead Quad Flat No lead (QFN) package. In addition to the standard TCG-recommended package (28-pin TSSOP), STMicroelectronics offers the ST19WP18 in a 4.4 mm TSSOP28 and ultra-small QFN packages.

Additional support for the TPM’s operation includes NTRU Cryptosystems’ Core TCG Software Stack and Wave Systems’ Cryptographic Service Provider with either EMBASSY Security Center or EMBASSY Trust Suite. Figure 4 shows these elements in the STMicroelectronics architecture. Other suppliers’ TPM implementations include these components as well.

In addition to discrete TPMs, versions integrated with other functionality are currently available from a variety of semiconductor vendors. Recently, TPM-related applications development has received increasing interest from independent software vendors. Some leading suppliers in the trusted computing area have already begun selling enterprise security systems using the TPM.

Using TPM keys

Different access is allowed depending on the type of TPM key. Working from the bottom up in Figure 5, each TPM has exactly one unique "internal" RSA key pair referred to as the Endorsement Key (EK) pair. Most TPMs include a preprogrammed EK pair, while some implementations can self-generate the EK pair onboard. The TPM has the exclusive ability to use the EK pair for a limited set of operations; entities or processes outside the TPM cannot use it directly.

Corresponding to the EK pair is the EK certificate. Ideally, the TPM manufacturer creates the EK pair in a TPM and issues a unique EK certificate to the TPM; however, another entity in the supply chain such as the OEM or the IT buyer can issue the EK certificate.

To report its internal state or the status or content of its registers with some degree of assurance to the outside world, the TPM uses a separate RSA key pair for RSA signatures. This key pair, referred to as the Attestation Identity Key (AIK) pair, is also generated internally within the TPM when the authorized owner issues the correct command. As an attestation key pair, the AIK private key can only be used for two purposes: sign (or attest to) the TPM internal state report and sign (or certify) other general-purpose keys.

For strong digital identity, the external world can use the AIK pair to identify one TPM from another. To guard the user’s privacy on a platform with a TPM, a given TPM can generate and operate multiple AIK pairs at any time. This allows the user to direct the TPM to use different AIK pairs for different transactions, making it difficult for an eavesdropper to track and correlate transactions.

Corresponding to the AIK pair is the AIK certificate. An AIK certificate is only issued by an entity that can be trusted to view the EK certificate and not disclose its details. Such an entity is referred to as the Privacy Certificate Authority in trusted computing terminology because it issues AIK certificates and maintains the privacy of the EK certificate information.

The TPM allows general-purpose RSA key pairs like those used for encryption and signing to be generated and used. A general-purpose key pair is considered a Certified Key (CK) when the private key is digitally signed by the AIK private key (a TPM-resident key). Depending on the TPM resources, any number of CK pairs is available.

Using the appropriate protocol, an external entity can verify that a given CK pair is TPM-resident. The ability to prove TPM-resident keys represents one of the TPM’s attractive features because a TPM-protected key is more difficult to steal or modify compared to a software-protected key. The provability feature allows a software application on a platform with a TPM to transact with an external entity and prove (to that external entity) that the keys it is using reside in the TPM and are operated by the TPM, thereby increasing that external entity’s trust.

To prove that a CK pair is TPM-resident, TCG has specified a special attestation extension for the X.509 v3 certificate standard. An X.509 v3 certificate carrying the TCG-specified attestation extension for a CK public key is referred to as a CK certificate. To support broad deployment and compatibility with existing certificate authority products and services, a certificate authority (compliant to the RFC3280 standard) does not need to view the EK certificate in order to issue the CK certificate.

Protecting entry points

Today, worldwide testing to find vulnerabilities and the onslaught of attacks by hackers and thieves continually expose weaknesses in software, hardware, and overall protection strategies. In one recent report, researchers from Princeton University thought they discovered a weakness in the TPM when they froze a computer’s DRAM. On the contrary, the testing process itself made the system susceptible to attack.

Once decrypted keys are passed from the TPM to main system memory (DRAM), the keys might still be intact. Removing power from DRAM memory instead of suspending the system in a sleep mode provides an easily implemented strategy to avoid unauthorized access. This simply requires using the hibernate mode or shutting the computer down. However, the testing in this example demonstrated that improper use can reduce a security tool’s effectiveness.

When used properly, the TPM can add several higher-level security functions through its key and certificate capabilities. Recognizing the TPM’s potential to provide increased security, many companies are including the module in their products. Market research firm IDC anticipates that the TPM market will increase to more than 250 million units in 2010. If achieved, this equals an attach rate of more than 90 percent of all notebooks and desktops. Taking advantage of the TPM to establish strong device identity in locations that provide entry points to the network, such as cell phones and PDAs, will add further protection and close the back doors to hackers and thieves.

Thomas Hardjono is Principal Scientist at Wave Systems Corporation, based in Lee, Massachusetts. Thomas has 15 years of experience in security, including roles as Principal Scientist and security architect at VeriSign, Inc. and Bay Networks, Inc. (Nortel Networks). In addition to writing more than 50 technical papers and three books on security and cryptography, he has authored a number of key specifications in various standards organizations, such as the Trusted Computing Group (TCG), Internet Engineering Task Force (IETF), and Organization for the Advancement of Structured Information Standards (OASIS). Thomas has a PhD in Computer Science from the University of New South Wales and a BS (Honors) in Computer Science from the University of Sydney.

Wave Systems Corporation
408-873-2270
[email protected]
www.wave.com