Understanding the Trusted Platform Module

“Trust” is what was the starting point of the discussion on PKI. The public key infrastructure is based on the premise to enable trust between unknown parties to ensure the secure transmission of information. Another element that ensures trust is the Trusted Platform Module.

The previous discussion ended with questions about key management and key security. Keys are one of the PKI's most critical components; hence, keeping them secure and maintaining their history is of paramount importance. What would you do if you have to keep a piece of information ( in this case - keys) secure? Keep it under lock and key (pun intended).

Whenever we face such difficult questions, intelligent minds have always come to our rescue. Trusted Platform Module (TPM) was conceived by a computer industry consortium called Trusted Computing Group (TCG), and was standardized by International Organization for Standardization (ISO) and International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889. A Trusted Platform Module (TPM) is a specialized chip on an endpoint device that stores RSA encryption keys specific to the host system for hardware authentication. Each TPM chip contains an RSA key pair called the Endorsement Key (EK). The pair is maintained inside the chip and cannot be accessed by software.

Trusted Platform Module provides:

  • A random number generator
  • Facilities for the secure generation of cryptographic keys for limited uses.
  • Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary. This allows a third party to verify that the software has not been changed.
  • Binding: Encrypts data using the TPM bind-key, a unique RSA key descended from a storage key[clarification needed.
  • Sealing: Similar to binding, but in addition, specifies the TPM state[clarification needed] for the data to be decrypted (unsealed).

Computer programs can use a TPM to authenticate hardware devices since each TPM chip has a unique and secret RSA key burned in as it is produced. Pushing the security down to the hardware level provides more protection than a software-only solution.

In simple terms, a microcontroller chip acts as a safety deposit box where your most precious items such as keys, passwords, and digital certificates are stored. Are you wondering can’t I just hack into this chip and steal all the passwords and the stored keys? Well, you can and cannot. You can after putting in a humungous amount of effort and that too doesn’t guarantee success. You cannot if you will be tired after running a few open-source hacking tools available on the dark web.

To appreciate the workings of the TPM, we must understand the inner structure of this chip. The TPM is essentially a securely designed microcontroller with added modules to perform cryptographic functions.

TPM’s internal memory is divided into two different segments: persistent (static) and versatile (dynamic) memory modules as shown in the diagram below.

From a CISSP perspective, one must be aware of what a TPM does and why is it used. It’s one of the essential topics that is questioned in the exam. However, the exam does not want you to write a research paper about it. Hence, the mentioned information is enough from an exam perspective.


You may also like to read...

Identification, Authentication, Authorization, and Accountability

Access Control Models - DAC, MAC, RBAC , Rule Based & ABAC

How to Pass SSCP Exam in the First Attempt

Understanding Security Modes - Dedicated , System high, Compartmented , Multilevel

Cloud Computing - The Logical Model