Understanding the Trusted Platform Module

“Trust” was the starting point of our discussion on PKI. The public key infrastructure exists to enable trust between parties who do not know each other, so that information can be transmitted securely. Another component that anchors trust is the Trusted Platform Module.

The previous discussion ended with questions about key management and key security. Keys are among the most critical components of a PKI, so keeping them secure and maintaining their history is of paramount importance. What would you do if you had to keep a piece of information (in this case, keys) secure? Keep it under lock and key (pun intended).

Whenever we face such difficult questions, intelligent minds have come to our rescue. The Trusted Platform Module (TPM) was conceived by a computer industry consortium called the Trusted Computing Group (TCG) and was standardized by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) in 2009 as ISO/IEC 11889. A TPM is a specialized chip on an endpoint device that stores RSA keys specific to the host system for hardware authentication. Each TPM chip contains an RSA key pair called the Endorsement Key (EK). The pair is kept inside the chip, and the private key never leaves it and cannot be accessed by software.

A Trusted Platform Module provides:

  • A random number generator.
  • Facilities for the secure generation of cryptographic keys for limited uses.
  • Remote attestation: Creates a nearly unforgeable hash summary of the hardware and software configuration. The software that measures the configuration into the TPM determines what the summary covers. This allows a third party to verify that the software has not been changed.
  • Binding: Encrypts data using the TPM bind key, a unique RSA key descended from a storage key.
  • Sealing: Similar to binding, but in addition specifies the TPM state that must be present for the data to be decrypted (unsealed).
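The remote-attestation and sealing bullets both rest on the same mechanism: each boot component is measured into a Platform Configuration Register (PCR) with an extend operation, and a sealed secret is released only when the PCRs hold the same values they held at sealing time. The following is an added example written for this article, not code from the original page or from any TPM vendor. It is a simplified software model: `SimTpm`, its storage key, the PCR selection and the boot images are all constructed for illustration, and the HMAC-based keystream stands in for the encryption a real TPM performs under its storage key.

```python
import hashlib
import hmac
import os
from typing import Optional

# Simplified model of TPM PCRs and of sealing data to a PCR state.
# Added example: not a real TPM implementation. The keystream cipher is a
# toy stand-in for the TPM's storage-key encryption (assumption, not the spec).

PCR_SIZE = 32  # SHA-256 digest length; a real TPM has banks of 24 PCRs


class SimTpm:
    """Holds PCRs and a storage key that never leaves the object."""

    def __init__(self, num_pcrs: int = 24):
        self.pcrs = [bytes(PCR_SIZE)] * num_pcrs   # every PCR starts at all-zero
        self._storage_key = os.urandom(32)         # hypothetical storage root key

    def reboot(self) -> None:
        """A reset clears the PCRs but keeps the storage key, as on a real platform."""
        self.pcrs = [bytes(PCR_SIZE)] * len(self.pcrs)

    def extend(self, index: int, measurement: bytes) -> bytes:
        """PCR[i] = SHA-256(PCR[i] || SHA-256(measurement)); order-dependent, never reset by software."""
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def policy_digest(self, indices) -> bytes:
        """Digest of the selected PCR values; this is the state a sealed blob is bound to."""
        h = hashlib.sha256()
        for i in indices:
            h.update(i.to_bytes(1, "big") + self.pcrs[i])
        return h.digest()

    def _keystream(self, key: bytes, n: int) -> bytes:
        out, counter = b"", 0
        while len(out) < n:
            out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
            counter += 1
        return out[:n]

    def seal(self, secret: bytes, indices) -> dict:
        policy = self.policy_digest(indices)
        # The wrapping key depends on the storage key AND the PCR policy digest
        k = hmac.new(self._storage_key, b"seal" + policy, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(secret, self._keystream(k, len(secret))))
        tag = hmac.new(k, ct, hashlib.sha256).digest()
        return {"indices": tuple(indices), "policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> Optional[bytes]:
        policy_now = self.policy_digest(blob["indices"])
        if not hmac.compare_digest(policy_now, blob["policy"]):
            return None  # platform state differs from the state at sealing time
        k = hmac.new(self._storage_key, b"seal" + policy_now, hashlib.sha256).digest()
        if not hmac.compare_digest(hmac.new(k, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            return None  # blob was altered
        return bytes(a ^ b for a, b in zip(blob["ct"], self._keystream(k, len(blob["ct"]))))


# Constructed sample boot components (stand-ins for real firmware/bootloader/kernel images)
BOOT_CHAIN = {
    "firmware": b"UEFI firmware image v1.2",
    "bootloader": b"GRUB bootloader image v2.06",
    "kernel": b"vmlinuz-6.1 image",
}


def measured_boot(tpm: SimTpm, chain: dict, pcr: int = 0) -> bytes:
    """Measure each component into one PCR, in boot order, and return the final value."""
    for image in chain.values():
        tpm.extend(pcr, image)
    return tpm.pcrs[pcr]


def demo() -> tuple:
    """Returns (unseal works on the measured boot, unseal works after the bootloader changes)."""
    secret = b"disk-encryption-key-0123456789ab"
    tpm = SimTpm()
    measured_boot(tpm, BOOT_CHAIN)
    blob = tpm.seal(secret, [0])
    ok_same = tpm.unseal(blob) == secret

    tpm.reboot()
    tampered = dict(BOOT_CHAIN, bootloader=b"GRUB bootloader image v2.06 (patched)")
    measured_boot(tpm, tampered)
    ok_tampered = tpm.unseal(blob) is not None
    return ok_same, ok_tampered


if __name__ == "__main__":
    print(demo())  # expected: (True, False)
```

The point the model makes visible is that the TPM never has to know what "good" firmware looks like: a changed component changes the PCR chain, the policy digest no longer matches, and the secret is simply never released. An attestation quote uses the same PCR values, signed by a key tied to the EK rather than checked locally.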

Computer programs can use a TPM to authenticate hardware devices, since each TPM chip has a unique and secret RSA key burned in during manufacturing. Pushing security down to the hardware level provides more protection than a software-only solution.

In simple terms, the microcontroller chip acts as a safe deposit box where your most precious items, such as keys, passwords and digital certificates, are stored. Are you wondering whether you can just hack into this chip and steal all the passwords and stored keys? Well, you can and you cannot. You can, after putting in a humongous amount of effort, and even that does not guarantee success. You cannot, if all you are prepared to do is run a few open-source hacking tools downloaded from the dark web.

To appreciate the workings of the TPM, we must understand the inner structure of this chip. The TPM is essentially a securely designed microcontroller with added modules to perform cryptographic functions.

The TPM’s internal memory is divided into two segments, persistent (static) and volatile (dynamic), as shown in the diagram below.

From a CISSP perspective, you must know what a TPM does and why it is used. It is one of the important topics the exam asks about. However, the exam does not expect you to write a research paper on it, so the information above is enough from an exam perspective.
