Trusted Platform Module
From Telecomix Crypto Munitions Bureau
The Trusted Platform Module (TPM) is a circuit that makes it possible to
- Certify that the computer is equipped with certain hardware
- Certify that the computer is equipped with certain software
- Certify that the computer has a valid TPM circuit installed
- Identify the computer over a network
The word "Certify" above means that the circuit produces digital cryptographic signatures that can be used as "proofs" that the computer actually is equipped with the correct equipment/software. These proofs can be sent over a computer network in order to identify the computer and verify that it is secure.
 What does "secure" mean?
Secure in this context means that an authority can verify the computer's hardware and software composition. This authority could for example be you, the government or some hueg megacorporation. The security depends entirely on the chip manufacturer, as they are the only ones that have ever possessed the RSA private key burnt into the circuit. This private key is called the private endorsement key, and the user can not access it, as that would invalidate the security. It is "that kind" of security. SO DON'T TRUST TPM, BE SECURE, unless you have completely blind faith in the corporations that manufactured the circuit.
Also note that companies need to follow the laws of nations, and companies often do what intelligence agencies and the cops ask of them, even when they are not legally forced to.
 What TPM makes possible
Most of these have not happened. Yet. (OFC, maybe the top politicians suddenly become nice and stop writing more and more surveillance laws. It would be nice, I guess. Maybe I am too pessimistic? Anyways, this is a list of what is technically possible with the help of TPM.)
- Secure game play. In order to play a game, you need to use an operating system that the game publisher has specified as trusted. In order to decrypt and run the actual game, the game automatically identifies you to the game publisher's servers and certifies that you are not running unauthorized software, and that you have paid for your licence of the game.
- Brutally hard surveillance and/or censorship. If the government decides to impose insane surveillance, they could write laws to force all ISP customers to authenticate the software and hardware used by all users (the protocol is named Trusted Network Connect and is a form of AAA protocol), and only allow users that have government spyware installed. Maybe expect harsh dictatorships to impose such laws. China could enforce usage of Green Dam. In the USA such a law was proposed but voted down, see below. Similar laws were proposed by the Italian EU parliamentarian Motti in 2011 (google it, or see example source).
- No more viruses: the computer only allows you to run software that has been authorized by an authority. A hash is made of the binary before it is run, and signed by the TPM to form a certificate for that program. The certificate is checked by some remote server that has a list of allowed software. Nice for huge corporations that need to simplify management of security.
- A combination of the above, or read the specs and add more examples yourself :d
 How does it work?
The TPM circuit is a secure cryptoprocessor, much like a smartcard with some extra functions. The TPM circuit is a piece of physical hardware that contains cipher keys. These keys are supposed to be difficult to extract from the circuit. It is important to note that the user is NOT allowed to view all cipher keys. In particular, the private endorsement key is always kept secret from the user. The private endorsement key is however known to the manufacturer of the chip. If the private endorsement key is leaked, much of the security of the chip is broken.
Secure cryptoprocessors have been used in the military and in some financial systems, like ATMs and VISA/MasterCard cards. The purpose of a secure cryptoprocessor is to cryptographically verify that a system operates as it is supposed to (its software has not been modified without permission), even when the hardware is in a hostile environment.
The Trusted Platform Module can be used to verify that the computer in fact runs the software it is supposed to run. This could be used to gain some protection from viruses. It can also protect the computer against the user hacking the software, or running warez'ed versions of Windows.
The TPM can be used over networks to certify that a computer contains certain hardware and software. The protocol that implements this functionality is named Trusted Network Connect (TNC). Trusted Network Connect can be used to prevent computers that are not running software the network provider has allowed from accessing the network. For example, a network provider could limit access to the internet to just a handful of computers that have been identified and are running authorized software.
The TPM is not a perfect system for protection against viruses and hackers. If the software has glitches, like most (all?) software has, it will still be possible to exploit them. The chip does not protect against bad code being run on the computer, and therefore the computer can still be hacked. It might become more difficult to detect successful hacks if the user is not allowed to inspect the software being run on the computer. (Memory curtaining and protected execution are some of the key concepts of the TPM.)
 Key components in the circuit
The words used to describe what type of functions the TPM circuit makes available have changed numerous times since the TPM circuit first appeared. Chain of trust is seldom mentioned nowadays, for example.
- Endorsement keys
  - Special section below.
- Chain of trust
  - Checks that the BIOS, boot sector and operating system have not been changed without permission. If the checks fail, the computer will not be able to boot.
- Secure I/O
  - Input and output to the computer are encrypted. If the peripheral device (screen/loudspeaker) is not TPM-compatible, there will be problems. Often this means that the quality of video/sound is degraded. The purpose of this is to close the analog hole.
- Memory curtaining and protected execution
  - Denies access to certain areas of memory so that the user can not read what is stored there. This makes it very difficult to copy or modify software once it has been loaded into RAM.
  - (How are you supposed to know if the computer has been hacked if you are not allowed to read its memory? Also, wouldn't it be very difficult to know if the computer is running malware/spyware?)
- Sealed storage
  - Hard discs and other storage devices can be encrypted so that a specific TPM circuit is needed to read the data. Used in combination with memory curtaining.
- Remote attestation
  - Trusted Network Connect.
  - Trusted Third Party (for anonymous remote attestation).
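As an added illustration, not code from the TCMB page, of how the chain of trust and remote attestation items above fit together: each boot component is hashed into a platform configuration register (PCR) before it runs, the TPM signs the final PCR value together with a verifier-chosen nonce, and the remote authority compares it against the value its list of authorized software is known to produce. The boot chain images are constructed sample data, and an HMAC key stands in for the chip's RSA endorsement key so the example runs on the Python standard library alone (which is why the verifier here holds the same secret rather than a public key).

```python
import hashlib
import hmac

# Constructed, hypothetical boot chain: firmware, boot sector and OS images.
# Each component is measured into the PCR before it is allowed to run.
BOOT_CHAIN = [
    ("BIOS", b"constructed firmware image"),
    ("boot sector", b"constructed bootloader image"),
    ("operating system", b"constructed kernel image"),
]

# Stand-in for the private key burnt into the chip. An HMAC key replaces the
# RSA key pair so the example runs on the standard library alone; because of
# that, the verifier below must hold the same secret instead of a public key.
ENDORSEMENT_SECRET = b"constructed example key, not a real endorsement key"


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: PCR_new = SHA-256(PCR_old || SHA-256(component)).
    The register can only be extended, never set directly, so a component
    loaded later cannot erase the record of what ran before it."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain) -> bytes:
    """Measured boot: fold every component of the chain into one PCR value,
    starting from the all-zero reset state. Order matters."""
    pcr = bytes(32)
    for _name, image in chain:
        pcr = extend(pcr, image)
    return pcr


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Remote attestation (the TPM side): sign the PCR together with a nonce
    chosen by the verifier, so an old quote cannot be replayed."""
    return hmac.new(ENDORSEMENT_SECRET, pcr + nonce, "sha256").digest()


def verify_quote(pcr: bytes, nonce: bytes, sig: bytes, golden: bytes) -> bool:
    """The authority's check: the quote must be authentic, fresh, and report
    the PCR value that the list of authorized software is known to produce."""
    expected = hmac.new(ENDORSEMENT_SECRET, pcr + nonce, "sha256").digest()
    return hmac.compare_digest(sig, expected) and hmac.compare_digest(pcr, golden)


if __name__ == "__main__":
    golden = measure_boot(BOOT_CHAIN)
    nonce = b"verifier nonce 1"
    print("genuine chain accepted:", verify_quote(golden, nonce, quote(golden, nonce), golden))
    tampered = BOOT_CHAIN[:2] + [("operating system", b"modified kernel image")]
    bad = measure_boot(tampered)
    print("tampered chain accepted:", verify_quote(bad, nonce, quote(bad, nonce), golden))
```

Swapping, reordering or modifying any component changes the final PCR, so the quote no longer matches the golden value and the authority refuses the computer; this is the mechanism behind both the "no more viruses" scenario and the network-gatekeeping scenario described on this page.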
 When the computer starts
- UEFI & TNC
- Trusted chain.
 When the computer is running
- Curtained memory.
- Secure I/O.
 The endorsement keys
- Are the basis for much of the security in the TPM.
- Can not be replaced by the user.
- There are two endorsement keys: a 2048-bit RSA key pair, one public and one private.
- The public key can be read by the user. It is used to encrypt data that can only be decrypted by the private endorsement key. The public key can be copied and sent to others.
- The private key can not be read by the user. It never leaves the circuit after it has been sold. It is used to sign and decrypt data.
- The manufacturer of the TPM circuit has put the keys into the chip, so they know the value of both endorsement keys.
It is possible that the manufacturer will cooperate with various local law enforcement agencies and hand out the private endorsement key when needed. There is no protection against this at all.
 Ernest "Fritz" Hollings
In 2002, the US senator Ernest Hollings tried to legislate for mandatory usage of the TPM circuit. His bill was named the Consumer Broadband and Digital Television Promotion Act.
 TCMB advice
DO NOT USE THE TPM-CIRCUIT.