TRUSTED PLATFORM MODULE
In computing, 'Trusted Platform Module' (TPM) is both the name of a published specification detailing a microcontroller that can store secured information and the general name for implementations of that specification, often called a "TPM chip" or "TPM Security Device" (Dell). The TPM specification is the work of the Trusted Computing Group. The current version of the TPM specification is 1.2 Revision 94, published on March 29, 2006.[1]
Overview
A Trusted Platform Module offers facilities for the secure generation of cryptographic keys, the ability to limit the use of keys (to either signing / verification or encryption / decryption), and a hardware random number generator. It also includes capabilities such as remote attestation, binding, and sealed storage. 'Remote attestation' creates an unforgeable summary of the hardware, boot, and host OS configuration of a computer, allowing a third party (such as a digital music store) to verify that the software has not been changed. 'Sealing' encrypts data in such a way that it can be decrypted only in the exact same state, that is, only on the computer on which it was encrypted and while that computer is running the same software. 'Binding' encrypts data using the TPM's endorsement key (a unique RSA key placed in the chip during its production) or another trusted key.
A Trusted Platform Module can also be used to authenticate a hardware device. Since each TPM chip is unique to a particular device, it can perform platform authentication; for example, it can be used to verify that the system seeking access is the expected system.
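The mechanism behind 'sealing' and the measured boot pathway described above, as an added illustration (constructed model code, not from the TPM specification or any vendor): each boot component is measured into a platform configuration register (PCR) with the TPM 1.2 extend operation, and a secret sealed to chosen PCRs is recoverable only while those registers hold their seal-time values. The storage root key, the boot components, the PCR indices and the HMAC-based cipher are assumptions of the model that stand in for the chip's real key hierarchy and encryption.

```python
import hashlib
import hmac
import os
# Constructed teaching model of TPM 1.2 sealing, not a real TPM interface.
# A TPM 1.2 PCR (20-byte SHA-1 register) is extended as PCR = SHA-1(PCR || SHA-1(component)).

def extend(pcrs, index, component):
    """Measure a boot component into a PCR; the order of extends matters."""
    pcrs[index] = hashlib.sha1(pcrs[index] + hashlib.sha1(component).digest()).digest()

def boot(bios, boot_sector, os_loader):
    """Constructed trusted boot path: BIOS -> PCR 0, boot sector -> PCR 4, loader -> PCR 8."""
    pcrs = [b"\x00" * 20] * 16  # PCR bank at power-on: all zero
    for index, component in ((0, bios), (4, boot_sector), (8, os_loader)):
        extend(pcrs, index, component)
    return pcrs

def composite(pcrs, selection):
    """Digest of the selected PCRs: the platform state a sealed blob is bound to."""
    return hashlib.sha1(b"".join(pcrs[i] for i in sorted(selection))).digest()

def _xor_stream(key, nonce, data):
    """XOR data with an HMAC-based keystream (stand-in for the chip's own cipher)."""
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(srk, pcrs, selection, secret):
    """Encrypt and authenticate secret under a key derived from the SRK and the PCR composite."""
    key = hmac.new(srk, b"seal" + composite(pcrs, selection), hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = _xor_stream(key, nonce, secret)
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return {"pcrs": sorted(selection), "nonce": nonce, "ct": ct, "tag": tag}

def unseal(srk, pcrs, blob):
    """Return the secret only if the selected PCRs match seal time; otherwise the tag check fails."""
    key = hmac.new(srk, b"seal" + composite(pcrs, blob["pcrs"]), hashlib.sha256).digest()
    tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    return _xor_stream(key, blob["nonce"], blob["ct"])

def demo():
    """Seal a volume key after a clean boot, then unseal after a modified boot sector."""
    srk = b"constructed-storage-root-key"  # assumed to never leave the chip
    blob = seal(srk, boot(b"bios v1", b"mbr v1", b"loader v1"), [0, 4, 8], b"volume key")
    clean = unseal(srk, boot(b"bios v1", b"mbr v1", b"loader v1"), blob)
    tampered = unseal(srk, boot(b"bios v1", b"mbr evil", b"loader v1"), blob)
    return clean, tampered  # (b"volume key", None)
```

A PCR left out of the selection does not affect unsealing, which is why the choice of measured registers determines what "same state" means.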
Uses
Microsoft's new desktop operating system, Windows Vista, uses this technology as part of its BitLocker Drive Encryption feature. Available only in the Ultimate and Enterprise editions of Windows Vista[2], BitLocker encrypts the computer's boot volume and provides integrity authentication for a trusted boot pathway (BIOS, boot sector, etc.). Other volumes can be encrypted using built-in command-line tools (although not yet via the GUI). Future Windows versions are expected to have increased TPM and BitLocker support for additional cryptographic features and expanded volume encryption. BitLocker requires two NTFS-formatted drive volumes: one for the Windows boot code and BitLocker operational code, and the other containing the boot volume (that is, the volume where the operating system is stored). Contrary to its official name, BitLocker Drive Encryption encrypts only logical volumes (which may or may not span an entire drive).
The Enforcer is a Linux Security Module designed to improve the integrity of a computer running Linux by ensuring that the file system has not been tampered with.[3] It can interact with trusted hardware to provide higher levels of assurance for software and sensitive data. The Enforcer can also work with the TPM to store the secret for an encrypted loopback file system and unmount that file system when a tampered file is detected; the secret cannot be used to mount the loopback file system again until the machine has been rebooted with untampered files. This allows sensitive data to be protected from an attacker.
Generally, pushing security down to the hardware level, in conjunction with software, provides more avenues for protection than a software-only solution, which can be compromised by an attacker. Starting in 2006, many new laptop computers have been sold with a Trusted Platform Module chip built in. In the future, this functionality could be co-located on an existing motherboard chip in computers, or in any other device where a TPM's facilities could be employed, such as a cell phone. Intel is planning to integrate TPM capabilities into its southbridge chipset in 2008.[4]
TPM microcontroller manufacturers
Trusted Platform Module microcontrollers are produced by:
★ Atmel
★ Broadcom
★ Infineon
★ Sinosun
★ STMicroelectronics
★ Winbond
See also
★ Cryptography
★ Hengzhi chip
★ Next-Generation Secure Computing Base
★ Trusted Computing
★ Trusted Computing Group
★ Digital Rights Management
References
1. Trusted Platform Module (TPM) Specifications
2. http://www.microsoft.com/windows/products/windowsvista/editions/choose.mspx
3. Enforcer Homepage
4. https://www.trustedcomputinggroup.org/news/events/pastevents/presentations/GovSec_Presentation_052505.pdf
External links
★ Trusted Computing Group
★ Device Authentication-The answer to attacks launched using stolen passwords?
★ LWN: OLS: Linux and trusted computing
★ GRC podcast: Trusted Platform Module (TPM) (TPM content starts 27 minutes 30 seconds in.)
★ TPM Setup (for Mac OS X)