Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


07:30 PM

A Tipping Point For The Trusted Platform Module?

To achieve widespread adoption, TPM must overcome challenges to encryption key management.

While a Trusted Platform Module chip could be applied to DRM, it's far from the most common use-case of the technology today. More important in the TPM ecosystem are the other possibilities it affords. The Trusted Computing Group encompasses a variety of platforms, including working groups dedicated to Authentication, Mobile, Software Stack, Storage, Trusted Network Connect, and Virtualized Platform.

The most widespread use of TPM today is Microsoft's BitLocker drive encryption technology. BitLocker can operate with or without the TPM hardware, though the recommended and most secure method of operation requires a 1.2 TPM chip, and it's able to offer significantly more security than non-TPM modes of operation. That's because the keys are secured in the hardware rather than in software, making them harder to tamper with or steal.

Also teaming up with TPM for data encryption are hard drives capable of handling data encryption and decryption internally, such as Seagate Momentus FDE.2 drives. This is one of the few full-disk encryption architectures that would not be vulnerable to the recently publicized "cold-boot" attacks that are able to extract the contents of a computer's memory after it's been powered off and seek out encryption keys.

While disk encryption is a popular use for the TPM chip, it may be the user and machine identification features that steal the show in the long run. With support for multifactor authentication features such as an additional PIN or biometric authentication, TPM can serve as the one-stop shop not only for authenticating a user to a machine, but also as an authentication mechanism for Web applications and business applications that would benefit from strong cryptographic authentication.

The Web is one reason the Trusted Computing Group repurposed itself from the original goals of Trusted Computing Platform Alliance back in 2003. Instead of creating a platform for trusted PC computing, it wanted to be able to integrate the same techniques across a wide variety of uses and platforms.

Of course, integrating TPM into the authentication process for a Web application negates one of the values of Web apps in the first place--they're accessible from any Internet-enabled PC.

This problem may be solved by cell phones, which could act as a soft token to authenticate users. For example, if a user wants to access an online banking application from a strange machine, the bank can send a one-time password to the user's phone. The user would enter this password into the banking app. Meanwhile, the entire process is secured against tampering by TPM's hardware-enabled trusted connection from the server to the PC being used.

Trustworthy computing was supposed to usher in a new era of secure computing, but it got off to a rocky start. Despite that, the latest iteration of hardware-enabled trust promises secure identification, authentication, and encryption, with even more possibilities for the future.

The Trusted Computing Group (successor to the Trusted Computing Platform Alliance) developed and maintains the TPM Specification and is made up of a variety of both software and hardware companies. The current list of core companies includes AMD, HP, IBM, Infineon, Intel, Lenovo, Microsoft, and Sun, though well over 100 other vendors are involved.

TCG has done the right thing, starting ahead of consumer demand and developing an open solution to a problem most customers didn't know they had. A TPM chip enhances a variety of existing security functions with a secure root of trust. The downside is key management complexities, which limit the number of organizations taking advantage of the technology.
Imagine a software-as-a-service vendor able to leverage a secure hardware token in mobile devices for user authentication. The additional layer would provide a level of security analogous to a secure hardware token with a cost approaching the more inexpensive software token. This assumes, of course, that the SaaS vendor was able to develop a manageable process for enrolling the customer's mobile devices into its encryption infrastructure.

This leads directly into the weak spot for TPM--key management. Managing the keys protected by a TPM chip is almost identical to any other encryption platform. Not only must those TPM-generated keys support the usual enterprise key management features--such as enrollment and revocation, and key recovery in case of lost PINs--but there are issues unique to TPM, such as maintaining system state when upgrading, as changes may upset the ability of the module to produce a valid key for an encrypted system.

Some standalone software tools already are available for IT to manage the Trusted Platform Module. For example, Microsoft offers some free TPM management tools. And a large number of OEMs that manufacture PCs and laptops ship Wave Systems' Embassy Trust Suite, which is capable of providing a variety of services to maintain the module itself. However, more powerful management capabilities might require an upgrade to one of Wave's enterprise-level products.

Even without an enterprise management platform, however, some organizations may be able to take advantage of the number of TPM chips deployed in their environment right now. The Trusted Computing Group Web site offers a series of white papers on using TPM with existing enterprise systems such as wireless networks, VPNs, and network access control.

While it's important to consider the extra management effort involved, it's definitely worth examining what you can use for free with the built-in tools along with the module.

Continue to the sidebar:
TPM: A Matter Of Trust

2 of 2
Comment  | 
Print  | 
More Insights
Oldest First  |  Newest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.