Trusted Platform Module Specification v1.2 Enhances Security
June 2004
The Trusted Platform Module (TPM) Specification v1.2 provides several enhancements to
hardware-based trusted computing standards beyond those previously defined in version 1.1 of
the specification. The Trusted Platform Module and related Trusted Platform Module Software
Stack (TSS) specifications are developed and promulgated by the Trusted Computing Group
(TCG) in order to promote interoperable, vendor-neutral standards for trusted computing.
TCG is an industry standards body formed in 2003 to develop, define, and promote open
standards for robust security technologies and trusted computing across multiple platforms—
including desktop and notebook computers, servers, peripherals, and other devices such as
PDAs and digital phones. The TPM Specification defines hardware building blocks and software
interfaces that enable the development and deployment of computing and network platforms with
truly robust security features. Several members of TCG, including Atmel, Fujitsu, Hewlett-Packard, IBM, Infineon, Intel, National Semiconductor, NTRU, Softex, STMicroelectronics,
Utimaco, and Wave Systems, have developed integrated circuits (ICs), systems and subsystems,
as well as software, which comply with TPM and TSS specifications. Many popular software
packages run on TPM-compliant systems without modification or upgrade. Some IC vendors are
now sampling TPM v1.2 chips with production expected in the fall of 2004 and Q1 of 2005.
Four major functions were defined in TPM Specification v1.1, in April 2003:
• Public key functions for on-chip key pair generation
• Storage of hashes of pre-runtime configurations for attestation of the machine
• An Endorsement Key (EK)
• Initialization and management functions
TPM Specification v1.2, announced in November 2003, provides these notable additions:
• Direct Anonymous Attestation (DAA) and the ability to run and generate a new Attestation
Identity Key (AIK)
• Locality
• Delegation
• Non-Volatile storage
• Optimized Transport Protection
• Monotonic Counters
• Tick Counter
The World at Risk
Computing and connectivity innovations provide enterprises and institutions with an amazing
array of capabilities and conveniences that make it easier to get work done in our fast-paced,
mobile, and interdependent world. Indeed, electronic computing and communications systems
and networks—and the data they contain—form an essential structure for the daily operations
and primary work of many businesses and organizations. This diversity of users, tools, systems,
and connectivity options presents security challenges that must be addressed with robust
solutions if the innovations are to be realized without diminishing users’ experiences or burdening
the administrators.
Copyright© 2004 Trusted Computing Group—Other names and brands are properties of their respective owners.
1
A security risk can be as simple as the theft of a notebook computer or PDA that contains vital
business information, personal identity details, corporate secrets, and network access pathway
information. As smarter computing appliances become more abundant, the security of their
contents becomes more crucial. Even desktop computers and servers located in secure facilities
are not immune to theft. Unprotected contents on any of these computing resources pose a
significant security risk. Computing and networked resources are also vulnerable to attack from
viruses and email worms, Trojan horses, denial of service attacks, and other threats that take
many forms and have many consequences.
Malicious hacking starts with inappropriate and unauthorized access to a device, a system, or a
network. The consequences of unauthorized access include theft of funds and other financial
assets (including intellectual property), damage to valuable equipment and the cost of
replacement, expenses for troubleshooting and restoring normal operations, and loss of business
from compromised systems. The vulnerabilities stem from the sheer number of computing
devices; the complexity of operating systems, utilities, and applications programs; and the
diversity of communication protocols and interfaces.
Keeping electronic infrastructures and their contents truly secure has become very difficult and
expensive—with threats and attacks that seem to escalate daily. The revenue lost and expenses
incurred can be devastating to a company. So-called cyberterrorism can also jeopardize private
and public safety. Unfortunately, an inaccurate or incomplete understanding of the robustness of
deployed security solutions can lead to a false sense of security. The best of intentions can lead
to catastrophic failures. Misunderstanding how a given solution works and misjudging its
weaknesses can have serious consequences. Expecting a solution to do something that it cannot
is dangerous at best.
The Magnitude of the Problem
Some consulting groups, such as London-based Mi2g, estimate damages caused by viruses like
Sobig or Klez to be in the billions of dollars. The Blaster virus alone is reported by Mi2g as having
infected more than 300,000 computers in 24 hours and having caused $525 million worth of
damages. According to some surveys, more than 7,000 new viruses were discovered in 2003.
The threat of even more sophisticated and more frequent attacks motivates TCG members to
build a standards-based framework for better protection.
Software Isn’t Enough
Application-level, user-defined log-in IDs and passwords, nested IDs and passwords, and
passwords that must be changed on the first of the month—these are the most commonly used
software-only solutions for keeping out intruders. Even security solutions that use encryption
keys, digital certificates, and firewalls are not as safe as they appear to be because they
generally store the security information on an unprotected hard drive that is very vulnerable to
unauthorized access. If that isn’t enough, user names and passwords are vulnerable to keystroke
loggers that capture information typed by a user when logging in to a system or network.
Most enterprises rely on software-only solutions because of the low cost, simplicity of
configuration, flexibility of deployment, and ease of management. These are often the very
features that make a software-only solution so vulnerable to an ardent attack. If it’s simple to
configure, it’s also simple to hack into the configuration. Flexibility of deployment to many
platforms and users in many locations means that all of the access points are equally vulnerable
without extra effort by the hacker. Ease of management really means Supervisor Mode is not
significantly more secure than User Mode. Having multiple computing devices usually means
having multiple log-in IDs and passwords. Users may also have accounts on several networks,
each with its own identity requirements. Users with multiple IDs and passwords may write out the
usernames and passwords as a memory aid—probably in electronic files. Or, because users visit so
many web sites on a regular basis, it’s just easier to let the site remember the usernames and
passwords. Isn’t that what the screen prompt recommends as the default? Software-only security
solutions may seem affordable and convenient at the time, but may prove fatal.
Towards a Better Balance
Network administrators face the difficult task of developing and enforcing unified security policies
for network access amid constant pressure to support access for new products and services and
new classes of users they will never see. The need for access must be balanced with the
responsibility to maintain network, service, and data integrity. Adding security methodologies that
are rooted in hardware can significantly improve this balance. This hardware-tempered approach
can also streamline user experiences without compromising security.
Goals of Robust Security
Access                 Protect
Ease of use            Administration
E-commerce & E-life    Restrict & Ensure
Anonymous & Mobile     Privacy & Control
Value-added services   Sustainable
Security Needs and Interoperability Efforts
Security Requirements
• Permit only authenticated users and devices to connect to the network
• Enable administrators to establish security policies for anti-virus, patch levels, software
versions, etc.
• Measure device configuration against security policies before its connection to the network
is allowed
• Identify devices that are not compliant
• Quarantine non-compliant devices
• Remediate non-compliant devices to ensure compliance with security policies
Interoperability Standards
IEEE 802.1x, IETF RADIUS, IETF EAP
Focus of TCG Efforts
TPM: Hardware-Based Integrity
The TPM specifications provide mechanisms to proactively establish more trusted relationships
for remote or local access through secure user authentication, machine authentication, and/or
attestation. TPM-compliant ICs protect encryption keys and digital signature keys to maintain data
confidentiality. TPM chips are designed to protect key operations and other security tasks that
would otherwise be performed on unprotected interfaces in unprotected communications.
Especially important, TPM security ICs are specifically designed to protect platform and user
authentication information and unencrypted keys from software-based attacks.
The TPM special-purpose ICs are designed to enhance platform security above-and-beyond the
capabilities of today’s software-only solutions. Defined by the open standards and specifications
of the Trusted Computing Group, TPM ICs provide a hardware-based authentication mechanism
to strengthen existing access controls.
Functions, Risks, and TPM Secure Solutions

Platform Authentication
  Security Risk: Spoofing through the operating system and application software on the platform
  and then into valued networks/sensitive data.
  TPM Hardware Solution: Provides greater assurance that only authorized platforms can access
  networks or services.

User Authentication
  Security Risk: Unprotected user IDs and user-defined passwords are child’s play to a hacker.
  Multiple log-ins cause users to be careless.
  TPM Hardware Solution: Helps protect the integrity and confidentiality of user login credentials.
  Acts as the “something you have” for multi-factor authentication.

E-mail
  Security Risk: Easy to hack even with software-only private decryption keys.
  TPM Hardware Solution: Protects the keys. Keys are stored in the TPM, not in system memory.

Digital Signatures
  Security Risk: Private signature keys are stored in system memory. A hacker can generate
  legally binding forgeries.
  TPM Hardware Solution: Protects the private signature keys. Keys are stored inside the TPM and
  are not exposed in system memory during signing operations.

Data and File Protection
  Security Risk: Unencrypted: access to the platform gains access to files.
  TPM Hardware Solution: Protects the platform. Uses a strong random number generator to create
  strong encryption keys.
TPM Specification Fundamentals
The basic functionality of the TPM specification was defined in version 1.1, in April 2003.
—Asymmetric key functions enable more secure storage of files and digital secrets. On-chip
key pair generation using a hardware random number generator; private key signatures; and
public key encryption and private key decryption of keys provide better security than software
alone. These functions provide hardware-based protection for symmetric keys associated with
software-encrypted files—such as data, passwords, credit card numbers, etc.—and private keys
used for digital signatures. The TPM random number generator creates keys and performs
operations on private keys created by the TPM in the TPM. Private keys created in the TPM are
protected even when in use.
—Secure storage and secure reporting of HASH values representing platform configuration
information—as authorized by the platform’s owner—enable verifiable attestation of the platform’s
configuration based on a chain of trust in creating the HASH values. This includes creation of
Attestation Identity Keys (AIKs) that cannot be used unless a Platform Control Register (PCR)
value is the same as it was when the AIK was created.
An Endorsement Credential can be used in conjunction with Conformance and Platform
Credentials, as authorized by the owner, to create Attestation Identity Key Credentials.
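To make the chain of trust and PCR binding described above concrete, here is a small Python simulation added to this page; it is not code from the TCG specifications or from any vendor. The boot-chain contents, the sealed key and the 16-PCR, 20-byte SHA-1 layout are constructed sample values and assumptions; seal/unseal is a simplified model that omits the storage-key encryption a real TPM applies.

```python
import hashlib

PCR_LEN = 20    # a TPM 1.2 PCR holds one SHA-1 digest (assumption for this model)
NUM_PCRS = 16   # minimum PCR count assumed for this model

# Constructed sample boot chain: (component name, the bytes measured)
BOOT_CHAIN = [
    (b"bios", b"BIOS image v1"),
    (b"bootloader", b"loader stage 2"),
    (b"kernel", b"kernel 2.6 image"),
]

def init_pcrs():
    """All PCRs read as 20 zero bytes after platform reset."""
    return [bytes(PCR_LEN) for _ in range(NUM_PCRS)]

def extend(pcrs, index, data):
    """Extend operation: PCR[i] = SHA-1(PCR[i] || SHA-1(data)).
    A PCR can only be extended, never written directly, so its
    final value commits to every measurement and to their order."""
    measurement = hashlib.sha1(data).digest()
    pcrs[index] = hashlib.sha1(pcrs[index] + measurement).digest()
    return pcrs[index]

def measured_boot(chain, tampered=None):
    """Measure each component into PCR 0 before running it.
    'tampered' names a component whose bytes were altered (simulation)."""
    pcrs = init_pcrs()
    for name, code in chain:
        if name == tampered:
            code += b" [modified]"
        extend(pcrs, 0, code)
    return pcrs

def seal(secret, pcrs, indices):
    """Simplified sealing: record the PCR values the secret is bound to.
    (A real TPM also encrypts the blob under a TPM-held storage key.)"""
    return {"secret": secret, "pcrs": {i: pcrs[i] for i in indices}}

def unseal(blob, pcrs):
    """Release the secret only if every bound PCR matches exactly."""
    if any(pcrs[i] != v for i, v in blob["pcrs"].items()):
        return None
    return blob["secret"]

def demo():
    """Seal on a clean boot; unseal after a clean and a tampered boot."""
    blob = seal(b"disk-encryption-key", measured_boot(BOOT_CHAIN), [0])
    clean_again = measured_boot(BOOT_CHAIN)
    tampered = measured_boot(BOOT_CHAIN, tampered=b"bootloader")
    return unseal(blob, clean_again), unseal(blob, tampered)

if __name__ == "__main__":
    print(demo())
```

A single altered byte in any early component changes every later PCR 0 value, which is why a secret or AIK bound to that PCR becomes unusable after the boot chain is modified.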
—An Endorsement Key can be used by the platform’s owner to anonymously establish that
identity keys were generated in a TPM. This makes it possible to confirm the quality of the keys
without identifying which TPM generated the identity key.
—Initialization and management functions allow the platform’s owner to turn functionality on or
off, reset the chip, and take ownership while maintaining strong controls to protect the privacy of
the user. The owner must be trusted and must “opt-in”. The user (if different from the owner) may
“opt-out”, if desired.
TPM Enhancements in v1.2
While v1.1 focused on the basic foundation of robust security—primarily in untrusted
circumstances—TPM Specification v1.2, announced in November 2003, provides additions and
optimizations in support of trusted software processes. Significant improvements have also been
made to privacy protection.
—Direct Anonymous Attestation (DAA) reliably communicates information about the static or
dynamic capabilities of a computer using a TPM. This capability does not require disclosure of
personally identifiable information and is under the platform owner’s control (either an individual
or the IT department). DAA complements attestation functions in TPM v1.1b and has the
advantage that it can be implemented with or without a trusted third party.
—Locality allows users of TPMs to assign permissions to external software processes, such as a
trusted operating system. Locality assumes that there are hardware or software processes
outside the TPM that have different levels of trustworthiness.
—Delegation allows platform owners to delegate software, an object or other entity, to use
specific owner-authorized commands without allowing access to other commands in the TPM.
For example, owners can withhold passwords from untrusted entities or software for sensitive
functions while still allowing access to non-sensitive functions. The combination of Locality and
Delegation promises to simplify platform management and to keep platform management
under the control of the owner, without compromising the security level.
—Non-Volatile Storage may be used by system software or firmware to store information on the
TPM. This storage is user-defined and has controlled access. One likely use will be to ease
technology deployment with certificates stored on the TPM.
More New Features in TPM v1.2
Other new features of TPM Specification v1.2 provide further benefits and add to the
completeness of the new open standard.
—Transport Protection for commands sent to the TPM helps to ensure the confidentiality of
data exchanged between the TPM and remote software.
—Monotonic Counters help to prevent common “replay” attacks: stored data carries a counter
value that is compared against the TPM’s current, ever-increasing value.
—A Tick Counter allows the TPM to perform time-related transaction sequencing.
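As an added illustration of the replay protection that Monotonic Counters provide (this is a model written for this page, not code from the TCG specifications or any product), the following Python binds each state blob stored outside the TPM to the counter value current at the time it was written. The MonotonicCounter class, the TPM-held key and the balance values are constructed assumptions; the TPM 1.2 counter commands themselves are only modelled.

```python
import hashlib
import hmac

# Constructed sample key standing in for a key that never leaves the TPM
TPM_HELD_KEY = b"constructed-sample-key-not-a-real-tpm-secret"

class MonotonicCounter:
    """Model of a TPM 1.2 monotonic counter: software may read or
    increment it, but can never decrement or reset it."""
    def __init__(self):
        self._value = 0

    def increment(self):
        self._value += 1
        return self._value

    def read(self):
        return self._value

def _tag(counter_value, data):
    # Bind the data to one specific counter value with a TPM-keyed MAC
    msg = counter_value.to_bytes(8, "big") + data
    return hmac.new(TPM_HELD_KEY, msg, hashlib.sha1).digest()

def store_state(counter, data):
    """Advance the counter, then bind the new state to the fresh value.
    The blob itself lives on ordinary disk, outside the TPM."""
    n = counter.increment()
    return {"counter": n, "data": data, "tag": _tag(n, data)}

def load_state(counter, blob):
    """Accept a blob only if its MAC verifies AND its counter equals the
    TPM's current value. A copy saved before a later store_state() is
    authentic but stale, so the second check rejects the replay."""
    if not hmac.compare_digest(_tag(blob["counter"], blob["data"]), blob["tag"]):
        return None, "forged or corrupted"
    if blob["counter"] != counter.read():
        return None, "stale (replayed) state"
    return blob["data"], "ok"

def demo():
    """Constructed scenario: an older, still correctly MACed copy of the
    state blob is presented after a newer state has been written."""
    ctr = MonotonicCounter()
    old = store_state(ctr, b"balance=100")   # copy kept from an earlier point
    new = store_state(ctr, b"balance=40")    # current state after spending
    return load_state(ctr, new), load_state(ctr, old)

if __name__ == "__main__":
    print(demo())
```

Without the counter check, the old blob would pass MAC verification and silently roll the stored state back; the counter gives the verifier a reference value that software cannot rewind.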
Building on Existing Standards
TCG specifications build on existing industry standards. TCG extends these standards to provide
a comprehensive security structure that incorporates fundamental aspects of trusted computing.
This framework is designed to provide customers with interoperable solutions from multiple
vendors—giving them greater choice in selecting components best suited to their requirements.
This framework is an open industry standard that will enable development and deployment of
products for secure heterogeneous environments.
TPM ICs, System Hardware, and Software
Several industry-leading companies manufacture TPM chips, subsystems, motherboards,
computing platforms, and software. OEMs offer desktop and mobile PCs with TPM subsystems
on-board. Motherboards with TPM chips are also available in the reseller channel. Since their
introduction in 2003, over 5 million TPM chips have been sold into systems and subsystems. An
electronic device such as a desktop or laptop computer with TPM hardware on-board can run the
most popular business application software without modification or upgrade. For current
information about TPM-based and TPM-compatible products, visit the TCG web site and link to
the member companies’ product information.
TPM IC Vendors
Manufacturer             Product                                   Contact
Atmel                    AT97SC3202 and AT97SC3201                 www.atmel.com/products/Embedded
Infineon Technologies    SLD 9630_TT_1.1                           www.infineon.com
National Semiconductor   Trusted IO - Super IO with embedded TPM   www.national.com
STMicroelectronics       ST19W18                                   www.st.com
TPM System Vendors
Manufacturer        Product                                                      Contact
Fujitsu             Lifebook S7000, E8000, NAH                                   www.fujitsu.com/
Hewlett-Packard     D530 Desktops; nc4010, nc6000, nc8000, nw8000 notebooks      www.hp.com
IBM                 ThinkPad notebooks, NetVista desktops                        www.pc.ibm.com/security
Intel               D875GRH motherboard                                          www.intel.com/platforms/desktop/vision
TPM-Compatible Application Software

File/Folder Encryption
  Description: Keys protected by TPM
  Vendors: HP, IBM, Infineon, Information Security Corp., Softex, Wave Systems

Client-based Single Login
  Description: Username/Password autofill lets users remember only 1 password and register
  others in TPM for autofill as needed.
  Vendors: Cognizance, IBM, Softex, Wave Systems

Protected Information Repository
  Description: TPM wrapping/sealing capability protects sensitive personal or business
  information.
  Vendors: IBM, Softex, Wave Systems

E-mail Integration
  Description: Encryption, signature schemes supporting MS-CAPI or PKCS#11
  Vendors: Information Security Corp., Microsoft (Outlook), Netscape

Digital Signatures
  Description: Use digital signature applications in e-mail, PDF files, e-purchasing, etc.
  Vendors: Adobe (Acrobat), Microsoft (Internet Explorer), Netscape

Enterprise Login
  Description: Platform authentication using TPM
  Vendors: Cognizance, Wave Systems (Trust Server)

Remote Access
  Description: TPM-protected remote access credentials can be used for VPN, 802.1x, etc.
  Vendors: Checkpoint (VPN-1 Secure Client), RSA (SecurID)

Hardened PKI
  Description: Protect and manage credentials issued by Certificate Authority using TPM.
  Vendors: Checkpoint, PGP, RSA, VeriSign
Learn More about TCG and TPM
TCG is an industry standards body formed to develop, define, and promote open standards for
trusted computing and security technologies, including hardware building blocks and software
interfaces, across multiple platforms, including desktop and notebook computers, servers,
peripherals, and other devices such as PDAs and digital phones. TCG specifications are
designed to enable more secure computing environments without compromising functional
integrity with the primary goal of helping users to protect their information assets from
compromise due to external software attack and physical theft. Specifications and resulting
products enable more secure data storage, online business practices, and online commerce
transactions while protecting privacy and individual rights. More information on TCG membership
and the organization’s specifications is available at www.trustedcomputinggroup.org.