Home / Blog / Trusted Platform Module

Trusted Platform Module

Posted on 06/18/2015, by Miguel Herrero (INCIBE)
TPM

In this article, in which the concept of security through hardware was introduced, we mentioned two of the main lines of research that are followed to certify the hardware on which an application runs, speaking specifically about the research and theory behind physical unclonable functions, or PUF.

Leaving aside the one focussed on PUF, the industry has developed and incorporated some microprocessors dedicated to security into the systems. These follow the specifications of the Trusted Platform Module standard (TPM). The creation of this standard began in 1999, and its most important milestones and evolution over time can be observed in the following figure, with the most recent event being the 2013 publication of the second version of the TPM library (TPM 2.0).

milestones TPM

TPM milestones. (Source KU LEUVEN)

The standard TPM, amongst other functions, generates cryptographic keys and random numbers. A TPM chip is therefore composed of the modules indicated below:

TPM components

- TPM components (Source Wikipedia) -

The basic TPM components are as follows:

  • Secured input/output: this component manages the information flow along the communications bus. It encrypts and decrypts the information transmitted between the internal and external buses and directs it to the appropriate TPM component.
  • Key generation: a function that manages the generation of keys and nonces.
  • Cryptographic engine: a component that is in charge of the SHA-1 generator and also incorporates the HMAC and RSA engines.
  • Random number generator: the source of the TPM entropy. It is used to generate nonces and keys, and to incorporate randomness into digital signatures. It consists of a state machine that compiles and mixes random data along with a post-processor that implements a one-way function, such as SHA-1.
  • Up counter: a hardware counter whose value, once increased, cannot be decreased. The TPM must be able to support four concurrent counters, although only one might be active in each boot cycle.
  • Non-volatile memory: where the platform keys are stored.
  • Execution engine: the component that runs the TPM program code. It also ensures that the protected locations are protected and the operations are adequately segregated.

An important key is stored in the non-volatile memory of the TPM: the Endorsement Key (EK). The EK is a pair of public and private 2048-bit RSA keys that are incorporated into the chip during the manufacturing process by the manufacturer or vendor. This key is generated by the TPM chip and it is not possible to generate it a second time or insert another pair of keys into the TPM chip. Whoever generated them (chip or computer manufacturer) must certify that the key created is valid and that the process was carried out in a specific manner. The private part of this key can never leave the TPM chip and the public part is that which helps recognise an authentic TPM. It is a non-exportable key and it can only be used in controlled TPM mechanisms, such as the creation of Attestation Identity Keys (AIK).

AIK is an alias for EK, which are only used for creating digital signatures and not for encrypting information. It is like this since, for reasons of security and privacy, the use of EK for information signatures is not permitted. The creation of the AIK can be carried out at any time and there is no limit to their number.

As well as the EK, in a TPM we can also find the Storage Root Key (SRK), which is a non-exportable public/private key whose private part never leaves the TPM. This key is the key to secure TPM storage. The TPM has a limited storage capacity, which allows it to store some keys and other information that it requires in order to be protected. This secure storage can be extended cryptographically outside the TPM so that it can only be decrypted again inside the TPM. Each key created in the TPM is encrypted using the SRK or another non-exportable key and is stored in the computer outside the TPM, with it only being possible to decrypt it inside the TPM when it is necessary.

Currently, most computers that are sold incorporate TPM that can be activated or de-activated from the operating system (since Windows 7 or Windows Server 2008 R2) and/or since the BIOS. Manufacturers such as HP and Lenovo include them in most of their computers.

At the operating system level, Bitlocker, the native Windows hard drive encryption feature, uses TPM (if it exists, if not, encryption can be carried out by storing a personal identification number on an external USB memory stick). Microsoft makes the information necessary for these operations available to users on its Web page.

TPM chips and their operations are not security risk-free. Physically, being included on a massive scale in computer architecture makes them accessible and vulnerable to attacks by physical means. Their first versions, in which the chips were assembled separately from the rest of the board and connected via a ribbon cable, could be damaged by TPM reset attacks (which worked with TPM version 1.1b), negating the protection offered by the TPM.

Currently, to avoid this, current TPM chips are assembled on the surface of the motherboard, which makes it difficult for non-professionals to desolder and replace them. There are also various articles in which TPM is used to hide malware, using the key structure, thus preventing malware analysis.