Friday, March 29, 2019
Trusted Platform Module (TPM)
Trusted Platform Module (TPM) is a term used to describe a chip or microcontroller. This chip or microcontroller can be placed on the motherboard of a device such as a mobile device or a personal computer (PC). The requirements and applications were predefined and created by the Trusted Computing Group (TCG) to deliver a solution in which a reliable and genuine relationship exists between hardware and software configurations. This facility is implemented through cryptographic and hashing algorithms. Additionally, TPM offers remote attestation, a verification and authentication process for other third-party software. TPM is a global standard for a secure cryptoprocessor, which is a dedicated microcontroller or chip intended to protect hardware by integrating cryptographic keys into devices.

TPM's technical requirements were established and written by TCG and launched in 2003. TCG was created as a nonprofit from inception and is known to have brands like Microsoft, IBM, Intel, and Hewlett-Packard as members. TPM, just like any other technology, has flaws and suffers from attacks. These attacks include offline dictionary and OIAP attacks; nevertheless, when linked with other endpoint controls like multifactor authentication, network access control, and malware detection, TPM's contribution to a sound security platform is sound (Sparks, 2007).

This survey is a literature review of research conducted on TPM, its components, mechanisms, applications, and authorization protocols. Furthermore, a description of some common attacks to which TPM has fallen victim will be presented. Finally, more recent and future applications will be discussed, such as the incorporation of TPM inside mobile and smart devices and even within cloud computing.
First, it is important to start with an overview of the TPM specification, its components, and its purpose. The TPM background section gives an overarching summary of TPM. This includes the motivations and advantages of using TPM as well as how the various types of keys function. Also discussed is the evolution of TPM over time, both in its hardware cryptography and in its capabilities.

2.1 TPM Summary
A Trusted Platform Module (TPM) is a cryptographic coprocessor whose design descends from the smart cards of the 1990s and which is now present on most commercial personal computers (PCs) and servers. TPMs are almost ubiquitous in computer hardware and typically go unnoticed by users because of the lack of compelling applications that use them. However, this situation has begun to change with TPM 2.0, which adds a Federal Information Processing Standards (FIPS) flag: a static indicator stating whether the TPM, including its firmware, is designed to meet FIPS 140-2 cryptographic module requirements. Compliance is then recorded by the consolidated validation certificates granted when FIPS 140-2 validation is completed, and these are registered and published by NIST as a public record listed alphabetically by vendor at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm (TCG FIPS 140-2 Guidance for TPM 2.0, ver 1, rev. 8, 2016). Therefore, the topic of TPM has increasingly become one of importance and an essential ingredient for the cryptographic defense community, whose members are required to prove their FIPS 140-2 compliance. However, this was not always the case, since security was not a mainstream issue in the early years of the Internet.

2.2 Motivation to use TPM
The motivation for TPM began decades after the advent of what is known as the Internet.
From the debut of the Advanced Research Projects Agency (ARPA) network in 1969, it took almost nineteen (19) years for us to become aware of the first known worm, called the Internet worm, in 1988 (Pearson Education, Inc., 2014). Until this time the focus had always been on the development of the computer, with no security hardware or software that was easy to use. There was no real concept of information security threats. However, in the 1990s there was a growing sense of the commercial potential of the Internet and of the need to secure the PCs that would take part in that commerce. This prompted many computer engineers to convene, form a group, and develop the first TPMs; the group became known as the Trusted Computing Group (TPM: A Brief Introduction, 2015). A main objective of this group was a cost-effective approach to creating a hardware anchor for PC system security on which secure systems could be built. This first resulted in a TPM chip that was required to be attached to a motherboard, and the TPM command set was architected to provide all functions necessary for its security use cases.

2.2.1 Evolution
TPM has evolved considerably over the years to become the trusted platform it is today. The earlier TPM 1.2 standard was incorporated into billions of PCs, servers, embedded systems, network gear and other devices; the evolving Internet of Things and increasing demand for security beyond the traditional PC environment led TCG to develop a new TPM specification, which was recently adopted as the international standard ISO/IEC 11889:2015. For more flexibility of application and to enable more general use of the specification, TCG created TPM 2.0 with a library approach. This allows users to choose the applicable aspects of TPM functionality for different implementation levels and levels of security.
Also, new features and functions were added, such as algorithm agility, the ability to implement new cryptographic algorithms as needed (Trusted Platform Module (TPM): A Brief Introduction, 2015).

ISO/IEC 11889-1:2015
ISO/IEC 11889-1:2015 defines the architectural elements of the Trusted Platform Module (TPM), a device which enables trust in computing platforms in general. Some TPM concepts are explained adequately in the context of the TPM itself. Other TPM concepts are explained in the context of how a TPM helps establish trust in a computing platform. When describing how a TPM helps establish trust in a computing platform, ISO/IEC 11889-1:2015 provides some guidance on platform requirements. However, the scope of ISO/IEC 11889 is limited to TPM requirements (Trusted Platform Module (TPM) Summary, 2008).

2.3 TPM Working Functionality
The TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform on a PC or laptop. These artifacts can include passwords, certificates, or encryption keys. A TPM chip can also be used to store platform measurements that help ensure that the platform remains trustworthy. This is critical because authentication and attestation are necessary to ensure safer computing in all environments. Trusted modules can be used in computing devices other than PCs, such as mobile phones or network equipment (Trusted Platform Module (TPM) Summary, 2008).

Figure 1: Components of a TPM

2.3.1 Hardware-based cryptography
Hardware-based cryptography makes certain that the information stored in hardware is guarded against malicious threats such as external software attacks. Also, many types of applications that store secrets on a TPM can be developed to strengthen security by increasing the difficulty of access without proper authorization.
If the configuration of the platform has been altered as a result of unauthorized activities, access to data and secrets can be denied, and the secrets kept sealed, by these applications. The TPM is not responsible for controlling other proprietary or vendor software running on a computer. The TPM can store pre-run-time configuration parameters, but it is other applications that determine and enforce the policies associated with this information. Also, processes can be made secure, as can applications such as email or secure document management. For example, if at boot time it is determined that a PC is not trustworthy because of unexpected changes in configuration, access to highly secure applications can be blocked until the issue is remedied. With a TPM, one can be more certain that the artifacts necessary to sign secure email messages have not been affected by software attacks. And, with the use of remote attestation, other platforms in the trusted network can determine to what extent they can trust information from another PC. Attestation and the other TPM functions do not transmit personal information about the user of the platform.

2.3.2 Capabilities
TPM can improve security in many areas of computing, including e-commerce, citizen-to-government applications, online banking, confidential government communications and many other fields where greater security is required. Hardware-based security can improve protection for VPNs, wireless networks, file encryption (as in Microsoft's BitLocker) and password/PIN/credential management. The TPM specification is OS-agnostic, and software stacks exist for several operating systems.

2.4 TPM Components
The Trusted Platform Module (TPM) is the core component of trusted computing. The TPM is implemented as a secure hardware chip and provides the hardware Root of Trust. The TPM has been designed to provide trusted computing based on Trusted Computing Group (TCG) specifications.
TPM functions can be implemented either in hardware or in software. A secure cryptographic chip (Figure 2) can be integrated on the motherboard of a computing device according to the TPM 1.2 specifications (Angela, Renu Mary, Vinodh Ewards, 2013).

Figure 2: A TPM 1.2 chip (Source: http://www.infineon.com)

A logical layout of the TPM is shown below (Figure 3) along with the TPM components.

Figure 3: TPM Component Diagram (Zimmer, Dasari, Brogan, 2009)

Information flow is managed by the I/O component through the communication bus. The I/O component routes messages to the different components within the TPM and enforces access control for TPM functions and for the Opt-in component.

The non-volatile memory in the TPM is a repository for the Endorsement Key (EK) and the Storage Root Key (SRK). These long-term keys are the basis of the key hierarchy. Owner authorization data such as the owner password and persistent flags are also stored in the non-volatile memory (Trusted Computing Group, 2007).

Platform Configuration Registers (PCRs) are reset at power-off and system restart and can be held in the volatile or the non-volatile region. In TPM v1.1 the minimum number of registers that can be implemented is 16. Registers 0-7 are allocated to TPM usage, leaving the remaining registers (8-15) to be used by the operating system and applications (Angela, Renu Mary, Vinodh Ewards, 2013). In TPM v1.2 the number of registers can be 24 or more, categorised as static PCRs (0-15, with PCR 16 reserved for debug) and dynamic, resettable PCRs (17-22). A PCR is never written directly; it is only extended, by hashing the new measurement together with the register's current value, so the final value commits to the whole ordered sequence of measurements since reset.

The Program Code, also known as the Core Root of Trust for Measurement (CRTM), is the authoritative source for integrity measurements. The execution engine is responsible for initializing the TPM and taking measurements; it is the driver behind the program code.

The RNG (Random Number Generator) is used for generating keys, creating nonces, and fortifying passphrase entropy.
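The PCR extend rule above, and the sealing behaviour described in 2.3.1 (secrets released only when the platform configuration is unchanged), are easy to get wrong in one's head, so here is an added worked example in Go. It is not code from the page or from any TPM vendor: the boot components, the golden value and the sealed secret are constructed, and the sealed blob models only the PCR binding of TPM_Seal, not the SRK encryption a real TPM also applies.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
)

// Measurement is one component measured during boot. The byte strings used in
// goodChain are constructed stand-ins for real firmware, bootloader and kernel images.
type Measurement struct {
	Name string
	Code []byte
}

// extend applies the PCR extend rule, PCR = H(PCR || H(code)). A PCR can only
// be extended, never written directly, so its final value commits to the whole
// ordered sequence of measurements since the last platform reset.
func extend(pcr [32]byte, code []byte) [32]byte {
	m := sha256.Sum256(code)
	return sha256.Sum256(append(pcr[:], m[:]...))
}

// measureBoot replays a boot chain from a freshly reset PCR (all zeros), which is
// the job the CRTM and execution engine perform on real hardware.
func measureBoot(chain []Measurement) [32]byte {
	var pcr [32]byte
	for _, m := range chain {
		pcr = extend(pcr, m.Code)
	}
	return pcr
}

// SealedBlob models the result of TPM_Seal: the secret is bound to the PCR value
// the caller required. A real TPM also encrypts the blob under the SRK; only the
// PCR binding is modelled here (assumption of this example).
type SealedBlob struct {
	ExpectedPCR [32]byte
	Secret      []byte
}

func seal(secret []byte, pcr [32]byte) SealedBlob {
	return SealedBlob{ExpectedPCR: pcr, Secret: append([]byte(nil), secret...)}
}

// unseal releases the secret only when the current PCR equals the value recorded
// at seal time; a changed, added, removed or reordered component all fail.
func unseal(b SealedBlob, currentPCR [32]byte) ([]byte, bool) {
	if !bytes.Equal(b.ExpectedPCR[:], currentPCR[:]) {
		return nil, false
	}
	return b.Secret, true
}

// goodChain is the known-good boot sequence used to compute the golden PCR value.
var goodChain = []Measurement{
	{"CRTM/BIOS", []byte("bios-v1.2")},
	{"bootloader", []byte("grub-2.06")},
	{"kernel", []byte("vmlinuz-5.15")},
}

func main() {
	golden := measureBoot(goodChain)
	blob := seal([]byte("volume-encryption-key"), golden)

	if _, ok := unseal(blob, measureBoot(goodChain)); ok {
		fmt.Println("unmodified boot chain: secret released")
	}

	tampered := append([]Measurement(nil), goodChain...)
	tampered[1] = Measurement{"bootloader", []byte("grub-2.06-backdoored")}
	if _, ok := unseal(blob, measureBoot(tampered)); !ok {
		fmt.Println("modified bootloader: unseal refused")
	}
	fmt.Printf("golden PCR: %x\n", golden)
}
```

Two properties worth noticing when running it: swapping the order of two otherwise unchanged components also changes the final value, because each extend hashes in the previous register contents; and nothing in the chain can "un-extend" a bad measurement, which is why a compromised bootloader cannot later restore the golden value to recover the sealed key.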
The SHA-1 engine plays a key role in creating key blobs and in hashing large blocks of data. TPM modules can be shipped in various states, ranging from disabled and deactivated to fully enabled; the Opt-in component maintains the state of the TPM during shipping.

The RSA engine can be used for a variety of purposes, including key signing, encryption and decryption using storage keys, and decryption using the EK. The AIK (Attestation Identity Key) is an asymmetric key pair, linked to the platform's TPM, that can be used to vouch for the validity of the platform's identity and configuration. The RSA key generation engine is used for creating asymmetric keys of up to 2048 bits.

2.5 TPM Keys
TCG keys can be categorized as signing or storage keys. Other key types defined by TCG are Platform, Identity, Binding, General and Legacy keys (Trusted Computing Group, 2007).

Signing keys are general-purpose keys and are asymmetric in nature. Application data and messages can be signed by the TPM using signing keys. Signing keys can be migrated between TPM devices, subject to the restrictions in place. Storage keys are asymmetric keys primarily used for encrypting data and other keys, as well as for wrapping keys. Attestation Identity Keys (AIKs) are used for signing data pertaining to the TPM, such as the PCR register set. AIKs are signing keys that cannot be exported. The Endorsement Key (EK) is used for decrypting the owner authorization credentials as well as the encrypted messages associated with AIK certification. The EK is not used for general encryption or signing and cannot be exported. Binding keys (asymmetric keys) come in handy to encrypt data on one platform and decrypt it on a different platform. Legacy keys can be imported from outside the TPM and used for signing and encrypting data. Authentication keys are responsible for securing the transport sessions with the TPM and are symmetric in nature.

The Endorsement Key (EK) in the TPM plays a critical role in maintaining system security.
The TPM uses the EK to certify other keys, notably AIKs, which are thereby bound to a specific EK. The EK should be secured and protected from compromise. A 160-bit (20-byte) AIK authorization value is required to use an AIK with the TPM (Sparks, 2007). The root key used for generating other keys, the Storage Root Key, must be created and authorized by the owner when ownership is taken before the TPM can load any other keys. The EK is unique to the TPM and embedded within its tamper-resistant non-volatile memory (Angela, Renu Mary, Vinodh Ewards, 2013). The public EK is used for creating AIK certificates and during the process of encrypting data for the TPM. The private portion of the EK is not used when generating signatures. Multiple AIKs can be stored within a TPM to ensure anonymity between the various service providers requiring proof of identity. AIKs should be stored in secure external storage (outside the TPM) to make them persistent; they are loaded into the volatile memory of the TPM when in use.

The TPM has a Storage Root Key which stays persistent. Other keys are not stored permanently in the TPM due to limited storage space. A brief description of the process involved in key generation, encryption, and decryption in the TPM is outlined below (Osborn & Challener, 2013). A new RSA key is generated by the TPM when a key creation request is initiated by software. The TPM concatenates a proof value to the RSA key, appends the authorization data, encrypts the result using the public portion of the Storage Root Key, and returns the encrypted blob to the requesting software. When the software later needs the key, it asks the TPM to load it from the blob. The TPM uses the Storage Root Key for decryption and validates the proof value and the password before loading the key into TPM memory. A loaded key can in turn act as the parent key for subsequent key creation, forming key hierarchies.

The TPM security section discusses in some detail the various ways in which security is implemented and where it is vulnerable.
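The wrap-and-load procedure just described is the heart of the key hierarchy, so the following added Go example walks through it end to end. It is a model written for this page, not TPM or vendor code: the SRK, the proof value and the password are all constructed, the OAEP label and the handle format are assumptions, and the child key is a 32-byte symmetric key so that a single RSA-OAEP block can wrap it (a real RSA child key is larger and is wrapped with a hybrid scheme). The point it demonstrates is that a blob created under one TPM cannot be loaded into another, and that the password is checked inside the TPM before any key material becomes usable.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
)

// tpm models the parts of a TPM 1.2 involved in the key hierarchy: the Storage
// Root Key, which never leaves the chip, and tpmProof, a secret that marks blobs
// as having been created by this particular TPM. Both are constructed here.
type tpm struct {
	srk      *rsa.PrivateKey
	tpmProof [20]byte
	loaded   map[string][]byte // key handle -> unwrapped key material
}

func newTPM() *tpm {
	srk, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	t := &tpm{srk: srk, loaded: map[string][]byte{}}
	if _, err := rand.Read(t.tpmProof[:]); err != nil {
		panic(err)
	}
	return t
}

const blobLabel = "TPM_KEY_BLOB" // OAEP label; an assumption of this model

// createWrapKey models TPM_CreateWrapKey: generate the child key, prepend the
// proof value and the 20-byte authorization data (SHA-1 of the password, as in
// TPM 1.2), and wrap everything under the parent's public key. Only the wrapped
// blob leaves the TPM.
func (t *tpm) createWrapKey(password string) ([]byte, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	auth := sha1.Sum([]byte(password))
	plain := append(append(append([]byte(nil), t.tpmProof[:]...), auth[:]...), key...)
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, &t.srk.PublicKey, plain, []byte(blobLabel))
}

// loadKey models TPM_LoadKey2: unwrap with the SRK private key, confirm the proof
// value (the blob really came from this TPM and was not forged or swapped in),
// confirm the caller knows the password, and only then load the key.
func (t *tpm) loadKey(blob []byte, password string) (string, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, t.srk, blob, []byte(blobLabel))
	if err != nil {
		return "", errors.New("blob was not wrapped by this SRK")
	}
	if len(plain) != 20+20+32 {
		return "", errors.New("malformed key blob")
	}
	if subtle.ConstantTimeCompare(plain[:20], t.tpmProof[:]) != 1 {
		return "", errors.New("proof value mismatch: blob from a different TPM")
	}
	auth := sha1.Sum([]byte(password))
	if subtle.ConstantTimeCompare(plain[20:40], auth[:]) != 1 {
		return "", errors.New("authorization failed")
	}
	handle := fmt.Sprintf("key-%d", len(t.loaded)+1)
	t.loaded[handle] = plain[40:]
	return handle, nil
}

func main() {
	chip := newTPM()
	blob, err := chip.createWrapKey("correct horse")
	if err != nil {
		panic(err)
	}
	if _, err := chip.loadKey(blob, "wrong"); err != nil {
		fmt.Println("wrong password:", err)
	}
	if _, err := newTPM().loadKey(blob, "correct horse"); err != nil {
		fmt.Println("other TPM:", err)
	}
	handle, err := chip.loadKey(blob, "correct horse")
	fmt.Println("loaded:", handle, err)
}
```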
TPM authorization protocols in both version 1.2 and version 2.0 are addressed. Several examples of different types of TPM vulnerabilities are outlined, as well as ways to verify the integrity of the system to protect against these vulnerabilities, and what the future holds for TPM.

3.1 TPM Authorization Protocols

3.1.1 TPM 1.2 Authorization
The basic definition of TPM authorization is the process of verifying that software is allowed to use a TPM key. For TPM 1.2 this is accomplished with a few basic constructs in an authorization session, typically using passwords or values stored in the Platform Configuration Registers (PCRs), which are referred to as authorization data. The three types of authorization sessions for TPM 1.2 are: the Object-Independent Authorization Protocol (OIAP), which creates a session that allows access to multiple objects but works only for certain commands; the Object-Specific Authorization Protocol (OSAP), which creates a session that can manipulate only a single object but allows new authorization data to be transferred; and the Delegate-Specific Authorization Protocol (DSAP), which delegates access to an object without disclosing the authorization data (Nyman, Ekberg, Asokan, 2014).

Commands are then used to manipulate the keys within an authorization session. Software proves that it is authorized by sending, with each command, an HMAC keyed with the password hash, which demonstrates knowledge of the password without transmitting it. Also, non-volatile random-access memory (NVRAM) can be locked to PCR values and to particular localities, with two separate authorizations, one for reading and one for writing. While effective, these mechanisms created a comparatively rigid authorization system which made it difficult to administer the sharing of TPM keys and data (Osborn & Challener, 2013).

3.1.2 TPM 2.0 Authorization
The implementation of TPM 2.0, on the other hand, takes a couple of different approaches by introducing enhanced authorization (EA).
EA takes the TPM 1.2 authorization methods and improves upon them by incorporating the features listed in Table 1 below.

Table 1. TPM 2.0 Authorization Features (feature: description)

Passwords in the clear: Reduces overhead in environments where the security of hash-based message authentication (HMAC) may not be feasible due to its extra cost and complexity.
HMAC key: In some cases, when the software talking to the TPM is trusted but the OS is untrusted (as in a remote system), it can be useful to use HMAC for authorization in the same way as in TPM 1.2.
Signature methods: Allows IT staff to perform maintenance on a TPM by authenticating with a smart card or with additional data such as a biometric fingerprint or GPS location. This ensures that passwords cannot be shared or compromised by unauthorized users and that an additional verification check is conducted.
PCR values as a proxy for system boot state: If the system management module software has been compromised, this prevents the release of the full-disk encryption key.
Locality as a proxy for command origin: Can be used to indicate whether a command originated from the CPU in response to a special request.
Time: Can limit the use of a key to certain times of the day.
Internal counter values: Limits the use of an object so that a key can only be used a certain number of times, as indicated by an internal counter.
Value in a non-volatile (NV) index: Use of a key is restricted to when certain bits are set to 1 or 0.
NV index: Authorization is based on whether the NV index has been written.
Physical presence: Requires proof that the user is physically in possession of the platform.
(Table created with information from Arthur, Challener, Goldman, 2015)

These features can be combined into more complex policies using the logical operators AND and OR, which allows the creation of policies that include multifactor or multiuser authorization of resources, time limits on resources, and/or revocation of resources. Each policy assertion is folded into a running policy digest, and an object can only be used when the session's digest equals the policy digest stored in the object at creation time (Arthur, Challener, Goldman, 2015).
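To make the AND/OR composition concrete, here is an added Go example, not taken from the page or from any TPM software stack, that computes a TPM 2.0 policy digest for "(PCR 0-7 equal a golden value) OR (the caller supplies the object's password)" and then replays the use-time check. The command-code constants are the TPM 2.0 Library Part 2 values as I recall them and should be confirmed against the spec revision you target; the PCR selection encoding is simplified to a raw index list, and the golden and tampered PCR composites are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Policy command codes from TPM 2.0 Library Part 2 (assumed; confirm against the
// spec). Each policy command folds its own code into the running policy digest,
// so the digest commits to exactly which assertions were made, in which order,
// with which arguments. AND is therefore implicit in sequential extension.
const (
	ccPolicyAuthValue uint32 = 0x0000016B
	ccPolicyOR        uint32 = 0x00000171
	ccPolicyPCR       uint32 = 0x0000017F
)

type digest = [32]byte

// bootPCRs is the PCR selection used by the boot-state branch below.
var bootPCRs = []byte{0, 1, 2, 3, 4, 5, 6, 7}

// update is the one rule behind every policy command:
// policyDigest' = H(policyDigest || commandCode || command-specific arguments).
func update(d digest, cc uint32, args ...[]byte) digest {
	h := sha256.New()
	h.Write(d[:])
	var code [4]byte
	binary.BigEndian.PutUint32(code[:], cc)
	h.Write(code[:])
	for _, a := range args {
		h.Write(a)
	}
	var out digest
	copy(out[:], h.Sum(nil))
	return out
}

// policyPCR binds the policy to a digest of the selected PCRs. The
// TPML_PCR_SELECTION wire encoding is simplified to the raw index list (assumption).
func policyPCR(d digest, pcrs []byte, pcrDigest digest) digest {
	return update(d, ccPolicyPCR, pcrs, pcrDigest[:])
}

// policyAuthValue records that the object's password (or HMAC) must also be
// supplied; the TPM checks the actual authValue separately when the object is used.
func policyAuthValue(d digest) digest {
	return update(d, ccPolicyAuthValue)
}

// policyOR combines alternative branches. The resulting digest starts from a
// zero digest, not from the current one, so every branch leads to the same value.
func policyOR(branches []digest) digest {
	args := make([][]byte, len(branches))
	for i := range branches {
		args[i] = branches[i][:]
	}
	return update(digest{}, ccPolicyOR, args...)
}

// policyBranches defines "(PCR 0-7 equal the golden value) OR (admin password)".
func policyBranches(golden digest) []digest {
	return []digest{
		policyPCR(digest{}, bootPCRs, golden),
		policyAuthValue(digest{}),
	}
}

// authPolicy is the value stored in the protected object at creation time.
func authPolicy(golden digest) digest {
	return policyOR(policyBranches(golden))
}

// policyORSession replays the TPM's check at use time: the session digest built
// by the caller's assertions must equal one branch before PolicyOR extends it to
// the combined digest, which the TPM then compares with the object's authPolicy.
func policyORSession(session digest, branches []digest) (digest, error) {
	for _, b := range branches {
		if b == session {
			return policyOR(branches), nil
		}
	}
	return session, errors.New("PolicyOR: session digest matches no branch")
}

func main() {
	golden := sha256.Sum256([]byte("constructed composite of PCR 0-7 after a good boot"))
	stored := authPolicy(golden)
	branches := policyBranches(golden)

	s, err := policyORSession(policyPCR(digest{}, bootPCRs, golden), branches)
	fmt.Println("good boot unlocks:", err == nil && s == stored)

	s, err = policyORSession(policyAuthValue(digest{}), branches)
	fmt.Println("admin password path unlocks:", err == nil && s == stored)

	bad := sha256.Sum256([]byte("constructed composite after a tampered boot"))
	_, err = policyORSession(policyPCR(digest{}, bootPCRs, bad), branches)
	fmt.Println("tampered boot:", err)
}
```

Note what the OR buys and what it costs: the object's stored policy is a single digest, so the TPM never needs to store the branch list, but whoever builds the session must know and replay the full list of branches, and adding a branch later changes the stored digest, which means re-creating (or re-authorizing) the object.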
3.2 TPM Vulnerabilities
When graded against other standards, TPM comes out as highly secure, but that is not to say it is immune to all attacks. There are several vulnerabilities that can allow an attacker to circumvent the protection a TPM provides. The sections below explain a few vulnerabilities that attackers can use against a TPM, and the mitigation techniques one could deploy to manage the risk.

Dictionary Attack
TPM authorization relies on a 20-byte authorization code known to the requestor, which, if not properly locked down, can result in an attacker guessing their way past the authorization. The TCG issues guidance on how best to mitigate and prevent these attacks; however, the guidance is not very specific and leaves the details to the implementer. For example, one could implement a design in which the TPM refuses further input whenever it encounters more than 3 failed attempts. This would effectively prevent online dictionary attacks, but it also creates a Denial-of-Service opportunity, since an attacker can lock out the legitimate user with a handful of bad guesses.

Preventing online dictionary attacks is one thing, but where the threat really comes into play is with an offline attack. This vulnerability arises when the authorization code is easily guessable, in other words poorly chosen. An attacker observes a given command, the associated keyed-hash message authentication code (HMAC) sent by the requestor, and finally the TPM's response. The HMAC is computed, using the authorization code as the key, over the command digest, the session handle and the nonces, all of which travel in the clear. The attacker can therefore run a dictionary attack entirely offline, computing the HMAC for each candidate authorization code and comparing it with the captured value. A match provides the attacker with the correct authorization code.
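The following added Go example, written for this page rather than taken from it or from any TPM stack, puts the OIAP HMAC of 3.1.1 and the offline dictionary attack just described side by side. The password, the dictionary and the command bytes are constructed; the HMAC input layout follows TPM 1.2 (SHA-1 of the command parameters, then the TPM's nonceEven, the caller's nonceOdd and the continue flag), but the exact parameter encoding of a real command is omitted. It also shows why the same HMAC cannot simply be replayed: the TPM's nonce changes every command.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
)

// authData is the 20-byte secret TPM 1.2 authorization is built on: the SHA-1 of
// the owner or key password. A weak password makes it cheap to guess offline.
func authData(password string) []byte {
	s := sha1.Sum([]byte(password))
	return s[:]
}

// oiapHMAC is the HMAC that accompanies an authorized TPM 1.2 command:
// HMAC_authData(SHA-1(ordinal || params) || nonceEven || nonceOdd || continueSession).
// nonceEven comes from the TPM and nonceOdd from the caller, so a captured HMAC
// stops verifying as soon as either nonce changes.
func oiapHMAC(auth, ordinalAndParams, nonceEven, nonceOdd []byte, continueSession bool) []byte {
	paramDigest := sha1.Sum(ordinalAndParams)
	mac := hmac.New(sha1.New, auth)
	mac.Write(paramDigest[:])
	mac.Write(nonceEven)
	mac.Write(nonceOdd)
	if continueSession {
		mac.Write([]byte{1})
	} else {
		mac.Write([]byte{0})
	}
	return mac.Sum(nil)
}

// tpmVerify is the TPM side: recompute with the stored authData and compare in
// constant time. Online guessing here is what the lockout policy rate-limits.
func tpmVerify(storedAuth, cmd, nonceEven, nonceOdd, got []byte) bool {
	return hmac.Equal(got, oiapHMAC(storedAuth, cmd, nonceEven, nonceOdd, true))
}

// capturedAuth is what an attacker on the bus sees: the command, both nonces and
// the HMAC. Nothing in it is secret except the authData used as the HMAC key.
type capturedAuth struct {
	cmd, nonceEven, nonceOdd, mac []byte
}

// offlineDictionary tests every candidate password locally against the captured
// HMAC, never touching the TPM, so the lockout policy never triggers.
func offlineDictionary(c capturedAuth, dictionary []string) (string, bool) {
	for _, pw := range dictionary {
		if hmac.Equal(c.mac, oiapHMAC(authData(pw), c.cmd, c.nonceEven, c.nonceOdd, true)) {
			return pw, true
		}
	}
	return "", false
}

func nonce() []byte {
	b := make([]byte, 20)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func main() {
	stored := authData("summer2019")        // weak owner password, constructed
	cmd := []byte{0x00, 0x00, 0x00, 0x42}    // constructed stand-in for ordinal || params
	ne, no := nonce(), nonce()
	mac := oiapHMAC(stored, cmd, ne, no, true)
	fmt.Println("TPM accepts genuine command:", tpmVerify(stored, cmd, ne, no, mac))
	fmt.Println("replay after TPM issues a new nonceEven:", tpmVerify(stored, cmd, nonce(), no, mac))

	dict := []string{"password", "letmein", "summer2018", "summer2019", "Tr0ub4dor&3"}
	pw, found := offlineDictionary(capturedAuth{cmd, ne, no, mac}, dict)
	fmt.Println("offline recovery:", pw, found)
}
```

The mitigation the page points to follows directly from the code: the only input the attacker cannot read off the bus is the authData, so its entropy is the entire security margin, and no lockout counter inside the TPM changes that.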
This offline attack bypasses the TPM's lockout policy, and although the attacker must sift through the candidate authorization codes, the method is a viable means of attack because it can reasonably be executed given enough time and computing resources. The mitigation comes down to proper configuration and ensuring that the authorization code is not easily guessable.

DRAM Attack
Though this attack is not directly against the TPM, it is worth mentioning as it is a viable way to circumvent the protection the TPM's authorization protocols provide. The TPM keeps its keys within its own non-volatile memory; however, once a key has been released to a requesting application, it sits in Dynamic Random-Access Memory (DRAM). It is well known that DRAM retains its contents briefly after power loss and can be read out to extract valuable information (keys, passcodes, etc.), and this has been demonstrated against Microsoft's BitLocker encryption utility (the cold boot attack). During boot, Windows would have the TPM release the encryption keys into DRAM before even prompting the user. Given this, an attacker could dump the raw memory to an external device, obtain the keys, and then use those keys to decrypt the disk. This flaw enabled attackers to gain access to data on stolen laptops, even with full disk encryption. This shows how much depends on how a system is designed and on ensuring that every detail is accounted for. Even if your system has a TPM, it is only going to be as secure as the weakest component within the overall system.

OIAP Replay Attack
Replay attacks are a method used by many attackers across a multitude of systems. TPM is no exception and is vulnerable to replay attacks because of several characteristics. First, a TPM Object-Independent Authorization Protocol (OIAP) session can be left open for an indefinite period.
Second, the authorized session is closed by the requestor only when an abnormal message is received. Finally, the HMAC that wraps the message can detect alterations to the message but cannot distinguish between a deliberate alteration and a simple network error.

For example, an attacker first captures a requestor's authorized command for later use. The attacker then sends an abnormal message to the requestor, which fools it into resetting the session. The requestor cannot distinguish the abnormal message from a network error, so no concern is raised. Since there is no concern, the TPM keeps the authorized session open, allowing the attacker to replay the previously captured command through the open session. This could let the attacker change or even overwrite a subsequent command issued by the requestor. The TPM would not be able to detect this type of attack, which is truly concerning given the foundational principles of TPM and its assurance of being able to detect unauthorized modifications to data.

3.3 TPM Attestation
Attestation is the method a platform uses to prove to another platform that it is in a particular configuration by using a digitally signed set of cryptographic hash values, which creates trust between platforms (Fisher, McCune, Andrews, 2011). The network server first creates a cryptographic random value (used to prevent replay attacks) called a nonce, which is then sent to the client. Software on the client then sends the nonce to the TPM and specifies an identity key. The TPM hashes the PCR values along with the nonce and then signs the hash with the private identity key. The client software sends this back to the server, which verifies the signature using the public portion of the identity key and checks that the reported PCR values match the expected configuration. This process provides hardware-based assurance that software on these platforms has not been modified (Osborn & Challener, 2013).
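The exchange just described, as an added Go example that is not part of the original page and not code from any TPM vendor or attestation product: the server issues a nonce, the client "TPM" signs a hash of its PCR composite together with that nonce using the AIK private key, and the server verifies the signature, the nonce and the PCR values. The AIK, the PCR composites and the nonce length are constructed; the signature is plain RSA PKCS#1 v1.5 over SHA-256 rather than a TPM quote structure, and AIK certification by a privacy CA (covered in the next paragraph) is assumed to have happened already, so the server simply trusts the AIK public key it holds.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Quote is what the client returns: the PCR composite it claims, the nonce it was
// given, and the TPM's signature over a hash of both, made with the AIK.
type Quote struct {
	PCRDigest [32]byte
	Nonce     []byte
	Signature []byte
}

// quoteDigest is the message the TPM signs. Binding the nonce into it is what
// stops an old quote from being replayed in answer to a later challenge.
func quoteDigest(pcrDigest [32]byte, nonce []byte) [32]byte {
	return sha256.Sum256(append(pcrDigest[:], nonce...))
}

// tpmQuote models TPM_Quote: the AIK private key never leaves the TPM; only the
// signature does. pcrDigest is a constructed stand-in for the selected PCRs.
func tpmQuote(aik *rsa.PrivateKey, pcrDigest [32]byte, nonce []byte) (Quote, error) {
	d := quoteDigest(pcrDigest, nonce)
	sig, err := rsa.SignPKCS1v15(rand.Reader, aik, crypto.SHA256, d[:])
	if err != nil {
		return Quote{}, err
	}
	return Quote{PCRDigest: pcrDigest, Nonce: nonce, Signature: sig}, nil
}

// verifier is the server side. It remembers the nonce it issued for the current
// challenge and the PCR digest it expects from a healthy platform.
type verifier struct {
	aikPub   *rsa.PublicKey
	expected [32]byte
	issued   []byte
}

func (v *verifier) challenge() []byte {
	v.issued = make([]byte, 20)
	if _, err := rand.Read(v.issued); err != nil {
		panic(err)
	}
	return v.issued
}

// verify checks, in order: the quote answers the outstanding challenge, the
// signature was made by the certified AIK, and the PCRs match the known-good state.
func (v *verifier) verify(q Quote) error {
	if v.issued == nil || !bytes.Equal(q.Nonce, v.issued) {
		return errors.New("nonce mismatch: stale or replayed quote")
	}
	d := quoteDigest(q.PCRDigest, q.Nonce)
	if err := rsa.VerifyPKCS1v15(v.aikPub, crypto.SHA256, d[:], q.Signature); err != nil {
		return errors.New("signature invalid: not signed by the AIK")
	}
	if q.PCRDigest != v.expected {
		return errors.New("PCR digest differs from the known-good configuration")
	}
	v.issued = nil // a nonce is single use
	return nil
}

func main() {
	aik, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	good := sha256.Sum256([]byte("constructed PCR composite of a healthy boot"))
	srv := &verifier{aikPub: &aik.PublicKey, expected: good}

	q, _ := tpmQuote(aik, good, srv.challenge())
	fmt.Println("fresh quote:", srv.verify(q))
	fmt.Println("replayed quote:", srv.verify(q))

	n := srv.challenge()
	q2, _ := tpmQuote(aik, sha256.Sum256([]byte("rootkit loaded")), n)
	fmt.Println("tampered platform:", srv.verify(q2))

	q2.PCRDigest = good // claiming the good state without the AIK's signature over it
	fmt.Println("forged PCR claim:", srv.verify(q2))
}
```

The order of the checks in verify matters: the nonce is compared first so that a replayed or unsolicited quote is rejected before any signature work is done, and the PCR comparison comes last because a valid signature over the wrong PCRs is still a genuine statement from the TPM, just one that says the platform is not in the state the server requires.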
Figure 5 provides a visual representation of attestation as given by Osborn & Challener (2013).

Figure 5: Attestation

In order for the attestation process to be valid, however, it must be possible to prove that the TPM values from the client are not being spoofed. This is accomplished using a few key components: attestation identity keys (AIKs), which are created by the TPM and securely stored on disk before being reloaded into volatile TPM memory; endorsement keys (EKs), which are burned in by the manufacturer at the time the TPM chip is made; and a privacy certificate authority (CA), which is a third-party validation entity.

The first step of this process occurs when the public half of the AIK and the EK certificate are sent to the CA. The CA uses the EK certificate to verify that the request comes from a valid TPM by checking it against a list of all valid TPM manufacturers' public keys. The CA then puts the public AIK in a certificate and encrypts it with the public EK. This ensures that the only party able to decrypt it is the TPM holding the corresponding private EK, the same TPM that generated the AIK, which confirms that the TPM of the requesting platform is genuine and, therefore, that the attestation it produces can be trusted (Uppal & Brandon, 2011).

3.4 Application of TPM
With the ever-evolving landscape of technology, there is an increased need for faster, more reliable and more secure methods of protecting private and personal data. TPM is a product of those evolving requirements and has consequently been incorporated into many different kinds of applications. This section expands upon those applications and looks into how TPM is utilized within the industry today.

Encryption
One of the most common uses of TPM is to ensure the confidentiality of user data by providing full encryption capabilities for disks and file systems. Full disk encryption uses symmetric encryption of the volume with a key that is protected by the TPM and, optionally, by a user-supplied passcode; the key is established during initial configuration and released at system boot.
This protects against the loss of the disk drive and facilitates disposal or repurposing of the drive, since deleting the keys effectively wipes the drive. The same method is used for the encryption of file systems and can be applied to protect specific nodes.

Policy Enforcement
With Bring-Your-Own-Device (BYOD) policies becoming more and more prevalent within commercial businesses, TPM has found a use as a policy enforcement mechanism for remote access. TPM can be used to establish trust and verify a device's integrity before allowing a remote connection to an organization's intranet. This use of TPM consists of a series of hashes that measure the predefined sequence of code loads, starting with the boot of the BIOS and continuing through the loading of the applications. The chain of hash measurements is then compared to the stored value in order to validate the system's integrity. This is very useful for establishing the base operating environment and developing a baseline on which access control policies can be built.

Password Protection
TPM protected storage provides a method of storing encryption/decryption keys as well as managing user passwords. Typically, a password manager retrieves the encrypted password from the TPM, decrypts it, and then sends it to the client application for validation. Since the passwords are usually sent to the client applications in plain text, this is a serious vulnerability for which TPM can provide a solution. Using the 20-byte authorization code, a TPM object is created for each user password, with the password saved in the object's authorization field. To verify a password, an application sends an OIAP-authorized request to access the TPM object. The TPM's response to this request indicates whether the password was correct or not.
As a plus, this serves as both password storage and verification, with the password never being sent to the application, thus eliminating the vulnerability associated with plain text.

3.5 TPM Future
TPM is compatible with many hardware and software platforms in use in today's commercial markets and is already in use by several major business functions, including banking, e-commerce, biometrics and even antivirus applications. Looking forward, TPM will play an even bigger role in the evolving mobile market, providing enhanced security for cell phones, GPS tracking systems, tablets and more. TPM can be used to protect the mobile operating system (OS) from being modified by attackers and can further secure authorized access through a hardware-backed digital signature solution. For GPS devices, TPM can be used to protect against the modification of system-defined location parameters, thus preventing an attacker from adjusting those parameters to suit their ends.

The biggest constraint facing TPM's adoption within the mobile realm is the space and power limitations of mobile devices. Research is being done on whether a mobile instantiation of TPM should be based on firmware, software or hardware. A hardware implementation would be the most secure; however, the firmware-based option will likely prove to be the best approach, as it balances the security of the device against the size limitations.

TPM is also being looked at with regard to providing security enhancements for cloud-based services. Cloud computing has migrated most of the standard desktop to a virtual and remotely