Trusted Platform Module (TPM)

From TBP Wiki
Jump to: navigation, search

TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.

The nature of hardware-based cryptography ensures that the information stored in hardware is better protected from external software attacks. A variety of applications storing secrets on a TPM can be developed. These applications make it much harder to access information on computing devices without proper authorization (e.g., if the device was stolen). If the configuration of the platform has changed as a result of unauthorized activities, access to data and secrets can be denied and sealed off using these applications.

However, it is important to understand that TPM cannot control the software that is running on a PC. TPM can store pre-run time configuration parameters, but it is other applications that determine and implement policies associated with this information. Processes that need to secure secrets, such as digital signing, can be made more secure with a TPM. And mission critical applications requiring greater security, such as secure email or secure document management, can offer a greater level of protection when using a TPM. For example, if at boot time it is determined that a PC is not trustworthy because of unexpected changes in configuration, access to highly secure applications can be blocked until the issue is remedied (if a policy has been set up that requires such action). With a TPM, one can be more certain that artifacts necessary to sign secure email messages have not been affected by software attacks. And, with the use of remote attestation, other platforms in the trusted network can make a determination, to which extent they can trust information from another PC. Attestation or any other TPM functions do not transmit personal information of the user of the platform.

The Trusted Computing Group (TCG) is an international de facto standards body of approximately 120 companies engaged in creating specifications that define PC TPMs, trusted modules for other devices, trusted infrastructure requirements, APIs and protocols necessary to operate a trusted environment. After specifications are completed, they are released to the technology community and can be downloaded from the TCG Web Site.