Trusted Platform Module (TPM)

19th May 2017

Andrés Dorado Hamann

https://evilham.com

Outline

Why does TPM exist?

Why does TPM exist?

[…] if the attacker can control the machine, we must not use that machine to handle our cryptography. If we cannot trust the host, we must look elsewhere for something else to which we can entrust our keys. […]

Handbook of Information Security - Volume 3

Why does TPM exist?

Trust

"Assured reliance on the character, ability, strength or truth of someone or something."

Why does TPM exist? — Trust

Why does TPM exist? — Trust

Why does TPM exist? — Trust

Why does TPM exist? — Trusting computers

But can we trust computers?

Why does TPM exist? — Trusting computers

Can we trust computers?

No, not entirely — human product after all


[…] if the attacker can control the machine, we must not use that machine to handle our cryptography. […]

Handbook of Information Security - Volume 3

Why does TPM exist? — Trusting computers

According to darkreading.com, in 2016:


And 2017 is already not looking good:

What is TPM?

What is TPM?

[…] The idea of a hardware security model is to separate out the cryptographic key storage and processing functions into a device that we do trust. […]

Handbook of Information Security - Volume 3

What is TPM?

A Trusted Platform Module (TPM) is:

[…] a hardware component that uses its own internal firmware and logic circuits for processing instructions. […]

What is TPM?

Brief history of TPM

What is TPM?

Features of TPM

What is TPM?

Crypto TPM facts

How does TPM work?

How does TPM work?

[…] Such a device should have a simple and strictly defined interface, and if physical access is an issue, it should also resist tampering. […]

Handbook of Information Security - Volume 3

How does TPM work?

TPM 2.0 hierarchies

Software
(Firmware,
OS, ...)
TPM
Platform
Storage
Endorsement

How does TPM work?

TPM 2.0 Encryption

Software
(Firmware,
OS, ...)
GenKey(algorithms,
size, policy, type,
unique data)
Key id
Encrypt(algorithms,
key id, data)
Encrypted data
TPM
Platform
Storage
Endorsement

How does TPM work?

TPM 2.0 Decryption

Software
(Firmware,
OS, ...)
GenKey(algorithms,
size, policy, type,
unique data)
Key id
Decrypt(algorithms,
key id,
encrypted data)
Data
TPM
Platform
Storage
Endorsement

How does TPM work?

TPM 2.0 Policies

Policies define key usage. Can be a very complex combination of:

How does TPM work? — BitLocker

BitLocker encryption

Data
Full volume encryption Key
Volume master key
Key protectors

How does TPM work? — BitLocker

BitLocker key protectors

How does TPM work? — BitLocker

BitLocker
Load BitLocker
Read metadata
GenKey(policy,
unique data)
Key id
Decrypt(key id,
encrypted data)
Data
Protector Key = Data + PIN
TPM
Platform
Storage
Endorsement

Issues with TPM

Issues with TPM

Issues with TPM

Questions?

Thank you!

Sources can be found online after this slide

https://evilham.com/en/slides/2017-TPM

Sources

Picture and quote sources can be found in the respective slide.

Researched material:

Sources

Sources