- Why Are Trusted Platforms Being Developed?
- The Trusted Computing Platform Alliance and the TCPA Specification
- What Is a Trusted Platform?
- Basic Concepts in the Trusted Platform Model
- Basic Functionalities of a Trusted Platform
- Benefits of Using Trusted Computing Technology
- Summary of TCPA Technology
Basic Functionalities of a Trusted Platform
A Trusted Platform is a normal open computer platform that has been modified to maintain privacy. It does this by providing the following basic functionalities:
A mechanism for the platform to show that it's executing the expected software
A mechanism for the platform to prove that it's a Trusted Platform while maintaining anonymity (if required)
Protection against theft and misuse of secrets held on the platform
We'll consider each of these requirements in turn.
Integrity Measurement and Reporting
Starting from a root of trust in hardware, a Trusted Platform performs a series of measurements that record summaries of software that has executed (or is executing) on a platform. This process is illustrated in Figure 2. Starting with the CRTM, there's a boot-strapping process by which a series of Trusted Subsystem components measure the next component in the chain (and/or other software components) and record the value in the TPM. By these means, each set of software instructions (binary code) is measured and recorded before it's executed. Rogue software cannot hide its presence in a platform because, after it's recorded, the recording cannot be undone until the platform is rebooted. The platform uses cryptographic techniques to communicate the measurements to an interested party, so the recorded values cannot be changed in transit.
Figure 2 The measurement process for a Trusted Platform.
Creation of Trusted Identities
It remains, therefore, to prove that the measurements were made reliably. This is the same as proving that a platform is a genuine Trusted Platform. That proof is provided by cryptographic attestation identities, and the process is illustrated in Figure 3. Each identity is created on the individual Trusted Platform, with attestation from a PKI Certification Authority (CA). Each identity has a randomly generated asymmetric cryptographic key and an arbitrary textual string used as an identifier for the pseudonym (chosen by the owner of the platform). To obtain attestation from a CA, the platform's owner sends the CA information that proves that the identity was created by a genuine Trusted Platform. This process uses signed certificates from the manufacturer of the platform and uses a secret installed in the new (in the sense of unique) hardware in a Trusted Platform; that is, the Trusted Platform Module (TPM). That secret is known only to the Trusted Platform and is used only under control of the owner of the platform. That secret never needs to be divulged to arbitrary third parties; the cryptographic attestation identities are used for such purposes.
Figure 3 Obtaining proof that a platform is a Trusted Platform.
A TPM is a secure portal to potentially unlimited amounts of protected storage, although the time to store and retrieve particular information could eventually become large. The portal is intended for keys that encrypt files and messages, keys that sign data, and for authorization secrets. For example, a CPU can obtain a symmetric key from a TPM and use it for bulk encryption, or can present data to a TPM and request the TPM to sign that data. The portal operates as a series of separate operations on individual secrets. Together, these operations make a tree (hierarchy) of TPM protected objects (also referred to in the TCPA specification as "blobs of opaque information," which could either be "key blobs" or "data blobs"), each of which contains a secret encrypted ("wrapped") by the key above it in the hierarchy. But the TPM knows nothing of this hierarchy. It's simply presented with a series of commands from untrusted software that manages the hierarchy. An example of such a hierarchy is illustrated in Figure 4.
Figure 4 A storage hierarchy.
An important feature that's peculiar to Trusted Platforms is that a TPM protected object can be "sealed" to a particular software state in a platform. When the TPM protected object is created, the creator indicates the software state that must exist if the secret is to be revealed. When a TPM unwraps the TPM protected object (within the TPM and hidden from view), the TPM checks that the current software state matches the indicated software state. If they match, the TPM permits access to the secret. If they don't match, the TPM denies access to the secret.