
Abstract

Trusted Computing (commonly abbreviated TC) is a technology developed and
promoted by the Trusted Computing Group (TCG). The term is taken from the field of
trusted systems and has a specialized meaning. In this technical sense, "trusted" does not
necessarily mean the same as "trustworthy" from a user's perspective. Rather, it means
that the system can be trusted more fully to follow its intended programming, with a lower
possibility of activities occurring that are forbidden by its designers and other software
writers.
Trusted Computing is controversial. Advocates of the technology claim that it will make
computers safer, less prone to viruses and malware, and thus more reliable from an end-user perspective. Further, they state that Trusted Computing will allow computers and
servers to offer improved computer security over that which is currently available.
Opponents believe that trust in the underlying companies is not deserved and that the
technology puts too much power and control into the hands of those who design systems
and software. They also believe that it potentially forces consumers to lose anonymity in
their online interactions, as well as mandating technologies that many have no pressing
need for.
A number of prominent security experts have spoken out against Trusted Computing as
they believe it will provide computer manufacturers and software authors with increased
control to impose restrictions on what users are able to do with their computers. There are
concerns that TC would have (or may even covertly be intended to have) a large anti-competitive effect on the free software markets, private software development, and the IT
market in general.

TRUSTED PLATFORM MODULE

Chapter 1 : New Security Challenges of Today

There has been a great deal of talk about computer security in recent years as more and
more systems gain access to the Internet. Worms, viruses, trojans, spyware, and other
kinds of malware that seem to work their way through many lines of defense can make
using and maintaining a connected computer quite a chore. Due to this, a variety of
companies, consortia, and standards bodies exist with the expressed purpose of
developing solutions to make our computing experience safer and more confidential.
Trusted computing, one of the more contentious realms within this broad field, received a
lot of negative attention with the announcement of Microsoft's Palladium initiative (now
called the Next Generation Secure Computing Base, or NGSCB) a few years ago. The
Trusted Platform Module (henceforth TPM), a hardware chip developed by the Trusted
Computing Group (henceforth TCG), provides many of the security and confidentiality
features essential to the initiative.
Business and commerce depend on trust. With the growth of the Internet, wireless
communication technologies and connected mobile computing, trust has become a
pivotal issue for e-Commerce. Since notebook PCs are increasingly used for e-Commerce, there is a growing need to make the notebook platform more trustworthy. As
the mobility of the platform increases, it becomes more and more susceptible to theft.
Stolen data is often regarded as being more valuable than the notebook hardware itself.
Thus, the need to protect user data and secrets is underscored in a mobile computing
environment.


Chapter 2 : Need For a Trusted Platform

A Trusted Platform is a computing platform that has a trusted component,
probably in the form of built-in hardware, which it uses to create a foundation
of trust for software processes. The computing platforms listed in the TCPA
specification are one such type of Trusted Platform. Although different types of
Trusted Platforms could be built, we concentrate in particular on the (version 1.1)
instantiation specified by the TCPA industry standard.
In the Spring of 1999, the Trusted Computing Platform Alliance (TCPA) was
chartered to encourage industry participation in the development and adoption
of an open specification for an improved computing platform. The TCPA
participants agreed that the specification for the trusted computing PC platform
should focus on two areas: ensuring privacy and enhancing security. TCPA
members include Intel*, Microsoft*, Infineon*, National*, Atmel*, and a large
number of other organizations.
The objective of the TCPA is to complement existing capabilities, including the
X.509 standard for digital certificates, IPSEC (Internet Protocol Security
Protocol), IKE (Internet Key Exchange), VPN (Virtual Private Network), PKI
(Public Key Infrastructure), PC/SC Specification for smart cards, biometrics,
S/MIME (Secure Multi-purpose Internet Mail Extensions), SSL, SET (Secure
Electronic Transaction), IEEE 802.11 WEP, IEEE 802.1x, etc. The TCPA
provides for a platform root of trust, which uniquely identifies a particular
platform, and provides various crypto capabilities including hardware-protected
storage. The Trusted Platform Module (TPM) is defined as a hardware
instantiation of the TCPA specification. The current revision of the TCPA main
specification is version 1.1a.

2.1 Notebook Security Threats

Notebook computers are exposed to several security threats. Notebook security threats
can be broadly classified into:
2.1.1 Physical data theft :
This threat arises from the fact that notebook computers are more susceptible to being stolen
than their desktop counterparts. Once stolen, notebooks can be subject to a variety of
hardware as well as software attacks. It is often found that the stolen data is more
valuable than the cost of the notebook hardware.
2.1.2 Data communication attack :
Notebooks often operate outside of corporate firewalls. Also, they use various means of
communication to access the corporate network or the Internet. There are a number of
ways in which a determined hacker can attack the communication channel used by the
notebook to steal the data being transmitted and received. This poses a threat to sensitive data resident
on the notebook as well as to sensitive data resident on the network. Furthermore, this poses a
threat to the entire network, as a compromised communication channel can be vulnerable
to various types of attacks on different critical pieces of the network infrastructure.


Chapter 3 : Trusted Platform Module


The Trusted Platform Module is a component on the desktop board that is
specifically designed to enhance platform security above and beyond the
capabilities of today's software by providing a protected space for key
operations and other security-critical tasks. Using both hardware and software,
the TPM protects encryption and signature keys at their most vulnerable stage:
operations in which the keys are being used unencrypted, in plain-text form.
The TPM is specifically designed to shield unencrypted keys and platform
authentication information from software-based attacks.

3.1 System Requirements :

Intel Desktop Board D865GRH

Microsoft Windows Professional (SP4) or Microsoft Windows XP (SP1)

NTFS File System is Required

Microsoft Internet Explorer 5.5 or above

3.2 Security Precautions


Security, like any other aspect of computer maintenance, requires planning.
What is unique about security has to do with understanding who are "friends"
and who are adversaries. The TPM provides mechanisms to enable the
owner/user to protect their information from adversaries. To provide this
protection the TPM effectively puts "locks" around the data. Just like physical
locks, if keys or combinations are lost, the assets (i.e., data) may be inaccessible
not only to adversaries, but also to the asset owner/user.
The TPM provides two classes of keys: migratable and non-migratable.
Migratable keys are designed to protect data that can be used (i.e.,
unencrypted) on more than one platform. This has the advantage of allowing
the key data to be replicated (backed up and restored) to another platform.
This may be for reasons of user convenience (someone uses more than one
platform, or the data needs to be available to more than one person operating
on different platforms). This type of key also has the advantage that it can
be backed up and restored from a defective platform onto a new platform.
However, migratable keys may not provide the level of protection needed for the
application (e.g., the user wants the data restricted to a single platform).
This requires a non-migratable key. Non-migratable keys carry
with them a usage deficit in that, while the key may be backed up and restored
(i.e., protected from hard disk failure), they are not protected against system or
TPM failure. The very nature of a non-migratable key is that it can be used
on one and only one TPM. In the event of a system or TPM failure, all non-migratable
keys and the data associated with them will be inaccessible and
unrecoverable.


3.3 Enabling the Trusted Platform Module :


The Trusted Platform Module ships disabled by default to ensure that the owner/end
customer of the system initializes the TPM and configures all security
passwords. The owner/end customer should use the following steps to
enable the TPM:
1. While the PC is displaying the splash screen (or POST screen), press the <F2>
key to enter BIOS.
2. Use the arrow keys to go to the Advanced menu, select Peripheral
Configuration, and then press the <Enter> key.
3. Select Trusted Platform Module, press <Enter>, select Enabled and
press <Enter> again (the display should show: Trusted Platform Module
[Enabled]).
4. Press the <F10> key, select Ok and press <Enter>.
5. The system should reboot and start Microsoft Windows.

3.4 Binding Information to the Platform :


Certain types of critical data can be logically bound to the platform on which they can be
used. Data that is bound to a particular platform is only accessible by that platform if the
conditions specified in the binding are met. If this data migrates to a different platform, or
if the specific binding conditions on the same platform are not met, the data cannot be
accessed.
Specific hardware and/or software configuration information about the platform can be
used to implement the logical binding of critical information to it. Such information about
the platform is calculated by the TPM software stack and stored into the Platform
Configuration Registers (PCR) available within the TPM. While binding secret data to
the platform, the TPM merges the data together with the values contained in one or more
PCR registers and then encrypts the combination as a whole. At a later time, when the
secret data needs to be accessed, the values of the necessary platform configurations are
calculated and the data is released for use only if the calculated and stored values match.


3.5 Example Application (Microsoft* Outlook)


The illustration below shows how the TPM can be used through Microsoft* Outlook to
acquire an email signing/encryption certificate from a TTP such as Verisign*, and carry
out email signing and encryption.


Chapter 4 : Architecture of TPM

The TPM itself consists of several major components, as depicted below. A brief
description of each follows, with a more detailed explanation of each part available from
the specification itself.
I/O Controller
The I/O Controller is a fairly simple component and has a fairly loose specification. It
manages the TPM's interface and communication to the outside platform as well as
controlling and routing internal signals. Additionally, it enforces all the access control
required by the opt-in mechanism and other components.


Cryptographic Co-Processor
The Cryptographic Co-Processor (CCP), a major subdivision of the TPM, contains the
various cryptographic engines used by the TPM as well as the Random Number
Generator vital to these components. Its functionality must include at least RSA key
generation, RSA encryption/decryption, SHA-1 hashing, and random number generation
for the sake of interoperability. However, the specification explicitly allows other
asymmetric algorithms such as DSA or elliptic curve. All storage keys and identity keys
must at least match the strength of a 2048 bit RSA key, which should be enough to offer
sufficient protection from malicious access. One important distinction to make is that the
CCP is not a cryptographic accelerator, and no minimum throughput numbers appear at
any point in the specification.
RSA Engine
The RSA Engine must support 512, 768, 1024, and 2048 bit keys, with a minimum
recommended size of generated keys being 2048 bits. The specification does not require
any particular implementation of RSA, which allows the implementer some flexibility. It
does specify a public exponent of 2^16 + 1. All signing done within the TPM must use
RSA encryption or risk the signature not being accepted by other TPM devices.
SHA-1 Engine
The SHA-1 Engine provides the primary hash algorithm used by the TPM and requires
160-bit keys. The HMAC Engine, whose implementation is dictated in RFC 2104 and
involves turning a keyless hash function into a keyed hash by incorporating a
cryptographic key, allows the chip to detect proof of knowledge of AuthData (discussed
later) and proof that incoming requests are authorized and have not been tampered with
prior to arriving.
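As an added illustration (not code from this paper or from the TCG specification), the following Python simulates how the HMAC engine lets the TPM check proof of knowledge of AuthData and reject requests that were tampered with or replayed; the command ordinal, the nonce exchange and the field layout are assumptions for the demo, not the exact TCPA wire format.

```python
import hashlib
import hmac
import secrets


class TPMAuthSession:
    """Simulated authorization check built on the HMAC engine the text describes.

    The protected object (here a key) has AuthData, a 20-byte secret the TPM holds.
    The caller never sends AuthData; it proves knowledge of it by keying an HMAC over
    the command, and fresh nonces from the TPM's RNG make each proof single-use.
    """

    def __init__(self, auth_data):
        self._auth_data = auth_data     # secret inside the TPM, never exported
        self._nonce_even = None         # nonce the TPM issued for the next command

    def open_session(self):
        """TPM side: issue a fresh nonce for the next authorized command."""
        self._nonce_even = secrets.token_bytes(20)
        return self._nonce_even

    @staticmethod
    def authorize(auth_data, nonce_even, nonce_odd, ordinal, params):
        """Caller side: HMAC keyed with AuthData over SHA-1(ordinal || params) and both nonces."""
        param_digest = hashlib.sha1(ordinal.to_bytes(4, "big") + params).digest()
        return hmac.new(auth_data, param_digest + nonce_even + nonce_odd, hashlib.sha1).digest()

    def execute(self, ordinal, params, nonce_odd, auth_hmac):
        """TPM side: recompute the HMAC with its own AuthData copy; reject on any mismatch."""
        if self._nonce_even is None:
            return False, "no open session"
        expected = self.authorize(self._auth_data, self._nonce_even, nonce_odd, ordinal, params)
        self._nonce_even = None         # nonce consumed: a replayed HMAC cannot verify again
        if not hmac.compare_digest(expected, auth_hmac):
            return False, "authorization failed"
        return True, "command executed"


ORD_SIGN = 0x3C   # command ordinal used by this demo (assumption, not taken from the spec text)


def demo():
    """Run four requests; returns (accepted, tampered_rejected, wrong_key_rejected, replay_rejected)."""
    auth_data = hashlib.sha1(b"owner password").digest()   # AuthData is a 20-byte secret
    tpm = TPMAuthSession(auth_data)
    params = b"hash-to-sign"

    # 1. Legitimate caller knows AuthData: accepted.
    ne = tpm.open_session()
    no = secrets.token_bytes(20)
    ok, _ = tpm.execute(ORD_SIGN, params, no,
                        TPMAuthSession.authorize(auth_data, ne, no, ORD_SIGN, params))

    # 2. Parameter altered in transit after the HMAC was computed: rejected.
    ne = tpm.open_session()
    no = secrets.token_bytes(20)
    good_hmac = TPMAuthSession.authorize(auth_data, ne, no, ORD_SIGN, params)
    tampered, _ = tpm.execute(ORD_SIGN, b"other-hash", no, good_hmac)

    # 3. Caller who does not know AuthData: rejected.
    ne = tpm.open_session()
    no = secrets.token_bytes(20)
    wrong_key = hashlib.sha1(b"guess").digest()
    wrong, _ = tpm.execute(ORD_SIGN, params, no,
                           TPMAuthSession.authorize(wrong_key, ne, no, ORD_SIGN, params))

    # 4. Replaying the earlier valid HMAC in a new session: rejected, the TPM nonce changed.
    tpm.open_session()
    replay, _ = tpm.execute(ORD_SIGN, params, no, good_hmac)
    return ok, tampered, wrong, replay
```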


Key Generator
The Key Generator does not have a strict specification, except that it should not use data
that has existed in a non-protected location as a key and all nonces need to be taken from
the TPM's Random Number Generator (RNG).
Random Number Generator
The RNG itself consists of a state register, a collector of either entropy or unpredictable
data such as thermal noise or clock offsets, and a post-processor with a hashing function.
The state register is a protected location inside the TPM's nonvolatile memory that stores
the current state of the machine. It can also be implemented as a combination of one
volatile register and one non-volatile register, which is a bit of clever design allowing
developers to use flash RAM (which wears out after a certain number of writes) as the
non-volatile storage. The volatile register is simply written to the non-volatile register
when the TPM detects a power-down. The entropy collector filters the input data to make
sure there is no bias and makes an attempt to correct it if there is. This allows the TPM to
produce good random numbers without needing a dedicated source of hardware entropy.
Opt-In Component
The Opt-In Component maintains the state of various flags, such as whether the TPM is
enabled or disabled. An important part of this is tied to the fact that the platform operator
must be physically present at the machine in order to change the state of these flags. The
particular method of asserting physical presence is left up to the implementation, but an
example of requiring local keyboard input (which can be verified by establishing a
trusted path between the keyboard and the platform) is given.


Execution Engine
The Execution Engine does just that: executes the function calls (stored in the Program
Code section of the chip) that the chip receives on its I/O bus. The EE makes sure the
security and integrity of the chip and the data it protects is properly maintained. The TPM
ships with both volatile and non-volatile RAM for storing secret data and computational
variables.
Platform Configuration Registers (PCR)
Finally, the Platform Configuration Registers (PCR) are 160-bit storage locations for
integrity measurements. There are at least 16 PCRs on the TPM. There are a large number
of values to be measured and stored, and the result of the new measurement cannot
overwrite the old measurement (or a malicious user could overwrite a value that indicated
tampering with a known good value, subverting the detection mechanism). Thus, the
TCG came up with a clever trick to deal with the fact that each measurement must be
individually stored. As you may have noticed, the PCR contain the same number of bits
as the output of the SHA-1 Engine. This is because the PCR holds a hash of all the
previous updates, and when a new metric must be stored it just hashes the value of the
new measurement concatenated onto the old measurement. This makes it a very difficult
system to break into, as you would have to somehow reverse the hash computation
(something that is currently infeasible) to determine the input message.
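To show the PCR extend rule just described, the binding of data to PCR values from section 3.4 and the sealed storage idea of chapter 6 in working code, here is an added Python simulation; it is not the paper's or the TCG's code, and the storage root key, the keyed-stream encryption and the boot components are constructed for the demo (a real TPM encrypts sealed blobs under its own key hierarchy).

```python
import hashlib
import hmac
import secrets

PCR_SIZE = 20                    # 160-bit registers, the width of a SHA-1 digest
SRK = secrets.token_bytes(32)    # stand-in for the Storage Root Key (constructed for the demo)


class PCRBank:
    """Simulates the TPM's Platform Configuration Registers (at least 16 in TPM 1.1)."""

    def __init__(self, count=16):
        self.pcrs = [bytes(PCR_SIZE)] * count   # every register is zero after reset

    def extend(self, index, measurement):
        """PCR[i] <- SHA-1(PCR[i] || measurement): the old value is folded in, never replaced."""
        if len(measurement) != PCR_SIZE:
            raise ValueError("a measurement is a SHA-1 digest of the measured code or data")
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + measurement).digest()
        return self.pcrs[index]

    def read(self, index):
        return self.pcrs[index]


def measure(code):
    """Integrity measurement of one component (e.g. a boot loader image)."""
    return hashlib.sha1(code).digest()


def composite(bank, pcr_indexes):
    """Hash over the selected PCR values: the platform configuration the data is bound to."""
    return hashlib.sha1(b"".join(bank.read(i) for i in pcr_indexes)).digest()


def _keystream(key, nonce, length):
    # HMAC-SHA1 in counter mode, a simple keyed stream used only in this simulation.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def seal(bank, pcr_indexes, data):
    """Bind data to the current values of the chosen PCRs."""
    comp = composite(bank, pcr_indexes)
    nonce = secrets.token_bytes(16)
    key = hmac.new(SRK, comp, hashlib.sha1).digest()   # key depends on the PCR composite
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha1).digest()
    return {"pcrs": tuple(pcr_indexes), "composite": comp, "nonce": nonce,
            "ct": ciphertext, "tag": tag}


def unseal(bank, blob):
    """Release the data only if the PCRs now hold the values recorded at seal time."""
    if composite(bank, blob["pcrs"]) != blob["composite"]:
        return None                                    # configuration changed: refuse
    key = hmac.new(SRK, blob["composite"], hashlib.sha1).digest()
    expected_tag = hmac.new(key, blob["nonce"] + blob["ct"], hashlib.sha1).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None                                    # sealed blob was tampered with
    stream = _keystream(key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


def boot(bank, components):
    """Extend PCR 0 with each boot component in order, as a measuring BIOS would."""
    for _name, code in components:
        bank.extend(0, measure(code))
    return bank.read(0)


def demo():
    """Seal on a good boot, then unseal on an identical and on a modified boot."""
    # Constructed boot components; real measurements would be hashes of BIOS, option ROMs, loader.
    good_boot = [("bios", b"BIOS v1.0"), ("loader", b"LOADER v2.3")]
    bank = PCRBank()
    boot(bank, good_boot)
    blob = seal(bank, [0], b"email signing key material")

    # Same platform, same boot sequence: PCR 0 is reproduced and the data is released.
    bank_ok = PCRBank()
    boot(bank_ok, good_boot)
    released = unseal(bank_ok, blob)

    # A patched loader (or the same components in another order) gives a different PCR 0.
    bank_bad = PCRBank()
    boot(bank_bad, [("bios", b"BIOS v1.0"), ("loader", b"LOADER v2.3 (patched)")])
    refused = unseal(bank_bad, blob)
    return released, refused
```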


4.1 Certificate Chain

4.2 Endorsement Key (EK)


The Endorsement Key (EK) is a public/private key-pair. The size of the key-pair
is mandated to have a modulus (a.k.a. key size) of 2048 bits. The private
component of the key-pair is generated within the TPM and is never exposed
outside the TPM. The EK is unique to the particular TPM and therefore the
particular platform. There are two ways to generate the EK. The first method is
to use the TPM command specified for this purpose
(TPM_CreateEndorsementKeyPair). The second method is called squirting, in
which the TPM manufacturer can squirt an externally generated EK into the
TPM during the manufacturing process.
Note that much of the value (or trust) associated with the TPM comes from the
fact that the EK is unique and that it is protected within the TPM at all times.
This property is certified by the Endorsement Certificate (Cert). The party
that provides the EK is not necessarily the same party that provides the Endorsement Cert.

4.3 Attestation Identity Key (AIK)


AIKs are used to provide platform authentication to a service provider. This is
also called pseudo-anonymous authentication and is different from user
authentication.

4.4 Certificates
Three types of certificates that may be stored in the TPM are: Endorsement
Certificate (Endorsement Cert), Platform Cert, and Conformance Cert. The
Endorsement Cert contains the public key of the EK. The purpose of the
Endorsement Cert is to provide attestation that the particular TPM is genuine,
i.e. that the EK is protected.
The Platform Cert is provided by the platform vendor and provides attestation
that the security components of the platform are genuine.


Chapter 5 : Trusted Computing


Trusted Computing (TC) is a generic term that describes a technology which, through a
combination of software and hardware enhancements, aims to provide a way to prove that
a platform is in the software state that it claims to be in. It is an ambitious initiative that
would allow users and third parties to verify that a platform is in a state that is known to be
secure. TC encompasses several initiatives including Next-Generation Secure Computing
Base (NGSCB) by Microsoft, LaGrande by Intel Corporation and Trusted Computing
Platforms by the Trusted Computing Group (TCG). In essence, all these initiatives strive
to achieve a similar objective. In this paper, TC refers to the Trusted Computing Platforms
initiative driven by the TCG.
The TCG is an organization, formerly known as the Trusted Computing Platform Alliance
(TCPA), which promotes and develops specifications for trusted computing and security
technologies [3]. With its promoting members including big-name players such as
Microsoft, Intel Corporation, AMD and IBM, to name a few, TC is making sure-footed
progress towards the mass market, with some products already available.
As with most initiatives of such a scale, TC has been at the center of controversies. There
have been numerous accusations, one of the most notable being that by Ross Anderson of
Cambridge University [1], accusing TC of being an anti-competitive technology designed
to lock in users and to enforce DRM. While some accusations represent various potential
misuses of the technology, including privacy issues, many remain subjective
speculations. Thus, an objective analysis of TC is necessary so as to inform potential
users of the prospective implications of the technology. This paper focuses on the potential
implications for its users' privacy, both its promises and limitations.


Chapter 6 : Key Concepts of Trusted computing


Trusted computing encompasses five key technology concepts, of which all are required
for a fully trusted system.
a) Endorsement Key
b) Secure Input and Output
c) Memory curtaining / Protected execution
d) Sealed storage
e) Remote attestation
Endorsement Key

"The endorsement key is a 2,048-bit RSA public and private key pair, which is created
randomly on the chip at manufacture time and cannot be changed. The private key never
leaves the chip, while the public key is used for attestation and for encryption of sensitive
data sent to the chip, as occurs during the TPM_TakeOwnership command."
(David Safford). This key is used to allow the execution of secure transactions: every
TPM is required to sign a random number in order to ensure its compliance with the TCG
standard and to prove its identity; this makes it impossible for a software TPM emulator to
start a secure transaction with a 'trusted' entity. The TPM is designed to avoid the
extraction of this key by hardware analysis.
Secure I/O

Secure input and output ( I/O ) refers to a protected path between the computer user and
the software with which they believe they are interacting. On current computer systems
there are many ways for malicious software to intercept data as it travels between a user
and a software process - for example keyboard loggers and screen-scrapers. Secure I/O
reflects a hardware and software protected and verified channel, using checksums to
verify that the software used to do the I/O has not been tampered with. Malicious
software injecting itself in this path could be identified.
While it protects against software attacks, Secure I/O does not assist in protection
against hardware-based attacks such as a key capture device physically inserted between
the user's keyboard and the computer.
Memory curtaining

Memory curtaining extends the current memory protection techniques to provide full
isolation of sensitive areas of memory, for example locations containing cryptographic
keys. Even the operating system doesn't have full access to curtained memory, so the
information would be secure from an intruder who took control of the OS.
Sealed storage

Sealed storage protects private information by allowing it to be encrypted using a key
derived from the software and hardware being used. This means the data can be read only
by the same combination of software and hardware. For example, users who keep a
private diary on their computer do not want other programs or other computers to be able
to read it. Currently, a virus can search for the diary, read it, and send it to someone else.
The Sircam virus did something similar to this. Even if the diary were protected by a
password, the virus might run a dictionary attack. Alternatively, the virus might modify the
user's diary software to have it leak the text once the user unlocked the diary. Using
sealed storage, the diary is securely encrypted so that only the unmodified diary program
on the user's own computer can read it.


Remote attestation

Remote attestation allows changes to the user's computer to be detected by him and
others. That way, he can avoid having private information sent to or important commands
sent from a compromised or insecure computer. It works by having the hardware generate
a certificate stating what software is currently running. The user can present this
certificate to a remote party to show that their computer hasn't been tampered with.


Remote attestation is usually combined with public-key encryption so that the
information sent can only be read by the programs that presented and requested the
attestation, and not by an eavesdropper.

To take the diary example again, the user's diary software could send the diary to other
machines, but only if they could attest that they were running a secure copy of the diary
software. Combined with the other technologies, this provides a more secured path for
the diary: secure I/O protects it as it is entered on the keyboard and displayed on the
screen, memory curtaining protects it as it is being worked on, sealed storage protects it
when saved to the hard drive, and remote attestation protects it from unauthorized
software even when it is used on other computers.


Chapter 7 : Software Stack


The figure below illustrates the TPM software stack. At the lowest level is the TPM
hardware device, which is accessed via the TPM device driver library.

Applications can utilize the TPM either through the MS-CAPI standard interface, or by
directly implementing a communication interface with the TSS, especially for certain
TCPA functions that may not be supported by MS-CAPI.


TCPA Software Stack (TSS)


The TCPA Software Stack (TSS) comprises the modules and components that provide
the supporting functionality to the TPM. Based on the TCPA specification, certain
functions and services are outside of the scope of the TPM hardware. These functions and
services are delivered using the host CPU and system memory. The TSS provides the
necessary software architecture to support the offloading of security functions from the
TPM to the main CPU and memory resources of the system.
Microsoft* CAPI TPM Crypto Service Provider (CSP)
The Microsoft* Cryptographic API (CAPI) provides services that enable application
developers to add cryptography to their Win32 applications. Applications can use the
functions in CAPI without knowing anything about the underlying implementation of
security hardware. All cryptographic operations are performed by independent modules
known as Cryptographic Service Providers (CSPs). One CSP, the Microsoft* RSA Base
Provider, is bundled with the operating system. Each CSP provides a different
implementation of the CAPI.
Some provide stronger cryptographic algorithms while others contain hardware
components such as smartcards.
TPM CSP
The TPM CSP provides an interface between the CAPI and the TSS. Since the scope of
the TSS is much broader than that of the CAPI, several TSS capabilities are not
accessible through the CAPI. Such advanced capabilities are accessed directly through
the TSS; applications needing such capabilities have to talk to the TSS directly.


BIOS Code
The TCPA specifies the measurement of integrity of BIOS code at system startup. In
order to accomplish such integrity measurement and reporting, the system BIOS has to be
enhanced with integrity measurement functions.
Depending on the existing BIOS architecture, such enhancements can be a complex task.
Platform vendors may wish to provide various pre-boot security functions using the
TPM. The necessary code to provide such functions is either implemented directly within
the system BIOS or provided as an option ROM.


Chapter 8 : Possible applications for Trusted Computing


1. Digital rights management
Trusted Computing would allow companies to create an almost unbreakable DRM
system. An example is downloading a music file. Remote attestation could be used so that
the music file would refuse to play except on a specific music player that enforces the
record company's rules. Sealed storage would prevent the user from opening the file with
another player or another computer. The music would be played in curtained memory,
which would prevent the user from making an unrestricted copy of the file while it's
playing, and secure I/O would prevent capturing what is being sent to the sound system.
2. Tackling cheating in on-line games
Trusted computing could be used to combat cheating in multiplayer on-line games. Some
players modify their game copy in order to gain unfair advantages in the game; remote
attestation, secure I/O and memory curtaining could be used to verify that all players
connected to a server were running a genuine copy of the software.
3. Protection from identity theft
Trusted Computing could be used to prevent identity theft. Take for example, online
banking. Remote attestation could be used when the user is connecting to the bank's
server and would only serve the page if the server could produce the correct certificates.
Then when the user is sending his encrypted account number and PIN over the Internet,
anyone trying to intercept the information would have to be trusted, as remote attestation
would only release the digital key used to encrypt the account number and PIN to 'trusted'
entities.

4. Protection of biometric authentication data


Biometric devices used for authentication could use trusted computing technologies
(memory curtaining, secure I/O) to assure the user that no spyware installed on his/her
PC is able to steal sensitive biometric data. The theft of this data could be extremely
harmful to the user because, while a user can change a password if he or she knows that
the password is no longer secure, a user cannot change the data generated by a biometric
device.


Chapter 9 : Limitations
As Camenisch acknowledges in , with the Privacy CA protocol personal information,
such as a profile of user activities, can be leaked to a third party without the users' knowledge
if a third party and the Privacy CA collude. As Arbaugh puts it, "[the TCG] proponents
may argue, but cannot guarantee that [colluding] will never happen". While the second
protocol is an improvement over the first, it needs to sacrifice users' privacy in order to
detect invalid TPM attestations. The third protocol does claim that even collusion will
not result in a leak; however, it is not even clear whether or not the proposed protocol
will be included in any future TCG specification.
It should also be noted that the TPM cannot protect against many of the attacks that threaten
the privacy of users. For instance, Ross Anderson protests: "Most viruses nowadays exploit
the scripting languages in products like [Microsoft] Office." In such a case, the
application may be trusted by the TC system; however, users' activities or data could actually
be compromised covertly. Also, the TPM does not reduce the threat from the likes of
spyware that could monitor and profile users' activities, such as browsing habits, and
send them to a remote party. Additionally, as mentioned in section 4, it is vulnerable to
power analysis, which can break the tamper-evident property of the TPM by being able to
extract information from protected storage without being detected.
Lastly, while the TCG Best Practices Committee does emphasize the importance of the
privacy of users of TPM-based systems, it provides little to no way of actually enforcing
its guideline to protect users' privacy. Without the means to enforce the guideline, the
privacy of users may ultimately end up in the hands of implementers of the TPM
specification.


Chapter 10 : Comparison with Smart Cards

A highly relevant issue is a comparison to available alternatives. The currently most
apparent competitor to the TPM is the smartcard.

10.1 Introduction to Smartcards :


A smartcard or Integrated Circuit Card (ICC) is a flat, plastic body containing integrated
circuitry. Smartcards are normally credit card sized and come in two different kinds:
memory and microprocessor cards. In addition to storage capabilities, the microprocessor
cards also include calculation components like a crypto processor. This discussion
focuses on smartcards used for authentication on a computer platform. These cards are
attached to the computer via a smartcard reader and provide cryptographic functionality
like RSA encryption and key storage. Access to resources on the smartcard is protected
by a secret PIN code. A smartcard is only designed to have one user.


10.2 Main Differences to a TPM


A smartcard is a removable token while the TPM is physically attached to the platform.
This gives the two devices quite different views on users and platforms. In Figure 6.4 the
different mapping structures for the devices are displayed. As was already mentioned,
there is a one-to-one mapping between a smartcard and its user. A single smartcard can
authenticate the same user on many platforms, meaning a one-to-many mapping. Each
platform has only one TPM and a TPM can only be attached to one platform, giving a
one-to-one mapping. Finally, a platform must be able to support multiple users, meaning that
there is a one-to-many mapping between a TPM and the users of the platform. From a
security perspective the mobility of the smartcard has both positive and negative sides.
On the one hand it is impractical to need a card every time you log into your computer,
and a small card is easy to lose by accident or theft. On the other hand, if the platform is
stolen there is no way to gain access if the smartcard is not present. A TPM is always
present, which makes it even more important to protect TPM content.
Another difference is that a smartcard stores all keys on the actual device. A TPM only
stores the SRK and uses it to wrap other data, which is then stored on an unprotected
storage device.
A clear advantage for the TPM is its low cost profile and simple use. Smartcards require
readers, which cost money and are not too practical to carry around either. A conceptual
difference is the ability of the TPM to use machine binding of resources.


Chapter 11 : TPMs IN PCs


About 20 million TPM chips shipped in 2005, most of them in notebook PCs. By 2010,
worldwide shipments of TPM modules in PC client systems will reach more than 250
million (Figure 4). However, as categories beyond PCs, e.g., mobile phones, storage
systems, embedded applications, and peripherals, adopt TPMs, the total number of chips
shipped could rise dramatically, even exponentially.

Chapter 12 : Conclusion
Trusted computing, whether you like it or not, is making its progress towards the mass
market, backed by giant corporations. At the heart of the technology resides the TPM. This
paper presented a brief overview of the TPM and its functionalities and discussed the
ways it can aid in protecting users' privacy and its limitations in doing so.
Also, the paper identified several limitations of the TPM and its remote attestation
protocols in protecting users' privacy. While the remote attestation that is possible with the
TPM can be beneficial to security, the paper elicited potential threats to users' privacy
resulting from the three remote attestation protocols. Other limitations of the TPM
included vulnerabilities from various threats such as spyware, power analysis and
exploitation of trusted software.


Bibliography :
URLs :
www.ieeexplore.org
www.infineon.com
www.intel.com/design/mobile/platform/downloads
www.trustedcomputinggroup.org/groups/TCG_Architecture
silicon-trust.com/trends/comp_tpm.asp
Microsoft.com/resources/ngscb/default.mspx

Journals :
Trusted Computing Platform Alliance, TCPA Main Specification Version 1.1, 2001

