Trusted Computing Group Releases TPM 2.0 Specification

Although this was announced almost 20 days ago, a search for information on the front page of Neowin returned no results.

Trusted Computing Group Releases TPM 2.0 Specification for Improved Platform and Device Security
"Portland, Ore., April 9, 2014 - The Trusted Computing Group (TCG) has announced the availability of the TPM (Trusted Platform Module) 2.0 library specification. TPM 2.0 provides a critical technology response to the global need for a more secure computing environment.

Based on contributions and feedback from TCG member companies and security technology experts representing the world's leading silicon makers, device makers, software and solution providers as well as researchers, governments and academic institutions, TPMs provide a secure root of trust to protect data in computers and mobile devices from digital and physical attacks, theft or loss.

The TCG also is making available the PC Client Platform TPM Profile (PTP) specification, the first in a series of specifications to enable developers and manufacturers to design TPMs into their products. Specifications for additional platforms, including mobile devices and embedded systems, will follow."

Read more: http://www.trustedcomputinggroup.org/media_room/news/352
Infographics: https://www.trustedcomputinggroup.org/resources/protect_your_data_and_enhance_security

More opaque crypto that nobody can audit?

Primexx,

I am not sure what sort of response you are looking for, if any. I can tell you that the design specifications for the Trusted Platform Module are available for review and that users can verify for themselves that the commands do what they are said to do. In addition, the cryptographic algorithms used by the TPM (RSA, AES, etc.) are not secrets.

This is a topic worthy of further discussion (I love the TPM as it offers its Owner so many benefits), but I am about to go to sleep. Consider that, as of last decade, both the United States Army and Department of Defense require that new computers come equipped with the Trusted Platform Module. Isn't this a testament to the device's intended purpose, namely, to protect the confidentiality and integrity of information?

You're only as strong as your weakest link, and the silicon is not secure. Even Infineon's new crypto core is a joke. Their previous SLE series has been broken and molested by hackers for a long time. I wouldn't want to imagine the amount of holes that are being exploited.

Would you mind providing a source to back up your claims?

Chris Tarnovsky is the first to publicly demonstrate it. He revealed the whole process at Black Hat a few years ago, and I believe also at DEFCON. He's already gotten into the new crypto core in no time as well. You don't even need a focused ion beam workstation, or an electron microscope. Even guys like Karsten Nohl (mostly GSM chip hacking) are breaking these chips with equipment easily acquired by any basement hobbyist for minimum funds.

vcvan,

I was aware of the attack by Chris Tarnovsky, but I believe there are a few things that should be taken into account when considering it; I will get back to you. 

I've not read about Karsten Nohl breaking the TPM. Thank you for sharing this information.

And of course, thoroughly backdoored by the NSA.

Do you have any proof to support your assertion?

Karsten didn't actually break a chip with a TPM implementation on it, but the same chips used for TPM are also the same chips used for a myriad of other purposes, like GSM, bank cards, satellite conditional access. He's hacked the ST19 series used in GSM, which is also a chip used for TPM (also broken by Tarnovsky).

Thanks for clarifying.

I understand the author's position, but the article itself (though very convincing and written exceptionally well) is not exactly proof that the TPM is compromised. The same article states: "The Trusted Computing standard is open and good. It offers a solution to all of the issues that plague the Internet today. Device attestation, strong crypto with unbreakable key storage, identity, code signing, Trusted Network Connections, even secure end-to-end communication are all made possible by a little silicon wafer shipped with most business computers. The day is coming when over a billion computers will be equipped with TPMs. Yet, the actual number of TPMs that are utilized is miniscule."

It's kind of suspicious that they are so close with the NSA.

Yeah, the TPM is useful (pretty sure my PC has one), but I don't actually trust it (same with the hardware RNG in Intel processors, actually).

Just because somebody sets out to make something secure doesn't mean it actually ends up that way (like how mobile phones have crap security due to governments, IPSec has a mode that stops encryption being used, Dual_EC_DRBG, etc.). One of the biggest issues with HTTP/2 is people who want it to function without encryption.
