Security

Hidden in Plain Sight

You can take advantage of the TPM chip found in most systems to harden desktop and notebook security.

Steve Hanna, a distinguished engineer for Juniper Networks, is co-chairman of the Trusted Network Connect Work Group in the Trusted Computing Group and co-chairman of the Network Endpoint Assessment Working Group in the Internet Engineering Task Force.

The Trusted Platform Module is an integral part of virtually every enterprise-level computer sold today.

The TPM is typically a separate application-specific integrated circuit that provides hardware-based security by establishing a root of trust for subsequent security measures to build upon.

It can be used to implement solutions for network security, data protection and user authentication, including full-disk and file and folder encryption. For example, Microsoft’s BitLocker encryption feature (included in the Windows Vista and Windows 7 operating systems) can use the TPM to secure the encryption key.

Before a TPM can be used, it must be activated and enabled. The process for this varies with different computers, but these three steps provide a basic outline:

Step 1: Activate the TPM. Turn on the computer and enter the BIOS. From the BIOS, change the TPM’s status from inactive to active. Sometimes the BIOS doesn’t say “TPM.” If you don’t find TPM, then look for words such as “security chip” instead. Some computers come with software to automate this step, such as Vista’s TPM Initialization Wizard.

Step 2: Install or initialize TPM utility software. If your computer came with TPM utility software, start it up or install it. Again, the software may say “security chip” instead of TPM. If you can’t find any such software, you’ll need to buy it. Vista and Windows 7 include basic TPM utility software, which may be sufficient.

Step 3: Take ownership of the TPM. Use the TPM utility software to assume control of the TPM. In simple terms, this lets you set a TPM password.

After completing these three steps, you can start using the TPM for specific applications.

Security hardware is an invaluable tool in the constant battle to thwart attackers. Because all new machines (and most that came on the market after 2003) already have TPMs, why not use them?

Using the TPM for Encryption and More

Disk encryption is a wonderful thing — and it’s even better with a TPM.

If someone steals your computer, you don’t have to worry. Unless they know your password, they can’t access your data. The Trusted Platform Module enhances disk encryption by preventing decryption using another computer or with hacked system software. Microsoft has step-by-step instructions for enabling and using the BitLocker disk encryption feature included in Windows Vista and Windows 7.

Encryption is the most obvious application of the TPM, but others are also compelling. The TPM can act like a “smart card on your motherboard,” providing stronger security than a software certificate and without any worry about leaving your smart card at home. Just make sure that your TPM utility software supports your certificate client software (via Microsoft Crypto API or PKCS#11). Then select the TPM as your cryptographic provider when requesting a new certificate. The resulting certificate will be tied to and secured by the TPM.

One special feature of the TPM is that it can verify the integrity of your operating system and security software. You (or your network administrator, if so configured) will be notified of any changes to these files, which might indicate an infection or attack. Access to confidential data can be blocked until the changes have been investigated.

More information on the TPM and self-encrypting drives is available on the Trusted Computing Group website at www.trustedcomputinggroup.org.

Now Playing in a Computer Near You

Almost 300 million computers with TPMs have shipped, so there is an extremely high probability that every agency has several in operation. As part of its High-Assurance Platform Program, the National Security Agency uses the TPM in a virtualized approach to run multiple secure environments. And almost all computers acquired by the Defense Department since July 2007 are required to include a TPM.