A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security is a straight-forward primer for developers. It shows security and TPM concepts, demonstrating their use in real applications that the reader can try out.
Simply put, this book is designed to empower and excite the programming community to go out and do cool things with the TPM. The approach is to ramp the reader up quickly and keep their interest.A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security explains security concepts, describes the TPM 2.0 architecture, and provides code and pseudo-code examples in parallel, from very simple concepts and code to highly complex concepts and pseudo-code.
The book includes instructions for the available execution environments and real code examples to get readers up and talking to the TPM quickly. The authors then help the users expand on that with pseudo-code descriptions of useful applications using the TPM.
Conditions of Use
This book is licensed under a Creative Commons License (CC BY). You can download the ebook A Practical Guide to TPM 2.0 for free.
- Title
- A Practical Guide to TPM 2.0
- Subtitle
- Using the Trusted Platform Module in the New Age of Security
- Publisher
- Apress
- Author(s)
- David Challener, Will Arthur
- Published
- 2015-01-24
- Edition
- 1
- Format
- eBook (pdf, epub, mobi)
- Pages
- 419
- Language
- English
- ISBN-10
- 1430265833
- ISBN-13
- 9781430265849
- License
- CC BY
- Book Homepage
- Free eBook, Errata, Code, Solutions, etc.
Title
Copyright
About ApressOpen
Dedication
Contents at a Glance
Contents
About the Authors
About the Technical Reviewers
Acknowledgments
Introduction
Chapter 1: History of the TPM
Why a TPM?
History of Development of the TPM Specification from 1.1b to 1.2
How TPM 2.0 Developed from TPM 1.2
History of TPM 2.0 Specification Development
Summary
Chapter 2: Basic Security Concepts
Cryptographic Attacks
Brute Force
Attacks on the Algorithm Itself
Security Definitions
Cryptographic Families
Secure Hash (or Digest)
Hash Extend
HMAC: Message Authentication Code
KDF: Key Derivation Function
Authentication or Authorization Ticket
Symmetric-Encryption Key
Nonce
Asymmetric Keys
Public Key Certification
Summary
Chapter 3: Quick Tutorial on TPM 2.0
Scenarios for Using TPM 1.2
Identification
Encryption
Key Storage
Random Number Generator
NVRAM Storage
Platform Configuration Registers
Privacy Enablement
Scenarios for Using Additional TPM 2.0 Capabilities
Algorithm Agility (New in 2.0)
Enhanced Authorization (New in 2.0)
Quick Key Loading (new in 2.0)
Non-Brittle PCRs (New in 2.0)
Flexible Management (New in 2.0)
Identifying Resources by Name (New in 2.0)
Summary
Chapter 4: Existing Applications That Use TPMs
Application Interfaces Used to Talk to TPMs
TPM Administration and WMI
The Platform Crypto Provider
Virtual Smart Card
Applications That Use TPMs
Applications That Should Use the TPM but Don’t
Building Applications for TPM 1.2
TSS.Net and TSS.C++
Wave Systems Embassy Suite
Rocks to Avoid When Developing TPM Applications
Microsoft BitLocker
IBM File and Folder Encryption
New Manageability Solutions in TPM 2.0
Summary
Chapter 5: Navigating the Specification
TPM 2.0 Library Specification: The Parts
Some Definitions
General Definitions
Definitions of the Major Fields of the Command Byte Stream
Definitions of the Major Fields of the Response Byte Stream
Getting Started in Part 3: the Commands
Data Details
Common Structure Constructs
Structure with Union
Canonicalization
Endianness
Part 2: Notation Syntax
Part 3: Table Decorations
Commonly Used Sections of the Specification
How to Find Information in the Specification
Strategies for Ramping Up on TPM 2.0
Will
Ken
Dave
Other TPM 2.0 Specifications
Summary
Chapter 6: Execution Environment
Setting Up the TPM
Microsoft Simulator
Building the Simulator from Source Code
Setting Up a Binary Version of the Simulator
Running the Simulator
Testing the Simulator
Setting Up the Software Stack
TSS 2.0
TSS.net
Summary
Chapter 7: TPM Software Stack
The Stack: a High-Level View
Feature API
System API
Command Context Allocation Functions
Command Preparation Functions
Command Execution Functions
Command Completion Functions
Simple Code Example
System API Test Code
TCTI
TPM Access Broker (TAB)
Resource Manager
Device Driver
Summary
Chapter 8: TPM Entities
Permanent Entities
Persistent Hierarchies
Ephemeral Hierarchy
Dictionary Attack Lockout Reset
Platform Configuration Registers (PCRs)
Reserved Handles
Password Authorization Session
Platform NV Enable
Nonvolatile Indexes
Objects
Nonpersistent Entities
Persistent Entities
Entity Names
Summary
Chapter 9: Hierarchies
Three Persistent Hierarchies
Platform Hierarchy
Storage Hierarchy
Endorsement Hierarchy
Privacy
Activating a Credential
Other Privacy Considerations
NULL Hierarchy
Cryptographic Primitives
Random Number Generator
Digest Primitives
HMAC Primitives
RSA Primitives
Symmetric Key Primitives
Summary
Chapter 10: Keys
Key Commands
Key Generator
Primary Keys and Seeds
Persistence of Keys
Key Cache
Key Authorization
Key Destruction
Key Hierarchy
Key Types and Attributes
Symmetric and Asymmetric Keys Attributes
Duplication Attributes
Restricted Signing Key
Restricted Decryption Key
Context Management vs. Loading
NULL Hierarchy
Certification
Keys Unraveled
Summary
Chapter 11: NV Indexes
NV Ordinary Index
NV Counter Index
NV Bit Field Index
NV Extend Index
Hybrid Index
NV Access Controls
NV Written
NV Index Handle Values
NV Names
NV Password
Separate Commands
Summary
Chapter 12: Platform Configuration Registers
PCR Value
Number of PCRs
PCR Commands
PCRs for Authorization
PCRs for Attestation
PCR Quote in Detail
PCR Attributes
PCR Authorization and Policy
PCR Algorithms
Summary
Chapter 13: Authorizations and Sessions
Session-Related Definitions
Password, HMAC, and Policy Sessions: What Are They?
Session and Authorization: Compared and Contrasted
Authorization Roles
Command and Response Authorization Area Details
Command Authorization Area
Command Authorization Structures
Response Authorization Structures
Password Authorization: The Simplest Authorization
Password Authorization Lifecycle
Creating a Password Authorized Entity
Changing a Password Authorization for an Already Created Entity
Using a Password Authorization
Code Example: Password Session
Starting HMAC and Policy Sessions
TPM2_StartAuthSession Command
Session Key and HMAC Key Details
Guidelines for TPM2_StartAuthSession Handles and Parameters
Session Variations
HMAC and Policy Sessions: Differences
HMAC Authorization
HMAC Authorization Lifecycle
HMAC and Policy Session Code Example
Using an HMAC Session to Send Multiple Commands (Rolling Nonces)
HMAC Session Security
HMAC Session Data Structure
Policy Authorization
How Does EA Work?
Policy Authorization Time Intervals
Policy Authorization Lifecycle
Combined Authorization Lifecycle
Summary
Chapter 14: Extended Authorization (EA) Policies
Policies and Passwords
Why Extended Authorization?
Multiple Varieties of Authentication
Multifactor Authentication
How Extended Authorization Works
Creating Policies
Simple Assertion Policies
Command-Based Assertions
Multifactor Authentication
Example 1: Smart card and Password
Compound Policies: Using Logical OR in a Policy
Making a Compound Policy
Example: A Policy for Work or Home Computers
Considerations in Creating Policies
End User Role
Administrator Role
Understudy Role
Office Role
Home Role
Using a Policy to Authorize a Command
Starting the Policy
Satisfying a Policy
If the Policy Is Compound
If the Policy Is Flexible (Uses a Wild Card)
Certified Policies
Summary
Chapter 15: Key Management
Key Generation
Templates
Key Trees: Keeping Keys in a Tree with the Same Algorithm Set
Duplication
Key Distribution
Key Activation
Key Destruction
Putting It All Together
Example 1: Simple Key Management
Example 2: An Enterprise IT Organization with Windows TPM 2.0 Enabled Systems
Summary
Chapter 16: Auditing TPM Commands
Why Audit
Audit Commands
Audit Types
Command Audit
Session Audit
Audit Log
Audit Data
Exclusive Audit
Summary
Chapter 17: Decrypt/Encrypt Sessions
What Do Encrypt/Decrypt Sessions Do?
Practical Use Cases
Decrypt/Encrypt Limitations
Decrypt/Encrypt Setup
Pseudocode Flow
Sample Code
Summary
Chapter 18: Context Management
TAB and the Resource Manager: A High-Level Description
TAB
Resource Manager
Resource Manager Operations
Management of Objects, Sessions, and Sequences
TPM Context-Management Features
Special Rules Related to Power and Shutdown Events
State Diagrams
Summary
Chapter 19: Startup, Shutdown, and Provisioning
Startup and Shutdown
Startup Initialization
Provisioning
TPM Manufacturer Provisioning
Platform OEM Provisioning
End User Provisioning
Deprovisioning
Summary
Chapter 20: Debugging
Low-Level Application Debugging
The Problem
Analyze the Error Code
Debug Trace Analysis
More Complex Errors
Last Resort
Common Bugs
Debugging High-level Applications
Debug Process
Typical Bugs
Summary
Chapter 21: Solving Bigger Problems with the TPM 2.0
Remote Provisioning of PCs with IDevIDs Using the EK
Technique 1
Technique 2
Technique 3
Data Backups
Separation of Privilege
Securing a Server’s Logon
Locking Firmware in an Embedded System, but Allowing for Upgrades
Summary
Chapter 22: Platform Security Technologies That Use TPM 2.0
The Three Technologies
Some Terms
Intel® Trusted Execution Technology (Intel® TXT)
High-Level Description
How TPM 2.0 Devices Are Used
ARM® TrustZone®
High-Level Description
Implementation of TrustZone
AMD Secure Technology™
Hardware Validated Boot
TPM on an AMD Platform
SKINIT
Summary
IndexRelated Books
