Dexa Systems
11/19/2010 11:23 AM Posted by: Bryan Smith

TPM - a well kept secret for strong authentication

What if a secure storage device for authentication factors was already in your PC? In most cases, there is one: the not commonly known Trusted Platform Module (TPM). It is in most business-class laptops, except Macs. The TPM stores cryptographic keys that can protect issued digital certificates, and it can perform secure cryptographic functions such as trusted startup, random number generation, and digital signatures. TPM is FIPS 140-2 certified. If you're considering strengthening your authentication processes and mechanisms, learning more about TPM will give you another option worth taking into account.

TPMs introduce a lower-cost authentication alternative with strong enterprise and system integrity. When the TPM is used to protect digital certificates, there is no need for new hardware (e.g. smart cards, tokens, or smart card readers). The TPM ensures that only known devices are on the network and only known software is on those devices. A private key is placed in the TPM by the manufacturer and never leaves the tamper-resistant hardware. The corresponding public key can be used to authenticate the machine identity, for example to a VPN or a wireless access point. To ensure only known software is running on a device, the boot sequence of the operating system is modified to produce a trusted measurement log, which can be validated against the TPM register values. Depending on whether the measurement log validates, the TPM restricts access (e.g. access to encrypted data and to cryptographic functions).
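To make the measured-boot check described above concrete, here is an added example (not code from the original post or from any TPM vendor) that simulates the TPM 1.2 extend operation and validates a constructed measurement log against the register values it should reproduce. The boot components, their PCR assignments and the way the "TPM" registers are produced are all assumptions for illustration.

```python
import hashlib

PCR_SIZE = 20  # TPM 1.2 PCRs are 20-byte SHA-1 registers, reset to all zeros

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: new_pcr = SHA-1(old_pcr || SHA-1(measured data)).
    Registers can only be extended, never written, so the final value
    depends on every measurement and on the order in which they arrived."""
    digest = hashlib.sha1(measurement).digest()
    return hashlib.sha1(pcr + digest).digest()

def replay_log(log):
    """Recompute the PCR values a measurement log claims to have produced.
    log is a list of (pcr_index, measured_bytes) in boot order."""
    pcrs = {}
    for idx, data in log:
        pcrs[idx] = extend(pcrs.get(idx, b"\x00" * PCR_SIZE), data)
    return pcrs

def log_matches_registers(log, tpm_pcrs) -> bool:
    """The validation step: a log is trusted only if replaying it reproduces
    every register value the TPM itself reports."""
    expected = replay_log(log)
    return all(expected.get(i) == v for i, v in tpm_pcrs.items())

# Constructed sample boot sequence (assumed components, not real firmware
# digests): firmware stages extend PCR 0, boot loader and kernel extend PCR 4.
SAMPLE_LOG = [
    (0, b"BIOS firmware v1.0"),
    (0, b"option ROM: NIC"),
    (4, b"boot loader"),
    (4, b"kernel vmlinuz-2.6"),
]

def simulated_tpm_registers(boot_sequence):
    """Stand-in for reading PCRs from a real TPM: the registers hold the
    result of extending whatever the platform actually booted."""
    return replay_log(boot_sequence)

def log_with_different_kernel():
    """A log that disagrees with what actually booted; validation must fail."""
    return SAMPLE_LOG[:-1] + [(4, b"kernel vmlinuz-2.6-modified")]

if __name__ == "__main__":
    registers = simulated_tpm_registers(SAMPLE_LOG)
    print("genuine log validates:", log_matches_registers(SAMPLE_LOG, registers))
    print("mismatched log validates:",
          log_matches_registers(log_with_different_kernel(), registers))
```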

Not all is perfect in the TPM world. Certificate portability, user administration, certificate protection level, and password authentication are some of the challenges TPM users face.

  • User certificates attached to a machine can be problematic. In many cases, users interact with multiple computing environments (e.g. business PC, personal PC, tablet, and smartphone) to get their work done. For the user to be able to perform all their tasks in each environment, they will need their certificate on every platform. There may be times when the certificate is unavailable because a machine is under repair or maintenance. There are ways to address portability issues, such as maintaining a server that holds a TPM with a copy of the user's certificate.
  • User administration can become intractable. In some business environments, multiple users may need to use the same platform. The TPM can store multiple user certificates, but it has limited storage space. For example, the Atmel Trusted Platform Module AT97SC3201 has on-chip storage for up to 20 user keys. When users are storing multiple certificates (VPN access, email encryption), the number of users that can use a single platform diminishes quickly.
  • TPM protection covers mostly software attacks. It is highly unlikely that a TPM could withstand a malicious user who has physical access. User certificates are more sensitive and require a higher level of protection than platform credentials. It is unlikely that a computer will have the same access as an IT Administrator. Therefore, the TPM protection level would be inadequate for some user credentials.
  • Authenticating to the TPM is usually done with a password, and therefore has many of the same weaknesses as a simple userid/password. These weaknesses can be reduced by limiting the number of login attempts and by having the enterprise server act as a proxy owner, which enables the use of complex passwords. From my experience, in most business environments the best practice is to use a smart chip / smart card to authenticate. Smart cards are physically secure, unable to be cloned, protected by a Personal Identification Number (PIN), and would allow the use of truly random authentication data.

TPMs can be found in many, if not most, business PCs, but they are neither well known nor widely used. With the need for and popularity of strong authentication rising, the TPM is an alternative for strong authentication worth considering.
