NSA Trusted Computing Conference and Exposition, ORLANDO, USA: Trusted Computing Group (TCG) has released new specifications that will make the Trusted Platform Module easier to deploy and will enable attestation of a platform via existing Trusted Network Connect network protocols.
The first specification, the CMC Profile for Attestation Identity Key (AIK) Certificate Enrollment, provides a standard way to request a TCG AIK certificate from a Certificate Authority (CA). The profile is built on an existing IETF certificate enrollment protocol, CMC (Certificate Management over CMS, RFC 5272), adding the exchange needed to issue a certificate for an attestation key that is generated in, and never leaves, the TPM. Because the private key resides in the TPM, it is resistant to common software-based attacks, such as theft by malware.
Theft of keys stored in software is a common step in the compromise of a system. A TPM-resident key is protected even while it is in use: the operating system can ask the TPM to perform an operation with the key, but it cannot read the private key material, whether at boot or during normal operation. Note that this protects the key from being copied, not from being used; malware that controls the host can still request signatures with it, which is why the attestation of the platform's software state described below matters.
The second specification builds on the existing network security protocols of TCG's Trusted Network Connect (TNC) architecture. Called the TCG Attestation - Platform Trust Services (PTS) Protocol: Binding to TNC IF-M, it lets a remote party obtain TPM-based attestation information from the TCG Platform Trust Services (PTS) software on the system being assessed, carried over the TNC IF-M measurement protocol.
The resulting information, signed by the TPM with an AIK, lets the verifier check the platform's measured software state against known-good reference values; a mismatch reveals that the platform has been modified or is running software that malware has altered. Combined with existing TNC assessment capabilities, the PTS protocol raises the trustworthiness of a TNC assessment, because the measurements are rooted in hardware rather than reported by software that could itself be compromised.
The strongSwan open source IPsec VPN software includes an implementation of the new PTS protocol to augment its TNC assessment of the VPN client platform. The assessment uses TNC protocols carried inside an Extensible Authentication Protocol (EAP) tunnel (EAP-TTLS with an inner EAP-TNC method), which the Internet Key Exchange version 2 (IKEv2) protocol carries as the client's EAP authentication. Including the PTS Protocol allows both TNC software measurements and TPM-based measurements of the client system to be obtained and verified while the IPsec tunnel is being established, before the client is granted network access.
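To make concrete what a verifier does with the TPM-signed attestation data described above, here is an added Python model of the verifier side of a PTS-style assessment. It is illustrative code written for this page, not strongSwan's or TCG's implementation. It replays a measurement log through the TPM PCR extend rule (SHA-1, as in TPM 1.2, which is an assumption about the TPM generation), compares the result with the PCR values in the quote, checks the quote's nonce, and checks each file measurement against a reference database. It assumes the AIK signature over the quote has already been verified against the certificate obtained through the AIK enrollment profile; the file paths, digests, PCR index and nonce are all constructed sample data.

```python
import hashlib
from dataclasses import dataclass

PCR_INIT = b"\x00" * 20  # TPM 1.2 PCRs start at all zeros (SHA-1, 20 bytes); assumption for this model


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend rule: PCR_new = SHA1(PCR_old || measurement)."""
    return hashlib.sha1(pcr + measurement).digest()


def replay_log(log):
    """Recompute PCR values from a measurement log of (pcr_index, path, digest) entries."""
    pcrs = {}
    for idx, _path, digest in log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, PCR_INIT), digest)
    return pcrs


@dataclass
class Quote:
    """Model of a TPM quote: the verifier's nonce and the PCR values the TPM holds.
    Assumption: the AIK signature over these fields has already been checked."""
    nonce: bytes
    pcrs: dict


def tpm_quote(actual_log, nonce: bytes) -> Quote:
    """Model the TPM: its PCRs reflect what was really measured, whatever the host later reports."""
    return Quote(nonce=nonce, pcrs=replay_log(actual_log))


def verify_assessment(quote: Quote, reported_log, reference_db, expected_nonce: bytes):
    """Return (ok, reasons) for a PTS-style assessment of one client."""
    reasons = []
    # 1. Freshness: the quote must cover the nonce the verifier sent for this session.
    if quote.nonce != expected_nonce:
        reasons.append("quote nonce mismatch: stale or replayed quote")
    # 2. Log integrity: replaying the reported log must reproduce the TPM-signed PCR values.
    replayed = replay_log(reported_log)
    for idx, value in quote.pcrs.items():
        if replayed.get(idx) != value:
            reasons.append(f"PCR {idx}: log replay does not match quoted value")
    # 3. Policy: every measured component must match a known-good reference.
    for _idx, path, digest in reported_log:
        ref = reference_db.get(path)
        if ref is None:
            reasons.append(f"{path}: not in reference database")
        elif ref != digest:
            reasons.append(f"{path}: measurement differs from reference")
    return (not reasons, reasons)


# Constructed sample data (not real files, digests or a real nonce).
REFERENCE_DB = {
    "/sbin/init": hashlib.sha1(b"init v1").digest(),
    "/usr/sbin/charon": hashlib.sha1(b"charon v5").digest(),
}
NONCE = bytes.fromhex("0011223344556677")
GOOD_CONTENTS = [("/sbin/init", b"init v1"), ("/usr/sbin/charon", b"charon v5")]
TAMPERED_CONTENTS = [("/sbin/init", b"init v1"), ("/usr/sbin/charon", b"charon v5 + implant")]


def make_log(contents, pcr_index=10):
    """Build a measurement log as the client's measurement agent would: one entry per file."""
    return [(pcr_index, path, hashlib.sha1(data).digest()) for path, data in contents]


def run_scenarios():
    """Four clients: clean; tampered and honest; tampered but forging a clean log; replaying an old quote."""
    good_log = make_log(GOOD_CONTENTS)
    tampered_log = make_log(TAMPERED_CONTENTS)
    return {
        "clean": verify_assessment(tpm_quote(good_log, NONCE), good_log, REFERENCE_DB, NONCE),
        "tampered_honest_log": verify_assessment(tpm_quote(tampered_log, NONCE), tampered_log, REFERENCE_DB, NONCE),
        # The compromised client reports the clean log, but the TPM's PCRs record what actually ran.
        "tampered_forged_log": verify_assessment(tpm_quote(tampered_log, NONCE), good_log, REFERENCE_DB, NONCE),
        "replayed_quote": verify_assessment(tpm_quote(good_log, b"old-nonce"), good_log, REFERENCE_DB, NONCE),
    }


if __name__ == "__main__":
    for name, (ok, reasons) in run_scenarios().items():
        print(f"{name}: {'ACCEPT' if ok else 'REJECT'} {reasons}")
```

The forged-log scenario is the one the TPM adds over a software-only TNC check: a client that lies about its software state can produce a clean-looking log, but it cannot make the TPM-signed PCR values agree with that log, so the replay in step 2 fails. The nonce check in step 1 is what stops a client from presenting a quote captured while it was still clean.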
“TCG continues to integrate the TPM’s hardware protected capabilities with software used to solve key customer problems. With the AIK enrollment specification, we make it simpler and faster for IT users to obtain certificates associated with TPM-protected keys in a scalable manner,” noted Paul Sangster, co-chair, TCG Infrastructure Work Group. “Also, the TPM can now play a key role, via the PTS Protocol specification, ensuring the TNC architecture can detect systems attempting to get on the network that are trying to misrepresent their software state, thereby preventing compromised systems from connecting.”