TPM functionality

Welcome back, before I can proceed with either Windows Boot Process or Secure Certificate (TPM Attested Certificate) usage I need to explain a bit more about the TPM Chip.

The TPM Chip, also known as the Trusted Platform Module is a hardware security module on your motherboard, designed by the Trusted Computing Group Consortium.

What does it do, really?

See the TPM as a mythical pyramid with lots of rooms and doors, where you want to safely get into the Treasure room. Each room and door has a an exam/game you need to play and win before you can get go closer to the treasure room. Each door can cause a trap, resulting in eventually being thrown out by the mummy of the entire pyramid, the door being closed and locked for a few hours. It will probably leave you bruised. the Pyramid gets closed. Game over.

If you manage to play the game/exam correctly in each room, you get a piece of the puzzle. If you pass all the rooms, the puzzle pieces will you give the map to the treasure!

Each method you use has its own gameplay. The ones I will be explaining is the BitLocker-Game and TPM Attestation-Game.

As for the specs… let’s have a look at the pyramid from the inside:

TPM Architecture

To make the TPM Chip operational you need to go through a few steps. First you need to make sure it is enabled in the BIOS. Then the TPM is enabled, yet not operational. Next step is initializing it. Once the TPM is initialized you can start using it. Why these steps? Well, first of all, like any other device listed in the BIOS you can decide if you want to use or not. if you enable it, your OS can retrieve its details. Enabling the TPM chip is not enough, it will not act if you don’t proceed initializing it. Initializing it means you will tell the TPM chip you own the device and therefor you are allowed to compute against it. Owning a device will result in generating an Owner Password on the chip. This will allow us to use its features. If your TPM has no password, you cannot pass through the Secure Input/Output. Period. So, basically, there is a mummy in front of the only entrance into the pyramid, asking you for the secret word, before it allows you in. if you don’t know the pyramid, the mummy will not allow you in. if you don’t initialize the TPM, the only door into the pyramid is basically closed, the mummy resting inside the first room, locked away.

TPM States:
– Disabled:

  • The TPM chip is disabled, you need to enable it in the BIOS.
  •  Basically the Pyramid is hidden in the sand, and all mummies in a hybrid sleep.

– Enabled, Not Ready:

  • No owner password is set, you need to initialize the TPM
  •  The Pyramid is visble, but the mummy is safely inside, behind the only door inside, with the door closed of course
  • When you initialize the TPM, basically you show the mummies you have recently purchased the Pyramid and the only way to get in is to use a specific secret word. this specific secret word is then agreed upon and as of then the mummies will start guarding your pyramid and treasure on your behalf.

– Enabled, Ready:

  • a Password is set and is ready for use.
  •  the mummies are safeguarding your pyramid and its treasures, and the only way to allow anyone into the pyramid is when you whisper the secret word.

BitLocker will try to facilitate, and do this for you if not done yet.

Secured I/O: The mummies Hall way! here you will find your door-keeping mummy and you have to tell him the secret word.

In order to use or read anything inside the TPM chip, you need to authenticate first, this with your Owner Password, to proof you own this device. Only one Owner can exist, resulting in one Owner Password. This is the gatekeeper. if you share the owner password, consider your entire device as compromised. The Owner Password is also non-exportable. Once it is set you cannot retrieve it anymore. So if your MBAM or AD did not save it during the initialization of the TPM there is no way of retrieving it ever again.

If you try too many times telling the mummy the wrong secret word, the mummy gets angry and kicks you out, closing that one single door for x amount of time. This is the TPM’s anti-hammering feature, depending on TPM version 1.2 or 2.0 it will close for a given period of time.

Cryptographic Processor: this is a zone with mathematical compute + cryptographic compute. The “Certification Exam Room”. When you do your exam for Microsoft Certification you need to show your ID card (Crypto), that will allow you into a secure room to do your exam. In this case a mathematical exam.

– RSA Key Generator: generates secure data encryption 2048bit keys

When starting the exam, you have x amount of time to pass the exam before it expires.

–  SHA-1 Hash generator: generates a 20byte digest hash.

When signing up to start your exam, you need to read out your IDCard when it is digital. This one will make sure the mummy behind the desk can read your IDCard.

–  Crypto Engine: HMAC: Keyed-Hash Message Authentication Code: Message Type authentication code involving a cryptographic hash function and a secret cryptographic key: This Code simultaneously verifies both data integrity and authentication of a message.

Basically here, the mummy can already read a part of your IDCard, but needs to decypher a bit more so the mummy can validate if this one is not a fake. So this one makes it readable and let’s the mummy behind the desk sign with his signature that he agrees this person is who he or she claims to be. Game passed! you can proceed!

It functions alike a PKI, this allowing to encrypt (Seal), decrypt (unseal) and sign (TPM verified) data required by applications. If your application is TPM aware it can use its Crypto Engine to encrypt the data, only allowing this specific device to decrypt the data and actually sign its sensitive data with the TPM’s crypto engine. This makes your information a lot more secure. On the down side, it makes the TPM your single point of failure and prone to attacks.
– RNG : Random Number Generator: Most of your methods within the TPM requiring to Sign/Encrypt/Decrypt will require a challenge or a nonce. This generator is responsible to generate your Challenge. Using an RNG gives you the advantage to prevent replay of old signature. if your generator ‘s challenge is expired, you can no longer use it to proceed with your current transaction forcing you to start this transaction again.

This is your promocode, which is only valid for a given time, if you don’t sign up in time you will have to pay full price (resulting in being kicked out by the mummy), and no… you cannot share your promocode after that specific time with the rest of the world because by the time they are at the desk of the mummy the period has passed resulting having to pay the full price again( resulting again in being kicked out by the mummy… damned mummy!)
Persistent Memory/Non-Volatile Memory:

this is a place containing the sensitive data we need for tools to operate, of course non-exportable: The treasure room! One pitfall about this treasure room, you will receive a few keys allowing you to access the jewels in the treasure room but you cannot take them out of the room, because they are glued to the shiny desk and floors…

Treasure no1:

the Pharaoh’s validation to any request you like. If he signs your request everyone in the kingdom needs to obey the request.

– Endorsement Keys: This is used for TPM Attestation. This method allows you to seal a piece of data with the 2048bit RSA TPM Certificate. A better name would be Endorsement Key Certificate Keyset. a TPM has a Public Certificate and a Private Certificate (Keyset) also known as the :

  • Endorsement Key Private (EKPriv): the candle grease and the official sign stamp of the pharao
  • Endorsement Key Public (EKPub): the actual stamp itself that will end up on your request. “Request read and approved by Pharaoh X”
  • there is no SubCA or RootCA chain inside the TPM Chip! If you need to use it you need to import this chain into your PKI. This is mandatory in order to use the TPM Certificate Keyset!  Basically if you have the stamp on your document and you wouldn’t have any organization knowing or understanding this sign and the empowered Pharaoh, nobody will be inclined to fulfill your request. If you go to the body guards of the pharaoh ,who understand the stamp, they will validate your request as an official request by the Pharaoh forcing the footmen to execute your request!

I learned it the hard way 🙂 this Keyset is created at manufacturing time, and EKPriv will never leave the TPM Chip, this, in PKI terms, implies mainly your EKPriv is non-exportable. This we will explore more into details in the TPM Attestation article.

Treasure no2:
– Storage Root Key: this is also a 2048bit RSA key, and for the Windows engineers commonly used for BitLocker. This key is generated after taking ownership (Initialization) of the TPM. This also implies each time you clear the TPM, your TPM will go back to Not-Ready and will trigger BitLocker Recovery Mode because the decryption key is either missing or no longer the same. The Storage Root Key is also non-exportable. This we will explore more into details in the BitLocker Using TPM Article

Versatile Memory:

  • Platform Configuration Registers (PCRs): This is a table / database with items split into 2 categories: Hardware Items and Software items, commonly used for many items including BitLocker. This we will explore more into details in the BitLocker Using TPM Article
  • Attestation Identity Keys (AIK): used for TPM Attestation. This is the same principle as the Endorsement Keys however you don’t work directly with them. This we will explore more into details in the TPM Attestation article.

 

Now, before going any further, I need to explain a few fundamental things:

I will be using terms like TPM Signing, TPM Binding, TPM Sealing and TPM Sealed-Signing. The TPM was designed to protect and proof authenticity/Integrity. This is pure PKI 1:1!

Binding [Protection]

In short: TPM Binding means you encrypt the message with 1 Key.

Binding is the traditional operation of encrypting a message using a public key. That is, the sender uses the public key of the intended recipient to encrypt the message. The message is only recoverable by decryption using the recipient’s private key. When the private key is managed by the TPM as a non migratable key only the TPM that created the key may use it. Hence, a message encrypted with the public key, “bound” to a particular instance of a TPM. It is possible to create migratable private keys that are transferable between multiple TPM devices. As such, binding has no special significance beyond encryption.
Signing [Proof Integrity/Authenticity]

In short: TPM Signing means the TPM tags a key, allowing it to be considered integer to whoever asks for it. “it is integer, because the TPM said so.”

Signing also in the traditional sense, associates the integrity of a message with the key used to generate the signature. The TPM tags some managed keys as signing only keys, meaning these keys are only used to compute a hash of the signed data and encrypt the hash. Hence, they cannot be misconstrued as encryption keys.
Sealing [Protection]:

In short: TPM Sealing means you encrypt the message with multiple keys.

Sealing takes binding one step further. Sealed messages are bound to a set of platform metrics specified by the message sender. Platform metrics specify platform configuration state that must exist before decryption will be allowed. Sealing associates the encrypted message (actually the symmetric key used to encrypt the message) with a set of PCR register values and a non-migratable asymmetric key.

A sealed message is created by selecting a range of PCR register values and asymmetrically encrypting the PCR values plus the symmetric key used to encrypt the message. The TPM with the asymmetric decryption key may only decrypt the symmetric key when the platform configuration matches the PCR register values specified by the sender. Sealing is a powerful feature of the TPM. It provides assurance that a protected messages are only recoverable when the platform is functioning in a very specific known configuration.

 
Sealed-Signing [Proof and Protect]

In short: “This item is integer, because the TPM said so.” If this item or a PCR changes the integrity may be lost and the TPM will no longer consider this as “integer”

For example: BitLocker

Signing operations can also be linked to PCR registers as a way of increasing the assurance that the platform that signed the message meets a specific configuration requirement. The verifier mandates that a signature must include a particular set of PCR registers. The signer, during the signing operation, collects the values for the specified PCR registers and includes them in the message, and as part of the computation of the signed message digest. The verifier can then inspect the PCR values supplied in the signed message, which is equivalent to inspecting the signing platform’s configuration at the time the signature was generated.