A Trusted Platform Module (TPM) is a hardware chip included on many laptops and mobile devices. If you’re planning to take the Security+ SY0-501 exam, you should have a basic understanding of several hardware elements such as a TPM.
For example, can you answer this question?
Q. Your organization recently purchased some laptops that include a TPM. Which of the following BEST identifies what the TPM provides?
A. Detection of unauthorized data transfers
B. A hardware root of trust
C. Sandboxing
D. An external security device used to store cryptographic keys
More importantly, do you know why the correct answer is correct and the incorrect answers are incorrect? The answer and explanation are available at the end of this post.
Trusted Platform Module
A Trusted Platform Module (TPM) is a hardware chip on the computer’s motherboard that stores cryptographic keys used for encryption. Many laptop computers include a TPM and you may see them on many mobile devices, too. However, if the system doesn’t include a TPM, it is not feasible to add one. Once enabled, the TPM provides full disk encryption capabilities. It keeps hard drives locked, or sealed, until the system completes a system verification and authentication process.
A TPM supports secure boot and attestation processes. When the TPM is configured, it captures signatures of key files used to boot the computer and stores a report of the signatures securely within the TPM. When the system boots, the secure boot process checks the files against the stored signatures to ensure they haven’t changed. If it detects that the files have been modified, such as from malware, it blocks the boot process to protect the data on the drive.
A remote attestation process works like the secure boot process. However, instead of checking the boot files against the report stored in the TPM, it uses a separate system. Again, when the TPM is configured, it captures the signatures of key files, but sends this report to a remote system. When the system boots, it checks the files and sends a current report to the remote system. The remote system verifies the files are the same and attests, or confirms, that the system is safe.
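To make the two processes above concrete, here is an added Python example (not code from the original post, and not how any particular TPM or operating system implements it). It simulates both flows with a PCR-style running hash: the stored-report check that secure boot performs locally, and the remote attestation exchange in which a separate verifier holds the report and checks a fresh quote from the booting system. It also adds a verifier-supplied nonce, which the post does not mention but which attestation protocols use so that an old "good" report cannot simply be replayed. The boot file contents, the attestation secret, and the use of an HMAC in place of the TPM's asymmetric signature are constructed assumptions made so the example runs with the standard library alone.

```python
import hashlib
import hmac
import secrets

# Constructed stand-ins for the key boot files the TPM would measure.
GOOD_BOOT_FILES = {
    "bootmgr": b"boot manager v1 (constructed sample)",
    "kernel": b"kernel image v1 (constructed sample)",
    "config": b"boot configuration (constructed sample)",
}


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || measurement). One-way and order-sensitive,
    so the final value changes if any file changes or the boot order changes."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_boot(files: dict) -> bytes:
    """Hash each boot file in a fixed order and fold it into one PCR-style value."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    for name in sorted(files):
        pcr = extend_pcr(pcr, hashlib.sha256(files[name]).digest())
    return pcr


# --- Secure boot: the report captured at configuration time is kept in the TPM ---
STORED_REPORT = measure_boot(GOOD_BOOT_FILES)


def secure_boot_allows(files: dict) -> bool:
    """Allow the boot only when the current measurement matches the stored report."""
    return hmac.compare_digest(measure_boot(files), STORED_REPORT)


# --- Remote attestation: the verifier holds the report; the TPM produces a quote ---
ATTESTATION_KEY = b"constructed attestation secret"  # stand-in for the TPM's attestation key


def tpm_quote(pcr: bytes, nonce: bytes) -> dict:
    """The TPM's 'quote': the PCR value bound to the verifier's nonce under the
    attestation key. A real TPM signs this asymmetrically; HMAC stands in here."""
    sig = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    return {"pcr": pcr, "nonce": nonce, "sig": sig}


def verifier_attests(quote: dict, expected_report: bytes, nonce: bytes) -> bool:
    """Remote side: check freshness (nonce), authenticity (signature), then
    compare the reported measurement with the expected report."""
    if quote["nonce"] != nonce:
        return False  # stale or replayed quote
    expected_sig = hmac.new(ATTESTATION_KEY, quote["pcr"] + quote["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(quote["sig"], expected_sig):
        return False  # not produced by this TPM's attestation key
    return hmac.compare_digest(quote["pcr"], expected_report)


def attest_boot(files: dict, expected_report: bytes) -> bool:
    """Full exchange: verifier issues a nonce, the system boots and measures,
    the TPM quotes the result, and the verifier confirms (attests) the system."""
    nonce = secrets.token_bytes(16)
    quote = tpm_quote(measure_boot(files), nonce)
    return verifier_attests(quote, expected_report, nonce)


if __name__ == "__main__":
    tampered = dict(GOOD_BOOT_FILES, kernel=b"kernel image with malware (constructed sample)")
    print("secure boot, clean:", secure_boot_allows(GOOD_BOOT_FILES))        # True
    print("secure boot, tampered:", secure_boot_allows(tampered))            # False
    print("attestation, clean:", attest_boot(GOOD_BOOT_FILES, STORED_REPORT))  # True
    print("attestation, tampered:", attest_boot(tampered, STORED_REPORT))      # False
```

The design point to take from this is the difference in where the reference report lives: in secure boot the comparison happens on the machine itself against a value the TPM stored, while in remote attestation the machine only reports and a separate system decides, which is why the quote must be both signed and tied to a fresh nonce.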
The TPM ships with a unique Rivest, Shamir, Adleman (RSA) private key burned into it, which is used for asymmetric encryption. This private key remains private to the chip and is matched with a public key; together they provide a hardware root of trust, or a known secure starting point. Additionally, the TPM can generate, store, and protect other keys used for encrypting and decrypting disks.
If the system includes a TPM, you use an application within the operating system to enable it. For example, many Microsoft systems include BitLocker, which you can enable for systems that include the TPM.
BitLocker uses the TPM to detect tampering of any critical operating system files or processes as part of a platform verification process. Additionally, users provide authentication, such as with a smart card, a password, or a personal identification number (PIN). The drive remains locked until the platform verification and user authentication processes are complete.
If a thief steals the system, the drive remains locked and protected. An attacker wouldn’t have authentication credentials, so he can’t access the drive using a normal boot process. If the attacker tries to modify the operating system to bypass security controls, the TPM detects the tampering and keeps the drive locked. If a thief moves the drive to another system, the drive remains locked because the TPM isn’t available.
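The locking behaviour described in the last three paragraphs, as an added Python example (not code from the post, and not BitLocker's own implementation): the volume key is wrapped with a key derived from the chip's unique secret, the boot measurements, and the user's PIN, so a wrong PIN, a tampered operating system, or a drive moved to a system with a different TPM each leave the drive locked. The chip secrets, boot files, PIN, and the XOR-plus-HMAC wrapping are constructed stand-ins chosen so the example runs with the standard library alone; a real TPM uses proper symmetric wrapping inside the chip.

```python
import hashlib
import hmac
from typing import Optional

# Constructed boot components and two constructed TPM "chip secrets" (each TPM has its own).
BOOT_FILES = {
    "bootmgr": b"boot manager v1 (constructed)",
    "kernel": b"kernel image v1 (constructed)",
}
TPM_A = b"constructed unique secret of the original laptop's TPM"
TPM_B = b"constructed unique secret of a different laptop's TPM"


def measure_boot(files: dict) -> bytes:
    """Fold SHA-256 hashes of the boot files into one PCR-style value (order-sensitive)."""
    pcr = bytes(32)
    for name in sorted(files):
        pcr = hashlib.sha256(pcr + hashlib.sha256(files[name]).digest()).digest()
    return pcr


def _wrapping_key(chip_secret: bytes, pcr: bytes, pin: str) -> bytes:
    """Key that protects the volume key. It can only be recomputed with the same chip,
    the same boot measurements, and the same PIN; changing any one gives a different key."""
    pin_digest = hashlib.sha256(pin.encode()).digest()
    return hashlib.sha256(b"seal" + chip_secret + pcr + pin_digest).digest()


def seal(volume_key: bytes, chip_secret: bytes, pcr: bytes, pin: str) -> dict:
    """Wrap a 32-byte volume key. XOR with the wrapping key stands in for the TPM's real
    symmetric wrapping; the HMAC tag lets unseal detect a wrong key instead of returning garbage."""
    wk = _wrapping_key(chip_secret, pcr, pin)
    blob = bytes(a ^ b for a, b in zip(volume_key, wk))
    tag = hmac.new(wk, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: dict, chip_secret: bytes, pcr: bytes, pin: str) -> Optional[bytes]:
    """Return the volume key only if chip, measurements, and PIN all match; otherwise None."""
    wk = _wrapping_key(chip_secret, pcr, pin)
    expected_tag = hmac.new(wk, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, sealed["tag"]):
        return None  # drive stays locked
    return bytes(a ^ b for a, b in zip(sealed["blob"], wk))


def try_unlock(sealed: dict, chip_secret: bytes, files: dict, pin: str) -> bool:
    """Platform verification (measure the boot files) plus user authentication (PIN)."""
    return unseal(sealed, chip_secret, measure_boot(files), pin) is not None


# The volume key is sealed once, on the original laptop, with its boot files and the user's PIN.
VOLUME_KEY = hashlib.sha256(b"constructed volume key material").digest()
SEALED = seal(VOLUME_KEY, TPM_A, measure_boot(BOOT_FILES), "1234")


if __name__ == "__main__":
    tampered = dict(BOOT_FILES, kernel=b"kernel patched to skip logon (constructed)")
    print("normal boot, correct PIN:", try_unlock(SEALED, TPM_A, BOOT_FILES, "1234"))     # True
    print("wrong PIN:", try_unlock(SEALED, TPM_A, BOOT_FILES, "0000"))                   # False
    print("tampered OS:", try_unlock(SEALED, TPM_A, tampered, "1234"))                   # False
    print("drive moved to another system:", try_unlock(SEALED, TPM_B, BOOT_FILES, "1234"))  # False
```

Note that the sealed blob itself is safe to store on the drive: without the original chip's secret and the matching measurements it cannot be unwrapped, which is what makes the drive useless on another machine.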
Remember this
A Trusted Platform Module (TPM) is a hardware chip included on many laptops and mobile devices. It provides full disk encryption and supports a secure boot process and remote attestation. A TPM includes a unique RSA asymmetric key burned into the chip that provides a hardware root of trust.
Q. Your organization recently purchased some laptops that include a TPM. Which of the following BEST identifies what the TPM provides?
A. Detection of unauthorized data transfers
B. A hardware root of trust
C. Sandboxing
D. An external security device used to store cryptographic keys
The answer is B. A Trusted Platform Module (TPM) includes an encryption key burned into the chip, and this key provides a hardware root of trust.
Data loss prevention (DLP) systems detect unauthorized data transfers.
Sandboxing provides an isolated area on a system, typically used for testing.
A hardware security module (HSM) is an external security device used to store cryptographic keys, but a TPM is a chip within the system.
See Chapter 5 of the CompTIA Security+: Get Certified Get Ahead: SY0-501 Study Guide for more information on implementing secure systems.