Defeating the Rise of Cyber Threats with Latest TPM 2.0 Specification

September 25, 2020 Rob Spiger, Vice President, Trusted Computing Group

With more than 21 billion Internet of Things (IoT) devices expected to be in use by 2025, all with varying use-cases and increasing levels of dependency, it is critical the cyber security industry has the right tools to fight off the growing sophistication of worldwide threats. According to Gartner, global spending for protecting software and systems is forecast to reach US $133.7 billion in 2022, highlighting the need for new ways of tackling them.

The Trusted Computing Group (TCG) addresses these newly emerging attacks and vulnerabilities in its latest release “TPM 2.0 Library specification Revision 1.59” which adds critical new features and necessary updates to the previously published TPM specification. This newest version of the TPM 2.0 specification gives developers and manufacturers the best chance of safeguarding devices from development of the product and throughout their lifecycle.

Importance of IoT protection

With a growth in the use of everyday items like smart fridges or baby monitors, the risk of getting hacked becomes greater. Even seemingly simple connected devices provide access to large amounts of personal data stored on their network, making them an enticing target for attackers. This means it is essential that IoT devices are suitably safeguarded.

The NotPetya malware attack in 2017 highlights the importance of protecting IoT systems. Global shipping and logistics firm Maersk was severely affected, while worldwide damage to other organizations totaled $10 billion.

TCG provides the answer

Providing essential protection, TPMs can already be found in a whole host of devices. They take the form of a chip consisting of a secure crypto-processor which provides hardware-based security for the whole system mainly through a boot or authentication.

The latest TPM 2.0 Specification can be utilized further in the fight against cyber-attacks to give devices and systems security throughout their lifecycle. Building on previous developments, this revision contains enhancements for authorization mechanisms to ensure the safety and integrity of the TPM and extends its availability for new applications allowing for more platform specifications to be built. It also simplifies management of the TPM, supports additional cryptographic algorithms and provides extra capabilities to improve the security of TPM services.

Future-proof features are key

To protect devices now and in the future, TCG has also developed new features as part of this release.

The Authenticated Countdown Timer (ACT) will be integral to the security of IoT software and systems which include a TPM by enabling a way of regaining control of compromised machines. For future architectures that give the TPM control over the power supply for a device, it can turn the TPM into an active component that restarts compromised devices.  This will be especially beneficial for remotely managed devices, with the configuration of a TPM ACT restarting a platform when it reaches zero. If a device is determined as healthy by a cloud management service, the same cloud can be used to cryptographically create a ticket that adds more time to the ACT, preventing healthy systems from being restarted unnecessarily. But if a system is deemed as infected, it will not obey instructions to start recovery and will also not be able to obtain a ticket to delay reaching zero. Eventually, the ACT reach zero and force a restart from which boot firmware can initiate recovery.

To enable more people to use the TPM, a new x509Certify command simplifies access to TPM functions in cryptography. This allows for the TPM to use internal keys to make statements about other keys by signing them with x509 certificates. It lets those more familiar with x509 and less familiar with TPMs work with them, as well as secure communication with another party.

Another feature is the Attached Component API Command which facilitates the transferring of a TPM secret to an externally attached device such as a Hardware Security Module (HSM) securely or other self-encrypting device. Through this, TPM 2.0 authorization mechanisms can be combined with the performance power of an HSM. Enhanced support for symmetric block cipher MACs and AES CMAC is included, aiding the seamless integration of TPMs and low capability devices with encryption.

The future of TPM 2.0 Specification

TCG is constantly working to expand its specifications to ensure the cybersecurity ecosystem remains strong in the fight against cyber-attacks. With the TPM 2.0 specification providing an essential tool for developers and manufacturers, TCG will make a submission for its latest revision to become a global standard through the International Organization for Standardization later this year. Previously the TPM 2.0 Library specification achieved that status in 2015 as ISO/IEC 11889:2015 and has had huge success in securing billions of IoT devices.

About the Author

Mr. Rob Spiger is a Principal Security Strategist at Microsoft on the Digital Diplomacy team inside the Customer Security and Trust organization.  Previously Rob was a Senior Program Manager at Microsoft, responsible for technical program management of Windows security features as a part of the Security and Identity Team in the Windows Division. Rob is an industry security expert with in-depth understanding of the trusted computing technology and standard development. He has participated for over a decade in the Trusted Computing Group, a global standards organization. He enjoys collaboration with global technologists from industry, government and academic institutions who are devoted to advancing security technology research and innovation.  Rob’s substantial industry experience also include his contributions at Avanade, Advanced Technical Resources, and Lockheed Martin.   He has degrees in Computer Science with Honors and Electrical Engineering from the University of Washington.

Previous Article
MIPI Alliance Announces Availability of MIPI Debug for I3C v1.0
MIPI Alliance Announces Availability of MIPI Debug for I3C v1.0

The MIPI Alliance announced the availability of MIPI Debug for I3C v1.0, a scalable debug and test specific...

Next Article
How 5G and Digital Transformation Will Impact Storage
How 5G and Digital Transformation Will Impact Storage

The arrival of 5G is expected to bring a dramatic increase in speeds, low latencies, and an unforeseen leve...