book

A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security Will Arthur & David Challener

Name: A Practical Guide to TPM 2.0: Using the New Trusted Platform Module in the New Age of Security Will Arthur & David Challener
ISBN: 9781430265849

by Will Arthur, David Challener, Kenneth Goldman

January 2015

Intermediate to advanced

392 pages

10h 21m

English

Apress

Read now

Unlock full access

Cover
Title
Copyright
About ApressOpen
Dedication
Contents at a Glance
Contents
About the Authors
About the Technical Reviewers
Acknowledgments

Introduction
Chapter 1: History of the TPM
Why a TPM?History of Development of the TPM Specification from 1.1b to 1.2How TPM 2.0 Developed from TPM 1.2History of TPM 2.0 Specification DevelopmentSummary
Chapter 2: Basic Security Concepts
Cryptographic AttacksBrute ForceAttacks on the Algorithm ItselfSecurity DefinitionsCryptographic FamiliesSecure Hash (or Digest)Hash ExtendHMAC: Message Authentication CodeKDF: Key Derivation FunctionAuthentication or Authorization TicketSymmetric-Encryption KeyNonceAsymmetric KeysPublic Key CertificationSummary
Chapter 3: Quick Tutorial on TPM 2.0
Scenarios for Using TPM 1.2IdentificationEncryptionKey StorageRandom Number GeneratorNVRAM StoragePlatform Configuration RegistersPrivacy EnablementScenarios for Using Additional TPM 2.0 CapabilitiesAlgorithm Agility (New in 2.0)Enhanced Authorization (New in 2.0)Quick Key Loading (new in 2.0)Non-Brittle PCRs (New in 2.0)Flexible Management (New in 2.0)Identifying Resources by Name (New in 2.0)Summary
Chapter 4: Existing Applications That Use TPMs
Application Interfaces Used to Talk to TPMsTPM Administration and WMIThe Platform Crypto ProviderVirtual Smart CardApplications That Use TPMsApplications That Should Use the TPM but Don’tBuilding Applications for TPM 1.2TSS.Net and TSS.C++Wave Systems Embassy SuiteRocks to Avoid When Developing TPM ApplicationsMicrosoft BitLockerIBM File and Folder EncryptionNew Manageability Solutions in TPM 2.0Summary
Chapter 5: Navigating the Specification
TPM 2.0 Library Specification: The PartsSome DefinitionsGeneral DefinitionsDefinitions of the Major Fields of the Command Byte StreamDefinitions of the Major Fields of the Response Byte StreamGetting Started in Part 3: the CommandsData DetailsCommon Structure ConstructsStructure with UnionCanonicalizationEndiannessPart 2: Notation SyntaxPart 3: Table DecorationsCommonly Used Sections of the SpecificationHow to Find Information in the SpecificationStrategies for Ramping Up on TPM 2.0WillKenDaveOther TPM 2.0 SpecificationsSummary
Chapter 6: Execution Environment
Setting Up the TPMMicrosoft SimulatorBuilding the Simulator from Source CodeSetting Up a Binary Version of the SimulatorRunning the SimulatorTesting the SimulatorSetting Up the Software StackTSS 2.0TSS.netSummary
Chapter 7: TPM Software Stack
The Stack: a High-Level ViewFeature APISystem APICommand Context Allocation FunctionsCommand Preparation FunctionsCommand Execution FunctionsCommand Completion FunctionsSimple Code ExampleSystem API Test CodeTCTITPM Access Broker (TAB)Resource ManagerDevice DriverSummary
Chapter 8: TPM Entities
Permanent EntitiesPersistent HierarchiesEphemeral HierarchyDictionary Attack Lockout ResetPlatform Configuration Registers (PCRs)Reserved HandlesPassword Authorization SessionPlatform NV EnableNonvolatile IndexesObjectsNonpersistent EntitiesPersistent EntitiesEntity NamesSummary
Chapter 9: Hierarchies
Three Persistent HierarchiesPlatform HierarchyStorage HierarchyEndorsement HierarchyPrivacyActivating a CredentialOther Privacy ConsiderationsNULL HierarchyCryptographic PrimitivesRandom Number GeneratorDigest PrimitivesHMAC PrimitivesRSA PrimitivesSymmetric Key PrimitivesSummary
Chapter 10: Keys
Key CommandsKey GeneratorPrimary Keys and SeedsPersistence of KeysKey CacheKey AuthorizationKey DestructionKey HierarchyKey Types and AttributesSymmetric and Asymmetric Keys AttributesDuplication AttributesRestricted Signing KeyRestricted Decryption KeyContext Management vs. LoadingNULL HierarchyCertificationKeys UnraveledSummary
Chapter 11: NV Indexes
NV Ordinary IndexNV Counter IndexNV Bit Field IndexNV Extend IndexHybrid IndexNV Access ControlsNV WrittenNV Index Handle ValuesNV NamesNV PasswordSeparate CommandsSummary
Chapter 12: Platform Configuration Registers
PCR ValueNumber of PCRsPCR CommandsPCRs for AuthorizationPCRs for AttestationPCR Quote in DetailPCR AttributesPCR Authorization and PolicyPCR AlgorithmsSummary
Chapter 13: Authorizations and Sessions
Session-Related DefinitionsPassword, HMAC, and Policy Sessions: What Are They?Session and Authorization: Compared and ContrastedAuthorization RolesCommand and Response Authorization Area DetailsCommand Authorization AreaCommand Authorization StructuresResponse Authorization StructuresPassword Authorization: The Simplest AuthorizationPassword Authorization LifecycleCreating a Password Authorized EntityChanging a Password Authorization for an Already Created EntityUsing a Password AuthorizationCode Example: Password SessionStarting HMAC and Policy SessionsTPM2_StartAuthSession CommandSession Key and HMAC Key DetailsGuidelines for TPM2_StartAuthSession Handles and ParametersSession VariationsHMAC and Policy Sessions: DifferencesHMAC AuthorizationHMAC Authorization LifecycleHMAC and Policy Session Code ExampleUsing an HMAC Session to Send Multiple Commands (Rolling Nonces)HMAC Session SecurityHMAC Session Data StructurePolicy AuthorizationHow Does EA Work?Policy Authorization Time IntervalsPolicy Authorization LifecycleCombined Authorization LifecycleSummary
Chapter 14: Extended Authorization (EA) Policies
Policies and PasswordsWhy Extended Authorization?Multiple Varieties of AuthenticationMultifactor AuthenticationHow Extended Authorization WorksCreating PoliciesSimple Assertion PoliciesCommand-Based AssertionsMultifactor AuthenticationExample 1: Smart card and PasswordCompound Policies: Using Logical OR in a PolicyMaking a Compound PolicyExample: A Policy for Work or Home ComputersConsiderations in Creating PoliciesEnd User RoleAdministrator RoleUnderstudy RoleOffice RoleHome RoleUsing a Policy to Authorize a CommandStarting the PolicySatisfying a PolicyIf the Policy Is CompoundIf the Policy Is Flexible (Uses a Wild Card)Certified PoliciesSummary
Chapter 15: Key Management
Key GenerationTemplatesKey Trees: Keeping Keys in a Tree with the Same Algorithm SetDuplicationKey DistributionKey ActivationKey DestructionPutting It All TogetherExample 1: Simple Key ManagementExample 2: An Enterprise IT Organization with Windows TPM 2.0 Enabled SystemsSummary
Chapter 16: Auditing TPM Commands
Why AuditAudit CommandsAudit TypesCommand AuditSession AuditAudit LogAudit DataExclusive AuditSummary
Chapter 17: Decrypt/Encrypt Sessions
What Do Encrypt/Decrypt Sessions Do?Practical Use CasesDecrypt/Encrypt LimitationsDecrypt/Encrypt SetupPseudocode FlowSample CodeSummary
Chapter 18: Context Management
TAB and the Resource Manager: A High-Level DescriptionTABResource ManagerResource Manager OperationsManagement of Objects, Sessions, and SequencesTPM Context-Management FeaturesSpecial Rules Related to Power and Shutdown EventsState DiagramsSummary
Chapter 19: Startup, Shutdown, and Provisioning
Startup and ShutdownStartup InitializationProvisioningTPM Manufacturer ProvisioningPlatform OEM ProvisioningEnd User ProvisioningDeprovisioningSummary
Chapter 20: Debugging
Low-Level Application DebuggingThe ProblemAnalyze the Error CodeDebug Trace AnalysisMore Complex ErrorsLast ResortCommon BugsDebugging High-level ApplicationsDebug ProcessTypical BugsSummary
Chapter 21: Solving Bigger Problems with the TPM 2.0
Remote Provisioning of PCs with IDevIDs Using the EKTechnique 1Technique 2Technique 3Data BackupsSeparation of PrivilegeSecuring a Server’s LogonLocking Firmware in an Embedded System, but Allowing for UpgradesSummary
Chapter 22: Platform Security Technologies That Use TPM 2.0
The Three TechnologiesSome TermsIntel® Trusted Execution Technology (Intel® TXT)High-Level DescriptionHow TPM 2.0 Devices Are UsedARM® TrustZone®High-Level DescriptionImplementation of TrustZoneAMD Secure Technology™Hardware Validated BootTPM on an AMD PlatformSKINITSummary
Index

Overview

A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security is a straight-forward primer for developers. It shows security and TPM concepts, demonstrating their use in real applications that the reader can try out.

Simply put, this book is designed to empower and excite the programming community to go out and do cool things with the TPM. The approach is to ramp the reader up quickly and keep their interest.A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security explains security concepts, describes the TPM 2.0 architecture, and provides code and pseudo-code examples in parallel, from very simple concepts and code to highly complex concepts and pseudo-code.

The book includes instructions for the available execution environments and real code examples to get readers up and talking to the TPM quickly. The authors then help the users expand on that with pseudo-code descriptions of useful applications using the TPM.

Become an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
and much more.

Read now

Unlock full access

More than 5,000 organizations count on O’Reilly

O’Reilly covers everything we've got, with content to help us build a world-class technology community, upgrade the capabilities and competencies of our teams, and improve overall team performance as well as their engagement.

Julian F.

Head of Cybersecurity

I wanted to learn C and C++, but it didn't click for me until I picked up an O'Reilly book. When I went on the O’Reilly platform, I was astonished to find all the books there, plus live events and sandboxes so you could play around with the technology.

Addison B.

Field Engineer

I’ve been on the O’Reilly platform for more than eight years. I use a couple of learning platforms, but I'm on O'Reilly more than anybody else. When you're there, you start learning. I'm never disappointed.

Amir M.

Data Platform Tech Lead

I'm always learning. So when I got on to O'Reilly, I was like a kid in a candy store. There are playlists. There are answers. There's on-demand training. It's worth its weight in gold, in terms of what it allows me to do.

Mark W.

Embedded Software Engineer

Zero Trust Security: An Enterprise Guide

Publisher Resources

ISBN: 9781430265849Purchase book

Cloud Computing

Data Engineering

Data Science

AI & ML

Programming Languages

Software Architecture

IT/Ops

Security

Design

Business

Soft Skills