TPM 2.0 specification for rising cyber security threats

The challenges facing the cyber security industry are unprecedented, with technological advances creating a greater risk than ever before as newer threats evolve and emerge. The NotPetya malware attack in 2017 demonstrates the severity attacks can have; global logistics and shipping firm Maersk became critically affected and worldwide damage to other organisations totaled $10bn. According to Gartner, global spending for protecting software and systems from attacks is forecasted to reach US $133.7bn in 2022, highlighting the need for new ways of tackling them.

The newest version of the TPM 2.0 specification is an essential tool that developers and manufacturers can utilise in their fight against cyber threats to safeguard devices not just from conception of the product, but throughout their lifecycle.

It provides enhancements for authorisation mechanisms, extends the availability of the Trusted Platform Module (TPM) to new applications allowing for more platform specifications to be built, simplifies management, supports additional cryptographic algorithms and provides additional capabilities to improve the security of TPM services.

“With attacks becoming increasingly more complex in their nature and more devices getting connected, creating new vulnerabilities such as the possibility of everyday items like smart fridges becoming hacked, it is critical that the industry has an effective way of tackling them now and into the future,” said Rob Spiger, Vice President of Trusted Computing Group. “As technology advances, more personal data is being used and can be intercepted or accessed easily if devices are not suitably safeguarded. Our latest revision of the TPM 2.0 Library Specification, gives system engineers and software developers a brand new way to ensure the longevity of a device by utilising technologies of the TPM in the best way possible.”

One of the newest features is the Authenticated Countdown Timer (ACT) which enables a way of regaining control of a compromised machine by configuring a TPM ACT that restarts a platform when it reaches zero. This is hugely beneficial for remotely managed IoT devices with a TPM. If the device is determined as healthy by a cloud management service, the cloud can cryptographically create a ticket that adds more time to the ACT, preventing healthy systems from being restarted.

However, if the device is deemed infected, it will not obey instructions to start recovery. At this point, the ACT will eventually reach zero and force a restart – allowing for boot firmware to kick in with recovery. 

The latest specification also includes a new x509Certify command which simplifies access to TPM functions in cryptography. This allows a TPM to use internal keys to make statements about other keys by signing x509 certificates about them. This ensures secure communications with another party and is more recognisable for people not used to working with TPMs and more used to working with x509 certificates.

In addition, an Attached Component API command facilitates the secure transferring of a TPM object to an externally attached device such as a Hardware Security Module (HSM) or self-encrypting device, providing more security. By doing this, TPM 2.0 authorisation mechanisms can be combined with the performance power of an HSM. Added support for symmetric block cipher MACs and AES CMAC is also built in, aiding with integration between TPMs and low capability devices with encryption.

“The release of this latest TPM 2.0 Library specification brings added security, enhancements and features that can be added to a whole range of devices with TPMs, strengthening systems against cyber attacks and securing businesses,” Spiger added. “We are looking forward to advancing our work further, as our TPM, Device Identifier Composition Engine (DICE) and other workgroups continue to develop standards which will continue to protect billions of systems worldwide as the expansion of IoT devices grows.”

Trusted Computing Group published its initial TPM 2.0 Library Specification as an International Standard in 2015, through the International Organisation for Standardisation. TCG will apply for the features in this latest revision to also achieve the same status as a global standard, by starting a new submission to ISO at the end of this year.