Security notes / Unsorted

From Helpful
Security related stuff.

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM

What?

Trusted Platform Module, TPM, is a hardware component, and part of the Trusted Computing design.


A TPM can support public key operations and (temporary) key storage, make storage of keys a little more secure, and offload some encryption details.

It can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).


As a platform, TC and TPM may (eventually) help avoid some boot-based exploits, which is also necessary to resist some physical attacks, such as some that defeat full-drive encryption. (verify)


"Can't detect TPM device"

This means the BIOS knows that you can plug in a TPM, is looking for one, and you don't have one.

Either plug one in, tell the BIOS not to look for one (if you can), or ignore this message. The setting is often under a header named something like 'Trusted Computing'.

Some BIOSes will always look for it (verify), in which case you can just ignore the message.


More acronyms

What does TPM not protect?

Use and criticism, strengths and weaknesses

See also

Challenge/response

JSON Web Signature, Encryption, Tokens

JSON Web Signature (JWS)

Signing arbitrary data.


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS or JWE.

Tokens are signed using a shared secret, or a public/private key.

Typically used between identity provider and a service provider, in an SSO-like way.
