Difference between revisions of "Security notes / Unsorted"

From Helpful
Older revision summary: m (Laptop hard drive encryption)
Newer revision summary: m (TPM)
 
-->
  
===What does TPM not protect?===
<!--

In general, TPM can be seen to protect BIOS contents and boot contents (which is great to have), and little else.

Because you can protect boot, it can also make the boot part of full drive encryption more secure, which is also great.


But realize that this is all it does.

It basically does not protect against ''anything'' while your computer is running.

Any exploit aimed at a running system (which is most exploits) can get just as much of your data as before.
(Including the keys in the TPM that are marked migratable, which some uses will require)


For example
: It does not protect against preinstalled backdoors.
: It does not protect against manufacturer backdoors.
: It does not protect against hardware misdesign (see e.g. the {{search|USB-C DMA attack}}).
: It does not protect against a hardware keylogger, or an OS-level keylogger (malware).
: ...and


For example, on one side it's ''great'' that TPM can store part of the key used in hard drive encryption, as it means stealing/duplicating just the hard drive has little value.

At the same time, the disk encryption software basically needs a key in RAM to work, which TPM fundamentally can do nothing about. Not that attacks on that are simple. Also, various software is designed so that only derived keys are in memory, never the master key, but how much difference that makes varies.


Sure, if it tries to affect boot, secure boot will notice (well, on the next boot), and this is useful in the sense that you want to know about malware. It can e.g. mean you never have to worry about a software keylogger ''at this level''.


'''Secure boot''' means it (typically meaning UEFI) won't boot unless everything is signed correctly.

'''Authenticated/measured boot''' means it will boot, but what was booted will be recorded and reported (by the TPM{{verify}}).


https://en.wikipedia.org/wiki/Trusted_Platform_Module#Password_protection

https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/tpm-fundamentals

-->
===Use and criticism, strengths and weaknesses===
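As an added example (not part of these notes, and not any TPM vendor's code), the Python sketch below models what the notes in the previous section describe: measured boot extending a PCR, secure boot refusing unapproved components, and a disk key that is "sealed" so it is only released when the PCR matches the boot it was sealed against. It also illustrates the earlier remark that TPM helps resist physical attacks that defeat full-drive encryption via the boot path. All keys, component names and the sealing construction are constructed simplifications: a real TPM does the comparison and key release inside the chip, and real secure boot checks signatures rather than a digest allowlist.

```python
# Added example (not from these notes or from any TPM vendor): a toy model of
# measured boot, secure boot and sealing a disk key to a PCR, in pure Python.
# Everything is constructed for illustration. A real TPM keeps the root key,
# the PCR comparison and the key release inside the chip, and real secure
# boot verifies signatures rather than a digest allowlist.
import hashlib
import hmac

PCR_INIT = bytes(32)  # a PCR reads all-zero at power-on


def pcr_extend(pcr, component):
    """PCR_new = SHA-256(PCR_old || SHA-256(component)).

    Extending is one-way and order-sensitive, so the final PCR value commits
    to the exact sequence of components that were measured.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components):
    """Measured (authenticated) boot: boot everything, but record what ran."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def secure_boot(components, allowed_digests):
    """Secure boot: refuse to boot unless every component is approved.

    Assumption for this toy: approval is a SHA-256 allowlist standing in for
    the signature check that UEFI actually performs.
    """
    return all(hashlib.sha256(c).digest() in allowed_digests for c in components)


def seal(secret, expected_pcr, tpm_root_key):
    """Bind a 32-byte secret to one PCR value.

    Toy construction: derive a wrapping key from the (never exported) TPM root
    key and the PCR value, mask the secret with it, and add an HMAC tag so an
    unseal attempt under a different PCR value is detected rather than
    silently returning garbage.
    """
    if len(secret) != 32:
        raise ValueError("secret must be 32 bytes")
    wrap_key = hmac.new(tpm_root_key, expected_pcr, hashlib.sha256).digest()
    blob = bytes(a ^ b for a, b in zip(secret, wrap_key))
    tag = hmac.new(wrap_key, blob, hashlib.sha256).digest()
    return blob + tag


def unseal(sealed, current_pcr, tpm_root_key):
    """Release the secret only if current_pcr equals the value sealed against."""
    blob, tag = sealed[:32], sealed[32:]
    wrap_key = hmac.new(tpm_root_key, current_pcr, hashlib.sha256).digest()
    expected_tag = hmac.new(wrap_key, blob, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected_tag):
        return None  # PCR mismatch: the TPM refuses to release the key
    return bytes(a ^ b for a, b in zip(blob, wrap_key))


# Constructed sample data
TPM_ROOT_KEY = b"constructed-tpm-root-key-for-the-demo"
DISK_KEY = hashlib.sha256(b"constructed disk encryption key").digest()
GOOD_CHAIN = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED_CHAIN = [b"firmware v1", b"bootloader v1 plus bootkit", b"kernel v1"]
ALLOWED = {hashlib.sha256(c).digest() for c in GOOD_CHAIN}


def demo():
    """Seal the disk key against the known-good boot, then try both boots."""
    golden_pcr = measured_boot(GOOD_CHAIN)
    sealed = seal(DISK_KEY, golden_pcr, TPM_ROOT_KEY)
    return {
        "secure_boot_good": secure_boot(GOOD_CHAIN, ALLOWED),
        "secure_boot_tampered": secure_boot(TAMPERED_CHAIN, ALLOWED),
        "unseal_good": unseal(sealed, measured_boot(GOOD_CHAIN), TPM_ROOT_KEY),
        "unseal_tampered": unseal(sealed, measured_boot(TAMPERED_CHAIN), TPM_ROOT_KEY),
    }


if __name__ == "__main__":
    result = demo()
    print("secure boot accepts good chain:", result["secure_boot_good"])
    print("secure boot accepts tampered chain:", result["secure_boot_tampered"])
    print("key released after good boot:", result["unseal_good"] == DISK_KEY)
    print("key released after tampered boot:", result["unseal_tampered"])
    # Once released, DISK_KEY is ordinary process memory, which is the part
    # the notes say the TPM can do nothing about.
```

Running it shows the tampered chain failing both checks: secure boot refuses it outright, while measured boot lets it run but produces a different PCR, so the sealed disk key is not released. The last comment is the point of the section above: after a good boot the key is back in RAM, where the TPM no longer has any say.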
 
{{stub}}

<!--

Latest revision as of 17:17, 8 January 2021

Security related stuff.


This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

What?

Trusted Platform Module, TPM, is a hardware component, and part of the Trusted Computing design.


TPM can support public key operations and (temporary) key storage, make storage of keys a little more secure, and offload some encryption details.

It can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).


As a platform, TC and TPM may (eventually) help avoid some boot-based exploits, which is also necessary to resist some physical attacks, such as some that defeat full-drive encryption. (verify)


"Can't detect TPM device"

Means the BIOS knows that you can plug in a TPM module, and is looking for it, and you don't have one.

Either plug one in, tell it not to look for one (if you can), or ignore this message. The setting is often under a header named something like 'Trusted Computing'.

Some BIOSes will always look for it(verify), in which case you can just ignore the message.


More acronyms

What does TPM not protect?

Use and criticism, strengths and weaknesses

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

See also

Challenge/response

JSON Web Signature, Encryption, Tokens

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

JSON Web Signature (JWS)

Signing arbitrary data.

See also:


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.

See also:


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS or JWE.

Signed using a shared secret, or a public/private key.

Typically used between identity provider and a service provider, in an SSO-like way.

See also:
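As an added example that is not from these notes or from any JWT library, here is a standard-library-only Python implementation of an HS256-signed JWT (a JWS whose payload is a JSON claims set, signed with a shared secret as the section above mentions) together with the checks a service provider should make before trusting a token from an identity provider: pin the algorithm instead of trusting the token's own header, compare the HMAC in constant time, and check the exp and aud claims. The secret, claims and timestamps are constructed.

```python
# Added example (not from the page or any JWT library): a minimal HS256 JWT,
# i.e. a JWS whose payload is a JSON claims set, using only the standard
# library, plus the checks a relying party should make before trusting it.
# The shared secret, claims and timestamps below are constructed.
import base64
import hashlib
import hmac
import json
import time


def _b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _json_segment(obj: dict) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def jwt_sign_hs256(claims: dict, secret: bytes) -> str:
    """header.payload.signature, with HMAC-SHA256 over 'header.payload'."""
    signing_input = _json_segment({"alg": "HS256", "typ": "JWT"}) + "." + _json_segment(claims)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def jwt_verify_hs256(token: str, secret: bytes, expected_aud: str, now=None) -> dict:
    """Return the claims if the token verifies, otherwise raise ValueError.

    The algorithm is pinned by the verifier: the token's header must say
    HS256, so a token asking for 'none' or for a public-key algorithm is
    rejected before any key material is used.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(p))
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("token expired")
    if claims.get("aud") != expected_aud:
        raise ValueError("wrong audience")
    return claims


# Constructed sample data: an identity provider issuing a token for one service.
SECRET = b"constructed-shared-secret"
CLAIMS = {"iss": "idp.example", "sub": "alice", "aud": "app.example", "exp": 1_700_000_000}
BEFORE_EXP = 1_699_999_000


def demo() -> dict:
    """Verify a good token and several bad ones; returns the outcome of each."""
    token = jwt_sign_hs256(CLAIMS, SECRET)
    h, p, s = token.split(".")
    forged_payload = _json_segment({**CLAIMS, "sub": "admin"})  # payload edited, old signature kept
    none_header = _json_segment({"alg": "none", "typ": "JWT"})   # header asks for no signature
    results = {"valid": jwt_verify_hs256(token, SECRET, "app.example", now=BEFORE_EXP)}
    cases = [
        ("forged_sub", f"{h}.{forged_payload}.{s}", "app.example", BEFORE_EXP),
        ("alg_none", f"{none_header}.{p}.", "app.example", BEFORE_EXP),
        ("wrong_key", jwt_sign_hs256(CLAIMS, b"some-other-secret"), "app.example", BEFORE_EXP),
        ("wrong_aud", token, "other.example", BEFORE_EXP),
        ("expired", token, "app.example", CLAIMS["exp"] + 1),
    ]
    for name, tok, aud, now in cases:
        try:
            jwt_verify_hs256(tok, SECRET, aud, now=now)
            results[name] = "accepted"
        except ValueError as err:
            results[name] = str(err)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The verifier takes the expected audience and algorithm from its own configuration, never from the token, which is why the edited-payload, wrong-key and alg-none cases all fail at the signature or algorithm check before any claim is read.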


-->