Difference between revisions of "Security notes / Unsorted"

From Helpful
m (Challenge/response)
m (TPM)
Line 9: Line 9:
  
 
Trusted Platform Module, TPM, is a hardware component, and part of the [http://en.wikipedia.org/wiki/Trusted_Computing Trusted Computing] design.
 
Trusted Platform Module, TPM, is a hardware component, and part of the [http://en.wikipedia.org/wiki/Trusted_Computing Trusted Computing] design.
 +
 +
The TPM is the hardware part of that, a module that can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).
 +
 +
<!--
 +
'''Why is it useful at all?'''
 +
 +
 +
'''Key storage''' is one good reason.
 +
 +
In practical terms, consider that all cryptography needs a key.
 +
 +
While being used, that needs to sit somewhere as long as we ''might'' need it.
 +
 +
For your most central important keys (say, hard drive encryption keys), that means 'as long as the computer is on'.  For  a completely temporary session-specific one it's shorter -- but still basically as long as adversaries will be interested in it.
 +
 +
 +
Also, aside from being in RAM for most of that time, it needs to be a place to be stored permanently.
 +
Put it on your hard drive, though, and someone just needs to steal your hard drive.
 +
 +
Hard drive encryption may reduce that problem, sure, but cannot solve that, because you can, at best, reduce it to many keys to just key with this problem - the key used to encrypt that hard drive.
 +
 +
 +
 +
'''Secure boot''' is another.
 +
 +
Secure boot is roughly the idea that your system will not boot until something checks out according something you signed previously.  And you can spend a lot of time talking about the implementation being strong cryptograhic hashes or whatnot, but you are just moving the problem around.
 +
 +
You may reduce it, but in the end you have to trust some code to do what it pretends it does.
 +
That will typically be the bootloader -- but if that's on your hard drive, or even in your BIOS,
 +
that's code that can be changed.
 +
 +
 +
 +
In both cases, part of the thing that TPM does is ''store'' a key and ''contain'' a key and ''check'' according to that key, but make it really hard to ever read out that key again.
 +
 +
It then supports
 +
 +
 +
 +
 +
 +
Keeping it in RAM, the memory protection unit should protect it, sure. But that relies all parts of the OS to work as intended, and implies means most of the OS is potential [[target surface]] for exploits.
 +
 +
  
  
 
TPM can support public key operations and (temporary) key storage, make storage of keys a little more secure, and offload some encryption details.
 
TPM can support public key operations and (temporary) key storage, make storage of keys a little more secure, and offload some encryption details.
  
It can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).
 
  
  
As a platform, TC and TPM may (eventually) help avoid some boot based exploits, which is also necessary to resist some physical attacks, such as some defeating full-drive encryption. {{verify}}
+
Why is it useful?
 +
 
 +
 
 +
 
 +
The idea is that since only the OS can directly access it and you can only ''ask''.
 +
 
 +
 
 +
As an ida, TC and TPM may (eventually) help avoid some boot based exploits, some physical attacks such as some that might defeat full-drive encryption. {{verify}}
 +
-->
  
  
 
==="Can't detect TPM device"===
 
==="Can't detect TPM device"===
  
Means the BIOS knows that you ''can'' plug in a TPM module, and is looking for it, and you don't have one.
+
Means the BIOS knows that you ''can'' plug in a TPM module, and is looking for it (being told to or always does), and doesn't find one.
  
Either plug one in, tell it not to look for one (if you can), or ignore this message.
+
Either tell it not to look for one (if you can), plug one in, or ignore this message.
 
It's often under a header named something like 'Trusted Computing'  
 
It's often under a header named something like 'Trusted Computing'  
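Review bot: the whole explanatory block added on the right-hand side, from the `<!--` after "The TPM is the hardware part of that..." down to the `-->` after "As an ida, TC and TPM may (eventually)...", is inside an HTML comment, so none of "Why is it useful at all?", the key-storage argument or the secure-boot argument renders; the revision shown below this diff confirms that only the "What?" and "Can't detect TPM device" parts are visible. If that is meant as a draft, fine, but before uncommenting it several lines need work: "reduce it to many keys to just key with this problem" is garbled (presumably "reduce it from many keys to just one key with this problem"), "cryptograhic" and "As an ida" are typos, "It then supports" trails off with nothing following it, "relies all parts of the OS" is missing "on", and "implies means most of the OS" has a doubled verb. In the "Can't detect TPM device" change, the new parenthetical "(being told to or always does)" reads awkwardly; something like "(either because it was told to, or because it always does)" says the same thing more clearly.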
  

Revision as of 23:22, 23 July 2021

Security related stuff.


This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM


What?

Trusted Platform Module, TPM, is a hardware component, and part of the Trusted Computing design.

The TPM is the hardware part of that, a module that can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).


"Can't detect TPM device"

Means the BIOS knows that a TPM module can be plugged in, is looking for one (either because it was told to, or because it always does), and doesn't find one.

Either tell it not to look for one (if you can), plug one in, or ignore this message. The setting is often under a BIOS header named something like 'Trusted Computing'.

Some BIOSes will always look for it (verify), in which case you can just ignore the message.


More acronyms

What does TPM not protect?

Use and criticism, strengths and weaknesses


See also

Nonce

Challenge/response

JSON Web Signature, Encryption, Tokens


JSON Web Signature (JWS)

Signing arbitrary data.

See also:


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.

See also:


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS or JWE.

Signed using a shared secret, or a public/private key pair.

Typically used between an identity provider and a service provider, in an SSO-like way.
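As an added illustration of what a JWS-signed JWT looks like in practice (example code written for these notes, not from any library or from the page's author): the compact form header.payload.signature, HS256 over a shared secret, and a verifier that rejects a token whose claims were altered, whose alg header was changed, or which has expired. The secret, the claim values and the timestamps are constructed for the example.

```python
import base64, hashlib, hmac, json

def b64url(data: bytes) -> str:
    # JWS uses base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # Re-add the padding the encoder stripped before decoding.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_jwt(claims: dict, secret: bytes) -> str:
    # Compact serialization: base64url(header).base64url(claims).base64url(sig).
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url(json.dumps(header, separators=(",", ":")).encode()) + "."
                     + b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)

def verify_jwt(token: str, secret: bytes, now: int) -> "dict | None":
    # Returns the claims if signature and expiry check out, otherwise None.
    try:
        h_b64, p_b64, s_b64 = token.split(".")
        header = json.loads(b64url_decode(h_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    # Pin the algorithm on the verifier side; never let the token's own
    # header pick it (e.g. "alg": "none" or a switch to another algorithm).
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(secret, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):   # constant-time compare
        return None
    claims = json.loads(b64url_decode(p_b64))
    if "exp" in claims and now >= claims["exp"]:
        return None
    return claims

# Constructed sample: an identity provider issues a token, a service provider verifies it.
SECRET = b"shared-secret-between-idp-and-sp"   # placeholder value for the example
ISSUED_AT = 1_700_000_000
SAMPLE = sign_jwt({"iss": "idp.example", "sub": "alice", "exp": ISSUED_AT + 3600}, SECRET)

def tampered_sample() -> str:
    # Same header and signature, but the subject claim has been rewritten.
    h, _p, s = SAMPLE.split(".")
    forged = {"iss": "idp.example", "sub": "admin", "exp": ISSUED_AT + 3600}
    return f"{h}.{b64url(json.dumps(forged, separators=(',', ':')).encode())}.{s}"

if __name__ == "__main__":
    print(SAMPLE)
    print(verify_jwt(SAMPLE, SECRET, ISSUED_AT))             # the claims dict
    print(verify_jwt(tampered_sample(), SECRET, ISSUED_AT))  # None
```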

See also:

