Difference between revisions of "Security notes / Unsorted"

From Helpful
m (What does TPM not protect?)
m (TPM)
Line 8: Line 8:
 
===What?===
 
===What?===
  
Trusted Platform Module, TPM, is a hardware component, and part of the [http://en.wikipedia.org/wiki/Trusted_Computing Trusted Computing] design.
+
Trusted Platform Module is part of the [http://en.wikipedia.org/wiki/Trusted_Computing Trusted Computing] design.
  
The TPM is the hardware part of that, a module that can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops).
+
The TPM basically the hardware part, which helps give an isolated environment to store some keys in (to avoid leaving them in RAM and on disk) and do certain crypto in (e.g. without having to show keys).
 +
 
 +
It being a separate thing
 +
: makes attack surface much smaller and certain attacks much harder to do remotely,
 +
: makes it harder to steal keys,
 +
:: The way the TPM stores keys means you can't move keys out -- except the ones marked migratable, which various uses will require.
 +
: lets you tie keys to the specific TPM (and details of your computer, if you wish)
 +
:: which alleviates certain physical attacks - like tying an encrypted drive, which means someone stealing just the drive separates it from the key that would read it
 +
: Or booting something that wasn't previously approved (as protection against malware that alters the boot).
 +
:: note that secure boot ''only'' covers boot, only as much has the OS integrates with it, and stops there - it does nothing to to protect you against malware once booted.
 +
 
 +
 
 +
 
 +
Physically, TPM is often a hardware module that can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops). One can also be part of a CPU.
 +
 
 +
{{comment|(You could also implement it in code, but doing so means you lose the trusted environment and the isolated storage which defeats half the point)}}
 +
 
 +
<!--
 +
https://docs.microsoft.com/en-us/windows/security/information-protection/tpm/how-windows-uses-the-tpm
 +
-->
  
 
<!--
 
<!--
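Review bot: the added sentence "The TPM basically the hardware part, which helps give an isolated environment" is missing its verb (read "The TPM is basically the hardware part"), and further down "Or booting something that wasn't previously approved" is a fragment under "It being a separate thing", so it does not read as one of the listed benefits; suggest "lets you refuse to boot something that wasn't previously approved". In the same list, "only as much has the OS integrates with it" should read "as", and "to to protect" is doubled. That sub-item is also labelled "secure boot", but approving the boot chain through the TPM is measured boot (each stage is hashed into a PCR and keys are sealed to the expected values), whereas UEFI Secure Boot is signature checking done by the firmware and works without a TPM, so it is worth saying which one is meant.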

Revision as of 17:02, 24 July 2021

Security-related stuff.

Practical


Theory / unsorted

how to do a login system badly
how to do encryption badly
Disk and file encryption notes
  • unsorted
This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)


TPM

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

What?

Trusted Platform Module is part of the Trusted Computing design.

The TPM is basically the hardware part: it provides an isolated environment to store some keys in (so they are not left in RAM or on disk) and to do certain crypto in (e.g. without ever exposing the keys).

It being a separate thing:

  • makes the attack surface much smaller and certain attacks much harder to do remotely,
  • makes it harder to steal keys,
    • the way the TPM stores keys means you can't move keys out -- except the ones marked migratable, which various uses will require,
  • lets you tie keys to the specific TPM (and to details of your computer, if you wish),
    • which alleviates certain physical attacks -- e.g. tying an encrypted drive to the TPM means that someone stealing just the drive separates it from the key that would read it,
  • lets you refuse to boot something that wasn't previously approved (as protection against malware that alters the boot).
    • Note that secure boot only covers the boot, only as far as the OS integrates with it, and stops there: it does nothing to protect you against malware once booted.


Physically, TPM is often a hardware module that can be plugged into PC motherboards and laptops, and may be built into laptops (fairly common in business laptops). One can also be part of a CPU.

(You could also implement it in code, but doing so means you lose the trusted environment and the isolated storage, which defeats half the point.)
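The mechanism behind tying keys to the machine and refusing an unapproved boot is measured boot: each boot stage is hashed into a PCR, and keys are sealed so they are only released when the PCR holds the expected value. The following is an added software model of that (not code from this page), with the PCR size, the boot chain contents and the disk key as constructed assumptions; as the parenthetical above says, a software version lacks the isolation of a real TPM and is only here to show the rule.

```python
import hashlib
import hmac

# Added example (not from the wiki page): a pure-software model of the TPM's
# PCR "extend" rule and of sealing a key to an expected PCR value. A real
# TPM does this inside the chip; in software the isolation is lost, so this
# only illustrates the mechanism.

PCR_SIZE = 32  # SHA-256 PCR bank (constructed assumption for the model)

def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 extend: new = H(old || H(measurement)). A PCR can only be
    accumulated into, never written, so its final value encodes the whole
    ordered chain of what was booted."""
    digest = hashlib.sha256(measurement).digest()
    return hashlib.sha256(pcr + digest).digest()

def measure_boot(components):
    """Extend each boot component (firmware, bootloader, kernel, ...) in
    order, starting from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for component in components:
        pcr = extend(pcr, component)
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Bind the secret to a policy (here: one expected PCR value). Modelled
    as a dict; a real TPM keeps the secret and the policy inside the chip."""
    return {"policy": hashlib.sha256(expected_pcr).digest(), "secret": secret}

def unseal(blob: dict, live_pcr: bytes):
    """Release the secret only if the live PCR satisfies the sealing policy."""
    if hmac.compare_digest(hashlib.sha256(live_pcr).digest(), blob["policy"]):
        return blob["secret"]
    return None

# Constructed sample boot chains and a disk-encryption key to protect.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v2", b"kernel-5.10"]
TAMPERED_CHAIN = [b"firmware-v1", b"altered-bootloader", b"kernel-5.10"]
DISK_KEY = b"constructed-32-byte-disk-key!!!!"

# Seal the key against the PCR value the approved chain produces.
sealed = seal(DISK_KEY, measure_boot(GOOD_CHAIN))

if __name__ == "__main__":
    print("approved boot releases key:", unseal(sealed, measure_boot(GOOD_CHAIN)) == DISK_KEY)
    print("altered boot releases key:", unseal(sealed, measure_boot(TAMPERED_CHAIN)) is not None)
```

Because extend is a one-way chain, an altered stage anywhere in the boot order produces a different PCR value and the sealed key stays locked.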



"Can't detect TPM device"

Means the BIOS knows that you can plug in a TPM module, is looking for it (either because it was told to or because it always does), and doesn't find one.

Either tell it not to look for one (if you can), plug one in, or ignore this message. The setting is often under a header named something like 'Trusted Computing'.

Some BIOSes will always look for it (verify), in which case you can just ignore the message.


More acronyms

What does TPM not protect?

Use and criticism, strengths and weaknesses

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

See also

Nonce

Challenge/response

JSON Web Signature, Encryption, Tokens

This article/section is a stub — probably a pile of half-sorted notes, is not well-checked so may have incorrect bits. (Feel free to ignore, fix, or tell me)

JSON Web Signature (JWS)

Signing arbitrary data.

See also:


JSON Web Encryption (JWE)

Syntax for the exchange of encrypted data, and sending it in Base64 within JSON.

See also:


JSON Web Tokens (JWT)

JWT is aimed at sending verifiable claims, building on JWS (signed) or JWE (encrypted).

Signed using a shared secret, or a public/private key.

Typically used between identity provider and a service provider, in an SSO-like way.

See also:

