Security notes / Unsorted

Security related stuff. Linux - PAM notes · SELinux Securing services Public key encryption; SSL and TLS SSH: tunnels, X forwarding · keypair logins · SSH jails · loose notes · agent Apache config and .htaccess - security A little more practical security for the everyday person not-so-formal notes Ingredients that might be useful to know - MFA / 2FA · One-Time Passwords; also, authenticators More techincal waffling Message signing notes · Hashing notes · Auth - identity and auth notes Encryption - Encryption notes · public key encryption notes · data-at-rest encryption ·pre-boot authentication · encrypted connections Unsorted - · Anonymization notes · website security notes · integrated security hardware · Glossary · unsorted

TPM

What is it?

tl;dr:

it's a hardware module that assists a few security needs

in a few ways it allows for more secrecy than is easy to guarantee otherwise -- if used well, that is

other things it does is more of a coprocessor thing, and arguably makes less difference

Separate ...or not

Part of its job is 'encryption and key stuff'.

Part of its job is just to be separate -- except when it isn't.

Physically, TPM started as a clearly separate extra chip/module, that might be built into laptops (fairly common in business laptops), and for PC motherboards started as a plug-in module that was originally very optional -- and now, years later, Microsoft is pushing very hard on the concept, in that they refuse to run Windows 11 if it's not there or it's an older version[1].

These days, you also find TPM is integrated into CPUs (Intel calls it PTT, AMD calls it fTPM). This is functionally similar to a separate TPM - it has its own storage, it can't be altered, only talked to via the same specific protocol.

Upsides

• saves having to deal with one more component
• and helps against some physical attacks

Arguables:

• it's possible that some attacks might be possible due to being integrated.

Yes, it's isolated by a communication channel - that was part of the point - and TPM(1) communication is more easily sniffed if it's an exposed trace because that is itself unencrypted

I wouldn't be surprised if there are side-channel attacks due to being on the same silicon.

Downsides:

• it is now harder to upgrade the CPU (not a thing in laptops, but surely so in desktops)

What does it do?

The TPM is a different thing to different people/needs.

Used well, it makes attack surface smaller, and certain attacks much harder to do remotely.

Used poorly it changes little. And there is also the concept of blind trust leading to riskier behaviour.

More technically, it e.g.

• helps store some keys,
• can creates derived keys without revealing the original,
• can do certain encryption/decryption for you

A little more practically

it being separate hardware makes it harder to steal certain keys

it being separate hardware means there are some cases where you can use a key it stored without every transporting it out.

Keys can not only be used in there, but they can also marked as "never allow these keys to be copied out" - which effectively tie certain keys to specific TPM hardware permanently

this great for a select few uses, and alleviates certain physical attacks, because now only a single piece of hardware can do a thing

complete show stoppers for others

and risky for some others yet

For example, you can force an encrypted drive to only work on the computer you encrypted it on. Note that if you ever lose that TPM, you can never read that data again.

you can prevent running boot code that wasn't previously approved

as protection against malware that alters the boot

again, with footnotes. Like - who does the approving?

On secure boot

"Can't detect TPM device"

Means the BIOS knows that you can plug in a TPM module, and is looking for it (configured to do so, or always does), and doesn't find one.

So tell it not to look for one (if you can), plug one in, or ignore this message. It's often under a header named something like 'Trusted Computing'

Some BIOSes will always look for it(verify), in which case you can just ignore the message.

More acronyms

What does TPM not (necessarily) protect?

TPM versus TPM2

Use and criticism, strengths and weaknesses

TPM related errors

See also

• http://en.wikipedia.org/wiki/Trusted_Platform_Module

Nonce

Challenge/response

JSON Web Signature, Encryption, Tokens

GSSAPI notes

GSSAPI is a IETF standard to make it easier for various software to do various strong auth, e.g. Kerberos.

It also allows various other auth schemes to be plugged into it.

Which also makes it potentially interesting for SSO setups within an organisation.

(not unlike SASL, which can include GSSAPI)

It's used by things like OpenSSH,

NaCl

There are two security related things called NaCl - which are completely unrelated to each other.

(There are also other things called salt, like automation software Salt (a.k.a. Saltstack)

NaCl as in libsodium

Google NaCl