This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.

A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.

Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.

You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.

Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as "sealing the key to the TPM." Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.

With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions, so it does not depend on the operating system, and a vulnerability in the operating system or in application software does not by itself expose the private keys the TPM holds.

For info about which versions of Windows support which versions of the TPM, see Trusted Platform Module technology overview. The features that are available in each version are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: Trusted Platform Module.

The following sections provide an overview of the technologies that support the TPM. A separate topic describes the TPM services that can be controlled centrally by using Group Policy settings.

Measured Boot with support for attestation

The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
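The two mechanisms above, sealing a key to platform measurements and handing a Measured Boot log to a remote evaluator, rest on the same primitive: a Platform Configuration Register (PCR) that can only be extended, never written. The Python below is an added example, not code from the article or from Microsoft; it simulates that primitive with hashlib and hmac only and goes a step beyond the text by showing the server-side log replay as well as the client-side seal and unseal. The storage root key value, the boot component images and the "volume master key" are constructed for the demo, and the HMAC/counter-mode wrapping stands in for a real TPM's symmetric cipher (a real TPM 2.0 does this with TPM2_PCR_Extend and a PCR policy bound to the sealed object).

```python
import hashlib
import hmac
import os

PCR_INIT = b"\x00" * 32  # a reset SHA-256 PCR is all zeros


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA-256(PCR_old || digest).
    A PCR can only be extended, never set, so the final value depends on
    every measurement and on the order in which they were made."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot(components):
    """Simulated Measured Boot: each component image is hashed, the hash is
    extended into the PCR, and an event (name, digest) is appended to the log.
    Returns (final PCR value, event log)."""
    pcr, log = PCR_INIT, []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """What the remote evaluation server does with a received log: recompute
    the PCR from the events alone. It must equal the PCR value the TPM itself
    reports (a TPM quote in practice); if not, the log has been tampered with."""
    pcr = PCR_INIT
    for _name, digest in log:
        pcr = pcr_extend(pcr, digest)
    return pcr


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; stands in for the TPM's symmetric cipher."""
    out = b""
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return out[:length]


def seal(srk: bytes, pcr: bytes, secret: bytes) -> dict:
    """Seal `secret` to the current PCR value. The wrapping key is derived from
    the storage root key (which never leaves the TPM) and the PCR value, so only
    the same TPM in the same measured state can unwrap the blob."""
    wrap_key = hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(wrap_key, nonce, len(secret))))
    tag = hmac.new(wrap_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def unseal(srk: bytes, pcr: bytes, blob: dict):
    """Unseal with the PCR value measured during *this* boot. Returns the
    secret, or None if the platform state differs or the blob was modified."""
    wrap_key = hmac.new(srk, b"seal|" + pcr, hashlib.sha256).digest()
    tag = hmac.new(wrap_key, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None
    ks = _keystream(wrap_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks))


def demo() -> dict:
    """Seal a BitLocker-style volume key during a clean boot, then try to unseal
    after an identical boot and after a boot whose bootloader was replaced."""
    srk = b"constructed-storage-root-key-0123456789abcdef"  # constructed, not a real SRK
    clean_boot = [("firmware", b"uefi build 1"), ("bootloader", b"bootmgr build 1"),
                  ("kernel", b"ntoskrnl build 1")]
    evil_boot = [("firmware", b"uefi build 1"), ("bootloader", b"bootkit"),
                 ("kernel", b"ntoskrnl build 1")]
    pcr_clean, log_clean = measure_boot(clean_boot)
    blob = seal(srk, pcr_clean, b"volume master key")
    pcr_evil, _log_evil = measure_boot(evil_boot)
    return {
        "log_replays_to_pcr": replay_log(log_clean) == pcr_clean,
        "unseal_same_state": unseal(srk, measure_boot(clean_boot)[0], blob),
        "unseal_after_bootkit": unseal(srk, pcr_evil, blob),
        # malware that sends the clean log but runs on the tampered platform is caught,
        # because the replayed log no longer matches the PCR the TPM reports
        "clean_log_matches_tampered_pcr": replay_log(log_clean) == pcr_evil,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The check a practitioner wants from this is the failure path: the unseal after the bootkit boot returns None rather than garbage, because the authentication tag is derived from the PCR-bound wrapping key, and the forged-log case is detected only because the server compares the replayed value against a PCR value it obtains from the TPM, not from the log sender.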