System Daquan reveals: TPM security chip technology and encryption applications


Since 2003, the loss of important data has become a serious information security problem. Despite the varying levels of confidentiality measures deployed by companies, institutions and individuals, leaks keep emerging. From the leak cases publicly reported at home and abroad in recent years, we have selected the following classic cases.

In 2010, Assange and his "WikiLeaks" became almost a nightmare for governments and businesses everywhere. Each new batch of "explosive" material landed like a bombshell and caused an uproar around the world. The security measures of the United States are nearly the densest and most technically advanced in the world, yet Assange proved by his actions that they are not unbreakable. It can be seen that no domain is immune to data leakage.

On the morning of December 21, 2011, hackers published the user database of the CSDN site online, leaking more than 6 million registered accounts. After it spread across the whole network, users of well-known websites such as Tianya, Kaixin, Duowan, Jiayuan, Zhenai, Meikong and Lily reported that their passwords had also been disclosed publicly on the Internet. The latest monitoring data found that the number of online account passwords exposed on the Internet now exceeds 100 million. This "leak gate" is therefore a wake-up call for our network security.

1. The development status of security chips

As the security situation grows more and more severe, more attention is being paid to the development of security chips at home and abroad. These fall mainly into two camps: foreign TPMs and domestic TCMs. Of the two, a chip conforming to the TPM (Trusted Platform Module) standard must first be able to generate encryption and decryption keys, and must also be able to encrypt and decrypt data at high speed. In China, to avoid having the core technology behind the country's strategic security controlled by certain other countries, research on and deployment of trusted computing platforms is being carried out in parallel. Among these efforts, cryptography is the most important core technology for deploying trusted computing systems.

2. TPM security chip

In traditional systems, keys and authorization information are stored on disk, which is very insecure. In a system with a TPM security chip, the difficulty of an attack increases greatly: only by breaking the TPM itself can an attacker break the system's protection. In this way the TPM becomes the lowest level of trust in the system, providing a trustworthy foundation for the whole system.

So is the TPM safe? The trustworthiness of the TPM comes from its root of trust. The root of trust is trusted unconditionally; the system does not check the behaviour of the root of trust itself. Therefore, whether the root of trust is truly trustworthy is the key to the trustworthiness of the whole system. The TPM is a small system with cryptographic and storage components, and it can also be built in as part of another chip, such as an Ethernet interface.

As the figure in the original article shows, the TPM security chip contains hardware processing engines implementing the RSA and SHA algorithms; it is both a key generator and a key management device. By providing key management and configuration management functions, the TPM works together with supporting application software to perform trustworthiness attestation of the computing platform, prevent unauthorized software modification, and provide user identity authentication, digital signatures, full-disk encryption, secure wipe and other functions. The TPM is attached to the I/O controller, the bus that connects external devices to memory, which allows the TPM to monitor every piece of software loaded into memory from external storage. Since the TPM sits at the hardware layer, as long as the user chooses to turn on the TCG function, nothing can escape its monitoring.

How does the TPM work?

The TPM security chip first verifies the integrity of the underlying firmware. If it is correct, normal system initialization completes. The underlying firmware then verifies the integrity of the BIOS and the operating system in turn; if they are correct the operating system runs normally, otherwise execution stops. After that, the encryption module built into the TPM security chip is used to generate the various keys in the system, to encrypt and decrypt application modules, and to provide a secure communication interface that ensures the security of the upper-layer application modules.

The TPM monitors the system software and every application loaded on the computing platform, following the load order of the whole system and application software stack. Using the hash extend operation, the TPM stores the hash values of all software the platform can load. For example, on an x86 platform the TPM monitors the loading of the hardware and software system and the application stack in the following order: BIOS, MBR, OS loader, OS, user applications 1 to n. The TPM records the hash values of the entire software chain on the computing platform and then reports the platform's software loading state to a management center. The TPM can digitally sign each report to guarantee its authenticity.

With TPM data encryption providing strong protection for the data stored on the hard disk, stolen data is very hard to make use of, which defeats data theft.
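The two preceding paragraphs describe the measured-boot chain (BIOS, MBR, OS loader, OS, applications) being folded into the TPM by hash extension, reported to a management center, and used to protect the data on disk. The following is an added example, not code from the original article or from any TPM vendor: a plain-Python simulation using hashlib and hmac that models a PCR extend register, replays an event log the way a verifier would, and seals a disk key to the boot state so that a tampered OS loader both changes the reported value and prevents the key from being released. The component images, the chip-internal secret and the seal construction (XOR pad plus HMAC tag) are constructed stand-ins; a real TPM uses its own key hierarchy and authenticated encryption.

```python
"""Added example: simulated TPM measured boot (PCR extend) plus sealing a
disk key to the resulting PCR value. Not a TPM driver or the TCG API."""

import hashlib
import hmac

DIGEST_SIZE = 32
PCR_INIT = b"\x00" * DIGEST_SIZE  # PCRs start at all-zero after reset

# constructed: secret that never leaves the (simulated) chip
CHIP_SECRET = hashlib.sha256(b"constructed chip-internal secret").digest()


def measure(image: bytes) -> bytes:
    """Hash of a component about to be loaded (its 'measurement')."""
    return hashlib.sha256(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """PCR extend: new = H(old || measurement). A PCR can only be extended,
    never written, so the final value depends on every measurement and on
    the order in which they were recorded."""
    return hashlib.sha256(pcr + measurement).digest()


def measured_boot(chain):
    """Measure and extend each component in load order. Returns the final
    PCR and an event log (name, measurement hex) a verifier can replay."""
    pcr, log = PCR_INIT, []
    for name, image in chain:
        m = measure(image)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log) -> bytes:
    """Recompute the PCR from the event log alone, as a management center would."""
    pcr = PCR_INIT
    for _name, m_hex in log:
        pcr = extend(pcr, bytes.fromhex(m_hex))
    return pcr


def report_is_good(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Accept a report only if the log replays to the reported PCR (log was
    not edited) and that PCR equals the known-good value for the platform."""
    return replay_log(log) == reported_pcr and hmac.compare_digest(reported_pcr, golden_pcr)


def _pcr_bound_pad(pcr: bytes) -> bytes:
    # key material derived from the chip secret and the boot state
    return hmac.new(CHIP_SECRET, b"pad" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> bytes:
    """Bind a secret of up to 32 bytes (e.g. a disk key) to a PCR value.
    Toy construction: XOR with a PCR-bound pad, then an HMAC tag over
    (pcr, body) so unsealing under the wrong state fails instead of
    returning garbage."""
    assert len(secret) <= DIGEST_SIZE
    body = bytes(a ^ b for a, b in zip(secret, _pcr_bound_pad(pcr)))
    tag = hmac.new(CHIP_SECRET, b"seal" + pcr + body, hashlib.sha256).digest()
    return body + tag


def unseal(blob: bytes, pcr: bytes):
    """Return the secret if the current PCR matches the sealing state, else None."""
    body, tag = blob[:-DIGEST_SIZE], blob[-DIGEST_SIZE:]
    expected = hmac.new(CHIP_SECRET, b"seal" + pcr + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(body, _pcr_bound_pad(pcr)))


# constructed boot chain in the load order the article describes
GOOD_CHAIN = [
    ("BIOS", b"constructed BIOS image v1.0"),
    ("MBR", b"constructed MBR sector"),
    ("OS loader", b"constructed OS loader"),
    ("OS", b"constructed kernel image"),
    ("app1", b"constructed user application"),
]
# same chain, but the OS loader has been replaced
TAMPERED_CHAIN = [
    (n, b"constructed modified loader" if n == "OS loader" else img) for n, img in GOOD_CHAIN
]
DISK_KEY = hashlib.sha256(b"constructed disk key").digest()  # constructed 32-byte key


def demo() -> dict:
    golden_pcr, good_log = measured_boot(GOOD_CHAIN)   # provisioning: record known-good state
    blob = seal(DISK_KEY, golden_pcr)                   # disk key sealed to that state
    bad_pcr, bad_log = measured_boot(TAMPERED_CHAIN)    # a later boot with a modified loader
    return {
        "good_report_accepted": report_is_good(golden_pcr, good_log, golden_pcr),
        "tampered_report_accepted": report_is_good(bad_pcr, bad_log, golden_pcr),
        "edited_log_accepted": report_is_good(bad_pcr, good_log, golden_pcr),
        "unseal_on_good_boot": unseal(blob, golden_pcr) == DISK_KEY,
        "unseal_on_tampered_boot": unseal(blob, bad_pcr),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

Two properties of the extend operation carry the whole scheme: because each new value hashes the previous one, a single changed byte in any component changes the final PCR, and because the order of hashing matters, swapping two components also changes it. Sealing the disk key to the golden PCR is what turns this from a reporting mechanism into disk protection: a disk pulled out and booted under different software never yields the key.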

3. TPM security chip in notebooks

The TPM security chip in ThinkPad notebooks can be used together with the fingerprint identification module. Fingerprint recognition in ordinary notebooks generally stores the fingerprint verification data on the hard disk; the TPM security chip in the ThinkPad instead keeps the fingerprint identification data inside the security chip itself. If the chip is forcibly cracked open, it triggers a self-destruct function, which ensures that your personal information is not compromised. The security chip communicates with the processor over the system management bus beneath the LPC bus, and the security chip's password and key data can only be written in, never read out: the key encryption and decryption operations are completed inside the security chip, and only the results are output to the upper layer. Together, the TPM security chip and the fingerprint recognition module on the notebook achieve the highest level of security; even if the disk is physically torn down in a dust-free laboratory, no usable information can be recovered.

Copyright © Windows knowledge All Rights Reserved