
Thread: Trusted Platform Modules?

  1. #1 Konrad (Canada)

    Trusted Platform Modules?

    I've read Wikipedia's Trusted Platform Module, Secure cryptoprocessor, AES, Public-key cryptography, and tons of other related pages. Not the finest authority, but probably informative enough. I'll happily admit that I'm no sort of cryptography expert whatsoever, beyond some idle (and perhaps unhealthy) fascination with the finer details of crypto history, algorithms, technology, hacks, attacks, and countermeasures.

    My newest motherboard (an Asus X99 R5E) has a 20-pin TPM header. Having a compatible TPM plugged in will allow me to activate BitLocker with a unique hardware crypto token. That's worth twenty bucks to me, and if I can get a TPM part which does a whole lot more for a few dollars more then that's maybe worth it, too.

    Asus recommends part 90-C1B0AU-00XBN0VZ, which appears to be an Infineon part with a cool black PCB, $20 but never in stock. Newegg offers an unnamed FW3.19 part for about $25, which is also never in stock. Amazon also has TPMs listed, but never has any in stock. Supermicro has 20-pin TPMs (which it calls "AOMs" or Add-on-Modules), and again these are never in stock. You really have to dig deep online just to find them for sale. I have found a comparison between the INFINEON SLB9635 TT1.2 (TPM-IN01-R10), SINOSUN SSX35BCB, and WINBOND WPCT200 (TPM-WI01-R10) which suggests the Infineon part is the smartest way to go. Another Infineon part (TPM-IN01-R11) has firmware 3.17, another has firmware 3.19, and one is called the 9655V. There's even a Foxconn TPMFOX45CS part (for $12) which doesn't inspire security or confidence. Prices for 20-pin TPM gizmos look to generally be around $10-$25 (sometimes $50, one site actually charges $200!); Alibaba vendors seem to have limitless quantities available but require minimum purchases numbering tens or even hundreds of units.

    So a coupla questions which I'm hoping some of you Enterprise/IT guys might answer:

    Where can I actually buy one of these things? It seems like they aren't illegal or restricted (indeed, they're embedded into many motherboards, laptops, tablets, and even cellphones) but they are certainly not floating around where average consumers can readily get a hold of them. I can understand this might be because properly secure configuration and operation of such stuff actually requires using a brain and most consumers just can't afford such a terrible price. Anyone know of a source? Any recommendations for which TPMs I should want to get or should want to avoid? Is it perhaps best to avoid purchasing possibly compromised hardware of such a security-sensitive nature at places like eBay, or do I misunderstand how they work so as long as it works I'll be fine?

    Having read through the specs and datasheets and brochures for all the parts I could name (at least, all the ones which aren't obfuscated behind proprietary lawyer-assassins, blood oaths, NDAs and such) ... I just got myself more and more confused. Aside from adding another layer of security to BitLocker (and/or other cryptowares), what else can an active TPM actually do or be used for? If the TPM hardware ever fails (or locks itself out, is lost/stolen/exploded/etc), will all of my encrypted data (and equally encrypted backups of that data) become functionally impossible to recover? Can I plug my trusty old TPM and drives into next decade's new motherboard without issue, or is the encryption key (and decrypting of associated data) all locked to a specific platform?
    My mind says Technic, but my body says Duplo.

  2. #2 x88x (MD, USA)

    Actually, I think you're just on the wrong side of a certain border...
    http://smile.amazon.com/Asus-Accesso.../dp/B0085E4WQQ

    As for the actual function of the things, to be honest I haven't really looked much at them. The applications I remember seeing them used for mainly centered around a) offloading hashing functions, b) key storage, and c) hardware-based, host-identifying, keys.
    That we enjoy great advantages from the inventions of others, we should be glad of an opportunity to serve others by any invention of ours, and this we should do freely and generously.
    --Benjamin Franklin
    TBCS 5TB Club :: coilgun :: bench PSU :: mightyMite :: Zeus :: E15 Magna EV

  3. #3 TheMainMan (Canada)

    Not sure if they are vendor specific or not, but CDW.ca carries a bunch. I might be able to get you a better price than what's listed if you're interested; postage from me to you shouldn't be a big deal for something that size.
    TheMainMan

  4. #4 Airbozo (In the Redwoods)

    I work for a company that sells custom systems into the security space. The TPMs are the second-lowest level of encryption and are used on only the cheapest security devices due to the ease with which they can be broken. They are only slightly better than running a software key generator sort of application. TPMs can be had all over the place, and specifically Supermicro always has them in stock (at least for us). Knowing what I do about Supermicro, I would not use one of their TPMs on anything but a Supermicro motherboard. While we do not resell the TPMs by themselves, I may be able to point you to a vendor that does.

    x88x is right though: trying to purchase a TPM (or any other security module for that matter) in the US from Canada might be tricky due to export laws and such. We had an issue with one of our customers being able to ship their appliance into Canada due to the security card that was installed in it, and it took over 6 months of customs wrangling and hundreds of phone calls to get it to their end user. They use a card from SafeNet (http://www.safenet-inc.com/data-encr...nt/luna-pci-e/) that can actually detect someone trying to hack into it and will erase itself to prevent access to the keys. It will also detect if it is being removed from the system and erase itself. As a last resort, it will also detect if someone is trying to physically gain access to the card and destroy the primary key modules Mission Impossible style.

    You are right though, you do get what you pay for. I suggest contacting some of the TPM manufacturers and compare the different modules if you are intent on using one.

    One other note; Most motherboards are designed in such a way that if you install and activate a TPM module, you can never remove it or the motherboard will not work. If the TPM module fails, you have to replace it to gain access to the motherboard and your data.
    "...Dumb all over, A little ugly on the side... "...Frank Zappa...

  5. #5 Konrad (Canada)

    As I understand it, the software/firmware/drivers bundled with the TPM part (by Infineon, etc.) typically allow a last-ditch emergency "out" to re-enable locked-out TPMs and decrypt locked data. So you need to keep a precious copy of your recovery password/code locked away somewhere else. Which, to me, sort of defeats the whole purpose of having nigh-unbreakable crypto hardware in the first place, unless of course you have multiple TPMs installed in multiple machines so there's no weak link on your failsafe backup/redundancy. Seemingly not the wisest way to go for a single user planning to run a single secured motherboard.

    Airbozo - "you can never remove [an activated TPM module] or the motherboard will not work" ?
    Does this mean the entire motherboard gets locked out and is rendered useless for normal unsecured operation, or just that the special security (and secured data) is impossible to recover without a replacement TPM?

    And yeah, my primary interest is to put a heftier hardware padlock onto my BitLocker (or whatever crypto), for litecoin vault and such stuff, keep it secret keep it safe lol. So long as I still have a way to recover encrypted offsite backups in the event my main unit is stolen/broken/etc (even if that means I must go purchase another - identical? - TPM and mobo combo). Keeping my trusty certs and secure https sessions and sundry password lists under lock seems to be a common add-on feature, not an unwelcome one, but I can as easily continue to do without the frilly bells & whistles.

    Seeing those professional PCIe crypto cards, server-grade crypto blades, and complete $15,000+ dedicated crypto racks really helps put the power and value of my $20 little TPM part into better perspective. I think I sense a bit of dismissive disdain from experts about the merits of these tiny TPMs in the big bad scary world of real data security, lol, and I think that says a lot as well.

    Still, it's cheap and can't really hurt, yes? I might as well just keep pestering Asus until they cough a TPM part up from their inventory pits. I do actually like how the black PCB would match my mobo, lol, and it seems that TPM parts in this category are more or less interchangeable in how much (or how little) added security value they might provide.

    Encryption software obviously has a real-time performance hit, if you run crypto then there's just no way around it. Would adding a dedicated hardware TPM component have any significant impact, positive or negative, on crypto speed/load performance in practice? I gots some games which would run pretty sweet on my miner, too, lol.
    My mind says Technic, but my body says Duplo.

  6. #6 Konrad (Canada)

    Quote Originally Posted by x88x View Post
    Actually, I think you're just on the wrong side of a certain border...
    http://smile.amazon.com/Asus-Accesso.../dp/B0085E4WQQ
    I think I heartily agree, lol. If any of you American folks wanna volunteer to purchase/ship this part for me then please PM so we can arrange some way for me to pay you. *Hurry! Only 19 pieces left in stock!* (Well, no actual need to Hurry! - ignore the urging of Amazon's rampant consumer marketing hype - it seems like this niche item probably sells maybe 2 pieces per year, lol.)
    My mind says Technic, but my body says Duplo.

  7. #7 Airbozo (In the Redwoods)

    Quote Originally Posted by Konrad View Post
    Airbozo - "you can never remove [an activated TPM module] or the motherboard will not work" ?
    Does this mean the entire motherboard gets locked out and is rendered useless for normal unsecured operation, or just that the special security (and secured data) is impossible to recover without a replacement TPM?

    From my testing and information from others, if you set up a motherboard using TPM, you cannot at a later date disable the TPM and expect the motherboard to work. There are ways around this, but I think it involves removing a chip on the board and replacing it with a new one. This was a couple of years ago, so there may be another method. Still, the keys are lost, but the motherboard itself will be usable again. This was originally done so that if someone using a TPM had their system stolen, physically removing the TPM and disabling it in the BIOS would not allow access to the system and hence the data.

    Quote Originally Posted by Konrad View Post
    And yeah, my primary interest is to put a heftier hardware padlock onto my BitLocker (or whatever crypto), for litecoin vault and such stuff, keep it secret keep it safe lol. So long as I still have a way to recover encrypted offsite backups in the event my main unit is stolen/broken/etc (even if that means I must go purchase another - identical? - TPM and mobo combo). Keeping my trusty certs and secure https sessions and sundry password lists under lock seems to be a common add-on feature, not an unwelcome one, but I can as easily continue to do without the frilly bells & whistles.

    Quote Originally Posted by Konrad View Post
    Seeing those professional PCIe crypto cards, server-grade crypto blades, and complete $15,000+ dedicated crypto racks really helps put the power and value of my $20 little TPM part into better perspective. I think I sense a bit of dismissive disdain from experts about the merits of these tiny TPMs in the big bad scary world of real data security, lol, and I think that says a lot as well.

    LOL! I agree. That Luna PCIe card is NOT cheap, and in order to become a vendor, certain folks in the company had to have a pretty thorough background check. Nothing like I went through in the Navy, but still invasive just to sell the card to a customer. We almost just asked them to buy it themselves and we would integrate it into their systems.

    Quote Originally Posted by Konrad View Post
    Still, it's cheap and can't really hurt, yes? I might as well just keep pestering Asus until they cough a TPM part up from their inventory pits. I do actually like how the black PCB would match my mobo, lol, and it seems that TPM parts in this category are more or less interchangeable in how much (or how little) added security value they might provide.

    It cannot hurt and IMO is worth more than the $20 spent, just in peace of mind. I am looking into the same thing for my home server setup, but since I am running that server in a VM, I am out of luck right now unless I move the data to another, smaller server. We are an ASUS partner and if you like I can "nudge" them to see if we can get one for you.

    Quote Originally Posted by Konrad View Post
    Encryption software obviously has a real-time performance hit, if you run crypto then there's just no way around it. Would adding a dedicated hardware TPM component have any significant impact, positive or negative, on crypto speed/load performance in practice? I gots some games which would run pretty sweet on my miner, too, lol.

    This is why we went with the Luna PCIe card. It takes the load off the processors. If you are only using it for BitLocker and not a transactional database query application or other encryption applications with multiple users, you will probably not see a significant hit using just a TPM. For $20 it is worth trying out. Just make sure you have a plan to back out in case you don't like it.
    "...Dumb all over, A little ugly on the side... "...Frank Zappa...
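Post #1 asked whether a TPM-protected volume survives a new motherboard or a dead TPM, post #5 asked why a recovery password is still needed if the hardware is supposed to be the padlock, and post #7 describes the keys being lost once the TPM is gone. The toy model below is added here as an illustration of the mechanism behind all three; it is not code from the thread, not BitLocker's real on-disk format, and not the TPM 2.0 command set. The TPM derives its sealing key from a secret that never leaves the chip plus the PCR digest recorded by measured boot, so a sealed blob only opens on the same chip in the same boot state, while the recovery password is a second, independent wrapping of the same volume master key. The HMAC keystream stands in for AES, and the PBKDF2 parameters, seed and boot measurements are constructed values for the example.

```python
# Added example (not from the thread): toy model of TPM sealing for a
# BitLocker-style volume. Simplified on purpose: HMAC keystream instead of
# AES, a single PCR digest instead of a TPM policy session, constructed KDF salt.
import hashlib
import hmac
import os

H = hashlib.sha256
PCR_LEN = 32


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: PCR <- H(PCR || H(measurement)). PCRs only reset on reboot."""
    return H(pcr + H(measurement).digest()).digest()


def boot_measure(components) -> bytes:
    """Measured boot: each stage (firmware, boot manager, ...) extends the PCR in order."""
    pcr = bytes(PCR_LEN)
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr


def _keystream(key: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, ctr.to_bytes(4, "big"), H).digest()
        ctr += 1
    return out[:n]


def wrap(key: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream (toy stand-in for AES key wrap)."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
    return ct + hmac.new(key, ct, H).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, H).digest(), tag):
        raise PermissionError("wrong key: wrap tag does not verify")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


class ToyTPM:
    """The only secret that never leaves the chip is its storage-root seed."""

    def __init__(self, seed=None):
        self._seed = seed if seed is not None else os.urandom(32)

    def _sealing_key(self, pcr_digest: bytes) -> bytes:
        # Key depends on BOTH the chip secret and the PCR state at seal time.
        return hmac.new(self._seed, b"seal|" + pcr_digest, H).digest()

    def seal(self, secret: bytes, pcr_digest: bytes) -> bytes:
        # Blob = expected PCR (in clear) || wrap(secret). Useless without this chip.
        return pcr_digest + wrap(self._sealing_key(pcr_digest), secret)

    def unseal(self, blob: bytes, current_pcr: bytes) -> bytes:
        if not hmac.compare_digest(blob[:PCR_LEN], current_pcr):
            raise PermissionError("PCR mismatch: platform state differs from seal time")
        return unwrap(self._sealing_key(current_pcr), blob[PCR_LEN:])


def recovery_key(password: str) -> bytes:
    # Constructed KDF parameters for the example; real systems use a stronger setup.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"toy-salt", 100_000)


def protect_volume(tpm: ToyTPM, pcr: bytes, password: str) -> dict:
    """Two protectors for one volume master key (VMK); the data key sits under the VMK."""
    vmk, fvek = os.urandom(32), os.urandom(32)
    return {
        "fvek_under_vmk": wrap(vmk, fvek),
        "tpm_protector": tpm.seal(vmk, pcr),
        "recovery_protector": wrap(recovery_key(password), vmk),
    }


def unlock_with_tpm(tpm: ToyTPM, pcr: bytes, vol: dict) -> bytes:
    return unwrap(tpm.unseal(vol["tpm_protector"], pcr), vol["fvek_under_vmk"])


def unlock_with_recovery(vol: dict, password: str) -> bytes:
    vmk = unwrap(recovery_key(password), vol["recovery_protector"])
    return unwrap(vmk, vol["fvek_under_vmk"])


def scenarios(seed: bytes = b"\x01" * 32) -> dict:
    """Which unlock paths still work after the platform changes? Returns name -> bool."""
    tpm = ToyTPM(seed)
    pcr_ok = boot_measure([b"firmware 1.0", b"bootmgr"])
    vol = protect_volume(tpm, pcr_ok, "correct horse battery staple")
    fvek = unlock_with_recovery(vol, "correct horse battery staple")

    def tpm_path(chip, pcr):
        try:
            return unlock_with_tpm(chip, pcr, vol) == fvek
        except PermissionError:
            return False

    return {
        "same_tpm_same_boot": tpm_path(tpm, pcr_ok),
        "same_tpm_after_firmware_update": tpm_path(tpm, boot_measure([b"firmware 1.1", b"bootmgr"])),
        "new_board_new_tpm_same_boot": tpm_path(ToyTPM(), pcr_ok),
        "recovery_password_anywhere": unlock_with_recovery(vol, "correct horse battery staple") == fvek,
    }


if __name__ == "__main__":
    for name, ok in scenarios().items():
        print(f"{name:32s} {'unlocks' if ok else 'LOCKED OUT'}")
```

Run it and the four scenarios show the point: the TPM path works only on the original chip with unchanged firmware; a firmware update (different PCR digest) or a replacement board (different chip secret) locks that path out even though nothing about the disk changed, and only the recovery protector still unlocks. That is why the recovery password has to be kept somewhere other than the protected machine: it is the one protector that is not bound to the chip, and losing it means a dead TPM takes the data with it.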

  8. #8 Konrad (Canada)

    I will need to purchase two of these stupid things then. To install into two Asus mobos running at different sites, with each holding an encrypted backup of the other platform's keys. Hardly the most unbreakably professional data security plan in the grand scheme of super secure things, especially given the low crypto capabilities of these TPMs, but I think probably overkill enough to defeat amateur and casual intrusion attempts. A small price to pay for the peace of mind, especially if I store stuff at a co-lo or other offsite place where there's always a tiny risk of other people mucking around with my toys.

    My humble data and I are (hopefully!) not prominent, valuable, and interesting enough to warrant any serious cryptanalysis attention from powerful and threatening agencies anyhow. (Besides, if such powerful Illuminati-/MIB-style megaplayers really wanted to break my otherwise-unbreakable code, I'm sure they'd attack the weakest links - namely, my health and sanity and pain threshold - to get into it.)

    I don't seriously believe data encryption is good for long-term protection anyhow. I do believe it's basically "unbreakable" for short-term sensitive information, for server-leased access time-windows, for daily banking, for secure websessions and such stuff. Two reasons:

    1) My decades of experience with computers and data encryption (starting way back with ancient Z80/6502 machinery, stuff like 48K Apple II+ and C64) has been that professional encryption/security technology, the best available at any given time, is more than sufficient for the needs of a small business or single power user. At any given time over the last decades, even today, the argument goes something like this: "statistically, the most powerful supercomputer in the world would need longer than the entire lifespan of the universe to break this code, and even if the entire collective parallel computing resources of every civilization on our world were dedicated to this one task they would still take many aeons to crack the code". But the newer computing engines and cryptomath of next decade always demonstrate that last-decade's best crypto can be broken as a matter of routine. The best crypto from a few decades back is so trivial it can often be broken in seconds, much less time than it takes to write the decryption program itself. Any decent laptop these days can batter open longish passwords and hashes and CRCs and even once-unbreakable 64-bit public keys in half an afternoon. And that's just methodical brute-force, not even bothering to attempt any serious mathematical pattern analysis, logical deconstruction, and fancy-schmancy cryptoscience. Just systematically trying every possible combination of every key on the (rather large) key ring rather than bothering to look closely (if at all) at how the lock works, an unthinking task which gets faster every time unthinking computers get faster.
    (Progress + Innovation + Nerd Legion + Moore's Law) vs (Secure Encryption) = flawless victory.

    2) Any digital data can be copied, and any number of copies of copies can be made and stored indefinitely. I still have copies of data I typed on my ancient Apple II+ more than a quarter of century ago (albeit on very different storage media). I could have been running decrypt on it for a quarter century already. I could continue to run it for many more years. More importantly, I can use today's machinery to decrypt in minutes what was expected to take yesteryear's machinery many aeons. Indeed, I have decrypted old data migrated from old platforms many times over intervening years, never with runtimes exceeding a few days or weeks, and I am just a single half-uninformed dabbling amateur nerd. True, most of the stuff I've recovered has been somewhat banal and is of little interest outside of vintage computing technologies - but it could just as easily have been damning conspiracy secrets, corporate fortunes, plans for world conquest or whatnot, the sorts of data people would naturally expect need to be encrypted.

    True, I mention obsolete Apple II+ examples above, and much has changed in the world of data security since then. But just to emphasize my point: I could as easily have mentioned anything from WW2 German military encryption to phone company line encryption to DOS-era PKZip encryption to the latest public-key L3 AES-256. Where they each sit on the technological curve doesn't much matter in the long term, because it seems that it's only a matter of time before that technological curve renders them obsolete.
    My mind says Technic, but my body says Duplo.
