TCG addresses the rise in cybersecurity threats with critical new features to its TPM 2.0 specification

Cybersecurity is taking a huge stride forward, as the Trusted Computing Group (TCG) today released its TPM 2.0 Library specification Revision 1.59 – providing necessary updates to the previously published TPM specification to combat the growing sophistication of cybersecurity threats worldwide.

The challenges facing the cybersecurity industry are unprecedented, with technological advances creating a greater risk than ever before as newer threats evolve and emerge. The NotPetya malware attack in 2017 demonstrates how severe attacks can be: global logistics and shipping firm Maersk was critically affected, and worldwide damage to other organizations totaled US $10 billion. According to Gartner, global spending for protecting software and systems from attacks is forecast to reach US $133.7 billion in 2022, highlighting the need for new ways of tackling them.

The newest version of the TPM 2.0 specification is an essential tool that developers and manufacturers can utilize in their fight against cyberthreats to safeguard devices not just from conception of the product, but throughout their lifecycle. It provides enhancements for authorization mechanisms, extends the availability of the Trusted Platform Module (TPM) to new applications allowing for more platform specifications to be built, simplifies management, supports additional cryptographic algorithms and provides additional capabilities to improve the security of TPM services.

“With attacks becoming increasingly more complex in their nature and more devices getting connected, creating new vulnerabilities such as the possibility of everyday items like smart fridges becoming hacked, it is critical that the industry has an effective way of tackling them now and into the future,” said Rob Spiger, Vice President of Trusted Computing Group. “As technology advances, more personal data is being used and can be intercepted or accessed easily if devices are not suitably safeguarded. Our latest revision of the TPM 2.0 Library Specification gives system engineers and software developers a brand new way to ensure the longevity of a device by utilizing technologies of the TPM in the best way possible.”

One of the newest features is the Authenticated Countdown Timer (ACT), which provides a way of regaining control of a compromised machine: a TPM ACT is configured to restart the platform when it reaches zero. This is especially beneficial for remotely managed IoT devices with a TPM. If a cloud management service determines that the device is healthy, the cloud can cryptographically create a ticket that adds more time to the ACT, preventing healthy systems from being restarted. However, if the device is infected and will not obey instructions to start recovery, the ACT will eventually reach zero and force a restart, allowing boot firmware to kick in with recovery.
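The ticket-and-countdown flow described above can be modelled in a few lines. This is an added example, not TCG code and not the TPM command interface: `ActModel`, `issue_ticket` and the per-grant nonce are hypothetical names and design choices, and an HMAC over a constructed shared key stands in for whatever signature scheme a real deployment would use.

```python
import hashlib
import hmac
import os

CLOUD_KEY = os.urandom(32)  # constructed key, stands in for the cloud credential

def _tag(key, device_id, nonce, extend_s):
    body = device_id + nonce + extend_s.to_bytes(4, "big")
    return hmac.new(key, body, hashlib.sha256).digest()

def issue_ticket(key, device_id, nonce, healthy, extend_s):
    # Cloud side: only a device judged healthy gets more time.
    if not healthy:
        return None
    return extend_s, _tag(key, device_id, nonce, extend_s)

class ActModel:
    def __init__(self, key, device_id, start_s):
        self.key, self.device_id = key, device_id
        self.remaining = start_s
        self.nonce = os.urandom(16)  # fresh per grant, blocks replay
        self.restarts = 0

    def apply_ticket(self, ticket):
        if ticket is None:
            return False
        extend_s, tag = ticket
        expected = _tag(self.key, self.device_id, self.nonce, extend_s)
        if not hmac.compare_digest(tag, expected):
            return False  # forged, altered or replayed ticket
        self.remaining += extend_s
        self.nonce = os.urandom(16)  # the accepted ticket cannot be reused
        return True

    def tick(self, elapsed_s):
        # Advance time; reaching zero forces a restart into recovery.
        self.remaining = max(0, self.remaining - elapsed_s)
        self.restarts += self.remaining == 0
        return self.remaining == 0

def run_demo():
    dev = ActModel(CLOUD_KEY, b"device-01", start_s=60)
    ticket = issue_ticket(CLOUD_KEY, dev.device_id, dev.nonce, True, 60)
    accepted = dev.apply_ticket(ticket)   # healthy: 60 + 60 = 120 s
    replayed = dev.apply_ticket(ticket)   # same ticket again is rejected
    early = dev.tick(90)                  # 30 s left, no restart
    dev.apply_ticket(issue_ticket(CLOUD_KEY, dev.device_id, dev.nonce, False, 60))
    return accepted, replayed, early, dev.tick(30), dev.restarts
```

The point the model makes is that the restart does not depend on the device's cooperation: software on the device can drop or replay tickets, but it cannot mint a valid one, so withholding tickets is enough to force recovery.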

The latest specification also includes a new x509Certify command, which simplifies access to the TPM's cryptographic functions. It allows a TPM to use internal keys to make statements about other keys by signing X.509 certificates about them. This ensures secure communications with another party and is more familiar to people who are used to working with X.509 certificates rather than with TPMs.

In addition, an Attached Component API command facilitates the secure transfer of a TPM object to an externally attached device such as a Hardware Security Module (HSM) or self-encrypting device, providing more security. This allows TPM 2.0 authorization mechanisms to be combined with the performance of an HSM. Support for symmetric block cipher MACs and AES CMAC has also been added, aiding integration between TPMs and low-capability devices that use encryption.

“The release of this latest TPM 2.0 Library specification brings added security, enhancements and features that can be added to a whole range of devices with TPMs, strengthening systems against cyberattacks and securing businesses,” Spiger added. “We are looking forward to advancing our work further, as our TPM, Device Identifier Composition Engine (DICE) and other workgroups continue to develop standards which will continue to protect billions of systems worldwide as the expansion of IoT devices grows.”

Trusted Computing Group published its initial TPM 2.0 Library Specification as an International Standard in 2015, through the International Organization for Standardization. TCG will apply for the features in this latest revision to also achieve the same status as a global standard, by starting a new submission to ISO at the end of this year.

 

About TCG

TCG is a not-for-profit organization formed to develop, define and promote open, vendor-neutral, global industry specifications and standards, supportive of a hardware-based root of trust, for interoperable trusted computing platforms.  More information is available at the TCG website, www.trustedcomputinggroup.org. Follow TCG on Twitter and on LinkedIn. The organization offers a number of resources for developers and designers at develop.trustedcomputinggroup.org.

Twitter: @TrustedComputin

LinkedIn: https://www.linkedin.com/company/trusted-computing-group/


*** This is a Security Bloggers Network syndicated blog from Trusted Computing Group authored by TCG Admin. Read the original post at: https://trustedcomputinggroup.org/tcg-addresses-the-rise-in-cybersecurity-threats-with-critical-new-features-to-its-tpm-2-0-specification/