The primary scope of TPM is to assure the integrity of a platform. In this context, "integrity" means "behave as intended". ~Wiki

I'm learning more about how the TPM provides integrity, covering aspects such as root of trust, chain of trust, PCR measurements, and remote attestation.

On the other hand, a cloud provider needs to enforce strict security policies, requiring additional trust in the clients. To improve the mutual trust between consumer and cloud provider, how does the TPM relate and apply to security in the cloud?

1 Answer

You've kind of answered your own question. TPM applies to security in the cloud by providing additional trust in the client. As to how this additional trust is provided, part of that answer is in your question as well, as remote attestation is one way of doing that. Multi-level authentication is another. TPM is meant to be used to ensure platform integrity for both hardware and software. There are more, but most importantly, TPM provides secure, hardware-based storage of encryption and signing keys.

mnistic
  • Thanks for your answer. But what I can't understand is, as a client in a public cloud, how am I supposed to make sure that data isn't tampered with just because my platform has a TPM? Also, is it the client who is supposed to have the TPM in his platform, or the infrastructure of the cloud, or both? –  May 23 '18 at 00:12
  • This is what remote attestation is for. First you ensure platform integrity by measuring hardware, software and data and extending the appropriate PCRs, and then you attest to it. Using the TPM adds to security because you know that the attestation key is hardware protected, so it couldn't have been compromised by software means. This is assuming that the TPM is on the client side as it's the cloud that seeks additional trust, but it could be on both sides. Good info on attestation: https://seclab.stanford.edu/pcl/cs259/projects/cs259_final_lavina_jayesh/CS259_report_lavina_jayesh.pdf – mnistic May 23 '18 at 01:29
  • Good info on TPM use cases: https://trustedcomputinggroup.org/wp-content/uploads/TCG-Mobile-Trusted-Module-2-0-Use-Cases-v1-0.pdf Not exactly cloud, but related and you may find it useful. – mnistic May 23 '18 at 01:31
  • That was really helpful, thanks a lot mate. One last question: in "measuring hardware, software and data and extending the appropriate PCRs", what do we really mean by hardware and software (every piece of hardware/software running on the platform, literally)? And can we say that a client without a TPM interacting with a public cloud is less secure? –  May 23 '18 at 07:17
  • No, typically just the stuff critical to the application. What exactly is measured depends on specific requirements, but usually you want to make sure that none of the hardware, drivers and other OS critical stuff has been tampered with. Reading through the use cases should give you more ideas. Yes it is generally accepted that hardware based protection is more secure than software based. – mnistic May 23 '18 at 10:52
  • Appreciate your answers, mate. Final thing: got any documents to read for understanding the TPM and TTP aspect? –  May 23 '18 at 23:22
  • Yes I've already linked to them in other comments :) The only real book on the subject I know of is `A Practical Guide to TPM 2.0` – mnistic May 24 '18 at 11:05
  • I have got that book, mate, plus the links you shared earlier; it was helpful. Now I kind of want to understand what the TTP (trusted third party) does with the TPM work, and what a certification is. Thanks. –  May 24 '18 at 13:27
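
The measure, extend and attest flow described in the comments above, as an added example that is not part of the original thread. It is a software model only: the HMAC key stands in for the TPM's hardware-protected asymmetric attestation key, and the component names, sample blobs and function names are constructed for illustration.

```python
import hashlib, hmac, os

def extend(pcr, measurement):
    # PCR extend: new = H(old || H(measurement)). A PCR can only be extended,
    # never set, so the final value depends on every measurement and its order.
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def replay(event_log):
    # Recompute the PCR from its reset value (all zeros) over the ordered log.
    pcr = bytes(32)
    for _name, blob in event_log:
        pcr = extend(pcr, blob)
    return pcr

def quote(key, pcr, nonce):
    # ASSUMPTION: HMAC stand-in for a TPM quote. A real TPM signs the PCR value
    # and the verifier's nonce with an attestation key that never leaves the chip.
    return hmac.new(key, nonce + pcr, hashlib.sha256).digest()

def verify(key, nonce, reported_pcr, signature, event_log, known_good):
    # Verifier (e.g. the cloud side): signature and freshness first, then that
    # the log explains the quoted PCR, then that every entry is a known-good digest.
    if not hmac.compare_digest(quote(key, reported_pcr, nonce), signature):
        return "bad-signature"
    if replay(event_log) != reported_pcr:
        return "log-mismatch"
    for name, blob in event_log:
        if known_good.get(name) != hashlib.sha256(blob).hexdigest():
            return "untrusted:" + name
    return "trusted"

# Constructed sample data: a three-stage boot chain and its reference digests.
KEY = os.urandom(32)
GOOD_LOG = [("firmware", b"fw-v1"), ("bootloader", b"bl-v1"), ("kernel", b"kernel-v1")]
KNOWN_GOOD = {n: hashlib.sha256(b).hexdigest() for n, b in GOOD_LOG}

def demo():
    nonce = os.urandom(16)
    pcr = replay(GOOD_LOG)
    sig = quote(KEY, pcr, nonce)
    clean = verify(KEY, nonce, pcr, sig, GOOD_LOG, KNOWN_GOOD)
    bad_log = GOOD_LOG[:2] + [("kernel", b"kernel-modified")]
    bad_pcr = replay(bad_log)
    bad_sig = quote(KEY, bad_pcr, nonce)
    tampered = verify(KEY, nonce, bad_pcr, bad_sig, bad_log, KNOWN_GOOD)
    lied = verify(KEY, nonce, bad_pcr, bad_sig, GOOD_LOG, KNOWN_GOOD)    # clean log, wrong PCR
    stale = verify(KEY, os.urandom(16), pcr, sig, GOOD_LOG, KNOWN_GOOD)  # old quote, new nonce
    return clean, tampered, lied, stale
```

The verifier rejects a modified component, a clean-looking log that does not match the quoted PCR, and a quote replayed against a fresh nonce.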