Muddled and confused about how to start using the TPM? At TCG’s recent RSA session, member MITRE explained the process for strong enterprise security requirements.

From MITRE’s demo: Before TPMs can be used in an enterprise for machine identification, remote state verification (attestation), or authentication, we must establish trust in the hardware; and, in particular, in the TPM’s Endorsement Key. (We call the establishing of initial trust, along with other necessary prerequisites for enterprise use of the TPM, “provisioning”.) Although ideally these keys would be created and certified by the TPM manufacturer, this is not the case today; and in some enterprise environments, trust in the manufacturer’s key handling is not necessarily a good assumption. In these cases, the enterprise must establish its own trust in each device it owns.

The best tools for provisioning TPMs today rely on software support, either local via the operating system, or remote via scripting. In either case, this means that we are establishing trust in our hardware by trusting the software; in both cases, a standard. While these approaches are highly time-efficient in deployed environments, they create a potentially significant security hole. In this demonstration, we show a prototype approach for high security TPM provisioning, discuss its advantages and disadvantages, and show its feasibility in enterprise settings when used in combination with existing enterprise processes.

Demonstration code is available by contacting Ariel Segall, .

For more background on the TPM, please see the video course from Ariel and the team at OpenSecurity Training. It’s available here: http://www.youtube.com/playlist?list=PLUFkSN0XLZ-kBgdLhorJD6BR66D5kGoUV&goback=.gmp_4555624.gde_4555624_member_204367637.