Media Room - FAQs

What is TCG’s position on the reported TPM hack at the Black Hat Conference in January 2010?

TPMs are designed to resist software attacks and some hardware attacks, not those that require detailed expertise, highly sophisticated equipment, and long periods of time.

What was the philosophy behind the design of the TPM specification?

The TPM specification and strategy were, and still are, intended to deliver a security product that could be manufactured and deployed at very high volume and provide a high commercial grade of protection. The actual level of protection necessary to defend against hardware attacks is a continual race between manufacturers and attackers, and will evolve over time.

Is this Black Hat Conference hack applicable to all TPMs as a widespread hack?

No, the single successful attack compromises only the data protected by a single TPM, not all TPMs (or all Infineon TPMs).

What is TCG’s position in regards to the comments about Infineon’s TPM?

Only Infineon can respond to questions about their design implementations of security protection.

What is the Trusted Computing Group (TCG)?

The Trusted Computing Group was formed in 2003 to develop and support open industry specifications for trusted computing across multiple platform types. To enable open specification development, the group is incorporated, has a patent policy and provides industry advocacy programs, including marketing programs. Information on how to join the TCG can be found at www.trustedcomputinggroup.org/join_now/.

TCG has approximately 100 members from across computing, including component vendors, software developers, systems vendors and network and infrastructure companies. A complete list is online at www.trustedcomputinggroup.org/members.

What is the organizational structure of TCG?

TCG is an incorporated organization. Membership is open to a wide range of organizations and TCG invites active member participation. The organization has a majority rule structure to facilitate progress. The group provides for marketing programs, democratic organizational management and independent advocacy. Finally, the organization provides a reasonable and non-discriminatory (RAND) patent licensing policy. These terms typically streamline adoption of industry standards.

How do I join TCG? What are the dues for each type of membership?

Potential members can obtain a TCG Membership Agreement and related documents by completing the online request form here, www.trustedcomputinggroup.org/join_now/request_membership_information.

The web site contains additional information on the dues structure and membership benefits for each membership type at www.trustedcomputinggroup.org/join_now/.

What is available from TCG?

The organization has developed specifications for the Trusted Platform Module (TPM) used in PCs and other systems; a software interface specification to enable application development for systems using the TPM; a Trusted Server specification; the Trusted Network Connect architecture to enable protection of the network; and a specification for the Mobile Trusted Module for mobile phone security. Another work group is preparing a specification to address storage security.

What has the TCG done to preserve privacy?

TCG believes that privacy is a necessary element of a trusted system. The system owner has ultimate control and permissions over private information and must "opt-in" to utilize the TCG subsystem. Integrity metrics can be reported by the TCG subsystem, but the specification will not restrict the choice and options of the owner, preserving openness and the owner's ability to choose.

The TCG specifications support privacy principles in a number of ways:

  1. The owner controls personalization.
  2. The owner controls the trust relationship.
  3. The system provides private object storage and digital signature capability.
  4. Private personalization information is never exposed.
  5. Owner keys are encrypted prior to transmission.

It is also important to know what the solutions are not:

  1. They are not global identifiers.
  2. They are not personalized before user interaction.
  3. They are not fixed functions; they can be disabled permanently.
  4. They are not controlled by others (only the owner controls them).

How does a TCG-enabled system protect against malicious and unknown use of its functions by an unauthorized user?

The TPM capabilities that deal with sensitive or private information require the presentation of authorization data. Authorization data adds a layer of protection to sensitive or private information.

Was TCG formed to specify Digital Rights Management (DRM) technologies?

TCG specifications do not provide all the necessary technical elements required for DRM. It is conceivable that developers could build their own DRM solutions that would operate on systems with Trusted Platform Modules, but TCG specifications alone are not DRM solutions. Furthermore, TCG Best Practices require that deployments support established principles and practices of data ownership: "While respecting a data owner's rights, protection sought by a content owner must not be allowed to constrain the modality of the user's interaction with the data."

What applications and services will benefit from systems with TPMs?

Systems with TPMs offer improved, hardware-based security in numerous applications, such as file and folder encryption, local password management, S/MIME e-mail, VPN and PKI authentication, and wireless authentication for 802.1x and LEAP.

Are systems with TPMs available?

Desktop, notebook and tablet PCs with TPMs are available from Dell, Fujitsu, Gateway, HP, Intel, Lenovo, Toshiba and others - virtually all enterprise systems now include the TPM. Trusted servers also have started shipping.

How do TPMs compare with smart cards or biometrics?

Smart cards and biometrics are complementary to the TPM, which is considered a fixed token that can be used to enhance user authentication, data, communications, and/or platform security. A smart card is a portable token traditionally used to provide more secure authentication for a specific user across multiple systems, while biometrics provide that functionality in an increasing number of systems. Both technologies can have a role in the design of more secure computing environments.

Is TCG creating specifications for just one operating system or type of platform?

No. Specifications are operating system-agnostic. Several members have Linux-based software stacks available. In addition to our work on the PC platform, we have specifications for Trusted Servers and mobile devices and are working to finalize specifications for other computing devices, including storage and infrastructure.

How does Microsoft’s BitLocker technology relate to the TPM and to the efforts of TCG?

Microsoft BitLocker™ Drive Encryption is designed to make use of a Trusted Platform Module (TPM) 1.2 and the associated PC Client Specifications developed by TCG to protect critical system files and user data and to help ensure that a computer running Windows Vista has not been tampered with while the system was offline.

Why is Trusted Network Connect necessary?

The TNC architecture has been designed to assist network administrators in protecting networks by allowing them to audit endpoint configurations and impose enterprise security policies before network connectivity is established. This can help prevent inappropriate and unauthorized access that can result in viruses and email worms, Trojan horses, denial of service attacks, and other malicious activities.

What is the scope of the TNC specification?

First, the specification focuses on the collection of endpoint configuration data in conjunction with user authentication information, for comparison with a pre-defined set of organization criteria for access to the protected network. This creates a "security" or "safe computing" profile for a system. Second, the specification addresses providing an appropriate level of network access based on the detected level of policy compliance, including full access, partial access or directed access, or no access.

What Trusted Network Connect specifications are available?

In 2006, the TNC made available three new specifications. These specifications are:
  • IF-TNCCS, which specifies interoperability between the TNC Client (TNCC) and the TNC Server (TNCS);
  • IF-T for Tunneled EAP Methods, which is the specification for support of various transports; and,
  • IF-PEP for RADIUS, specifying a standard integration with Policy Enforcement Points (PEP).

These specifications are in addition to the existing TNC specifications - IF-IMC and IF-IMV, which provide standardized APIs for client plug-ins (IMCs) and server plug-ins (IMVs) to enable TNC functionality; and the TNC architecture specification - which were all published in May 2005. All TNC specifications are available free to anyone who wishes to download them from the TCG website, www.trustedcomputinggroup.org.

These specifications are intended to be used in the following manner:

  • IF-TNCCS describes a standard method for the TNC Client (TNCC) and the TNC Server (TNCS) to exchange messages. Since the TNC architecture is layered, IF-TNCCS carries messages from IMCs to IMVs and vice versa. It also carries control messages between the TNCC and TNCS. IF-TNCCS is transport-independent, so it can be carried over a variety of transports.
  • IF-T for Tunneled EAP Methods specifies how IF-TNCCS should be carried over Extensible Authentication Protocol (EAP) tunneled methods such as EAP-TTLS, EAP-FAST, and EAP-PEAP. Supporting these EAP methods allows the TNC architecture to work with a variety of network technologies that support EAP authentication: 802.1x, IKEv2, etc.
  • IF-PEP for RADIUS specifies how to use the RADIUS protocol for communications between a Network Access Authority (NAA) - typically an AAA/RADIUS server - and a Policy Enforcement Point (PEP). IF-PEP is used to send network access decisions from the NAA to the PEP, enabling the PEP to enforce the access decisions on an endpoint's network traffic. The network access decision will trigger enforcement action by the PEP, such as allowing access, denying access, or granting limited access.

In February 2007, the TCG announced the release of updates to four existing specifications. The new specification names are IF-IMC 1.2, IF-IMV 1.2, IF-TNCCS 1.1, and IF-PEP for RADIUS 1.1. These updated specifications provide valuable enhancements to the original versions, adding features requested by customers and incorporating fixes in response to feedback from implementers.

What features do TNC specifications provide?

The following new features are provided:
  • Java Platform Binding to IF-IMC (integrity measurement collector) and IF-IMV (integrity measurement verifier)
  • Support allowing each IMV to give a human-readable, localized reason string explaining its recommendation (in IF-IMV and IF-TNCCS)
  • Support for VLAN-aware endpoints (in IF-PEP, the policy enforcement point interface)

The main benefits of these features are:

  • TNC client software can be deployed more quickly and easily since it can be dynamically downloaded over the network as Java code.
  • TNC client and server software can be developed to run on any system that supports Java 2 Standard Edition version 1.4.2 or later.
  • In case of problems, messages can be presented in the user's native language.
  • Endpoints can employ multiple VLANs for applications like telephony.
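The decision flow described in the TNC scope and IF-PEP answers above (combine the IMVs' verdicts, then hand the PEP a full, limited or no-access decision with a VLAN and a reason string) as a small model. This is an added example, not TCG code and not the IF-IMV/IF-PEP API; the class names, the recommendation levels and the VLAN numbers are assumptions for illustration.

```python
"""Simplified model of a TNC Server turning IMV results into a PEP decision.
Added example: names and levels are assumed, not the TNC specifications' API."""
from dataclasses import dataclass
from enum import Enum


class Recommendation(Enum):
    """Assumed IMV verdicts, mirroring the FAQ's full/partial/no access levels."""
    ALLOW = "allow"
    ISOLATE = "isolate"        # partial or directed access (remediation network)
    NO_ACCESS = "no_access"


@dataclass
class IMVResult:
    imv_name: str
    recommendation: Recommendation
    reason: str                # human-readable, localized reason string


@dataclass
class AccessDecision:
    action: str                # "allow", "limited" or "deny" for the PEP
    vlan: int                  # VLAN the PEP should place the endpoint in
    reasons: list              # reason strings forwarded to the user


# Constructed policy values; the VLAN ids are placeholders for this example.
PRODUCTION_VLAN = 100
REMEDIATION_VLAN = 200
SEVERITY = {Recommendation.ALLOW: 0, Recommendation.ISOLATE: 1,
            Recommendation.NO_ACCESS: 2}


def decide(results, user_authenticated):
    """Worst IMV verdict wins; failed user authentication denies regardless
    of endpoint health, and an endpoint reporting nothing is not trusted."""
    if not user_authenticated:
        return AccessDecision("deny", 0, ["user authentication failed"])
    if not results:
        return AccessDecision("deny", 0, ["no integrity measurements received"])
    worst = max(SEVERITY[r.recommendation] for r in results)
    reasons = [f"{r.imv_name}: {r.reason}" for r in results
               if r.recommendation is not Recommendation.ALLOW]
    if worst == SEVERITY[Recommendation.ALLOW]:
        return AccessDecision("allow", PRODUCTION_VLAN, [])
    if worst == SEVERITY[Recommendation.ISOLATE]:
        return AccessDecision("limited", REMEDIATION_VLAN, reasons)
    return AccessDecision("deny", 0, reasons)


# Constructed samples: a compliant endpoint and one with stale AV signatures.
HEALTHY = [IMVResult("av-imv", Recommendation.ALLOW, "signatures current"),
           IMVResult("patch-imv", Recommendation.ALLOW, "all patches applied")]
STALE_AV = [IMVResult("av-imv", Recommendation.ISOLATE, "signatures 30 days old"),
            IMVResult("patch-imv", Recommendation.ALLOW, "all patches applied")]
```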
