As a leading developer of software for the TPM I thought it would be valuable to outline a number of cool solutions that can be enhanced with the TPM. TPM 1.2 is a part of the vPro platform and can dramatically enhance the security of any corporate infrastructure. With tens of millions of devices already in the market the tpm technology is in a position to help.
As full disclosure Wave Systems Corp. Builds tools for both client and central management of TPMs. We supply Intel’s motherboard group with software that is bundled for free with their motherboards and has been for the last few years. We are also Dell’s supplier and Gateway’s supplier of TPM software. Finally we support Seagate’s hardware full disk encrypting drives and we demonstrated support for Intel’s new Danbury technology at last weeks IDF. Wave is on the board of the Trusted computing group and we broadly and actively contribute to the specifications and the community.
Let me start with a simple list of things one can do!
Did you know that your TPMs
Can support strong multifactor authentication to the Windows Domain
Can support Strong wireless networking using 802.1x (really 802.11i) for both machine authentication and/or user authentication
Can support 802.1x or IPSec for strong machine authentication (this is a very powerful addition for any NAC implementation including Cisco CNAC)
Can provide a common key management infrastructure for any application needing key services Allowing the enterprise to centralize their desktop key management. This works with Microsoft EFS, Third Party File and Folder encryption and other Signing applications
Can be used to harden integrity measurements in Nac solutions using Microsoft NAP or trusted computing group TNC specs
Can fully support Windows XP and Windows Vista Deployments
Can harden any MSCAPI compatible certificates
Ultimately all of this is done by Leveraging the TPM’s CSP (cryptographic Service Provider) This is how any application can talk to the TPM. The CSP is third party provided software and is supplied by Either Your OEM or a company like Wave and is typically free from the OEM.
Due to a variety of reasons the biggest first step is to turn the TPM on and take ownership. This is done in the BIOS. One the TPM is activated it will ask the user to take ownership and now the device is ready to be used. There are server products that enable central management of Ownership for the corporate customer. Every Enterprise should be turning on their TPMs and taking ownership.
To get a feel for this I have posted an implementation guide for a wireless hot spot on our web site at http://www.wave.com/solutions/Implementation_Guide.pdf this will provide a good flavor as to what needs to be done. If you build this type of bench lab it will give you a good idea of how TPMs could be broadly used.
To long a post but Perhaps a good starting point for discussion.
Wave Systems Corp.