0 Replies Latest reply on Oct 4, 2007 7:06 PM by steven.sprague

    Leveraging the TPM on your vPro platform to secure all of your software certificates

    steven.sprague

      To All,

      I have been asked to provide some information on how one can leverage the TPM as part of vPro. I thought a great starting point would be to outline how the TPM can help harden any client software certificate on the PC. We have found that this generally works if the other parties have done their certificates in a standard way.

      First, why should anyone care? By using the TPM there are a number of benefits.

      1. The keys are protected by hardware.

      2. The password to release the use of a key is matched in hardware, which adds true strength to the key access control.

      3. If all of your apps were to leverage the TPM, you start to have centralized key management: by managing the TPM, you manage all of your keys. It's like centrally managing networking and having every app just use the connection.

      Please treat the following list as just enough to get the juices going. There are more detailed examples at www.wave.com under Solutions, and we are working on guides for all the major VPN providers. The TPM is a powerful tool; it is time to play with it.

      First, turn on your TPM. This is done in the BIOS.

      You must then load your TPM utility software. In the case of Wave this is called the Embassy Security Center and is shipped standard on a Dell platform.

      You must enable your TPM and then "Take Ownership". This is the password that is used to permission other functions, including generating keys. On centrally managed systems this is done by your admin.

      Now you are ready to have the TPM generate keys for a specific need. For example, fetch a VPN certificate using the Microsoft CA.

      The Microsoft CA needs to be told which CSP to use in order to leverage the TPM. This can be done by selecting Advanced and then selecting the Wave CSP. This will cause the key pair to be generated using the TPM. There are many other settings that will cause other actions, and I suggest messing with them to see what works best for you. For example, if you select strong key protection, then the TPM will require a password every time that key is used.

      Check your enterprise; you will be surprised to see how many TPMs you have.

      steven
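
The end-to-end procedure the post sketches (confirm the TPM is on and owned, point certificate enrollment at a TPM-backed provider, enable per-use key protection, then verify where the key actually landed, plus the closing "check your enterprise" inventory), as an added example that is not part of Steven's post or of Wave's tooling. It assumes a current Windows client with the in-box TrustedPlatformModule cmdlets and the Microsoft Platform Crypto Provider (the Windows TPM key storage provider) standing in for the Wave CSP of the original post; the CA name, template name, subject and host names are placeholders, and the enrollment step needs a reachable enterprise CA with a matching template.

```powershell
# Added example, not from the original post. Assumes Windows 10/11, the
# TrustedPlatformModule module and the Microsoft Platform Crypto Provider
# (substituting for the Wave CSP). CA, template, subject and host names are placeholders.
#Requires -RunAsAdministrator

# --- Step 1: TPM turned on in firmware, enabled and owned (the post's "Take Ownership") ---
$tpm = Get-Tpm
if (-not $tpm.TpmPresent) { throw "No TPM reported by firmware; enable it in BIOS/UEFI first." }
if (-not $tpm.TpmReady)   { throw "TPM present but not ready: TpmEnabled=$($tpm.TpmEnabled) TpmOwned=$($tpm.TpmOwned)" }

# --- Step 2: the TPM-backed provider must be registered, otherwise the key silently
#     ends up in a software provider and nothing below is hardware-protected ---
$provider = 'Microsoft Platform Crypto Provider'
if (-not (certutil -csplist | Select-String -SimpleMatch $provider)) {
    throw "$provider is not registered on this machine."
}

# --- Step 3: request a client-auth certificate whose key pair is generated inside the TPM.
#     KeyProtection = 1 makes the provider prompt for the key's PIN/password on every
#     private-key use (the post's "strong key protection"); 0 disables the prompt. ---
$inf = @"
[NewRequest]
; placeholder subject: hostname under a placeholder domain
Subject = "CN=$($env:COMPUTERNAME).example.local"
ProviderName = "$provider"
KeyAlgorithm = RSA
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = FALSE
Exportable = FALSE
KeyProtection = 1
RequestType = PKCS10
[EnhancedKeyUsageOID]
; Client Authentication, which is what a VPN client certificate needs
OID = 1.3.6.1.5.5.7.3.2
"@
$req = Join-Path $env:TEMP 'tpmreq'
Set-Content -Path "$req.inf" -Value $inf -Encoding ASCII
certreq -new "$req.inf" "$req.req"

# Submit to the enterprise CA and install the issued certificate against the TPM key.
# "ca01.example.local\Example-Issuing-CA" and template "VPNClient" are placeholders.
certreq -submit -config 'ca01.example.local\Example-Issuing-CA' `
    -attrib 'CertificateTemplate:VPNClient' "$req.req" "$req.cer"
certreq -accept "$req.cer"

# --- Step 4: verify the installed certificate's key really sits behind the TPM provider.
#     If "Provider =" names a software CSP/KSP, the template or CA overrode the choice. ---
certutil -user -store My | Select-String -Pattern 'Subject:|Provider ='

# --- "Check your enterprise": TPM inventory over WinRM (host names are placeholders) ---
$fleet = 'pc01', 'pc02'
Invoke-Command -ComputerName $fleet -ScriptBlock {
    Get-Tpm | Select-Object TpmPresent, TpmReady, ManufacturerIdTxt, ManufacturerVersion
} | Format-Table PSComputerName, TpmPresent, TpmReady, ManufacturerIdTxt, ManufacturerVersion
```

The verification step matters more than it looks: selecting a TPM provider in the request is a client-side preference, and the "Provider =" line in the store listing is the only cheap proof that the issued certificate's private key is actually non-exportable hardware-held material rather than a software key that happened to be enrolled through the same wizard.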