WEBVTT

1
00:00:00.090 --> 00:00:01.050
<v Instructor>In this lesson,</v>

2
00:00:01.050 --> 00:00:04.530
we're going to talk about the Trusted Platform Module or TPM

3
00:00:04.530 --> 00:00:07.350
and the hardware security module or HSM

4
00:00:07.350 --> 00:00:09.750
that exists as part of your UEFI.

5
00:00:09.750 --> 00:00:11.310
But first, I want to introduce you

6
00:00:11.310 --> 00:00:14.790
to the hardware Root of Trust, known as the RoT.

7
00:00:14.790 --> 00:00:17.070
Now a hardware Root of Trust is the foundation

8
00:00:17.070 --> 00:00:20.850
on which all secure operations of a computing system depend.

9
00:00:20.850 --> 00:00:23.580
It contains the keys used for cryptographic functions

10
00:00:23.580 --> 00:00:26.100
and enables a secure boot process.

11
00:00:26.100 --> 00:00:27.540
This is inherently trusted

12
00:00:27.540 --> 00:00:30.600
and therefore it must be secure by design.

13
00:00:30.600 --> 00:00:32.100
Now a hardware Root of Trust

14
00:00:32.100 --> 00:00:35.550
is a cryptographic module embedded within a computer system

15
00:00:35.550 --> 00:00:37.470
that can endorse trusted execution

16
00:00:37.470 --> 00:00:40.380
and attest to the boot settings and metrics.

17
00:00:40.380 --> 00:00:42.570
This may sound like a complicated concept

18
00:00:42.570 --> 00:00:45.210
but you use a Root of Trust all the time.

19
00:00:45.210 --> 00:00:48.480
In fact, the TPM module inside your computer's UEFI

20
00:00:48.480 --> 00:00:50.760
is a hardware Root of Trust.

21
00:00:50.760 --> 00:00:53.100
Essentially, a Root of Trust is going to be used

22
00:00:53.100 --> 00:00:55.230
to scan the boot metrics of the system

23
00:00:55.230 --> 00:00:56.850
and the operating system files.

24
00:00:56.850 --> 00:00:57.960
And then the Root of Trust

25
00:00:57.960 --> 00:01:00.300
can send over a report to the processor

26
00:01:00.300 --> 00:01:03.000
that's digitally signed using the Root of Trust certificate

27
00:01:03.000 --> 00:01:05.340
to indicate that they can be trusted.

28
00:01:05.340 --> 00:01:07.410
Essentially, this hardware Root of Trust

29
00:01:07.410 --> 00:01:08.940
is a digital certificate,

30
00:01:08.940 --> 00:01:11.370
but it's embedded inside of your chip

31
00:01:11.370 --> 00:01:13.920
as part of the firmware on your system.

32
00:01:13.920 --> 00:01:16.680
Now the most commonly used hardware Root of Trust

33
00:01:16.680 --> 00:01:19.500
is the Trusted Platform Module or TPM

34
00:01:19.500 --> 00:01:21.570
that exists within your computer.

35
00:01:21.570 --> 00:01:24.570
The TPM is a specification for hardware-based storage

36
00:01:24.570 --> 00:01:27.660
of digital certificates, keys, password hashes,

37
00:01:27.660 --> 00:01:31.080
and other user and platform identification information.

38
00:01:31.080 --> 00:01:33.810
Each TPM microprocessor is hard-coded

39
00:01:33.810 --> 00:01:35.880
with a unique and unchangeable key

40
00:01:35.880 --> 00:01:39.180
that's referred to as the endorsement key or EK.

41
00:01:39.180 --> 00:01:42.120
Your system is going to use this TPM and its key

42
00:01:42.120 --> 00:01:45.420
to ensure the system firmware, boot loader, and OS kernel

43
00:01:45.420 --> 00:01:47.640
have not been tampered with or modified

44
00:01:47.640 --> 00:01:49.440
by using multiple different functions

45
00:01:49.440 --> 00:01:52.230
performed within the Trusted Platform Module.

46
00:01:52.230 --> 00:01:56.340
First, the TPM provides a secure method of input and output.

47
00:01:56.340 --> 00:01:59.430
Second, there is a cryptographic processor within it

48
00:01:59.430 --> 00:02:02.010
that provides a true random number generator.

49
00:02:02.010 --> 00:02:04.650
The TPM also has an RSA key generator,

50
00:02:04.650 --> 00:02:06.330
a SHA-1 hash generator,

51
00:02:06.330 --> 00:02:09.570
and both an encryption and decryption signature engine.

52
00:02:09.570 --> 00:02:10.950
In addition to all of that,

53
00:02:10.950 --> 00:02:13.320
the TPM also has a persistent memory

54
00:02:13.320 --> 00:02:16.170
that contains a digital key known as the endorsement key

55
00:02:16.170 --> 00:02:19.680
and a storage root key known as the SRK.

56
00:02:19.680 --> 00:02:22.320
Now the TPM also has a versatile memory

57
00:02:22.320 --> 00:02:24.150
that's located within it and this includes

58
00:02:24.150 --> 00:02:27.180
the Platform Configuration Registers or PCRs,

59
00:02:27.180 --> 00:02:30.090
the Attestation Identity Keys or AIKs

60
00:02:30.090 --> 00:02:31.620
and the storage keys.

61
00:02:31.620 --> 00:02:33.600
Now that is a lot of functionality

62
00:02:33.600 --> 00:02:35.880
within that one little TPM chip.

63
00:02:35.880 --> 00:02:38.310
So you're probably wondering, do I have to memorize

64
00:02:38.310 --> 00:02:40.710
all of these different things for the exam?

65
00:02:40.710 --> 00:02:43.410
Well the good news is no, you don't,

66
00:02:43.410 --> 00:02:45.390
but I wanted to introduce you to this concept

67
00:02:45.390 --> 00:02:47.610
because you're going to see it again and again

68
00:02:47.610 --> 00:02:51.540
as you continue upward in your IT and cybersecurity career.

69
00:02:51.540 --> 00:02:53.040
Instead, for the exam,

70
00:02:53.040 --> 00:02:54.720
I really just need you to remember

71
00:02:54.720 --> 00:02:57.390
that the Trusted Platform Module or TPM

72
00:02:57.390 --> 00:02:58.890
is a hardware Root of Trust

73
00:02:58.890 --> 00:03:00.480
and that it's part of your system.

74
00:03:00.480 --> 00:03:02.760
And it's going to allow you to have the ability to ensure that

75
00:03:02.760 --> 00:03:04.650
when your system is being booted up,

76
00:03:04.650 --> 00:03:06.180
it's being done securely,

77
00:03:06.180 --> 00:03:08.730
because this TPM is attesting to the fact

78
00:03:08.730 --> 00:03:11.700
that our UEFI has not been modified or tampered with

79
00:03:11.700 --> 00:03:14.730
and that TPM can also be used to provide encryption

80
00:03:14.730 --> 00:03:16.470
for your storage devices.

81
00:03:16.470 --> 00:03:19.500
Yes, this is yet another function of the TPM,

82
00:03:19.500 --> 00:03:21.480
because it can be used as the secret key

83
00:03:21.480 --> 00:03:24.240
in conjunction with the full-disk encryption on a system

84
00:03:24.240 --> 00:03:27.090
to protect the contents of your storage device.

85
00:03:27.090 --> 00:03:29.220
For example, if you're using BitLocker

86
00:03:29.220 --> 00:03:31.620
with full-disk encryption on a Windows system,

87
00:03:31.620 --> 00:03:34.470
it's actually using the key inside of your TPM

88
00:03:34.470 --> 00:03:36.480
to make sure the data on your storage device

89
00:03:36.480 --> 00:03:38.400
remains securely encrypted.

90
00:03:38.400 --> 00:03:40.560
The TPM can be enabled or disabled

91
00:03:40.560 --> 00:03:42.990
from within your UEFI configuration tool

92
00:03:42.990 --> 00:03:44.970
or you can manage it using tools

93
00:03:44.970 --> 00:03:46.230
within the operating system,

94
00:03:46.230 --> 00:03:48.660
if your operating system does support that.

95
00:03:48.660 --> 00:03:50.850
For example, the Windows operating system

96
00:03:50.850 --> 00:03:52.920
does allow you to manage the TPM

97
00:03:52.920 --> 00:03:56.970
using the tpm.msc console tool within Windows,

98
00:03:56.970 --> 00:03:59.610
or if you're using a Windows Server environment,

99
00:03:59.610 --> 00:04:02.490
you can modify it using the Group Policy Editor.

100
00:04:02.490 --> 00:04:03.810
Now for the exam,

101
00:04:03.810 --> 00:04:07.290
you do not need to know how to modify or configure the TPM,

102
00:04:07.290 --> 00:04:09.510
but in the real world, as a technician,

103
00:04:09.510 --> 00:04:12.510
you may be asked to work with the Trusted Platform Module.

104
00:04:12.510 --> 00:04:14.250
If you are, you can always look up

105
00:04:14.250 --> 00:04:16.890
the latest documentation at microsoft.com

106
00:04:16.890 --> 00:04:20.400
for how to modify and configure the TPM properly.

107
00:04:20.400 --> 00:04:22.140
Another form of hardware Root of Trust

108
00:04:22.140 --> 00:04:23.100
that we have to look at

109
00:04:23.100 --> 00:04:27.030
is known as the hardware security module or HSM.

110
00:04:27.030 --> 00:04:29.550
Now a hardware security module is an appliance

111
00:04:29.550 --> 00:04:31.920
for generating and storing cryptographic keys

112
00:04:31.920 --> 00:04:34.830
that is less susceptible to tampering and insider threats

113
00:04:34.830 --> 00:04:37.050
than using storage-based solutions.

114
00:04:37.050 --> 00:04:38.700
Now hardware security modules

115
00:04:38.700 --> 00:04:41.490
are used to protect our systems using encryption pass,

116
00:04:41.490 --> 00:04:42.870
because they are much more secure

117
00:04:42.870 --> 00:04:46.050
than using a traditional password or secret key.

118
00:04:46.050 --> 00:04:48.150
Instead, a hardware security module

119
00:04:48.150 --> 00:04:50.700
contains a trusted and protected digital key

120
00:04:50.700 --> 00:04:52.680
that can be used with an encryption device.

121
00:04:52.680 --> 00:04:53.820
There are many different ways

122
00:04:53.820 --> 00:04:55.680
to create hardware security modules,

123
00:04:55.680 --> 00:04:58.710
and they are produced in different form factors as well.

124
00:04:58.710 --> 00:05:00.570
For example, here on the screen,

125
00:05:00.570 --> 00:05:03.270
you can see the nCipher hardware security module

126
00:05:03.270 --> 00:05:05.400
and it has three different models here.

127
00:05:05.400 --> 00:05:07.170
There is one that is an internal card

128
00:05:07.170 --> 00:05:09.060
that can be put inside of your system,

129
00:05:09.060 --> 00:05:11.040
there is one that's a rack-mounted system,

130
00:05:11.040 --> 00:05:11.873
and then there's one,

131
00:05:11.873 --> 00:05:14.370
that's more of an Internet of Things type of solution.

132
00:05:14.370 --> 00:05:16.560
The real advantage of these types of systems

133
00:05:16.560 --> 00:05:17.760
is that they are automated,

134
00:05:17.760 --> 00:05:20.010
and that means that the keys cannot be compromised

135
00:05:20.010 --> 00:05:21.480
by human involvement.

136
00:05:21.480 --> 00:05:23.400
By removing the person from the equation,

137
00:05:23.400 --> 00:05:25.620
we can have better security for our systems

138
00:05:25.620 --> 00:05:27.630
and ensure they're more secure.

139
00:05:27.630 --> 00:05:29.790
Another form of hardware security module

140
00:05:29.790 --> 00:05:33.060
is a device that looks like a USB thumb drive or flash drive

141
00:05:33.060 --> 00:05:34.410
that can contain a digital key

142
00:05:34.410 --> 00:05:37.560
that's used to encrypt a hard drive or other storage device.

143
00:05:37.560 --> 00:05:39.870
Then, to decrypt and read that drive,

144
00:05:39.870 --> 00:05:42.570
you would need to insert the HSM into the system,

145
00:05:42.570 --> 00:05:44.760
have that digital key read and verified,

146
00:05:44.760 --> 00:05:47.610
and then the storage device could be decrypted.

147
00:05:47.610 --> 00:05:50.130
This was actually a very common way of encrypting hard drives

148
00:05:50.130 --> 00:05:52.950
before the Trusted Platform Module was commonly included

149
00:05:52.950 --> 00:05:54.633
as part of our modern computers.

