The Trusted Computing Group (TCG), founded in 2003 by major technology companies to secure computers’ cryptographic keys, announced plans on 13 June to develop the “world’s tiniest Trusted Platform Module (TPM)” for Internet of Things (IoT) devices.
Put most simply, a TPM is a tamper-resistant piece of cryptographic hardware – or security coprocessor – built onto the system board of a computer that implements primitive cryptographic functions on which more complex features can be built.
Among other functions, it can perform public key cryptographic operations and compute hash functions, manage and generate security keys, securely store those keys and other secret data, and generate random numbers.
TPMs are frequently left out of IoT products due to size, budget or space constraints, which is what TCG is hoping to address with this initiative by developing a TPM small enough to be “integrated directly within the host chip,” eliminating space concerns for developers who still want to incorporate the additional security provided by a TPM.
Many manufacturers still want to build devices that include Roots of Trust for Measurement (RTM), Storage (RTS) and Reporting (RTR) so that these devices can work securely within the TCG Measurement and Attestation framework.
Attestation is a mechanism for software to prove its identity, and prove to a remote party that its operating system and application software are intact and trustworthy. The verifier trusts that the attestation data is accurate because it is signed by a TPM whose key is certified by a trusted Certification Authority.
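The measurement-and-attestation flow described above, as an added Python example that is not TCG or MARS code: the device folds component hashes into a register with a TPM-style extend operation, signs the result, and a verifier replays the log. HMAC stands in for the TPM's CA-certified asymmetric signature so the example stays in the standard library; all names, keys and component strings are constructed.

```python
import hashlib
import hmac

def extend(register: bytes, measurement: bytes) -> bytes:
    """Measurement/storage step: fold a digest into the register (TPM-style extend)."""
    return hashlib.sha256(register + measurement).digest()

def measure_boot(components):
    """Device side: hash each component in load order; return final register and event log."""
    register, log = bytes(32), []
    for blob in components:
        digest = hashlib.sha256(blob).digest()
        log.append(digest)
        register = extend(register, digest)
    return register, log

def quote(key: bytes, register: bytes, nonce: bytes) -> bytes:
    """Reporting step: sign the verifier's nonce plus the register.
    Assumption: HMAC replaces the TPM's certified asymmetric signature."""
    return hmac.new(key, nonce + register, hashlib.sha256).digest()

def verify(key, nonce, register, log, sig, known_good) -> str:
    """Verifier side: check the signature, replay the log, then vet every digest."""
    if not hmac.compare_digest(quote(key, register, nonce), sig):
        return "bad-signature"      # forged quote, or a replay with a stale nonce
    replayed = bytes(32)
    for digest in log:
        replayed = extend(replayed, digest)
    if not hmac.compare_digest(replayed, register):
        return "log-mismatch"       # the log does not explain the signed register
    if any(d not in known_good for d in log):
        return "unknown-component"  # honest log, but a component is not allow-listed
    return "trusted"

# Constructed sample data for the demonstration.
KEY = b"constructed-device-key"
NONCE = b"constructed-nonce-01"
GOOD = [b"bootloader v1", b"kernel v1", b"app v1"]
KNOWN_GOOD = {hashlib.sha256(b).digest() for b in GOOD}

def attest(components, nonce=NONCE):
    """Device produces (register, event log, signed quote) for the verifier."""
    register, log = measure_boot(components)
    return register, log, quote(KEY, register, nonce)

if __name__ == "__main__":
    print(verify(KEY, NONCE, *attest(GOOD), KNOWN_GOOD))
```

Because the register can only be extended, never set, a device that booted modified software cannot present a clean log without the replay failing against the signed value.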
TCG said it had formed a new Measurement and Attestation RootS (MARS) Subgroup to “develop specifications that will enable manufacturers to build compliant chips with very little overhead for them and their customers”.
The company exhibited the first prototype for such a TPM – known as “Radicle” – during the inaugural session of the MARS subgroup at the TCG members’ meeting held this year in Warsaw, Poland, in June.
In a statement, TCG said that the team had also “agreed on the scope of its work, which will focus on the hardware requirements necessary to control and operate the primitives supporting the RTS and RTR, and the software API to access them”.
“As we put greater trust in things like autonomous cars, smart homes and healthcare sensors, and connect them to the Internet, we need to take steps to make sure connected devices are ubiquitously secure to protect them from data breaches and hackers,” Dr Joerg Borchert, President of TCG, said in a statement.
“As an international standard, TCG’s TPM is widely deployed and a proven solution,” he added. “This makes our technologies ideally suited to deliver on the new security needs emerging as we move towards a world where everything is connected. The work undertaken at our latest members’ meeting will ultimately deliver the specifications needed to achieve this.”
“In a nutshell, we want to specify what the tiniest TPM needs to be so it can be integrated directly within the host chip,” Tom Brostrom, Chair of the MARS subgroup, said. “This will ensure that devices that aren’t big enough to integrate a separate TPM will still be able to retain the required RTS/RTR capabilities.
“In turn, this will allow greater reach of trusted computing technologies over a wider set of devices and use cases,” he concluded.