By Sven Gossel, charismathics
While smart cards are a widely accepted method of authenticating users to the secured environment of the enterprise, many people question the point of the Trusted Platform Module (TPM) built onto PC motherboards. Companies bought it with practically every computer in use today, but hardly make use of it. Originally designed for Digital Rights Management, TPM applications tend to be expensive and not always worth the investment, and handling them is quite difficult. But there are other ways to use the TPM – with software designed to enable other security features of the client operating system – and they save a lot of budget, too.
In a regular enterprise environment, users need to be authenticated when accessing the company's databases. A good 80% of the world's workforce may still use the good old username and password to do so. Confronted with ever more complex password policies, a culture of on-screen and below-keyboard Post-it stickers has taken hold. The other 20% have invested in more secure ways to process the user logon in the morning: mostly PKI smart cards, but also physical-access memory cards with some sophisticated software add-ins. Even one-time-password tokens seem to have their market. Although technically possible, and for some weird commercial reasons, the universally available Trusted Platform Module (TPM) isn't used for this at all.
At the same time, wireless networks are increasingly replacing LAN cables in standard office environments: cable infrastructure is expensive, whereas hotspots and repeaters are now common and power line adapters from the consumer market serve as a cheaper alternative. Not everybody knows, however, that with the latest Windows operating system versions, system administrators can configure those hotspots with the same security level typical of smart cards in their standard configuration. All recent WIFI firmware versions support so-called 802.1X authentication (see picture), even in the inexpensive hardware available at the electronics store around the corner. These access points can accept a certificate-based logon for all connecting computers – this way people could be empowered to leverage their smart cards in another way.
Alright – but why is this important? A smart card authenticates the user. A TPM, however, authenticates the machine. While such a WIFI feature seems a straightforward way to also secure your hotspots when you already have a smart card in your hands, we need to think about all those 80% of users who do not have a smart card or other tokens. What they most likely do have is an unused TPM sleeping without "ownership" on their computer motherboards. These mostly smaller enterprises fear the investment into a large-scale PKI smart card scheme – not to mention all the readers, USB sticks or new keyboards that would have to be bought. Hence, what if there is a way to make use of the TPM for exactly this market that does not own smart cards, and what does it take to invest in such a scheme?
A TPM in practice is nothing other than a smart card wired to your motherboard. It may store its credentials differently, it carries slightly different firmware, and its main purpose may still differ from what a smart card is designed for. You may argue that it only provides single-factor authentication, whereas a smart card is two-factor. Logically, however, the distinction between the two is the authentication of a piece of hardware versus the authentication of a specific user. And in a WIFI system, the first step is the authentication of the machine – the user logon is a separate logical step. Therefore, when authenticating against a WIFI hotspot, a TPM certificate is an even better way forward for increasing the security of such an infrastructure.
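As an added example (not part of the original column and not charismathics' software), the following PowerShell audit checks the three preconditions the text describes on a Windows client: a TPM that is present and owned, a machine certificate whose private key is held by the TPM and is usable for EAP-TLS client authentication, and saved Wi-Fi profiles that already have 802.1X enabled. It assumes Windows 8/Server 2012 or later, an elevated shell, and English `netsh` output for the profile parsing.

```powershell
# Added example: audit a Windows client for TPM-backed 802.1X machine authentication.
# Assumes Windows 8 / Server 2012 or later and an elevated PowerShell session.
Import-Module TrustedPlatformModule -ErrorAction Stop

# 1. TPM state. An unowned TPM (the "sleeping" module the article describes)
#    is not yet protecting any keys, so machine certificates cannot live in it.
$tpm = Get-Tpm
[pscustomobject]@{
    TpmPresent = $tpm.TpmPresent
    TpmReady   = $tpm.TpmReady
    TpmOwned   = $tpm.TpmOwned
} | Format-List

# 2. Machine certificates whose private key is held by the TPM (Microsoft Platform
#    Crypto Provider) and that carry the Client Authentication EKU required for EAP-TLS.
$clientAuthOid = '1.3.6.1.5.5.7.3.2'
$tpmProvider   = 'Microsoft Platform Crypto Provider'
Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey | ForEach-Object {
    $cert = $_
    $provider = 'unknown'
    try {
        # RSA keys only; ECC keys return $null here and are reported as 'unknown'.
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) { $provider = $rsa.Key.Provider.Provider }
    } catch { }
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasClientAuth = [bool]($eku.EnhancedKeyUsages | Where-Object Value -eq $clientAuthOid)
    [pscustomobject]@{
        Subject    = $cert.Subject
        NotAfter   = $cert.NotAfter
        TpmBacked  = ($provider -eq $tpmProvider)
        ClientAuth = $hasClientAuth
    }
} | Where-Object { $_.TpmBacked -and $_.ClientAuth } | Format-Table -AutoSize

# 3. Saved Wi-Fi profiles that already enforce 802.1X (text parsing assumes English netsh output).
netsh wlan show profiles | Select-String 'All User Profile' | ForEach-Object {
    $name   = ($_.Line -split ':', 2)[1].Trim()
    $detail = netsh wlan show profile name="$name"
    if ($detail -match '802\.1X\s*:\s*Enabled') { "802.1X enabled: $name" }
}
```

An empty table in step 2 on a machine whose TPM reports owned and ready is the gap the article is about: the TPM is there, but no machine certificate has been enrolled into it yet.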
Actually performing such a step has remained a burden. You needed TPM connector software that does more than just access your TPM to perform those operations. This software should also not interfere with existing standard applications written for TPM hardware, and it should be interoperable with the TPM Security Stack (TSS). Last, and ideally, it also needed to support other hardware-related applications and their authentication, e.g. hard disk encryption software, which is usually controlled in pre-boot environments.
Such software would show that the biggest of all markets is not the 100% scheme that enables everything at the same time – companies are all too different, and each has its own security requirements, size and budget. Software like this serves one of hundreds of niches that all need to be addressed if IT security is not to remain a privilege of bigger enterprises. And such solutions are available.
With the TPM connector to its Smart Security Interface, Charismathics now enables the millions of TPM machines in the field to wake from their sleep mode and enhance the security of IT systems without an immediate requirement to invest in smart cards and other hardware. WIFI hotspots can be secured appropriately, and LAN infrastructure can be made redundant. And – most of all – all those certificates can be handled by standard directory services; there is no need for TPM-specific applications for this. Enterprises are thus offered a migration path into a full PKI scheme, starting with a first step.
TPM vendors out there – say thank you.