HP-UX Trusted Computing Services A.02.00 Administrator's Guide

1 Trusted Computing Systems Overview
Technology Overview
HP-UX Trusted Computing Services (TCS) provides software support for the Trusted Platform
Module (TPM) chip on HP-UX Integrity servers. The TPM is a low-cost embedded security chip,
available on selected ZX2-based Integrity servers, that provides hardware-enforced key
management. TCS and the TPM provide additional protection for cryptographic keys by ensuring
that a given private key can be used only with the specific, unique TPM chip mounted on a system
board.
Built according to industry standards, the TPM provides secure key services by generating
and storing cryptographic keys within the chip. TCS provides application services and commands that allow
users to generate keys using the TPM and to manage these keys. Applications such as HP-UX
Secure Shell (SSH), HP-UX Encrypted Volumes and File Systems (EVFS), and Stunnel can acquire
TPM protection by using TCS to add their cryptographic keys to the TPM key hierarchy.
TCS includes the following elements:
A kernel driver for base communications with the TPM hardware.
An industry-standard Trusted Computing Group Software Stack (TSS) implementation
based on the open source TrouSerS product. TrouSerS was created and released by IBM.
More information on TSS is available at http://www.trustedcomputinggroup.org
A set of management utilities for initial setup and ongoing maintenance of the TPM, including
operations such as key backup and restoration.
Utilities for on-demand encryption and decryption of user-specified files and directories.
A utility for generating RSA key pairs with private key components that are secured by the
TPM.
The TPM OpenSSL engine, a binary executable that enables OpenSSL applications to use
private keys secured by the TPM. This executable is dynamically loadable using the OpenSSL
engine mechanism.
A module for EVFS that allows the secure storage of EVFS private keys using the TPM.
The TPM serves as an independent processing unit with nonvolatile memory that stores sensitive
information. It contains functions for asymmetric encryption and signing (PKI), cryptographic
key generation, random number generation, and hashing. The TPM, in combination with firmware,
loader, and kernel modifications, builds a chain of protection that can extend across the network.
Figure 1-1 (page 11) shows components of a TPM.
Figure 1-1 Trusted Platform Module (TPM) [figure: components shown are random number generator, nonvolatile memory, I/O, processor, memory, hash, HMAC, asymmetric key generation, signing and encryption, clock/timer, and power detection]
Technology Overview 11