The security of computers and computer transactions is important. Data stored on computers may have high value. The data may include trade secrets and other confidential business data, or personal information such as social security numbers and credit card numbers. In addition, computers are increasingly used for electronic business transactions. To improve computer security, the Trusted Computing Group (TCG), a not-for-profit industry-standards organization formed with the aim of enhancing the security of the computing environment across disparate computer platforms, has developed and adopted specifications for more secure computing platforms.
TCG specifications define trusted computer platforms, computer platforms that behave in an expected manner for a specific purpose. A trusted platform may provide data security functions such as data encryption and decryption and protected data storage. A key component of a trusted platform is the trusted platform module (TPM), a module which may perform cryptographic hashing to detect loss of integrity, public-key and secret-key encryption to prevent unauthorized disclosure of data, and digital signing to authenticate transmitted information. The TCG Protected Storage mechanisms, which may be rooted in hardware, may be used to protect keys, secrets and hash values.
A trusted platform may also demonstrate that it operates in a known-good configuration when it has access to confidential data, by measuring the configuration and sealing the data to that configuration. TCG specifications provide for measuring the components of a computer platform and for storing the results of the measurements. The measurements of a configuration may be hashed and extended into Platform Configuration Registers (PCRs), so that each register holds a running digest of the measurements recorded in it. A trusted platform may allow access to data only under a particular configuration of the trusted platform. The TPM seal operation may encrypt data to a specific set of PCR values, to an authorization value, or to both. To unseal the data, and thereby gain access to it, the authorization must be presented and the current values of the selected PCRs must match the set of values used in the seal operation. Similarly, a signing key may be locked to a set of PCR values during key generation within the TPM.
Changes in a platform configuration may limit the availability of sealed data or PCR-locked keys. To gain access to sealed data under a modified configuration, the data may first have to be accessed under the original configuration and resealed to the modified configuration. Gaining access to the data may prove difficult when the data is distributed over multiple computer platforms. Generally, keys locked to a particular platform configuration may not be made available in other configurations. Generating a new signing key would require sending out public notice revoking the original signing key. The revocation process is very cumbersome. Some users of the signing key may not receive the notice. The list of recipients of data signed by the key may not be current. In addition, there may be a delay until the new signing key is available for use, because recipients may not frequently update their lists of trusted signing keys.
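The following is an added illustration of the PCR extend, seal and unseal mechanics described in the two preceding paragraphs; it is not code from the TCG specifications or from any TPM implementation. It models a TPM 1.2-style PCR bank (SHA-1, 24 registers) in plain Python, stands in for the storage root key with a symmetric secret, and uses a constructed encrypt-then-MAC blob format in place of the TPM's RSA-wrapped sealed blob. The boot chains, PCR assignments, component names and authorization value are all constructed for the demo. It shows that data sealed under one configuration cannot be unsealed after a kernel update changes a PCR, and that the migration path in the text (unseal under the original configuration, reseal to the new configuration's predicted composite, which TPM_Seal allows via a digest-at-release value) does work.

```python
"""Toy model of TPM 1.2 PCR extend, seal and unseal (stdlib only).
Added illustration, not TCG specification code: the storage root key (SRK) is a
symmetric secret and the sealed blob is encrypt-then-MAC over an HMAC counter-mode
stream derived from it; a real TPM wraps the blob under the SRK's RSA key."""
import hashlib
import hmac
import os
import struct

DIGEST = hashlib.sha1   # TPM 1.2 PCRs are 20-byte SHA-1 registers
PCR_COUNT = 24
NONCE_LEN, TAG_LEN = 16, 32


class Tpm:
    """Simulated TPM: a PCR bank plus a device-bound storage root key."""

    def __init__(self, srk=None):
        self.pcrs = [b"\x00" * 20 for _ in range(PCR_COUNT)]   # power-on reset value
        self.srk = srk if srk is not None else os.urandom(32)  # never leaves the chip

    def extend(self, index, measurement):
        """PCR[i] = SHA1(PCR[i] || SHA1(measurement)): chains forward, never rewinds."""
        self.pcrs[index] = DIGEST(self.pcrs[index] + DIGEST(measurement).digest()).digest()
        return self.pcrs[index]

    def composite(self, selection):
        """Digest over the selected PCRs (constructed stand-in for a TPM_PCR_COMPOSITE hash)."""
        h = DIGEST()
        for i in sorted(selection):
            h.update(struct.pack(">B", i) + self.pcrs[i])
        return h.digest()

    def _keystream(self, nonce, length):
        blocks = [hmac.new(self.srk, nonce + struct.pack(">I", c), hashlib.sha256).digest()
                  for c in range(length // 32 + 1)]
        return b"".join(blocks)[:length]

    def seal(self, data, selection, auth, digest_at_release=None):
        """Bind data to a PCR composite (the current one unless digest_at_release is
        given, like TPM_PCR_INFO.digestAtRelease) and to an authorization value."""
        target = digest_at_release or self.composite(selection)
        inner = (bytes([len(selection)]) + bytes(sorted(selection)) + target
                 + hashlib.sha256(auth).digest() + data)
        nonce = os.urandom(NONCE_LEN)
        ct = bytes(a ^ b for a, b in zip(inner, self._keystream(nonce, len(inner))))
        tag = hmac.new(self.srk, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob, auth):
        """Release data only if the blob is this TPM's, the auth value matches and
        the selected PCRs currently hold the values that were sealed to."""
        nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.srk, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("blob was not sealed by this TPM")
        inner = bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))
        n = inner[0]
        selection, off = list(inner[1:1 + n]), 1 + n
        target, auth_digest, data = inner[off:off + 20], inner[off + 20:off + 52], inner[off + 52:]
        if not hmac.compare_digest(auth_digest, hashlib.sha256(auth).digest()):
            raise PermissionError("authorization failed")
        if not hmac.compare_digest(target, self.composite(selection)):
            raise PermissionError("platform configuration does not match sealed PCRs")
        return data


# Constructed boot chains: (PCR index, component measured into it).
ORIGINAL_BOOT = [(0, b"bios-1.0"), (4, b"bootloader-1.0"), (8, b"kernel-5.10")]
UPDATED_BOOT = [(0, b"bios-1.0"), (4, b"bootloader-1.0"), (8, b"kernel-5.15")]
SELECTION = [0, 4, 8]


def boot(tpm, chain):
    """Power-on reset followed by measuring each component into its PCR."""
    for index, component in chain:
        tpm.extend(index, component)
    return tpm


def demo():
    """Seal under the original configuration, show that the updated kernel locks the
    data out, then reseal from the original configuration to the new composite."""
    srk = os.urandom(32)                       # the same chip across reboots
    secret, auth = b"db-master-key", b"owner-pass"
    tpm = boot(Tpm(srk), ORIGINAL_BOOT)
    blob = tpm.seal(secret, SELECTION, auth)
    out = {"original": tpm.unseal(blob, auth)}

    updated = boot(Tpm(srk), UPDATED_BOOT)    # reboot after a kernel update
    try:
        updated.unseal(blob, auth)
        out["after_update"] = "unsealed"
    except PermissionError as err:
        out["after_update"] = str(err)

    # Migration path: boot the original configuration, unseal, and reseal to the
    # composite the updated configuration will produce (predicted on a scratch PCR bank).
    predicted = boot(Tpm(), UPDATED_BOOT).composite(SELECTION)
    original = boot(Tpm(srk), ORIGINAL_BOOT)
    new_blob = original.seal(original.unseal(blob, auth), SELECTION, auth, predicted)
    out["resealed"] = updated.unseal(new_blob, auth)
    return out


if __name__ == "__main__":
    print(demo())
```

Two points the model makes visible: the PCR check happens inside the TPM after the blob is decrypted, so a correct authorization value alone never releases the data, and because extend is one-way the only ways to open the old blob are to boot the original chain again or to have sealed to the new composite in advance.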
A trusted platform may issue certifications that particular configurations may be trusted, or may arrange for such certifications to be issued. One method involves executing the TPM_CertifyKey function on a key locked to a particular configuration. The result may state, and certify, the configuration that the key is locked to. When a key is not locked to a particular configuration, it may prove difficult to state and certify a configuration under which access to the key is available.