Page 534 - (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide

some of its associated risks are covered in Chapter 9 along with cloud
               computing.)



               Trusted Platform Module

               The Trusted Platform Module (TPM) is both a specification for a
               cryptoprocessor chip on a mainboard and the general name for
               implementations of the specification. A TPM chip is used to store
               and process cryptographic keys for a hardware-supported/implemented
               hard drive encryption system. Generally, a hardware implementation
               of hard drive encryption, rather than a software-only
               implementation, is considered to be more secure.

               When TPM-based whole-disk encryption is in use, the user/operator
               must supply a password or physical Universal Serial Bus (USB) token
               device to the computer to authenticate and allow the TPM chip to
               release the hard drive encryption keys into memory. While this seems
               similar to a software implementation, the key difference is that if the
               hard drive is removed from its original system, it cannot be decrypted.
               Only with the original TPM chip can the encrypted drive be decrypted
               and accessed. With software-only hard drive encryption, the hard drive
               can be moved to a different computer without any access or use
               limitations.
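
               The difference described above can be seen in a small model. This is an added example, not code from the study guide: `ModelTPM`, `software_seal` and the HMAC-based `wrap`/`unwrap` are hypothetical stand-ins built from the Python standard library and are not a real TPM interface or a production cipher.

```python
import hashlib, hmac, secrets

def _kdf(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stand-in cipher so the model needs only the stdlib
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def wrap(kek: bytes, secret: bytes) -> bytes:
    # Separate subkeys for encryption and integrity, both derived from the wrapping key
    enc, mac = (hmac.new(kek, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(secret, _stream(enc, nonce, len(secret))))
    return nonce + ct + hmac.new(mac, nonce + ct, hashlib.sha256).digest()

def unwrap(kek: bytes, blob: bytes) -> bytes:
    enc, mac = (hmac.new(kek, label, hashlib.sha256).digest() for label in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac, nonce + ct, hashlib.sha256).digest()):
        raise PermissionError("key release refused: wrong chip or wrong password")
    return bytes(a ^ b for a, b in zip(ct, _stream(enc, nonce, len(ct))))

class ModelTPM:
    """Toy stand-in for a TPM chip: _root is generated inside and has no export method."""
    def __init__(self):
        self._root = secrets.token_bytes(32)

    def _kek(self, password: str, salt: bytes) -> bytes:
        # The wrapping key depends on BOTH the user's password and the chip's secret
        return hmac.new(self._root, _kdf(password, salt), hashlib.sha256).digest()

    def seal(self, disk_key: bytes, password: str) -> bytes:
        salt = secrets.token_bytes(16)
        return salt + wrap(self._kek(password, salt), disk_key)

    def unseal(self, blob: bytes, password: str) -> bytes:
        return unwrap(self._kek(password, blob[:16]), blob[16:])

def software_seal(disk_key: bytes, password: str) -> bytes:
    salt = secrets.token_bytes(16)
    return salt + wrap(_kdf(password, salt), disk_key)  # password is the only secret

def software_unseal(blob: bytes, password: str) -> bytes:
    return unwrap(_kdf(password, blob[:16]), blob[16:])
```

               In this model the sealed blob plays the role of the key material stored on the drive: `unseal` on a second `ModelTPM` instance fails even with the correct password, while `software_unseal` succeeds on any machine that has the password.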


               A hardware security module (HSM) is a cryptoprocessor used to
               manage/store digital encryption keys, accelerate crypto operations,
               support faster digital signatures, and improve authentication. An HSM
               is often an add-on adapter or peripheral or can be a Transmission
               Control Protocol/Internet Protocol (TCP/IP) network device. HSMs
               include tamper protection to prevent their misuse even if physical
               access is gained by an attacker. A TPM is just one example of an HSM.


               HSMs provide an accelerated solution for large (2,048+ bit)
               asymmetric encryption calculations and a secure vault for key storage.
               Many certificate authority systems use HSMs to store certificates;
               ATM and POS bank terminals often employ proprietary HSMs;
               hardware SSL accelerators can include HSM support; and Domain
               Name System Security Extensions (DNSSEC)–compliant Domain