BS ISO/IEC 11889-2:2009
Current
The latest, up-to-date edition.
Information technology. Trusted platform module Design principles
Hardcopy , PDF
English
31-08-2009
1 Scope
1.1 Key words
1.2 Statement Type
2 Normative references
3 Abbreviated Terms
4 Conformance
4.1 Introduction
4.2 Threat
4.3 Protection of functions
4.4 Protection of information
4.5 Side effects
4.6 Exceptions and clarifications
5 TPM Architecture
5.1 Interoperability
5.2 Components
5.2.1 Input and Output
5.2.2 Cryptographic Co-Processor
5.2.3 Key Generation
5.2.4 HMAC Engine
5.2.5 Random Number Generator
5.2.6 SHA-1 Engine
5.2.7 Power Detection
5.2.8 Opt-In
5.2.9 Execution Engine
5.2.10 Non-Volatile Memory
5.3 Data Integrity Register (DIR)
5.4 Platform Configuration Register (PCR)
6 Endorsement Key Creation
6.1 Controlling Access to PRIVEK
6.2 Controlling Access to PUBEK
7 Attestation Identity Keys
8 TPM Ownership
8.1 Platform Ownership and Root of Trust for Storage
9 Authentication and Authorization Data
9.1 Dictionary Attack Considerations
10 TPM Operation
10.1 TPM Initialization & Operation State Flow
10.1.1 Initialization
10.2 Self-Test Modes
10.2.1 Operational Self-Test
10.3 Startup
10.4 Operational Mode
10.4.1 Enabling a TPM
10.4.2 Activating a TPM
10.4.3 Taking TPM Ownership
10.4.4 Transitioning Between Operational States
10.5 Clearing the TPM
11 Physical Presence
12 Root of Trust for Reporting (RTR)
12.1 Platform Identity
12.2 RTR to Platform Binding
12.3 Platform Identity and Privacy Considerations
12.4 Attestation Identity Keys
12.4.1 AIK Creation
12.4.2 AIK Storage
13 Root of Trust for Storage (RTS)
13.1 Loading and Unloading Blobs
14 Transport Sessions and Authorization Protocols
14.1 Authorization Session Setup
14.2 Parameter Declarations for OIAP and OSAP Examples
14.2.1 Object-Independent Authorization Protocol (OIAP)
14.2.2 Object-Specific Authorization Protocol (OSAP)
14.3 Authorization Session Handles
14.4 Authorization-Data Insertion Protocol (ADIP)
14.5 AuthData Change Protocol (ADCP)
14.6 Asymmetric Authorization Change Protocol (AACP)
15 ISO/IEC 19790 Evaluations
15.1 TPM Profile for successful ISO/IEC 19790 evaluation
16 Maintenance
16.1 Field Upgrade
17 Proof of Locality
18 Monotonic Counter
19 Transport Protection
19.1 Transport encryption and authorization
19.1.1 MGF1 parameters
19.1.2 HMAC calculation
19.1.3 Transport log creation
19.1.4 Additional Encryption Mechanisms
19.2 Transport Error Handling
19.3 Exclusive Transport Sessions
19.4 Transport Audit Handling
19.4.1 Auditing of wrapped commands
20 Audit Commands
20.1 Audit Monotonic Counter
21 Design Section on Time Stamping
21.1 Tick Components
21.2 Basic Tick Stamp
21.3 Associating a TCV with UTC
21.4 Additional Comments and Questions
22 Context Management
23 Eviction
24 Session pool
25 Initialization Operations
26 HMAC digest rules
27 Generic authorization session termination rules
28 PCR Grand Unification Theory
28.1 Validate Key for use
29 Non Volatile Storage
29.1 NV storage design principles
29.1.1 NV Storage use models
29.2 Use of NV storage during manufacturing
30 Delegation Model
30.1 Table Requirements
30.2 How this works
30.3 Family Table
30.4 Delegate Table
30.5 Delegation Administration Control
30.5.1 Control in Phase 1
30.5.2 Control in Phase 2
30.5.3 Control in Phase 3
30.6 Family Verification
30.7 Use of commands for different states of TPM
30.8 Delegation Authorization Values
30.8.1 Using the authorization value
30.9 DSAP description
31 Physical Presence
31.1 Use of Physical Presence
32 TPM Internal Asymmetric Encryption
32.1.1 TPM_ES_RSAESOAEP_SHA1_MGF1
32.1.2 TPM_ES_RSAESPKCSV15
32.1.3 TPM_ES_SYM_CTR
32.1.4 TPM_ES_SYM_OFB
32.2 TPM Internal Digital Signatures
32.2.1 TPM_SS_RSASSAPKCS1v15_SHA1
32.2.2 TPM_SS_RSASSAPKCS1v15_DER
32.2.3 TPM_SS_RSASSAPKCS1v15_INFO
32.2.4 Use of Signature Schemes
33 Key Usage Table
34 Direct Anonymous Attestation
34.1 TPM_DAA_JOIN
34.2 TPM_DAA_Sign
34.3 DAA Command summary
34.3.1 TPM setup
34.3.2 JOIN
34.3.3 SIGN
35 General Purpose IO
36 Redirection
37 Structure Versioning
38 Certified Migration Key Type
38.1 Certified Migration Requirements
38.2 Key Creation
38.3 Migrate CMK to a MA
38.4 Migrate CMK to a MSA
39 Revoke Trust
40 Mandatory and Optional Functional Blocks
41 1.1a and 1.2 Differences
42 Bibliography
Describes the Trusted Platform Module (TPM), a device that enables trust in computing platforms in general.
Committee |
IST/33
|
DevelopmentNote |
2009 Edition with its corrigendum remains active. Supersedes 14/30302801 DC. (04/2016)
|
DocumentType |
Standard
|
Pages |
156
|
PublisherName |
British Standards Institution
|
Status |
Current
|
SupersededBy | |
Supersedes |
Standards | Relationship |
ISO/IEC 11889-2:2015 | Identical |
ISO/IEC 11889-2:2009 | Identical |
ISO/IEC 11889-1:2015 | Information technology — Trusted platform module library — Part 1: Architecture |
ISO/IEC 15946-1:2016 | Information technology Security techniques Cryptographic techniques based on elliptic curves Part 1: General |
ISO/IEC 14888-3:2016 | Information technology — Security techniques — Digital signatures with appendix — Part 3: Discrete logarithm based mechanisms |
ISO/IEC 11889-3:2015 | Information technology — Trusted Platform Module Library — Part 3: Commands |
ISO/IEC 18033-3:2010 | Information technology Security techniques Encryption algorithms Part 3: Block ciphers |
ISO/IEC 10118-3:2004 | Information technology Security techniques Hash-functions Part 3: Dedicated hash-functions |
ISO/IEC 9797-2:2011 | Information technology Security techniques Message Authentication Codes (MACs) Part 2: Mechanisms using a dedicated hash-function |
ISO/IEC 10116:2017 | Information technology — Security techniques — Modes of operation for an n-bit block cipher |
ISO/IEC 11889-4:2015 | Information technology — Trusted Platform Module Library — Part 4: Supporting Routines |
Access your standards online with a subscription
Features
-
Simple online access to standards, technical information and regulations.
-
Critical updates of standards and customisable alerts and notifications.
-
Multi-user online standards collection: secure, flexible and cost effective.