Infineon Technologies has claimed the first OPTIGA Trusted Platform Module (TPM) with a post-quantum cryptography (PQC) protected firmware update mechanism using XMSS signatures. The SLB 9672 OPTIGA TPM is used to establish the identity and software status of PCs, servers, networking equipment, computing and data storage, and any connected devices, and to protect their data.
Called a “future-proof solution,” Infineon’s latest addition to the OPTIGA TPM family is claimed as the first TPM to offer a firmware update mechanism with a 256-bit key length, along with an additional check based on PQC. The firmware update mechanism is said to counteract the threat of firmware corruption by attackers using quantum computers and to increase the survivability of the device with a “quantum-resistant firmware upgrade path.”
Standardized hardware-based security provides the highest level of security and offers benefits beyond strong security, including time to market, logistics, and scalability, said Guillaume Raimbault, senior manager, TPM product marketing & management of Infineon’s Connected Secure Systems Division, during an online presentation.
“Discrete TPM is seen as a key root of trust for multiple applications and it does plenty of things such as offering a standardized solution in terms of security, and also allows us to trust and secure our communications and protect valuable data on your computers, servers, or systems,” said Raimbault. “The TPM needs to support the current security requirements, but also the future ones, and it’s important to update this device in the field to implement new solutions and new features.”
With the development of the new generation of TPM, Infineon had to take into account future challenges and one of them is the security threat that could be created by quantum computers, Raimbault said. In 10 to 20 years, Infineon expects that quantum computers will impact the performance of the current cryptographic algorithms and the security level of the current solutions will decrease, he added.
Given the threat to existing cryptographic algorithms, Infineon had to take into account that this component will be used in applications such as industrial equipment, deployed in the field for up to 20 years, he said.
Quantum computers can potentially calculate the cryptographic keys that will be used during transactions, said Raimbault. “If we consider the two types of cryptographic algorithms that we have in place the impact will be different. In a quantum computer world within 10 to 20 years, we already know that the asymmetric cryptographic algorithm in place will no longer be valid to safely protect the exchange of data, and the symmetric solutions will be affected in a way that the level of security will be decreased. Only the newest algorithm will remain efficient in such a type of situation.”
Key features
During the design phase of the new TPM, Infineon focused on three main pillars – a future-proof solution, robust security, and easy integration – to address the quantum threat.
For future-proofing, Infineon added the PQC-protected firmware update mechanism, extended the memory, and added stronger cryptographic algorithms. The TPM comes with an extended temperature range of -40°C to 105°C and expanded non-volatile memory (51 kB) to store new features such as additional certificates and cryptographic keys. It supports a variety of cryptographic algorithms (up to RSA-4096, AES-256, ECC NIST P384, SHA2-384).
The security of the TPM depends on the quality of the firmware, and the firmware update mechanism is the most crucial and critical operation Infineon had to focus on, which is why this PQC-ready approach was implemented, Raimbault said.
The firmware package will be signed with two signatures, one of which will be PQC, and in the field the OPTIGA TPM SLB 9672 is able to transparently run the XMSS check using the PQC algorithm and accept or reject the transferred payload, he added.
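The dual-signature acceptance rule described above, as an added illustration that is not Infineon's code nor the XMSS implementation in the SLB 9672: it uses Lamport one-time signatures, the simplest hash-based scheme in the family XMSS builds on (XMSS adds WOTS+ and a Merkle tree over many such keys), and the names StatefulSigner, verify_update and the classical_check stand-in for the existing RSA/ECC check are assumptions.

```python
# Constructed example (not Infineon's code): Lamport OTS with XMSS-style state.
import hashlib
import hmac
import secrets

def H(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def msg_bits(msg: bytes):
    # The 256 bits of SHA-256(msg) select which half of each key pair is revealed.
    d = H(msg)
    return [(d[i >> 3] >> (7 - (i & 7))) & 1 for i in range(256)]

def ots_keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(H(a), H(b)) for a, b in sk]  # public key: hashes of the secret halves
    return sk, pk

def ots_sign(sk, msg: bytes):
    return [sk[i][b] for i, b in enumerate(msg_bits(msg))]

def ots_verify(pk, msg: bytes, sig) -> bool:
    return len(sig) == 256 and all(hmac.compare_digest(H(s), pk[i][b])
                                   for i, (s, b) in enumerate(zip(sig, msg_bits(msg))))

class StatefulSigner:
    # Vendor-side signer: a fixed pool of OTS keys plus a persistent next-index.
    # This index is the state an XMSS signer must never roll back: signing two
    # different images with one OTS key reveals enough secrets to forge.
    def __init__(self, n_keys: int):
        self.keys = [ots_keygen() for _ in range(n_keys)]
        self.next_index = 0

    def public_keys(self):
        return [pk for _, pk in self.keys]

    def sign(self, firmware: bytes):
        if self.next_index >= len(self.keys):
            raise RuntimeError("OTS key pool exhausted; a new key set is required")
        idx = self.next_index
        self.next_index += 1  # commit the state before the signature leaves
        return idx, ots_sign(self.keys[idx][0], firmware)

def verify_update(public_keys, firmware: bytes, idx: int, sig, classical_check) -> bool:
    # Device side: the classical signature AND the hash-based one must both pass;
    # classical_check stands in for the TPM's existing RSA/ECC verification.
    if not classical_check(firmware) or not 0 <= idx < len(public_keys):
        return False
    return ots_verify(public_keys[idx], firmware, sig)
```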
In terms of security, the TPM offers improved computational performance, adds resiliency features (based on NIST requirements), and is compliant with the Trusted Computing Group (TCG) requirements with related certifications. The TPM is said to deliver two to four times faster cryptographic operations, depending on the functions.
The OPTIGA TPM SLB 9672 can still be updated if the standard algorithms are no longer trusted, said Infineon, and is designed for improved computing performance with fail-safe features that counteract the effects of corrupted firmware. One example cited is built-in fail-safe features that enable TPM firmware recovery in accordance with the NIST SP 800-193 Platform Firmware Resiliency Guidelines.
For easy integration, the TPM is a standardized product, compliant with TCG requirements as well as the new NIST SP 800-90B, and supports the latest versions of Windows and Linux, said Raimbault. In addition, Infineon provides all of the necessary tools for design and testing.
Security evaluation and certification are performed by independent bodies according to the Common Criteria and FIPS requirements. The new TPM also fully complies with the TCG requirements (TPM 2.0 standard version 1.59) and is certified according to the latest TPM 2.0 standard.
Available now, the OPTIGA TPM SLB 9672, housed in a thin UQFN-32 package, comes in two variants, standard (FW 15.xx) and enhanced security (FW 16.xx), and is part of Infineon’s long-term availability program. An evaluation kit is offered for testing and validation of the TPM.