Trusted Platform Module Overview and Functions

Trusted Platform Module (TPM) is a hardware-based chip, unique to your device, that encrypts and securely stores data on the disk, enhancing protection against unauthorized access.

What is a Trusted Platform Module?

Use Feature Explorer to confirm platform and release support for specific features.

As customers' network infrastructure grows, it is becoming critical to the operation of a broad range of devices and services. It is also important to preserve the integrity and security of network equipment (routers, switches, and firewalls) to protect against attacks.

To increase the security of customers' network infrastructure, Juniper manufactured a product, the Trusted Platform Module (TPM), to enable trust in computing platforms and to ensure that products delivered from Juniper Networks are secure and are not compromised. This is achieved through the concept of the Root-of-Trust (RoT).

RoT is a security component that provides hardware or software functions that the rest of the device or system can use to establish security.

TPM is a secure crypto-processor which is attached to a device to establish secure operations.

You can safeguard sensitive data (such as private keys, certificates, and configuration files) stored in the file systems using the TPM, thereby reinforcing the integrity and confidentiality of your device's operations.

TPM Components

TPMs are implemented on physical resources that are dedicated to the TPM. TPM has the following components:

  • Processor

  • RAM, ROM, and Flash memory

What Does a TPM Provide?

The following are the types of software that use the TPM:

  • Device Identity (ID) and Authentication: To identify and authenticate the device using the cryptographic Device ID.

  • Data Encryption: To generate, store, and limit the use of cryptographic keys.

  • Attestation: To verify that the device is booting from a trusted set of hardware and software.

  • Secure Key Storage: To store private keys and sensitive data to prevent theft and modification.

Why Use a TPM?

TPM is used to protect a user's identity and sensitive data by storing the relevant keys for encryption, decryption, and authentication.

TPM is used for the identification and authentication of a device on the network and to ensure that the software loaded on the system is in the correct state when it starts up.

With a TPM on the device, the hard disk drive cannot be connected to and accessed from another device.

What is a Device Identity?

Device Identifier (DevID) identifies the serial number of the device cryptographically. It is unique per Routing Engine. In a dual Routing Engine system, each Routing Engine has its own TPM and its own serial number. DevID is supported on TPM 2.0. TPM provides protection for private keys, preventing the use of keys from one device on another device or with another TPM.

What is a DevID Certificate?

Before the device is shipped to customers, Juniper installs DevID keys and certificates during manufacturing. This DevID is signed by Juniper (Certificate Authority). DevID is an X.509 cryptographic certificate that contains a unique public key whose corresponding private key is stored in the TPM during manufacturing. For example, when setting up a TLS session, use the key in the TPM to authenticate the session to prove that you are communicating with the device you intend.

The certificate includes a serial number of the device and identifies the manufacturer.

A certificate from a platform manufacturer provides assurance that the TPM was properly installed on a platform so that the Root of Trust provided by the platform is trusted.

A TPM certificate securely proves a device's identity. Applications (Secure Zero Touch Provisioning (SZTP) and advanced anti-malware (AAMWD)) must use it when secure device identity is required.

Benefits of TPM

  • Enhances your device's security protections at the hardware level to prevent attacks.

  • Complies with TPM 2.0, contributing to overall security.

Table 1: Supported Features using TPM

| TPM Version | Supported Features |
|-------------|--------------------|
| TPM 1.2 | Using Master Password for Encryption of Files; Remote Integrity Verification |
| TPM 2.0 | DevID for sZTP and AAMWD; File system Encryption |

File System Encryption with Trusted Platform Module

Encryption protects sensitive information stored in private keys, configuration files, logs, and system-generated files on disk drive file systems.

Encryption also prevents unauthorized access to data stored in files on a disk or disk volume.

File system encryption is supported on devices for bulk encryption of file names, folder names, file contents, and other metadata, and operates on an entire volume. In this method, the data is automatically encrypted when written to disk and decrypted when read from it. The encryption key is enclosed in the Trusted Platform Module (TPM) 2.0 device. The files are accessible immediately after the encryption key is provided. The data stored on the encrypted file system is read using the encryption keys.

Benefits of File System Encryption

  • Prevents offline attacks from revealing confidential information.

  • Provides data destruction for secure data erasure by destroying the cryptographic keys.

  • All files are automatically encrypted by default, without any user action.

Remote Integrity Verification

One of the features of the Trusted Platform Module (TPM) is to measure various software components during device boot. The data is stored as a cryptographic hash in the TPM's Platform Configuration Registers (PCR). You can use the PCR as proof of the integrity of the device's software version. The chip includes multiple physical security mechanisms to make it tamper resistant, and malicious software cannot tamper with the security functions of the TPM.

Remote Integrity Verification (RIV) defines a set of protocols and procedures to determine whether a particular device is launched with an untampered software version. The roles involved in the RIV process are Attester and Verifier.

The Attester provides evidence of identity and software state to the Verifier on demand. The Verifier verifies the evidence and makes a judgment about the integrity of the software image running on the Attester.
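The measure-and-verify flow described above, as an added example (not Juniper's code): a software model of PCR extend and of the Attester/Verifier exchange, including the stale-evidence and forged-log cases. Assumptions: the component names, key and nonce are constructed, and an HMAC with a shared key stands in for the signature a real TPM produces with its own signing key.

```python
import hashlib
import hmac

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    # TPM extend: a PCR is never written directly, only folded forward.
    return sha256(pcr + digest)

def replay(log) -> bytes:
    # Recompute the PCR from an ordered event log, starting from all zeros.
    pcr = bytes(32)
    for _name, digest in log:
        pcr = extend(pcr, digest)
    return pcr

def attest(components, nonce: bytes, key: bytes) -> dict:
    # Attester: measure each boot component in order, then sign nonce || PCR.
    log = [(name, sha256(blob)) for name, blob in components]
    pcr = replay(log)  # on real hardware this value lives inside the TPM
    sig = hmac.new(key, nonce + pcr, hashlib.sha256).digest()  # stand-in signature
    return {"log": log, "pcr": pcr, "sig": sig}

def verify(evidence: dict, nonce: bytes, key: bytes, reference: list) -> str:
    # Verifier: signature and freshness first, then log consistency, then policy.
    want = hmac.new(key, nonce + evidence["pcr"], hashlib.sha256).digest()
    if not hmac.compare_digest(want, evidence["sig"]):
        return "bad-signature"
    if replay(evidence["log"]) != evidence["pcr"]:
        return "log-does-not-match-pcr"
    for got, known_good in zip(evidence["log"], reference):
        if got != known_good:
            return "unexpected-measurement:" + got[0]
    if len(evidence["log"]) != len(reference):
        return "unexpected-measurement-count"
    return "trusted"

# Constructed sample data (not real firmware, keys or nonces).
KEY = b"constructed-demo-attestation-key"
GOOD = [("loader", b"loader v1"), ("kernel", b"kernel v1"), ("os-image", b"os v1")]
TAMPERED = [GOOD[0], ("kernel", b"kernel v1 modified"), GOOD[2]]
REFERENCE = [(name, sha256(blob)) for name, blob in GOOD]

if __name__ == "__main__":
    nonce = b"constructed-nonce-0001"
    print(verify(attest(GOOD, nonce, KEY), nonce, KEY, REFERENCE))      # trusted
    print(verify(attest(TAMPERED, nonce, KEY), nonce, KEY, REFERENCE))  # unexpected-measurement:kernel
```

Because each extend hashes the previous PCR value, the Verifier only accepts a log that reproduces the signed PCR exactly, and the nonce ties the evidence to one request.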

Benefits

  • Provides the integrity of the host platform and ensures that the host platform is not hacked.

  • Provides restricted access to the stored secrets (keys).

  • Stores data that is not secret such as public keys used for platform identity. You cannot change the public keys without authorization.

  • Creates and manages a TPM key used to sign the evidence.