Categories

Editor's Choice
Tech Jobs Network
News & Events
Access Control & Identity Management
AI & Data Analytics
Asset Management
Associations
Conferences & Events
Facilities & Building Management
Fire & Safety
Information Security
Infrastructure
Integrated Solutions
IoT & Automation
Perimeter Security, Alarms & Intruder Detection
Power Management
Products & Solutions
Security Services & Risk Management
Smart Home Automation 
Surveillance
Training & Education
Videos
Security by Industry Sector ▾








Print this page printer friendly version

Trusted Platform Module explained

May 2017 Editor's Choice, Surveillance, Information Security

By Konrad Simon, product management firmware software, Bosch Security.

As security systems have transitioned into network devices over the last few decades, system vulnerabilities have transitioned as well. This shift in network utilisation brings with it far more vulnerabilities than compared to older analogue systems, and due to the very nature of networking the outer boundary of the surveillance system can be vulnerable to attack.

The ‘arteries’ of an IP system, the physical network connections, need to reach the edge components, namely the cameras, which are often mounted in exposed locations. Thus, these arteries and edge components need intensified protection.

Trusted Platform Module

In this document we focus on the ‘key vault’ inside a device which stores, amongst other private data, the most secret data for authentication and authenticity of a device: the Trusted Platform Module.

For years, Bosch IP cameras, encoders and selected storage systems have come with an onboard security chip – actually a system-on-a-chip which we call our Trusted Platform Module (TPM) – that provides functionality similar to crypto smartcards, like credit or debit cards. Such a Trusted Platform Module secures authenticity and acts like a safe for critical data, protecting certificates, keys, licences, etc. against unauthorised access even when the device is physically opened to gain access.

We consider it a necessity and expect state-of-the art technology to take care of security when referring to our financial transactions in everyday life. Why then should video surveillance equipment and assets be secured less?

The following description applies to all devices equipped with a Trusted Platform Module. For simplicity and according to the highest vulnerability level, we will refer to the device as being a camera.

What a Trusted Platform Module is

A Trusted Platform Module is a self-contained system that acts as a cryptographic co-processor to the camera system, connected to it via a serial interface. The Trusted Platform Module runs its own firmware which is continuously maintained to provide optimal protection against possible threats known from the market. Its firmware is only loaded in a secure production environment, not remotely like firmware for cameras. New Trusted Platform Module versions thus are only deployed with new produced cameras.

Communication between the camera firmware and the Trusted Platform Module chip happens via ‘Secure Apps’ inside the Trusted Platform Module. These provide the interfaces and commands for certain functionalities. There is no possibility for the firmware or operating system to modify anything inside the Trusted Platform Module directly.

The Certificate Store as a functional block in the camera stores less critical data, like certificate bodies and public keys, in a dedicated memory, but outside the Trusted Platform Module. All critical cryptographic activities are handled by specific functions, called Secure Apps, which make use of the Trusted Platform Module’s internal resources.

What a Trusted Platform Module does

As mentioned before, a Trusted Platform Module acts like a co-processor to the camera system. The key vault resembles some volatile and non-volatile memory to store keys and other relevant data during runtime or over power cycles, according to operational requirements.

Private keys, if loaded with a certificate, are stored inside the Trusted Platform Module and then are no longer retrievable. They can then only be used through cryptographic operations provided by the Trusted Platform Module, respectively its Secure Apps. It is recommended to password-protect the private key to keep it a secret until safe storage within the Trusted Platform Module, e.g. using PKCS #12 file format.

Private keys that result from certificate signing requests (CSR) are created internally, kept secret and never revealed to outside the Trusted Platform Module, making certificate enrolment via certificate signing requests the highest level of security.

Its encryption engine provides key handling support for symmetrical encryption like Triple DES or AES with up to 256 bits key length by calculating and producing the encryption key. Once the key is delivered, the Triple DES or AES encryption or decryption itself for video or other payload is then done by the encryption engine (hardware accelerator) in the main CPU.

The PKI engine supports in certificate validation and authentication, handling key lengths of up to 2048 bits, while the Secure CPU helps with any other cryptographic functionality like creating signed hashes for e.g. video authentication.

What a Trusted Platform Module’s benefits are

A camera as the most exposed component of an IP video surveillance system faces the most threats. Besides the many cyber threats, it can also be stolen and hacked. Such might happen as the ultimate attempt by an attacker to retrieve certificate and key to later-on simulate a camera by his/her own equipment, trying to hack deeper into the surveillance system, maybe even beyond.

A device, be it a camera or any other system, without a Trusted Platform Module must store private keys in its file system, where it might reside in an especially encrypted file, but the key to this must also be stored somewhere in the file system.

If hacking into a camera’s certificate store does not reveal what is being looked for, a side-channel attack may do. Such an attack uses analytic hardware equipment to listen to the data bus of the system while this is performing its tasks. When triggering the authentication process, at some point, the key will appear unencrypted.

With sufficient criminal energy, time and appropriate equipment, the attacker will eventually succeed. A compromised private key can cripple the whole Public Key Infrastructure.

Having a Trusted Platform Module integrated, no such attempt will become successful as any activities involving a private key occur only inside the Trusted Platform Module. The Trusted Platform Module’s chip technology is even protected against light and laser attacks if someone would afford to grind off the chip’s housing.

For more information contact Bosch Security Systems – South Africa & sub-Saharan Africa, +27 (0)11 651 9600, [email protected],

http://africa.boschsecurity.com



Credit(s)

Tel: +27 11 651 9600
Email: [email protected]
www: www.boschsecurity.com/xf/en
Articles: More information and articles about Bosch Building Technologies



Share this article:
Share via emailShare via LinkedInPrint this page


Further reading:

Human-centric control rooms
Iritron Integrated Solutions Surveillance Residential Estate (Industry)
Iritron and Oculus show that when it comes to control rooms, people, not just technology, are at the centre of the most significant performance differentiators today, not just how efficiently the technology works.

Read more...
Local-first data security is South Africa's new digital fortress
Infrastructure Information Security
With many global conversations taking place about data security and privacy, a distinct and powerful message is emerging from South Africa: the critical importance of a 'local first' approach to data security.

Read more...
Smarter security for safer estate living
neaMetrics Suprema Integrated Solutions Surveillance Access Control & Identity Management Residential Estate (Industry)
The expansion of residential estates has led to many communities being constructed with security as an afterthought. Unfortunately, fencing, cameras, and a guard at the gate only create a false sense of safety, which vanishes after the first incident.

Read more...
Making drone security more accessible
Editor's Choice Integrated Solutions Residential Estate (Industry) AI & Data Analytics IoT & Automation
Michael Lever discusses advances in drone technology, focusing on cost reductions and the implementation of automated services, including beyond line of sight capabilities, for residential estates with SMART Security Solutions.

Read more...
Private fire services becoming the norm?
Technews Publishing SMART Security Solutions Editor's Choice
As the infrastructure and service delivery in many of South Africa’s major cities decline, with a few, limited exceptions, more of the work that should be done by the state has fallen to private companies.

Read more...
View from the trenches
Technews Publishing SMART Security Solutions Editor's Choice Integrated Solutions Security Services & Risk Management Residential Estate (Industry)
There are many great options available to estates for effectively managing their security and operations, but those in the trenches are often limited by body corporate/HOA budget restrictions and misunderstandings.

Read more...
Secure, long-distance thermal from Keenfinity
Products & Solutions Surveillance Residential Estate (Industry)
The DINION thermal 8100i camera is a bullet thermal camera built for mission-critical applications, prioritising long-distance monitoring and reliable perimeter intrusion detection with built-in Intelligent Video Analytics (IVA) Pro Perimeter video analytics.

Read more...
IVA AI Pro Visual Gun Detection
Products & Solutions Surveillance Security Services & Risk Management Residential Estate (Industry)
Bosch has announced the launch of the IVA AI Pro Visual Gun Detection analytics based on deep learning. It is designed for automatic detection and classification of people and brandished firearms.

Read more...
IP-based horn loudspeakers
Products & Solutions Surveillance Security Services & Risk Management Residential Estate (Industry)
Bosch has announced the launch of its new IP-based horn loudspeakers and amplifier module: the high-output LHN-UC15L-SIP horn (for long-throw applications), the compact LHN-UC15W-SIP horn (for wide-angle coverage) and the AMN-P15-SIP amplifier module.

Read more...
SMART Estate Security Conference KZN 2025
Arteco Global Africa OneSpace Technologies SMART Security Solutions Technews Publishing Editor's Choice Integrated Solutions Security Services & Risk Management Residential Estate (Industry)
May 2025 saw the SMART Security Solutions team heading off to Durban for our annual Estate Security Conference, once again hosted at the Mount Edgecombe Country Club.

Read more...











SMART Security Business Directory


While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.

Published by Technews

»  Dataweek Electronics & Communications Technology
»  Electronics Buyers' Guide (EBG)

»  SMART Security Solutions
»  SMART Security Business Directory

»  Motion Control in Southern Africa
»  Motion Control Buyers' Guide (MCBG)

»  South African Instrumentation & Control
»  South African Instrumentation & Control Buyers' Guide (IBG)



© Technews Publishing (Pty) Ltd. | All Rights Reserved.