Integration of Field Devices in Azure IoT Infrastructure: X.509 Authentication and TPM Modules

Re-generating TPM Endorsement Keys for Securing IoT Field Devices

Question

After the acquisition of an environment monitoring infrastructure from a local operator, you need to integrate hundreds of their field devices into your company's IoT infrastructure.

Most of the devices use X.509 authentication but there are some device types that are secured with TPM modules.

After all the devices have been transferred to your ownership, you need to ensure that the previous owner won't have any access to the devices.

You decide to re-generate the TPM endorsement keys of the devices.

Is that the action you should take?

Answers

Explanations


A. Yes

B. No

Correct Answer: B.

Option A is incorrect because the endorsement key (EK) is unique to the TPM: it is derived from the endorsement primary seed fixed in the chip at manufacture and cannot be regenerated by the device owner. Clearing the TPM does not touch that seed, so the same EK re-derives every time.

Replacing the EK would amount to replacing the device itself, because the EK public key is what identifies the TPM to the Azure IoT Hub Device Provisioning Service (DPS).

Option B is CORRECT because the key bound to the owner is the storage root key (SRK), not the EK. The SRK is the root of the TPM's storage hierarchy; it is created when an owner takes ownership of the TPM and is destroyed, together with every key created under it, when the TPM is cleared.

Together with the owner authorization it acts as the ownership credential, and that credential can (and should) be replaced when a TPM device is transferred to a new owner.

The new owner clears the TPM and takes ownership, which generates a new SRK and sets a new owner authorization. Keys and credentials the previous owner wrapped under the old SRK are no longer usable, and a DPS attestation challenge, which is encrypted to the device's EK and SRK together, no longer matches any enrollment the previous owner holds.

No. The TPM endorsement key cannot be regenerated, so "re-generate the endorsement keys" is not an action that exists. The step that actually locks the previous owner out is to clear each TPM and take ownership, which replaces the storage root key.

A TPM (Trusted Platform Module) is a hardware security component that generates and protects keys so that private key material never leaves the chip. Two keys matter for DPS TPM attestation. The endorsement key (EK) is unique to the TPM and fixed for the life of the chip; its public part is what you register in a DPS individual enrollment (TPM attestation supports individual enrollments only), and DPS uses it to encrypt the attestation challenge so that only the TPM holding the matching private key can answer. The storage root key (SRK) is the root of the storage hierarchy; it is created when an owner takes ownership and is destroyed when the TPM is cleared, because clearing regenerates the storage primary seed it is derived from.

Clearing the TPM and taking ownership removes the previous owner's access: their SRK and owner authorization are gone, anything wrapped under the old SRK can no longer be unwrapped, and the new owner sets authorizations the previous owner does not know. One caveat: TPM2_Clear requires the lockout authorization (or platform authorization, normally exposed as a "clear TPM" option in the device firmware). If the previous owner set a lockout password and did not hand it over, the TPM has to be cleared from firmware or with physical presence rather than from the operating system.

After clearing, each device is re-enrolled in your own DPS instance with its unchanged EK public key and pointed at your provisioning endpoint. The EK staying the same is expected and is how you confirm you are enrolling the same physical device. For the X.509 devices in the same fleet, the analogous step is to issue new device certificates from your own CA and remove the previous owner's CA from your DPS and IoT Hub configuration.

Therefore the recommended action is to clear the TPM and take ownership on each device, generating a new SRK, rather than attempting to regenerate the endorsement key.
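The ownership transfer described in the explanation above, as an added example that is not part of the original page or of any Microsoft tooling: a POSIX shell script using tpm2-tools 5.x that records the inherited EK and SRK, clears the TPM, takes ownership with a fresh SRK and fresh authorizations, and then checks the property the answer depends on, namely that the EK fingerprint is unchanged while the SRK fingerprint is new. Assumptions: the inherited lockout and endorsement authorizations are empty or known (otherwise clear from firmware first and pass the old endorsement auth to tpm2_createek with -P), the persistent handles 0x81000001 (SRK) and 0x81010001 (EK) are where your provisioning client expects to find the keys (these are the TCG-recommended handles, but check your client), and the RUN_TPM guard and the script name in the comment are conventions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): re-taking ownership of a TPM 2.0
# with tpm2-tools, then checking that the EK is unchanged and the SRK is new.
# Assumptions: tpm2-tools 5.x on the device, lockout/endorsement auths empty
# or known, and the provisioning client reading the TCG persistent handles.
set -eu

SRK_HANDLE=0x81000001   # TCG-recommended persistent handle for the SRK (assumption)
EK_HANDLE=0x81010001    # TCG-recommended persistent handle for the EK (assumption)

# SHA-256 fingerprint of a public-key blob written by tpm2-tools.
fingerprint() {
    sha256sum "$1" | cut -d' ' -f1
}

# Return 0 when the EK blob is identical before and after the transfer and the
# SRK blob differs; anything else means ownership was not actually re-taken.
check_ownership_transfer() {
    ek_before=$1 ek_after=$2 srk_before=$3 srk_after=$4
    if [ "$(fingerprint "$ek_before")" != "$(fingerprint "$ek_after")" ]; then
        echo "EK changed: this is not the same TPM (or a different EK template)" >&2
        return 1
    fi
    if [ "$(fingerprint "$srk_before")" = "$(fingerprint "$srk_after")" ]; then
        echo "SRK unchanged: ownership was not re-taken" >&2
        return 1
    fi
    echo "ok: EK unchanged, SRK replaced"
}

# Record the inherited state, clear the TPM, take ownership, re-create the keys.
reprovision_tpm() {
    workdir=$1 new_owner_auth=$2 new_lockout_auth=$3

    # 1. Record what the previous owner left behind. tpm2_createek needs the
    #    endorsement-hierarchy auth (-P) if the previous owner set one; reading
    #    a persisted SRK's public part needs no authorization at all.
    tpm2_createek -c "$workdir/ek_old.ctx" -G rsa -u "$workdir/ek_old.pub"
    tpm2_readpublic -c "$SRK_HANDLE" -o "$workdir/srk_old.pub" || \
        : > "$workdir/srk_old.pub"   # nothing persisted at the SRK handle

    # 2. Clear the TPM: regenerates the storage primary seed (so the SRK and
    #    everything under it are gone), flushes owner-persisted objects and
    #    resets the owner, endorsement and lockout authorizations to empty.
    #    The endorsement primary seed, and therefore the EK, is untouched.
    tpm2_clear

    # 3. Take ownership: create a new SRK in the owner hierarchy and persist it
    #    where the provisioning client will look for it.
    tpm2_createprimary -C o -g sha256 -G rsa -c "$workdir/srk.ctx"
    tpm2_evictcontrol -C o -c "$workdir/srk.ctx" "$SRK_HANDLE"
    tpm2_readpublic -c "$SRK_HANDLE" -o "$workdir/srk_new.pub"

    # 4. Re-derive the EK (same template, same seed, same key) and persist it.
    tpm2_createek -c "$workdir/ek.ctx" -G rsa -u "$workdir/ek_new.pub"
    tpm2_evictcontrol -C o -c "$workdir/ek.ctx" "$EK_HANDLE"

    # 5. Set authorizations the previous owner does not know. Do this after
    #    the evictcontrol calls, which used the (now empty) owner auth.
    tpm2_changeauth -c o "$new_owner_auth"
    tpm2_changeauth -c l "$new_lockout_auth"

    check_ownership_transfer "$workdir/ek_old.pub" "$workdir/ek_new.pub" \
                             "$workdir/srk_old.pub" "$workdir/srk_new.pub"
    echo "Register this EK public in your DPS individual enrollment: $workdir/ek_new.pub"
}

# Only touch the TPM when explicitly asked, e.g.
#   RUN_TPM=1 ./retake_ownership.sh /var/lib/tpm-handover 'owner-pass' 'lockout-pass'
if [ "${RUN_TPM:-0}" = 1 ]; then
    reprovision_tpm "${1:?workdir}" "${2:?new owner auth}" "${3:?new lockout auth}"
fi
```

Run it once per device with the new authorizations generated and stored by your fleet-management tooling, not typed by hand. The final check is deliberately strict: an EK fingerprint mismatch means either a different chip or a different EK template than the one the previous owner used (for example an ECC EK); in the latter case compare against the EK public recorded in their DPS enrollment instead of the blob produced here.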