trusted platform module (TPM)

Posted on Sep 25, 2024

What Is a Trusted Platform Module?

Businesses and consumers transitioning to Windows 11 will now enjoy enhanced security features due to new hardware-based security prerequisites that bolster the security of their PCs. One such requirement mandates that all Windows 11-enabled PCs must be equipped with TPM 2.0 to support the operating system.

A trusted platform module, commonly known as TPM, is a physical or embedded security technology in the form of a microcontroller located on a computer's motherboard or within its processor. TPMs utilize cryptographic techniques to securely store critical information on PCs, facilitating platform authentication. This technology safeguards various sensitive data, including user credentials, passwords, biometric data, digital certificates, encryption keys, and other vital documents, behind a hardware-based barrier to protect it from external threats.

TPM technology has been integral to enterprise IT systems for over a decade, but Microsoft's mandate is one of the first instances in which TPM usage is compulsory for all users, including small and medium-sized businesses as well as individual consumers.

TPM implementations are typically aligned with an international standard established by the Trusted Computing Group (TCG). The TCG, a consortium within the computer industry, developed the foundational TPM standard, which was subsequently adopted by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), and formally designated as ISO/IEC 11889.

How Does a TPM Work?

By incorporating a TPM chip, devices elevate their security to a robust hardware-based level, surpassing mere software defenses. This enhancement empowers manufacturers to encrypt disks, thwart firmware and ransomware attacks, and bolster defenses against dictionary attacks, among other protective measures.

Upon device boot-up, the TPM conducts a thorough assessment of the device's health and environment, permitting operation only if it meets predefined trustworthiness criteria. Situated as a specialized processor within the device, the TPM houses an Endorsement Key (EK) impervious to software-based breaches and an Attestation Identity Key (AIK) safeguarding the device against unauthorized alterations. It achieves this by hashing firmware and software segments before execution and transmitting these hashes for server validation during network connection attempts. Any discrepancies halt the boot process, preventing access to the device's stored data.
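The boot-time measurement and server-side validation described above can be followed in code. The simulation below is an added example, not code from the original article or from any TPM vendor: it models a Platform Configuration Register (PCR) as a SHA-256 hash chain, "boots" a constructed set of firmware and software components, and then runs the verifier's comparison against known-good ("golden") values. A real chip would also sign the PCR values with the Attestation Identity Key before they are sent; that signature step is omitted here, and all component images and PCR index assignments are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed simulation of the measured boot described above. A PCR starts at
# all zeros and can only be changed by "extend":
#     PCR_new = SHA256(PCR_old || SHA256(component))
# so its final value depends on every component measured into it and on the
# order in which they were measured; nothing can set a PCR to a chosen value.

PCR_SIZE = 32
INITIAL_PCR = bytes(PCR_SIZE)


def measure(component: bytes) -> bytes:
    """Hash a firmware or software segment before it is executed."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """Hash-chain a new measurement into a register (the TPM's PCR extend operation)."""
    return hashlib.sha256(pcr + digest).digest()


def measured_boot(components: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Boot the constructed platform: each (pcr_index, component) pair is measured
    into its register in load order, as firmware and the boot loader would do."""
    pcrs: Dict[int, bytes] = {}
    for index, component in components:
        pcrs[index] = extend(pcrs.get(index, INITIAL_PCR), measure(component))
    return pcrs


def verify_attestation(reported: Dict[int, bytes], golden: Dict[int, bytes]) -> List[int]:
    """Server-side check: list the PCR indices whose reported value differs from
    the known-good value recorded for this platform. An empty list means trusted."""
    return sorted(i for i in golden if reported.get(i) != golden[i])


# Constructed stand-ins for the real firmware, boot loader and kernel images.
KNOWN_GOOD_BOOT = [
    (0, b"UEFI firmware v1.0 (constructed)"),
    (4, b"boot loader (constructed)"),
    (7, b"secure boot policy: enforced (constructed)"),
    (11, b"OS kernel build 2024.09 (constructed)"),
]

# Golden values are recorded once from a trusted reference boot of the same platform.
GOLDEN_PCRS = measured_boot(KNOWN_GOOD_BOOT)


def boot_and_attest(components: List[Tuple[int, bytes]]) -> List[int]:
    """Simulate one boot and run the verifier's comparison against the golden values."""
    return verify_attestation(measured_boot(components), GOLDEN_PCRS)


if __name__ == "__main__":
    print("clean boot, mismatching PCRs:", boot_and_attest(KNOWN_GOOD_BOOT))
    tampered = list(KNOWN_GOOD_BOOT)
    tampered[1] = (4, b"boot loader (constructed, one byte changed)")
    print("modified boot loader, mismatching PCRs:", boot_and_attest(tampered))
    extra = KNOWN_GOOD_BOOT + [(11, b"unexpected early-boot driver (constructed)")]
    print("extra component loaded, mismatching PCRs:", boot_and_attest(extra))
```

The design point is that the verifier never needs the component images themselves, only the expected register values: a single changed byte in the boot loader, an additional component measured into a register, or a missing measurement all produce a different final value, and the verifier reports exactly which registers diverged.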

This approach enhances security in two ways: the TPM signs and validates data to establish the device's identity, and it provides hardened storage for software and platform keys while cryptographic computations are in progress. Even after a successful breach, an unauthorized party is kept from the Root of Trust (RoT) data. Deploying a TPM shifts the responsibility for initializing and maintaining security to the operating system, so security measures can run automatically without continuous manual oversight.

With TPM 2.0, the chip supports algorithm agility: cryptographic algorithms can be exchanged rather than being fixed by the specification, which gives greater cryptographic flexibility. Overcoming constraints of the original specification, TPM 2.0 also improves on basic signature verification, allowing keys to be managed for both restricted and conditional usage. The result is expanded security features, better performance, and faster operations, making the chip suitable for deployment in resource-constrained devices.

Practical Implementations

Certificates can be generated or installed on computers utilizing TPM technology. Once a computer is provisioned, the RSA private key associated with a certificate becomes linked to the TPM, preventing its export. Moreover, TPMs can serve as a cost-effective alternative to smart cards, diminishing the expenses tied to the production and distribution of smart cards.

The automated provisioning capabilities of TPMs contribute to cost savings in enterprise TPM deployments. Advanced TPM management APIs can ascertain whether provisioning actions necessitate a physical presence, such as a service technician's approval of TPM state alterations during the boot sequence.

Security solutions like anti-malware software leverage boot measurements of the operating system's initial state to validate the integrity of Windows-based systems. These measurements encompass verifying the launch of Hyper-V to ensure that data centers employing virtualization are not utilizing untrusted hypervisors. Through features like BitLocker Network Unlock, IT administrators can seamlessly deploy updates without worrying about computers awaiting PIN input.

TPMs offer a range of Group Policy settings that prove beneficial in specific enterprise scenarios.

Feature Description

The Trusted Platform Module (TPM) technology is crafted to deliver security functions rooted in hardware. A secure crypto-processor, the TPM chip executes cryptographic operations and incorporates multiple physical security mechanisms to resist tampering, rendering it impervious to malicious software interference. Utilizing TPM technology offers several benefits, such as:

  • Creation, storage, and controlled usage of cryptographic keys.

  • Leveraging the TPM's unique RSA key, hardcoded into the chip, for device authentication.

  • Safeguarding platform integrity by capturing and storing security measurements during the boot sequence.

The primary functions of TPM commonly revolve around system integrity validations and cryptographic key management. Throughout system boot-up, the loaded boot code (comprising firmware and OS components) undergoes measurement and recording within the TPM. These integrity measurements serve as proof of how the system initiated and verify that a TPM-based key was accessed solely under the correct software conditions during boot-up.

Configuration options for TPM-based keys vary. For instance, a TPM-based key can be configured so that it can never leave the TPM, which counters phishing attempts by preventing the key from being duplicated and used elsewhere. Additionally, TPM-based keys can be set to require an authorization value before use. After repeated incorrect authorization attempts, the TPM triggers its dictionary attack protection, blocking further attempts.
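The two protections described in the last two paragraphs, a key bound to the boot measurements and an authorization value backed by dictionary attack protection, are shown together in the simulation below. It is an added example written for this article, not code from the original page and not TPM 2.0 API code: the "TPM" is a Python object holding a seed that never leaves it (standing in for the chip's storage hierarchy), sealing is modelled as encrypting key material under a wrapping key derived from that seed and a digest of the selected PCR values, and the lockout threshold `MAX_AUTH_FAILURES` and all PCR values are constructed. A real TPM's lockout counter recovers with time; that recovery is not modelled.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed simulation of (1) a key sealed to a PCR policy, usable only when
# the measured boot state matches, and (2) an authorization value protected by a
# dictionary-attack lockout. Constructed threshold; real TPMs also recover over time.
MAX_AUTH_FAILURES = 3


def policy_digest(pcrs: Dict[int, bytes]) -> bytes:
    """Digest of the selected PCR values: the 'software conditions' a key is bound to."""
    h = hashlib.sha256()
    for index in sorted(pcrs):
        h.update(index.to_bytes(1, "big") + pcrs[index])
    return h.digest()


@dataclass
class SealedBlob:
    """What leaves the TPM: safe to store on disk, useless without the chip's seed."""
    policy: bytes       # PCR policy digest the key is bound to
    ciphertext: bytes   # key material encrypted under a policy-bound wrapping key
    auth_hash: bytes    # hash of the authorization value, never the value itself


class SimulatedTPM:
    def __init__(self) -> None:
        self._seed = os.urandom(32)   # never exported; stands in for the storage seed
        self._failed_auth = 0         # dictionary-attack counter

    def _keystream(self, policy: bytes, n: int) -> bytes:
        """Wrapping key = HMAC(seed, policy); expand it into n keystream bytes.
        A different boot state gives a different policy and so a different key."""
        wrap = hmac.new(self._seed, policy, hashlib.sha256).digest()
        out, counter = b"", 0
        while len(out) < n:
            out += hashlib.sha256(wrap + counter.to_bytes(4, "big")).digest()
            counter += 1
        return out[:n]

    def seal(self, key: bytes, auth_value: bytes, pcrs: Dict[int, bytes]) -> SealedBlob:
        """Bind key material to the current PCR values and an authorization value."""
        policy = policy_digest(pcrs)
        stream = self._keystream(policy, len(key))
        return SealedBlob(policy,
                          bytes(a ^ b for a, b in zip(key, stream)),
                          hashlib.sha256(auth_value).digest())

    def unseal(self, blob: SealedBlob, auth_value: bytes,
               current_pcrs: Dict[int, bytes]) -> Tuple[str, Optional[bytes]]:
        """Release the key only if not locked out, the auth value is right, and
        the current boot measurements match the policy the key was sealed to."""
        if self._failed_auth >= MAX_AUTH_FAILURES:
            return ("locked_out", None)          # dictionary attack protection engaged
        if not hmac.compare_digest(hashlib.sha256(auth_value).digest(), blob.auth_hash):
            self._failed_auth += 1
            return ("bad_auth", None)
        if policy_digest(current_pcrs) != blob.policy:
            return ("policy_mismatch", None)     # booted under different software conditions
        stream = self._keystream(blob.policy, len(blob.ciphertext))
        return ("ok", bytes(a ^ b for a, b in zip(blob.ciphertext, stream)))

    def failed_attempts(self) -> int:
        return self._failed_auth


if __name__ == "__main__":
    tpm = SimulatedTPM()
    good_boot = {0: b"\x01" * 32, 7: b"\x02" * 32}     # constructed PCR values
    blob = tpm.seal(b"K" * 32, b"correct-pin", good_boot)
    print(tpm.unseal(blob, b"correct-pin", good_boot)[0])                  # ok
    print(tpm.unseal(blob, b"correct-pin", {0: b"\x01" * 32, 7: b"\x03" * 32})[0])  # policy_mismatch
    for _ in range(MAX_AUTH_FAILURES):
        print(tpm.unseal(blob, b"guess", good_boot)[0])                    # bad_auth
    print(tpm.unseal(blob, b"correct-pin", good_boot)[0])                  # locked_out
```

Two properties are worth noticing. The sealed blob can be copied off the machine, but without the chip's seed the ciphertext is unusable, which is what makes the key non-exportable in practice. And once the lockout engages, even the correct authorization value is refused, so guessing the value offline or online does not help an attacker who has the blob.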
