WhatIs.com

Trusted Platform Module (TPM)

By Alexander S. Gillis

What is a Trusted Platform Module (TPM) and why is it important?

A Trusted Platform Module (TPM) is a specialized chip, usually on a laptop, desktop or server motherboard, designed to generate and protect cryptographic keys in hardware and to use them without ever exposing the private key material to the operating system. A TPM authenticates the device and, through the keys and credentials it protects, can help prove a user's identity. It also underpins defenses against threats such as firmware tampering and ransomware by making the boot sequence measurable and by binding disk encryption keys to a known-good platform state.

A TPM can support digital rights management (DRM) and software license enforcement by binding content or licenses to a specific device. It can also protect passwords, certificates and encryption keys, either in its small non-volatile store or by wrapping them so that they can only be unwrapped inside that TPM. TPM chips can be used with any major operating system and work best in conjunction with other security technologies, such as firewalls, antivirus software, smart cards and biometric verification.

A TPM chip is a dedicated cryptoprocessor on the computer's motherboard. It holds asymmetric keys, originally Rivest-Shamir-Adleman (RSA) keys and, in TPM 2.0, elliptic-curve keys as well, that are unique to the host system and are used for hardware authentication.

Each TPM chip contains an asymmetric key pair called the Endorsement Key (EK), created at manufacture and usually accompanied by a manufacturer-issued certificate. The private half is maintained inside the chip and cannot be read by software; only the public half can be exported. The Storage Root Key (SRK) is created when a user or administrator takes ownership of the TPM (TPM 1.2) or is derived from the TPM's internal storage seed (TPM 2.0). It is not derived from the EK: the SRK is the root of the TPM's key hierarchy, and keys created beneath it are wrapped by the SRK so that they can only be unwrapped and used inside that TPM. The owner-specified password (owner authorization) governs who may take ownership and run owner-privileged commands.

A third key, called an Attestation Identity Key (AIK), is what lets a remote party verify that firmware and software have not been modified. The AIK does not hash anything itself. Instead, the firmware and each subsequent boot stage measure (hash) the components they are about to execute and extend those hashes into the TPM's Platform Configuration Registers (PCRs), which can only be extended, never overwritten. When the system attempts to connect to the network, an attestation server sends a fresh nonce and the TPM uses the AIK to sign a quote of the current PCR values together with that nonce. The server checks the signature, the nonce and the PCR values against expected values. If any measured component has been modified, the PCR values differ, the match fails, and the system cannot gain entry to the network. Quotes are signed with the AIK rather than the EK so that the EK, which uniquely identifies the chip, does not have to be revealed to every verifier.
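The following is an added example, not code from the original article or from any TPM vendor, that models the measured-boot and attestation flow just described: each boot component is hashed and extended into a PCR, the event log is replayed by the verifier, and a nonce-bound quote is checked against a golden PCR value. The boot images, the nonce, the "golden" value and the AIK key are all constructed for the demo, and the quote is a keyed HMAC standing in for the AIK signature a real TPM would produce with an asymmetric key. The hash-bank parameter is there to show why a PCR's value depends on the algorithm in use.

```python
import hashlib
import hmac

# Added example (not from the article): a minimal model of measured boot
# and remote attestation. All inputs below are constructed for the demo.

def pcr_extend(pcr: bytes, digest: bytes, alg: str = "sha256") -> bytes:
    """TPM2_PCR_Extend semantics: PCR_new = H(PCR_old || digest).
    A PCR can only be extended, never written, so its final value commits
    to every measurement made and to the order in which they were made."""
    return hashlib.new(alg, pcr + digest).digest()

def measured_boot(components, alg: str = "sha256"):
    """Simulate firmware measuring each component before running it.
    Returns the final PCR value and an event log of (name, digest) entries."""
    pcr = bytes(hashlib.new(alg).digest_size)  # PCRs are all zeros at reset
    log = []
    for name, blob in components:
        digest = hashlib.new(alg, blob).digest()
        log.append((name, digest))
        pcr = pcr_extend(pcr, digest, alg)
    return pcr, log

def replay_log(log, alg: str = "sha256") -> bytes:
    """Verifier side: recompute the PCR from the event log alone."""
    pcr = bytes(hashlib.new(alg).digest_size)
    for _, digest in log:
        pcr = pcr_extend(pcr, digest, alg)
    return pcr

def make_quote(pcr: bytes, nonce: bytes, aik_key: bytes) -> bytes:
    """Stand-in for TPM2_Quote. A real TPM signs (nonce, PCR values) with the
    AIK private key; a keyed HMAC is used here only so the example runs with
    the standard library. It is NOT how a TPM signs."""
    return hmac.new(aik_key, b"TPM_QUOTE" + nonce + pcr, "sha256").digest()

def verify_attestation(quote, nonce, log, expected_pcr, aik_key, alg="sha256"):
    """Server side: (1) the quote is authentic and bound to our fresh nonce,
    (2) the event log replays to the quoted PCR, (3) the PCR is the golden value."""
    claimed_pcr = replay_log(log, alg)
    if not hmac.compare_digest(quote, make_quote(claimed_pcr, nonce, aik_key)):
        return False, "quote signature/nonce mismatch"
    if not hmac.compare_digest(claimed_pcr, expected_pcr):
        return False, "PCR does not match expected boot configuration"
    return True, "ok"

# Constructed boot chains (stand-ins for real firmware/bootloader/kernel images)
GOOD_CHAIN = [
    ("firmware", b"UEFI firmware image v1.0"),
    ("bootloader", b"bootloader image v2.3"),
    ("kernel", b"kernel image 6.1"),
]
TAMPERED_CHAIN = [
    ("firmware", b"UEFI firmware image v1.0"),
    ("bootloader", b"bootloader image v2.3 + bootkit"),  # one modified stage
    ("kernel", b"kernel image 6.1"),
]
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0], GOOD_CHAIN[2]]  # same parts, wrong order

AIK_KEY = b"constructed-aik-stand-in-key"     # constructed; a real AIK never leaves the TPM
EXPECTED_PCR, _ = measured_boot(GOOD_CHAIN)   # golden value enrolled on the server

def attest(chain, nonce=b"server-nonce-0001"):
    """Run one client boot plus one server verification and return the verdict."""
    pcr, log = measured_boot(chain)
    q = make_quote(pcr, nonce, AIK_KEY)
    return verify_attestation(q, nonce, log, EXPECTED_PCR, AIK_KEY)

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("tampered", TAMPERED_CHAIN),
                        ("reordered", REORDERED_CHAIN)]:
        print(name, attest(chain))
```

The tampered and reordered chains both fail because the PCR commits to the order of measurements as well as their contents, and a stale quote captured from an earlier session fails because the server's nonce is folded into what the AIK signs.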

The term TPM is sometimes used in reference to the set of specifications applicable to TPM chips. The nonprofit Trusted Computing Group (TCG) publishes and maintains TPM specifications.

TPM uses and benefits

TPMs provide the following benefits:

How does Windows use TPMs and why are they required?

Windows 7, 8, 10 and 11 all support Trusted Platform Modules, and Windows 11 requires a TPM 2.0 as a minimum system requirement. Microsoft builds several Windows security features on top of the TPM rather than implementing them in software alone. For example, Windows uses TPMs to provide the following security features:

TPM 2.0 explained

TPM 2.0 was created by TCG to improve on TPM 1.2 with new features. The most significant is algorithm agility: the specification no longer hard-codes which algorithms a TPM implements, so a TPM 2.0 can support SHA-256 and elliptic-curve cryptography alongside or instead of RSA, and an algorithm that turns out to be weak can be replaced without changing the specification. TPM 1.2, by contrast, was limited to Secure Hash Algorithm 1 (SHA-1) and RSA. Authorization was also reworked: TPM 2.0's enhanced authorization lets the use of a key be gated by a policy that can combine a password or personal identification number, biometric verification, Global Positioning System data and other conditions. Improved key management enables keys to be restricted to limited and conditional use, for example a key that can only sign, or that can only be used while the PCRs hold specific values.

The new and updated features of TPM 2.0 offer more flexibility, enabling the chip to be used in more resource-constrained devices. On PCs, TPM 2.0 is supported by every desktop edition of Windows 10 and is required by Windows 11.

Different types of TPM implementations

The following Trusted Platform Modules differ by how they are implemented:

History of TPM

TCG developed the TPM specification and has updated it over time. One notable update was version 1.2, which was standardized as International Organization for Standardization/International Electrotechnical Commission (ISO/IEC) 11889 in 2009. TCG continues to work on the standard, integrating new additions and features. The current major version, 2.0, was first published in 2014, standardized as ISO/IEC 11889:2015, and has since received several revisions, including one in 2019. Version 2.0 is supported by Windows 10 and required by every edition of Windows 11.


14 Feb 2022

All Rights Reserved, Copyright 1999 - 2024, TechTarget | Read our Privacy Statement