Microsoft recently announced that the new Windows 11 operating system requires TPM 2.0 as part of its new hardware requirements. These inherently trusted hardware components help to make your organization’s endpoint and overall network defenses more secure. We’ll break down what a TPM is and the role it plays in software-based security for your business
A trusted platform module, or TPM module, is a godsend to some within the cybersecurity community. The term refers to both an integral piece of hardware that wears a surprising number of hats as well as a set of device security standards. A TPM is a hardware component that ensures your device is running optimally while also serving as a secure storage mechanism for essential security artifacts (think cryptographic keys and digital certificates). This is essential in establishing trust in an otherwise insecure digital world.
So, why is Microsoft requiring the use of TPM 2.0? Microsoft recently published an article indicating that trusted hardware components (like TPMs) make devices more secure. Their data shows that 60% more active malware reports came from machines that enabled hardware-based security protections (such as secure boot, disk encryption, and Windows Hello) than those operating without them.
Which brings us back to this article. We understand that learning about TPMs can be a bit confusing because they’re often referred to in different ways. For example, you’ll sometimes see a TPM module referred to as a TPM chip, TPM computer, or TPM device. But there’s more to TPM modules than just that. There’s an entire area of the IT hardware sector that’s dedicated to TPM security!
This is why we’re dedicating this article to answering the question “what is a TPM?” We’ll explore the value of TPMs in terms of what TPM modules do, why they’re useful, and what value TPM security brings to your business.
Let’s hash it out.
What we’re hashing out…
- Microsoft recently announced that the new Windows 11 operating system requires TPM 2.0 as part of its new hardware requirements. These inherently trusted hardware components help to make your organization’s endpoint and overall network defenses more secure. We’ll break down what a TPM is and the role it plays in software-based security for your business
- What Is a TPM? Two Important Definitions for One Term…
- TPM Definition 1: A TPM Module Is a Hardware Device
- TPM Definition 2: A TPM Module Refers to a Set of Standards for Hardware-Based Security
- Who Created TPM Devices and Standards and Why?
- TPMs Are Hardware Components That Establish Trust
- Why TPM Security Matters to Your Business
- How TPMs Protect Your Encryption Keys
- TPM Security Drawbacks: TPMs Aren’t Perfect and They Don’t Work Everywhere
- Final Thoughts on TPM Security
What Is a TPM? Two Important Definitions for One Term…
Encryption is useless if your encryption key isn’t private and secure. A trusted platform module, or TPM, is a component in your computer that’s designed to securely store encryption keys used for everything from disk encryption to signing digital certificates. TPM is a cryptographic chip installed on your computer’s motherboard that keeps cryptographic functions & key storage separate from your device’s hard disk and memory. As such, TPMs are one of the tools you’ll find at the heart of modern cybersecurity and authentication.
Jason Soroko, Chief Technology Officer of PKI at Sectigo, says the following about trusted platform modules:
“Simplistically, a secure element is a secure place to put a secret. In our case, that secret is a private key. The reason it’s secure is because the ‘element’ in secure element means that there is a dedicated piece of hardware somewhere in the computer that has its own isolated memory and microcontroller to be able to retrieve the secret that’s not associated with the main computing system which could be compromised. In the case of a TPM, that element is a separate chip on the motherboard of a traditional computer like a laptop or a desktop computer. Many other types of secure elements exist, including on mobile devices and IoT devices and they come in different form factors. What they all have in common is that concept of isolation from the main computing system.”
In this way, a TPM is like a drive-up window at a bank. There’s bullet-proof glass between you and the bank representative, and you can only access the bank’s services via the microphone, speakers, and transaction drawer. You can send input and get output, but you can’t access the bank (private key) directly.
Moreover, a TPM is a dedicated hardware component that bolsters your security capabilities in multiple other ways. A quick overview of TPM uses include:
- Enhancing device security and your software-based security capabilities,
- Enabling strong user authentication by keeping your credentials, passwords and keys secure,
- Facilitating full disk encryption to secure your sensitive data,
- Protecting cryptographic operations by running them in an isolated environment, and
- Performing key attestation to prove your cryptographic keys are secure and uncompromised.
When people talk about TPM security, the common trusted platform module definition refers to a device that provides device-level security. But there’s a second meaning to consider when it comes to defining these security devices. The second definition refers to a set of standards that manufacturers globally must abide by.
We’ll discuss both TPM definitions more in depth shortly, but here’s a quick summary of each:
- A TPM typically describes a small computer chip inside your device. In most cases, a TPM is a tamper-resistant microcontroller that’s physically part of your device’s physical motherboard. However, the term also describes software- and cloud-related tools that serve many purposes that we’ll discuss shortly. This physical device definition is what most people mean when they talk about TPM modules. In a nutshell, a TPM device:
- Serves as a dedicated piece of hardware that allows you to carry out cryptographic operations (such as generating and storing cryptographic keys) in a secure environment without bogging down your device’s CPUs.
- Verifies your device is functioning properly and is trustworthy. (Basically, it stores platform data that lets you know whether it’s been altered or compromised somehow.) This trust helps to form something known as a hardware root of trust, which we’ll speak more about a little later.
- The term TPM also describes a set of standards for global manufacturers. TPM security standards are a set of international, shared specifications that serve as the framework TPM security. They’re vendor-neutral standards, which aids interoperability across many platforms and are integral to the secure generation and store of cryptographic keys. These standards revolve around the concept of creating trust in computer security (trust computing) that’s based on trusted hardware components.
Let’s explore each of these definitions more in depth to better understand what TPM modules do and what TPM security is all about.
TPM Definition 1: A TPM Module Is a Hardware Device
A trusted platform module is a hardened computer chip (more specifically, a cryptoprocessor) that lives inside your computer, mobile device, or network hardware components. It’s a cute little device that enables you to use and store cryptographic keys securely while also enabling several important device security-related functions.
The functions and applications of TPM vary depending on the specific type you use. (We’ll speak more to the different types momentarily). However, in general, TPM chips enable you to:
- Securely generate, use and store your cryptographic keys on your device. Securely generate, sign, exchange, and store sensitive authentication-related artifacts (i.e., hardware keys and X.509 cryptographic key pairs — like what you use in public key infrastructure) — all within an individual device’s internal environment. Some keys that you can store on TPMs include those relating to:
- Code signing certificates,
- Document signing certificates, and
- Email signing certificates.
- Securely store other security-related components. In addition to storing cryptographic key pairs, TPMs also allow you to store many other security artifacts, including:
- Digital certificates,
- AD login hashes,
- Passwords, and
- Symmetric tokens.
- Generate pseudo-random numbers. This is another great benefit of using TPMs, which is integral to secure key generation.
- Prevent unauthorized users from accessing sensitive device-related info. Say, your device gets stolen or someone in your office tries messing with it when you go to lunch. If they try to remove or tamper with your TPM, the device will no longer function properly.
- Securely store your device-specific configuration parameters and run secure boot. When your computer boots up, there’s a digital signature check that takes place. If the known and trusted digital signatures don’t match, which indicates that your software or hardware has been altered, then the device won’t boot. This helps to ensure that your Windows or Linux device is operating the way it should and hasn’t become compromised. The process is a bit different for Apple or MacOS devices (which rely on a similar implementation), but it has the same type of result.
In addition to providing secure storage, measurement, and reporting capabilities, TPMs also show promising results for cloud security applications.
The Evolution of TPMs in the 2000s
Technology is always evolving based on industry needs and changes. Nowadays, the world is using TPM 2.0 but that wasn’t always the case. There have been three versions of TPMs that have come into play over the last two decades. A great resource by Will Arthur and David Challener, “A Practical Guide to TPM 2.0: Using the Trusted Platform Module in the New Age of Security,” breaks down the history of TPMs as the following:
- TPM 1.1b: This was the first type of trusted platform module, and its specification was published back in 2003. It offered basic keygen and storage, device-health attestation and secure authorization capabilities. However, some hardware-related incompatibility issues reared their heads that, among other reasons, led to the development of TPM 1.2 a few years later.
- TPM 1.2: This version of the TPM specification was published in the late 2000s. Unlike its predecessor, it featured a standardized, vendor-neutral interface that provided interoperability. This updated standard also required dictionary attack protections. TPM 1.2, which supported SHA-1 and RSA asymmetric algorithms, was succeeded by TPM version 2.0 in 2015.
- TPM 2.0: The goal of TPM 2.0 was to build upon the advantages that TPM 1.2 offered while adding other enhancements. As such, TPM 2.0 is significantly more flexible in terms of application than its predecessor. They adopted a “TPM 2.0 Library” approach that enables you to pick and choose security levels and functionalities. TPM 2.0’s increased functionality and flexibility makes it useful for many embedded applications, including smart devices. It also supports a wider range of hash and public key algorithms (including elliptic curve cryptography, or ECC), as well as some limited symmetric key algorithms.
5 Types of Trusted Platform Modules
The Trusted Computing Group identifies five types of TPMs, which offer varying levels of security. The first two are hardware-based while the remaining three are software- or cloud-based implementations.
- Discrete TPMs. This is, by far, the most secure type of trusted platform module. When people talk about TPMs in the sense of being physical devices, this is what they’re frequently talking about. A discrete TPM is tamper-resistant — if someone tries to remove the device or change it, it’ll prevent the device it’s attached to from operating. (This way, an attacker can’t steal data or do anything else they shouldn’t.) This makes it ideal for protecting critical systems.
- Integrated TPMs. This is the second type of hardware-based TPM. However, unlike discrete TPMs, integrated TPMs are called such because they’re integrated into a chip. Although it’s not tamper-resistant, it is resistant to software issues. This is ideal for network gateways and wireless applications.
- Firmware TPMs. Unlike the previous two, firmware TPMs are code that executes within a protected software environment (called a TEE, or trusted execution environment). This environment runs separately from CPU-based programs, which offers it some protection from software-based attacks. An example of where you might find a firmware TPM is in entertainment systems.
- Software TPMs. This type of TPM is a software TPM emulator that seems promising but, frankly, has a lot of vulnerabilities and security-related issues. This makes it great for prototyping and testing but too insecure for external applications. As such, it should never, ever be utilized in public-facing environments!
- Virtual TPMs. Don’t worry, we aren’t going to leave you cloud lovers out… Virtual TPMs are tools that use virtual machines to integrate within your cloud environment. They provide the same commands as their hardware-based counterparts but operate differently.
TPM Module vs TPM Platforms
Ever heard of TPM platforms? Yes, they’re related to trusted platform modules but they’re not quite the same. Devices that contain both a TPM module and a trusted building block are known as trusted platforms. ISO/IEC 11889-1:2009 Part 1 states that these platforms are useful for:
- Managing local passwords,
- Encrypting files and folders,
- Encrypting email communications (S/MIME), and
- PKI and VPN authentication.
TPM Module vs Hardware Security Modules — Aren’t They the Same?
Cue the buzzer sound. This is where things can get a bit confusing. People sometimes refer to TPMs as hardware security modules, or HSMs. While similar in functionality — in the sense that both are useful for cryptographic key generation and secure storage — TPMs and HSMs are two different types of hardware that serve different purposes from a 30,000-foot perspective.
Soroko defines HSMs and TPMs in the following way:
“Both HSMs and TPMs are two different examples/types of Hardware Roots of Trust. HSMs are dedicated hardware devices meant to store and retrieve a lot of certificates and keys at very high speed. TPMs are small chipsets that exist on a computer motherboard meant to handle a much lower volume of leaf certificates related to the device.”
Let’s add to this delineation a bit more:
- TPMs are integrated motherboard chips that are unique to individual computers and mobile devices. They operate internally and don’t interact with external devices. They’re also resistant to dictionary attacks.
- HSMs are external or removable cards or devices that companies use to store their sensitive keys together in a single, secure location. HSMs useful for large IT environments and can be used for cryptographic operations at scale.
Certificate authorities typically use HSMs to store their root CA private keys. Of course, they also store those HSM devices in secure locations as well and employ other security-related procedures to keep their PKI secrets secret.
As such, the TPMs and HSMs are terms that shouldn’t be used interchangeably. (We have another article coming out within the next few weeks that will explore HSMs more in depth, so stay tuned to Hashed Out for that.) All of this brings us to our next definition of TPM modules…
TPM Definition 2: A TPM Module Refers to a Set of Standards for Hardware-Based Security
If you work in cybersecurity or you’ve been following Hashed Out for a while, then you likely know by now how much the IT security community loves its standards. In the case of trusted platform modules, the standards that come to mind are versions one and two of ISO/IEC 11889.
If you haven’t already guessed, it’s time for a little history lesson. The first TPM security standard, ISO/IEC 11889-1:2009, came out in May 2009. The purpose of these standards was to provide an overview of TPM chips, how they work, and the roles they play in establishing trust and measuring and reporting device integrity.
ISO/IEC 11889-1:2009 is divided into the following four components:
- Part 1: Overview,
- Part 2: Design Principles,
- Part 3: Structures, and
- Part 4: Commands.
The latest standard, ISO/IEC 11889-2:2015, was revised in 2015. ICO/IEC 11889-2:2015, which also comprises four sections, shakes things up a bit. It eliminates its predecessor’s overview section and adds a new section on supporting subroutines at the end while keeping the three remaining sections. This second version of the standard, which was last reviewed in October 2020 and confirmed in May 2021, is valid until 2025.
Want to read them more in depth? Both the 2009 and 2015 versions of the standard are available on the ISO website.
Who Created TPM Devices and Standards and Why?
Trusted platform modules have been around in one form or another since 2003. The devices were created by the Trusted Computing Group (TCG), a nonprofit that was known as the Trusted Computing Platform Alliance, or TCPA, in its previous life.
I’m sure we’re all familiar with the phrase “it takes a village.” Well, the concept definitely applies here. TCG is a global entity that has more than 100 member organizations. It’s a veritable Who’s Who of numerous big-name developers, vendors, and manufacturers, including:
- GE, and
The TCG later collaborated with the Joint Technical Committee 1 (JTC1) of the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC). But what led to the creation of these HRoT-imbuing devices and standards? According to a December 2020 TCG blog post, it boils down to wanting to improve the concept of security as the world knew it:
“Before the TPM, security was generally based in software and whichever software ran first on a system was the one in control of it. With this in mind, the Trusted Computing Group (TCG) developed the TPM, to provide a hardware root of trust for software which is essentially a foundational bridge between hardware and software that helps software protect secrets from attackers and provide evidence about the integrity of a system. The TPM is a dedicated component designed to be built into a variety of platforms, to enable strong user authentication and machine attestation – essential to prevent unwarranted access to confidential and sensitive information and to protect against compromised networks.”
TPMs Are Hardware Components That Establish Trust
Remember earlier when we mentioned the idea of trust computing? Trusted platform modules help to bridge the gap between hardware and software and is one type of root of trust (RoT). (Or, more specifically, the hardware root of trust (HRoT). The root of trust is about using inherently trusted hardware to ensure the trustworthiness and integrity of the items it stores (keys, certificates, etc.).
Are you wondering why they’re considered “inherently trusted” devices? Each TPM comes equipped with hard-coded identifiers (i.e., keys) that serve as the computer hardware equivalent of your government passport. But instead of coming from a government entity, TPM device keys are issued by the trusted OEM manufacturers (companies like Microsoft and IBM).
These identifiers uniquely ID individual TPMs and are part of each device’s persistent (hard-coded) memory. If someone tries to alter the unique identifiers or remove the TPM module altogether, then all the cryptographic keys and protected data tied to those keys will be lost forever. Furthermore, the device itself will no longer be accessible or functional, transforming your device into an expensive paperweight.
Basically, this protective mechanism ensures that unauthorized users can’t gain access to your sensitive keys or data by simply tampering with the device’s security.
Why TPM Security Matters to Your Business
Both TPM modules and their accompanying standards are integral to identity and access management (IAM). Trusted platform modules help organizations:
- Adopt a zero-trust approach within their IT environments by protecting essential certificates and keys. Zero-trust is an approach to security architecture that involves never trusting and continually verifying users’ identities.
- Improve cyber defenses by adding inherently trusted hardware to the equation. Pairing your network and device-level security tools with the HRoT you receive from using inherently trusted hardware adds another layer of security to your cyber defenses.
- Integrate passwordless authentication for greater security. One method of passwordless authentication, known as certificate-based authentication, uses PKI client authentication certificates to authenticate users. One of my colleagues shared in an article last year that when paired with a TPM module, this method of authentication more secure than passwords paired with SMS-based multi-factor authentication (MFA).
Not looking to spend a lot of money buying individual hardware components? No worries — Microsoft may have you covered. That’s because most new Windows 10 computers are equipped with TPM modules in their motherboards right out the gate!
How to Tell If Your Device Has a TPM Chip
But how do you know if you have a trusted platform module on your device? Open your computer’s Device Manager and select Security devices. Under that drop-down menu, there should be a Trusted Platform Module (1.2 or 2.0) listed.
Remember, TPM 2.0 is what’s required to upgrade to Windows 11 (although Microsoft posted a Windows 11 update that indicates they’re allowing some “limited exceptions” for existing Windows Insiders. But they do also warn that running Windows 11 on devices that don’t meet the Windows 11 hardware requirements may experience bugs and other issues.)
If you double-click on the device, it will bring up another menu that will provide you will all sorts of information, including:
- Device operating status (this info is available in the General tab).
- Driver information (you can access this info in the Driver tab).
- Dozens of other types of information about the device (in the Details tab, select the drop-down menu under the Property listing).
- Whether the device has ever been migrated and when (click on the Events tab to access this information).
- Device resource settings (you can find this info in the aptly named Resources tab).
If you want to see whether the TPM module is ready for use, you’ll need to look in the TPM management console. To access that tool:
- In the main Device Manager window, left-click once on the TPM module.
- Press R + Windows on your keyboard and run the following command tpm.msc.
- In the second main box, you’ll see the status of the device, which says it should be available or ready for use.
If you don’t have admin access, you’ll likely receive the following error message:
How TPMs Protect Your Encryption Keys
A TPM is what’s known as a sealed storage device. It protects your keys by keeping them isolated from the rest of your computer’s memory. This ensures that they remain secure even if the computer that the chip is installed in is infected with malware.
Your keys are especially vulnerable when you use them to run cryptographic operations. Restricting the generation, access, and usage of your keys to within that TPM environment ensures that they remain secure even if the computer that the TPM chip is installed has malware. By preventing the keys from copying to the device’s system memory, it protects them from compromise.
But how do you ensure you’re storing your PKI private keys on a TPM and not saving them to your hard drive? Soroko says that you can use an agent software that interacts with the TPM to do that.
“[Storing private keys on the TPM] would be handled by an agent software that would interact with the TPM. The provisioning of the certificate would be automated with certificate management software configured by the enterprise. Sectigo Certificate Manager is an example.”
Some TPMs Enable IoT Devices to Be Issued With Certificates From the Factory
In April 2020, Sectigo announced a partnership with Infineon, which makes the OPTIGA TPM, to integrate Sectigo device certificates within their TPMs. The idea here is to secure IoT devices as early as possible — in this case, during the manufacturing process. Sectigo’s IoT Manager tool allows manufactures to use their public keys to generate certificate signing requests (CSRs) while keeping their matching private keys securely stowed away within TPMs.
Their IoT Manager integrates with their Sectigo Certificate Manager (SCM) platform as well. According to Soroko: “Sectigo’s Microsoft Agent, part of SCM, interacts with an enterprise implementation of Active Directory and related policies, which can provision TPMs with certificates.”
TPM Keys Need to Be Backed Up or Escrowed
This brings us to a potential hiccup: what do you do if something were to happen to your TPM? Say, someone tries to compromise your computer or the TPM itself. Then the TPM’s security mechanisms will kick in and prevent the device from operating. But if you don’t have access to those keys or your device, it means you also no longer have access to your secure data. This is where backing up your keys is important.
Keeping backups of all the secrets (digital certificates, keys, tokens, etc.) is a good idea because it provides a failsafe in the event of a hardware failure or someone messing with your machine. So, take the time to back up or escrow the digital certificates and key you store in your TPM in advance to avoid headaches down the road. (Just be sure to store your migratable key backups in a secure location such as a key vault.)
Soroko emphasizes the importance of backing up your TPM keys and says that some certificate managers use key vaults to help you do so:
“There is a concept that we call ‘key escrow,’ which acts as a secrets vault and it is part of certificate management software such as Sectigo Certificate Manager. If something goes wrong, Sectigo Certificate Manager retrieves a backed up copy of the necessary certificate or keys from the vault and re-provisions it to the TPM.”
TPM Security Drawbacks: TPMs Aren’t Perfect and They Don’t Work Everywhere
Historically, trusted platform modules were looked at as costly expenses that many companies couldn’t afford to dole out on. But since companies like Microsoft already include TPMs in their newer devices, that isn’t as much of an issue anymore.
There are a couple of other concerns relating to these devices that may give companies reason to pause. The first is that — as is the case with all other types of technologies — some TPM device vulnerabilities have come to light in recent years. For example, at the end of 2019, Worcester Polytechnic Institute researchers discovered a pair of alarming security vulnerabilities they dubbed “TPM-Fail.” The good news, though, is that manufacturers were quick to fix the issues.
But what happens when TPM security fails? If someone with less-than-admirable plans manages to get their hands on your cryptographic keys, it can be disastrous for you and your organization. Bad guys can use those keys to:
- Compromise the affected device’s operating system and security services,
- Access, modify or steal encrypted information,
- Sign fraudulent or malicious documents or software to pass off as legitimate,
But concerns regarding device security isn’t limited to TPMs alone. There can be design flaws or issues that exist in any technology. However, if you actively keep your devices and firmware patched and up to date, you can largely mitigate those vulnerabilities and the risks associated with them.
The second concern regarding to use of trusted platform modules for some businesses or developers has nothing to do with cost or device vulnerabilities — it has to do with your organization’s geographic location. That’s because some countries, such as China and Russia (according to Dell) have regulations that:
- Prevent TPM usage outright,
- Require government authorization prior to use, or
- Require a government-regulated tech alternative (known as a TCM).
Final Thoughts on TPM Security
Alright, it’s time we wrap up this article. Endpoint and network security are major concerns for businesses globally for a good reason. Just look at cybercrime statistics in recent years for examples of why that’s the case! But trying to achieve effective security and manage user authentication can’t be done by relying on software tools alone. Instead, hardware-based security methods can enhance your existing defenses and make you a tougher walnut for cybercriminals to crack.
Incorporating TPM security into your organization’s IT infrastructure is a great way to add another layer to your cyber defenses and cryptographic capabilities. But don’t make your TPM travel the lonely road — pair it with additional protection methods like other device and network-related protections like antivirus and anti-malware tools and firewalls. TPM chips add hardware-based trust that’s useful for keeping tabs on your endpoint devices’ health and security.
And one last important note about TPM security: be sure to keep secure backups of your migratable keys. This way, if anything happens to your platform or TPM, your don’t lose access to your data and cryptographic keys.