Wednesday, September 7, 2022

TPM: What Is It and How Does It Work?

Before Windows 11 was released, few paid attention to TPM or even knew what it was. So, I thought I would share some knowledge and explain what it is.

TPM stands for Trusted Platform Module. It is also known as ISO/IEC 11889. This is a specification for hardware-based storage of digital certificates, cryptographic keys, and hashed passwords. Essentially, TPM established a root of trust.

TPM is usually a dedicated chip on a motherboard. Each TPM micro-processor is hard coded with a unique key, known as the "endorsement key". This is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM. During the boot process, the TPM compares hashes of key system state data (system firmware, boot loader, and OS kernel) to ensure they have not been tampered with.

TPM has what is known as "anti-hammering protection". This is designed to protect against brute force attacks or complex dictionary attacks. When too many authorization failures occur, a global lockout is initiated. However, it is important to note that TPM is designed to forget after a period of time. This anti-hammering protection is implemented by the manufacturer and the logic varies. This version of TPM is 1.2

Now, you have TPM 2.0. The difference between this version and 1.2 is that 2.0 has well-defined anti-hammer protection. For example, TPM is configured by Windows to lock after 32 authorization failures and forget 1 every 10 minutes. In some enterprise situations, the TPM owner authorization value is configured to be stored centrally in Active Directory, and it is not stored on the local system. An administrator can launch the TPM MMC and choose to reset the TPM lockout time. With BitLocker, the encryption keys can be stored in TPM.

Another huge difference between TPM 1.2 and 2.0 is which algorithms are required for hashing.

TPM 1.2

  • SHA 1 - Required
  • RSA - Required
  • AES - Optional
TPM 2.0
  • SHA 1 - Required
  • SHA 256 - Required
Another big difference is that Windows Defender System Guard, Autopilot, and SecureBIO are available only with TPM 2.0. 

So, in a nutshell, Windows 11 requires TPM 2.0 because it raised its security baseline.

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Basics of Windows Registry

There are many things that will scare a system administrator, and one of those things is messing with the Registry. In this article, I will ...