TPM chips offer a safe haven for media companies because they provide copyright protection for digital media delivered to hardware like a set-top box. By enabling digital rights management, TPM chips allow companies to distribute content without worrying about copyright infringement. Are you curious to find out if your Windows machine has TPM enabled or not?
On most Windows 10 machines, a TPM is usually integrated into the motherboard to securely store the encryption keys when encrypting the hard drive using features like BitLocker. Type in tpm. This will tell you the current status of the TPM chip: activated or enabled. BIOS settings and menus vary between hardware, but this is a rough guide to where you're likely to find the option.
TPM does not only protect regular home computers but offers extended benefits for enterprises and high-end IT infrastructures as well. Here are some TPM benefits that enterprises can achieve:
Besides investing in software-based security tools, hardware security is just as important and can be achieved by implementing encryption to secure your data. TPM provides countless security features, from generating keys, storing passwords and certificates to encryption keys. For example, consider the cost-saving decision to use entirely asymmetric encryption for all data storage, even though a symmetric encryption algorithm such as a block cipher would be better suited.
Of course, this does not mean that the TPM cannot store such keys - simply that it does not perform cryptography using them. Instead, symmetric keys are sealed to a configuration and released for use to a trustworthy OS configuration. TPM internal data storage formats are thus limited by the maximum size of data that can be encrypted using an RSA operation of a particular key length. But how does the TPM deal with false key injection - as the public half of the storage key will be available to all?
The ability to insert false keys may seem irrelevant (after all, it cannot gain access to existing storage keys which govern protected content), but is crucial, as without it, it would be possible to create a key which is designated as non-migratable (can never be removed from a specific TPM), and yet with a value known to the attacker. If a content provider were to issue content to be protected under this key, a breach would occur.
This ensures that false keys cannot be inserted into the key hierarchy: whilst anyone can of course encrypt plaintext under a public key, they do not have access to the clear value of TPM proof. Essentially, the asymmetric crypto system is converted into a symmetric one, with a composite key consisting of the private half of the root storage key and TPM proof.
The TPM does make extensive use of cryptographic hash operations, however, and currently uses the SHA-1 hash algorithm. This hash algorithm is used to "extend" the values in the Platform Configuration Registers (PCRs), to detect and prevent data modification, identify keys, and to create "capabilities" used to improve the efficiency of command chaining. Capabilities are created by hashing particular command parameters together with the secret value TPM Proof in order to create a bit capability string which cannot be forged by an adversary.
This is useful in improving the performance of, for example, third-party approved migration, where the third party produces an authorisation certificate processed by the TPM. The TPM architecture would be complicated by storing additional state between API commands, but on the other hand, requiring the migration certificate to be verified before the migration of every individual key incurs a performance penalty.
The use of capabilities based on TPM Proof allows the check to be done once only, and a capability issued, which is much quicker to check at subsequent invocations of migrate commands.
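The capability check described above, as an added example that is not from the original page: a toy model of the idea, not a real TPM interface. `ToyTpm`, its method names, the sample values, and the HMAC used as a stand-in for the certificate signature check are all assumptions made for illustration.

```python
import hashlib
import hmac
import os


class ToyTpm:
    """Models only the capability mechanism; not a real TPM interface."""

    def __init__(self):
        self._tpm_proof = os.urandom(20)  # secret that never leaves the chip
        self.cert_checks = 0              # counts slow-path verifications

    def _capability(self, authority_id: bytes, dest_pubkey: bytes) -> bytes:
        # Hash each parameter to a fixed length first so field boundaries
        # are unambiguous, then bind them to the secret TPM proof.
        h = hashlib.sha1()
        h.update(hashlib.sha1(authority_id).digest())
        h.update(hashlib.sha1(dest_pubkey).digest())
        h.update(self._tpm_proof)
        return h.digest()

    def authorize_migration(self, authority_id, authority_key, dest_pubkey, cert_tag):
        """Slow path, run once: verify the third party's approval."""
        self.cert_checks += 1
        # Stand-in for the certificate signature check (assumption: an
        # HMAC replaces the asymmetric verification to stay offline).
        expected = hmac.new(authority_key, dest_pubkey, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, cert_tag):
            raise PermissionError("migration certificate rejected")
        return self._capability(authority_id, dest_pubkey)

    def migrate_key(self, key_name, authority_id, dest_pubkey, capability):
        """Fast path, run per key: recompute the hash, keep no state."""
        expected = self._capability(authority_id, dest_pubkey)
        if not hmac.compare_digest(expected, capability):
            raise PermissionError("invalid capability")
        return f"{key_name} approved for migration"


def demo():
    tpm = ToyTpm()
    authority_key = b"constructed-authority-secret"   # constructed sample
    dest = b"constructed-destination-public-key"      # constructed sample
    cert = hmac.new(authority_key, dest, hashlib.sha256).digest()
    cap = tpm.authorize_migration(b"MA-1", authority_key, dest, cert)
    results = [tpm.migrate_key(k, b"MA-1", dest, cap) for k in ("k1", "k2", "k3")]
    return tpm, cap, dest, results
```

The certificate is verified once for three migrations, and a capability computed without the TPM proof, or presented with different parameters, is rejected.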
Certification programs for TPMs—and technology in general—continue to evolve as the speed of innovation increases. The result is a balance between scenarios used, assurance level, cost, convenience, and availability. The security features of Windows combined with the benefits of a TPM offer practical security and privacy benefits.
The following sections start with major TPM-related security features in Windows and go on to describe how key technologies use the TPM to enable or increase security. Windows includes a cryptography framework called Cryptographic API: Next Generation (CNG), the basic approach of which is to implement cryptographic algorithms in different ways but with a common application programming interface (API).
Applications that use cryptography can use the common API without knowing the details of how an algorithm is implemented (much less the algorithm itself). Underneath the CNG interface, Windows or third parties supply a cryptographic provider (that is, an implementation of an algorithm) implemented as software libraries alone or in a combination of software and available system hardware or third-party hardware.
If implemented through hardware, the cryptographic provider communicates with the hardware behind the software interface of CNG.
The Platform Crypto Provider, introduced in the Windows 8 operating system, exposes the following special TPM properties, which software-only CNG providers cannot offer or cannot offer as effectively: The operating system can load and use the keys in the TPM without copying the keys to system memory, where they are vulnerable to malware. In sharp contrast, software solutions that protect keys from copying are subject to reverse-engineering attacks, in which someone figures out how the solution stores keys or makes copies of keys while they are in memory during use.
With dictionary attack protection, the TPM can prevent attacks that attempt a large number of guesses to determine the PIN. After too many guesses, the TPM simply returns an error saying no more guesses are allowed for a period of time. Software solutions might provide similar features, but they cannot provide the same level of protection, especially if the system restarts, the system clock changes, or files on the hard disk that count failed guesses are rolled back.
In addition, with dictionary attack protection, authorization values such as PINs can be shorter and easier to remember while still providing the same level of protection as more complex values when using software solutions. A practical way to see these benefits in action is when using certificates on a Windows device. Certificate templates can specify that a TPM use the Platform Crypto Provider to protect the key associated with a certificate.
In mixed environments, where some computers might not have a TPM, the certificate template could prefer the Platform Crypto Provider over the standard Windows software provider. If a certificate is configured as not able to be exported, the private key for the certificate is restricted and cannot be exported from the TPM. Smart cards are highly secure physical devices that typically store a single certificate and the corresponding private key. Smart cards are popular because they provide two-factor authentication that requires both something the user has (that is, the smart card) and something the user knows (such as the smart card PIN).
Smart cards are difficult to use, however, because they require purchase and deployment of both smart cards and smart card readers. For TPM-based virtual smart cards, the TPM protects the use and storage of the certificate private key so that it cannot be copied when it is in use or stored and used elsewhere. For users, virtual smart cards are simple to use, requiring only a PIN to unlock. Virtual smart cards support the same scenarios that physical smart cards support, including signing in to Windows or authenticating for resource access.
Windows Hello for Business provides authentication methods intended to replace passwords, which can be difficult to remember and easily compromised. In addition, user name and password solutions for authentication often reuse the same user name and password combinations on multiple devices and services; if those credentials are compromised, they are compromised in many places. Windows Hello for Business provisions devices one by one and combines the information provisioned on each device i.
If a system does not have a TPM, software-based techniques protect the key. The additional information the user supplies can be a PIN value or, if the system has the necessary hardware, biometric information, such as fingerprint or facial recognition.
To protect privacy, the biometric information is used only on the provisioned device to access the provisioned key: it is not shared across devices. The adoption of new authentication technology requires that identity providers and organizations deploy and use that technology. Identity providers have flexibility in how they provision credentials on client devices. For example, an organization might provision only those devices that have a TPM so that the organization knows that a TPM protects the credentials.
An endorsement key certificate, signed by the manufacturer, says that the endorsement key is present in a TPM that the manufacturer made. To protect privacy, most TPM scenarios do not directly use an actual endorsement key. Instead, they use attestation identity keys, and an identity certificate authority (CA) uses the endorsement key and its certificate to prove that one or more attestation identity keys actually exist in a real TPM.
Here are the main tasks a TPM performs: Apart from these functions, the TPM also includes a hard-wired, unique, and unalterable encryption key, making it impossible for it to be substituted or tampered with. In a nutshell, the TPM is a dedicated piece of hardware on your motherboard that allows for safe computer use and authentication.
This is where things can become a little complicated. However, since each motherboard brand and model may be different, you should check your motherboard manual for specific instructions on how to activate your firmware TPM. Hopefully, in light of the Windows 11 requirement, most motherboard makers will issue firmware updates for their motherboards, adding the feature.
If not, then you may have to replace your motherboard at the very least. In some cases, it is possible to buy a TPM as an add-on. However, your motherboard needs to explicitly support the upgrade and have the required TPM header.
At the time of writing, TPM upgrades are surprisingly expensive, so do take the time to compare the cost of a TPM module against the cost of a motherboard replacement.