TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store authentication artefacts (your PC or laptop).
Passwords, certificates, and encryption keys are examples of these artefacts. A TPM can also be used to store platform measures that assure the platform’s reliability.
To enable safer computing in all situations, authentication (ensuring that the platform can establish that it is what it purports to be) and attestation (a method that helps to prove that a platform is trustworthy and has not been breached) are required stages.
Other computing devices, such as mobile phones or network equipment, can use trusted modules.
Because of the nature of hardware-based cryptography, data saved in hardware is more safeguarded against external software attacks.
A wide range of applications that store secrets on a TPM can be created. These programmes make accessing information on computer devices without proper authorization significantly more difficult (e.g.,
if the device was stolen). Access to data and secrets can be restricted and sealed off using these applications if the platform configuration has changed as a result of unwanted actions.
It’s crucial to note, however, that TPM has no control over the software on a computer. TPM can save pre-run configuration parameters, but it is up to other applications to decide and implement rules based on this data.
Implementing a TPM
A TPM can improve the security of processes that require the protection of secrets, such as digital signing. When implementing a TPM, mission-critical applications that require stronger security,
such as secure email or secure document management, can provide a higher level of protection. For example, if a PC is considered to be untrustworthy at startup time due to unexpected configuration changes,
access to highly secure programmes can be restricted until the problem is resolved (if a policy has been set up that requires such action).
With a TPM, you can be more confident that software attacks haven’t harmed the artefacts needed to sign encrypted email messages.
With the use of remote attestation, other platforms in the trusted network can determine how much information from another PC they can trust.
Attestation and other TPM features do not send personal information about platform users.
These features can increase security in a variety of computer sectors, including e-commerce, citizen-to-government applications,
online banking, confidential government communications, and a variety of other fields. VPN, wireless networks, file encryption (like in Microsoft’s BitLocker), and password/PIN/credential management can all benefit from hardware-based security.
The TPM specification is OS-independent, and software stacks for a variety of operating systems are available.
The cryptographic algorithms used by TPMs (current version 1.2) are RSA, SHA1, and HMAC.
The Trusted Computing Group (TCG) is an international de facto standards body of of over 120 firms dedicated to developing specifications for PC TPMs,
trusted modules for other devices, trusted infrastructure requirements, APIs, and protocols required to operate in a secure environment.
Specifications are published to the technological community after completion and can be downloaded from the TCG Web site.
Components of the trusted environment cannot interoperate without common security methods and standardised specifications, and trusted computing applications cannot be built to run on all platforms.
Due to limited access to cryptographic and security knowledge and lower availability for a rigorous review procedure, a proprietary solution cannot ensure global compatibility and cannot provide a comparable level of assurance.
In terms of cryptography, trusted modules must be able to use the same cryptographic methods as the rest of the platform, other platforms, and infrastructure in order to communicate with them. Although publicly available algorithms may contain flaws, they are rigorously evaluated and gradually replaced or improved as vulnerabilities are uncovered. In the case of patented algorithms, this is not the case.
In 2007, about 100 million branded PCs and laptops with TPMs were shipped, according to market research sources.
Servers are starting to ship, and TCG specifications have been used to develop a number of TPM-based applications, such as secure email and file encryption.
TNC (Trusted Network Connect) devices that leverage TCG principles to improve communication security are also available.
Storage (for hard drives) and mobile trusted modules (for mobile phones) draught specifications have been released.