What is a trusted platform module? How It Drastically Boosts Security

What is a trusted platform module? How It Drastically Boosts Security

If a hacker can get physical access to a computer, they can bypass any locks and passwords to get access to the computer’s data.

That is why encrypting your computer is so important.

But keeping up with a decryption key is another inconvenience.

Using a trusted platform module (TPM) chip can be a lifesaver.

Let’s look at what a trusted platform module is and how it works.

What is a trusted platform module chip?

A Trusted Platform Module (TPM) is a tamper resistant hardware chip on endpoint devices that handles cryptographic tasks. It can create, store, and protect passwords or cryptographic keys and has several features that make it tamper resistant. Full-Disk encrypted computers often use TPMs for authentication during the boot process.

TPM chips are a hardware based security component that are mounted on the motherboard of a computer or device.

In most cases, hardware level security controls are stronger than software based ones.

Trusted platform modules have quickly grown in popularity over the last decade.

In fact, the United States Department of Defense mandates that any new computers they purchase must have TPM chips version 1.2 or later.

What does the TPM chip do?

The trusted platform module actually increases computer security in several ways.

Of course, one of the more well known uses is for handling encryption keys, but there are more.

What TPMs do will depend on what you are using it for.

Here are some of the ways Windows 10 began using Trusted Platform Modules:

Security Feature	Benefits if used with TPM
Platform Crypto Provider	Keeps private key for certificate from being read even if device is compromised. Protects from dictionary attacks
Virtual Smart Card	Creates same level of security as physical smart cards do
Windows Hello For Business	Credentials can't be copied from device. Verifies the TPM before credentials are provisioned.
Bitlocker Drive Encryption	Can be configured to secure various kinds of devices storing data-at-rest.
Device Encryption	Simple data-at-rest encryption
Measured Boot	Boot security measurements that detect malware
Health Attestation	MDM solutions can verify health before giving access to resources and services.
Credential Guard	Protects from malware with administrative access to a single machine in an environment

Let's dive into each of these a little deeper:

Platform Crypto Provider

Windows has a built-in cryptography framework used for various security tasks.

It was designed to allow applications to access it through an API.

This framework adds special security capabilities that a software cryptographic tool could not.

It uses the Platform crypto provider to interact with the trusted platform module and adds these properties:

Key protection - Hackers and malware can get security keys from memory. For example, a hard drive that is encrypted would require that the key be kept in memory while the drive is open. When keys are created and maintained by the TPM, though, the keys don’t have to go to memory where they are vulnerable.
Dictionary Attack protection - A dictionary attack is one in which an attacker tries passwords over and over until they get a hash that matches the one they are trying to break. When Trusted Platform Modules require a PIN to access the keys (like Bitlocker does), it can block guesses after a set number of failed attempts. This works better than similar software solutions because the TPM will remember this even after rebooting.

Virtual smart cards

Smart cards can add a strong layer of security to an organization’s defenses.

Basically, when an employee needs to access an encrypted drive, they plug in a USB smart card, press a button, and enter a PIN.

If correct, the computer can access a certificate stored on the USB to decrypt the drive.

Virtual smart cards use the trusted platform module to copy this multi-factor authentication.

The TPM stores the key and the user still has to enter a PIN to access it - still requiring two forms of authentication.

Something they have and something they know

Windows Hello for business

For the past 5 years or so, technology providers like Microsoft have been on a quest to replace passwords.

When people are forced to remember passwords, they tend to form bad habits - password reuse, short passwords, easy to guess, etc.

Windows Hello is one of the solutions that Microsoft has been developing.

It allows you to use other forms of authentication like face scans, fingerprints, PINs, Active Directory accounts, and third party Identity management solutions.

The data is combined with a cryptographic key and stored in the TPM where it is protected from tampering and malware.

Bitlocker drive encryption

BitLocker is the native solution inside of Windows for handling disk and drive encryption.

Basically, if the disk is encrypted, when someone logs in, they receive a prompt requesting the key to decrypt the hard drive.

When your device has a trusted platform module, though, you won’t have to put this password in.

The TPM will store this key and provide it for you.

It may sound risky, but the TPM does a few things to ensure security:

Hardware root of trust - certain components of a computer like firmware could theoretically be compromised, right? To avoid an attacker being able to compromise the system’s firmware and bypass encryption, the TPM creates a root of trust. Essentially, hashes are run of important components like firmware. Then, when it’s time to enter the disk encryption key, the TPM will check the firmware to be sure everything is ok before proceeding.
Key is provided only when boot measures are correct - like with the hardware root of trust, the TPM checks Windows boot process to be sure that nothing is amiss before providing the decryption key.

Dive Deeper: Windows 10 Encryption Strategies: The Definitive Guide [2020]

Device encryption

Much like BitLocker for business versions of Windows, device encryption can work with the trusted platform module to check hardware before decrypting a drive.

Device encryption relies more on software code signing that the business version, BitLocker.

Measured boot

Rootkits often place code that fires off during the boot process.

Measured boot is a method for running measurements of firmware and the kernel at various steps in the boot process to identify malicious software.

When a device has a trusted platform module, remote attestation becomes possible.

This means that Windows will sign a certificate of the measurements that can be used for later comparison.

Health attestation

Mobile device management software (MDM) needs to validate the configuration of the devices being managed.

When combined with the trusted platform module, it can have greater confidence in the state of a device and take the necessary actions when a device is compromised.

process-to-create-evidence-of-boot-software-and-configuration-using-tpm

Credential guard

For years, hackers targeting active directory domains could fool a device into giving a hash of the users’ credentials.

The attacker could then “pass the hash” and authenticate without knowing what those credentials were.

Credential guard isolates credentials in memory so they are less accessible to attackers.

When combined with TPM, a much greater measure of security is achieved.

The credentials become nearly unreachable.

Conclusion

The trusted platform module is part of an initiative to make Windows much more secure.

When combined with a layered approach to security, it can really help harden a system.

You should definitely consider using TPMs as part of your security strategy.