TRUSTED PLATFORM COMPUTING

OBJECTIVES

• Define Trusted Platform Module

• What is Trusted Computing
• Define Trusted Computing Group
• Identify the Trusted Platform module and how they work
• Identify the Windows 10 components that leverage and need a TPM Module to work
What is Trusted Computing

Standards-based Trusted Computing technologies developed by TCG

members now are deployed in enterprise systems, storage systems,
networks, embedded systems, and mobile devices and can help secure cloud
computing and virtualized systems.

Trusted Computing Group announced that its TPM 2.0 (Trusted Platform
Module) Library Specification was approved as a formal international standard
under ISO/IEC (the International Organization for Standardization and the
International Electrotechnical Commission).
https://trustedcomputinggroup.org/
Trusted Computing Group (TCG)

Through open standards and specifications, Trusted Computing

Group (TCG) enables secure computing. Benefits of TCG
technologies include protection of business-critical data and
systems, secure authentication and strong protection of user
identities, and the establishment of strong machine identity and
network integrity. Trusted hardware and applications reduce
enterprise total cost of ownership and support regulatory
compliance.
https://trustedcomputinggroup.org/
TRUSTED PLATFORM MODULE

• TPM is fundamentally a secure crypto-processor hardware module that exists or you plug into your
motherboard
• Generates, stores and limits the use of cryptographic keys
• TPM’s include multiple physical security mechanisms to make it tamper resistant
• Traditionally,TPM’s were discrete chips soldered on to a computers motherboard
• TPM version 2.0 allowed new implementations
• TPM functionality built into the chipset (Intels PTT)
• ARM SoC

• Firmware TPM’s – software only solutions that run in a CPU’s trusted execution environment
• Version 2 also allows for vTPM
COMPONENTS OF A TPM
TPM

• Are responsible for generating, storing

and limiting the user of cryptographic
keys
TRUSTED COMPUTING GROUP (TCG)

• Behind the Trusted Platform Module is the

TCG
• The TCG is an alliance of companies,
academic institution
• This alliance and membership is
responsible for everything going on with
the TPM
• The TCG Alliance provides the
architecture and the design and the
implementation of all TPM Products
SO WHY IS TPM SO IMPORTANT?

• TPM can protect your identity

• Validate your operating system
• Can initiate a rollback to a known good state
• Provide secure two factor and 3 factor authentication
• Can dramatically reduce your attack surface
TPM EXAMPLE

• Google chromebook use TPM and

hashed values to validate proper boot
files and system files
TPM

• Juniper Networks allows their routers to

use TPM and hashed values to validate
proper boot files and system files
TPMS

• Because TPMs are typically a discrete

chip on a motherboard or device they
must be tamper resistant
• These are hardened physical devices that
provide a root trust
FTPM

• fTPM is a software based version of TPM

• fTMP provides mobile two factor authentication services
• Microsoft Authenticator
• Google’s authenticator
• SemanticsVIP Access

• This version runs on millions of Mobile Devices!

TPM’S

• Traditionally a discrete chip

• With TPM 2.0 can now be integrated into the CPU itself
• For example the Intel Chipsets
• Easy to check if your intel chipset supports the PPT (Platform Trust Technology)
• All AMD Ryzen PRO cpu have TPM included
• TPM 2.0 also supports fTPM which is a software based version of TPM
• Runs on millions of mobile devices!
VIRTUAL TPM

• Datacenter TPM technology is also

important and is based on Virtual TPM
• Linux,Vmware, Microsoft Hyper-V
• Must have a hardware TPM to support
vTPM
VTPM

• vTPM is cloud security platform

• It is foundational for google cloud platform, AWS, Microsoft Azure
TPM VERSION 1.2 VS VERSION 2.0

• TPM 2.0 allows different implementations of the trusted platform module and it offers a
more consistent experience
• TPM 2.0 is available as a discrete (dTPM)
• Some of the intel chipselts
• Integrated into a SoC
• vTPM
• Supports hashing: SHA-256
• Achieved ISO standardization
TPM

• TPM was developed for all kinds of hardware in mind

• Routers
• Storage
• Switches
• VPN
• Computers
• Servers IoT devices
• Automotive
• Mobile platforms
• Medical devices
• Anywhere you need fundamental trust in a hardware platform
WINDOWS 10
WINDOWS 10 AND TPM

• The security features of windows 10 combined with the benefits of TM offer practical security and
privacy benefits
• Major TPM related security features in Windows 10
• Platform Crypto Provider
• Windows Hello for Business
• Bitlocker Drive Encryption
• Device Encryption – consumer version of Bitlocker
• Measured boot – juniper and chromebook uses this as well
• Virtual smart cards
• Credential guard
How Windows uses the TPM - Microsoft 365 Security | Microsoft Docs
WINDOWS FEATURES AND TPM
WINDOWS HELLO FOR BUSINESS

• A new type of user credential that is tied to a device and uses biometric or PIN
• Hardware protected (TPM) two factor credential that enables single sign on to Azure AD or AD
• Replaces password with strong two-factor authentication
• Ability to add 3 factor
• Designed to replace passwords!
• A user never types in their password
• Never changes their password
• User does not know their password
WINDOWS HELLO

• Can be used on nearly every Windows 10 device in the world natively with a PIN
• Why is a pin better than a password?
• A hello PIN is tied to the specific device on which it was setup
• If you want to sign in on multiple devices, you have to set up a hello POIN on each device
• Is local to the device and isn’t stored on a server
• Backed by a TPM chip
• Brings in two factor authentication and gets rid of all the risks and problems associated with password
• Tied to the device
• pin
WINDOWS HELLO AND FIDO2

• Windows hello support FIDO2 USB Security keys

• This will provide strong three factor authentication to many web-based applications
• Windows Hello only currently works with 2 vendors
• Yubico
• Feitian
WINDOWS HELLO FOR BUSINESS

• Can be used in a cloud only deployment

• Microsoft Azure Account
• Azure Active Directory
• Azure Multi-factor authentication

• Hybrid Deployments
• Active Directory
• Hybrid Azure

• On premises Deployments
BITLOCKER

• Provides full-volume encryption to protect data

at rest
• Relies on TPM to allow the use of a key only
when startup occurs in an expected way
• You can enable Bitlocker without TPM
• With the right hardware, Bitlocker can be userd
with the “TPM-Only configuration” giving users
a single-signon experience without having to
enter a PIN or USB key during boot
MEASURED BOOT

• How to trust the entire operating system

• Every vendor struggles with the problem of ensuring the operating system from the time
it boots to full runtime state has not been compromised and has not had malicious code
inserted
• Microsoft accomplishes this using TPM and Measured Book
UNSECURED BOOT VS MEASURED BOOT
HEALTH ATTESTATION
HEALTH ATTESTATION

• Is the future
• Taking measured boot to “real time”
• Monitoring every device real time and providing seconds to respond to any given threat
• Think of how important this would be in a DataCenter where you have a large number
of servers and storage devices that are not rebooted on a frequent basis
• You need this type of technology to validate the integrity and security of your devices
VIRTUAL SMART CARDS

• With the support of virtual smart cards, enterprises can now roll out virtual smart cards
and replace all the physical devices and still have 2FA
• Windows 10 virtual smart card emulate the functionality of physical smart cards but they
use the TPM module
• You need Application developers and IT admins can deploy vSmartCards on Windows 10
Mobiles Devices as an Example

https://trustedcomputinggroup.org/wp-content/uploads/TCG-Guidance-for-
TPM-2.0-Mobile-Specification-Implementations.pdf
QUESTIONS?