Windows Security - Trusted Computing Technologies
OBJECTIVES
The Trusted Computing Group (TCG) announced that its TPM 2.0 (Trusted Platform
Module) Library Specification was approved as a formal international standard
under ISO/IEC (the International Organization for Standardization and the
International Electrotechnical Commission), published as ISO/IEC 11889:2015.
https://trustedcomputinggroup.org/
Trusted Computing Group (TCG)
• A TPM is fundamentally a secure crypto-processor: a hardware module that is either soldered onto
the motherboard or plugged into it
• Generates, stores and limits the use of cryptographic keys (a key can be created so that its private
half never leaves the TPM)
• TPMs include multiple physical security mechanisms to make them tamper resistant
• Traditionally, TPMs were discrete chips soldered onto a computer's motherboard
• TPM version 2.0 allows new implementations:
• TPM functionality built into the chipset (Intel's PTT, Platform Trust Technology)
• TPM integrated into an ARM SoC
• Firmware TPMs (fTPM): firmware-only implementations that run in the CPU's trusted execution environment
• Version 2.0 also allows for virtual TPMs (vTPM), which a hypervisor exposes to its virtual machines
COMPONENTS OF A TPM
TPM
• TPM 2.0 allows different implementations of the trusted platform module while offering a
more consistent interface to the operating system across those implementations
• TPM 2.0 is available as a discrete chip (dTPM)
• Integrated into some Intel chipsets (PTT)
• Integrated into an SoC
• vTPM
• Algorithm agile: supports SHA-256 (TPM 1.2 was limited to SHA-1)
• Achieved ISO standardization
TPM
• The security features of Windows 10 combined with the benefits of the TPM offer practical security and
privacy benefits
• Major TPM-related security features in Windows 10:
• Platform Crypto Provider (the key storage provider that creates and uses TPM-bound keys)
• Windows Hello for Business
• BitLocker Drive Encryption
• Device Encryption – the consumer edition of BitLocker
• Measured boot – Juniper devices and Chromebooks use a similar measured-boot approach
• Virtual smart cards
• Credential Guard
Reference: "How Windows uses the TPM", Microsoft 365 Security (Microsoft Docs)
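As an added example (not from the original slides), the following PowerShell script inventories the TPM and reports which of the TPM-dependent Windows features listed above are actually in use on the machine. It uses only built-in cmdlets and WMI classes (Get-Tpm, Confirm-SecureBootUEFI, Get-BitLockerVolume, Win32_Tpm and Win32_DeviceGuard) and must be run from an elevated PowerShell 5.1 or later session on Windows 10/11; the measured-boot log directory path is the standard one Windows writes to.

```powershell
#Requires -RunAsAdministrator
# Added example: report TPM state and which TPM-backed Windows features are active.

function Get-TpmInventory {
    $tpm = Get-Tpm
    # Win32_Tpm exposes the spec version as a string such as "2.0, 0, 1.38"
    $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' -ClassName Win32_Tpm
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        SpecVersion  = $wmi.SpecVersion
        IsTpm20      = $wmi.SpecVersion -like '2.0*'
        Manufacturer = $tpm.ManufacturerIdTxt
        LockedOut    = $tpm.LockedOut       # TPM 2.0 dictionary-attack (anti-hammering) lockout state
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
    }
}

function Get-TpmFeatureUsage {
    # Secure Boot is the prerequisite for a trustworthy measured-boot chain; the cmdlet
    # throws on legacy BIOS machines, which we treat as "not enabled".
    $secureBoot = try { Confirm-SecureBootUEFI } catch { $false }

    # BitLocker: protector types "Tpm", "TpmPin", "TpmPinStartupKey" mean the volume
    # master key is sealed to the TPM's boot measurements.
    $os = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $protectors = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # Credential Guard / HVCI: SecurityServicesRunning contains 1 for Credential Guard
    # and 2 for HVCI (hypervisor-protected code integrity).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' -ClassName Win32_DeviceGuard

    # Windows writes one measured-boot log per boot to %SystemRoot%\Logs\MeasuredBoot.
    $mbLogs = Get-ChildItem "$env:SystemRoot\Logs\MeasuredBoot" -Filter '*.log' -ErrorAction SilentlyContinue

    [pscustomobject]@{
        SecureBoot             = $secureBoot
        BitLockerStatus        = $os.ProtectionStatus
        BitLockerProtectors    = ($protectors -join ',')
        TpmSealedVolumeKey     = [bool]($protectors | Where-Object { $_ -like 'Tpm*' })
        CredentialGuardRunning = $dg.SecurityServicesRunning -contains 1
        HvciRunning            = $dg.SecurityServicesRunning -contains 2
        MeasuredBootLogCount   = @($mbLogs).Count
    }
}

Get-TpmInventory   | Format-List
Get-TpmFeatureUsage | Format-List
```

A machine that reports IsTpm20 but TpmSealedVolumeKey = False and CredentialGuardRunning = False has a TPM that nothing is using, which is the usual finding on freshly imaged hosts and a good first item for a hardening checklist.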
WINDOWS FEATURES AND TPM
WINDOWS HELLO FOR BUSINESS
• A new type of user credential that is tied to a device: a biometric gesture or PIN unlocks a private key that
the TPM protects
• Hardware-protected (TPM) two-factor credential that enables single sign-on to Azure AD or on-premises AD
• Replaces the password with strong two-factor authentication (something you have: the device-bound key;
something you know or are: the PIN or biometric)
• A third factor can be added
• Designed to replace passwords!
• In a fully passwordless deployment the user never types their password
• Never changes their password
• Does not even know their password
WINDOWS HELLO
• Can be used natively with a PIN on nearly every Windows 10 device in the world
• Why is a PIN better than a password?
• A Hello PIN is tied to the specific device on which it was set up
• To sign in on multiple devices, a Hello PIN must be set up on each device
• The PIN is local to the device and is never sent to or stored on a server; it only unlocks the key held on the device
• Backed by the TPM where one is present, whose anti-hammering lockout slows down PIN guessing
• Together with the device-bound key this gives two-factor authentication and removes the risks of a reusable
password (phishing, replay, reuse across services)
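The two slides above describe a credential whose private key lives in the TPM and whose PIN merely unlocks it locally. As an added example (not from the original slides), the following PowerShell script creates such a key through the Microsoft Platform Crypto Provider, the key storage provider Windows Hello for Business uses, performs the challenge-response that an identity provider does with the registered public key, and shows that the private half cannot be exported. The key name "DemoHelloKey" is an arbitrary example name; the script needs Windows with a ready TPM 2.0 and PowerShell 5.1 or later, and it leaves no key behind.

```powershell
# Added example: a device-bound signing key in the TPM via the Platform Crypto Provider.
$keyName  = 'DemoHelloKey'   # example name, not one Windows Hello itself uses
$provider = [System.Security.Cryptography.CngProvider]::new('Microsoft Platform Crypto Provider')

function New-TpmBoundKey {
    param([string]$Name, [System.Security.Cryptography.CngProvider]$Provider)
    if ([System.Security.Cryptography.CngKey]::Exists($Name, $Provider)) {
        return [System.Security.Cryptography.CngKey]::Open($Name, $Provider)
    }
    $p = [System.Security.Cryptography.CngKeyCreationParameters]::new()
    $p.Provider     = $Provider
    $p.KeyUsage     = [System.Security.Cryptography.CngKeyUsages]::Signing
    $p.ExportPolicy = [System.Security.Cryptography.CngExportPolicies]::None   # private key never leaves the TPM
    $p.Parameters.Add([System.Security.Cryptography.CngProperty]::new(
        'Length', [BitConverter]::GetBytes(2048), [System.Security.Cryptography.CngPropertyOptions]::None))
    [System.Security.Cryptography.CngKey]::Create([System.Security.Cryptography.CngAlgorithm]::Rsa, $Name, $p)
}

$key = New-TpmBoundKey -Name $keyName -Provider $provider
$rsa = [System.Security.Cryptography.RSACng]::new($key)

# Registration: only the public parameters are handed to the "server" (here a plain software RSA object).
$serverRsa = [System.Security.Cryptography.RSACng]::new()
$serverRsa.ImportParameters($rsa.ExportParameters($false))

# Authentication: the server's random nonce is signed by the TPM-held key and verified with the public key.
$nonce = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce)
$hash = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$pad  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
$sig  = $rsa.SignData($nonce, $hash, $pad)
"Signature verifies with registered public key: $($serverRsa.VerifyData($nonce, $sig, $hash, $pad))"

# A replayed response fails: a new nonce invalidates the old signature.
$nonce2 = [byte[]]::new(32)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($nonce2)
"Old signature accepted for new nonce: $($serverRsa.VerifyData($nonce2, $sig, $hash, $pad))"

# The private half cannot be extracted from the TPM; this export throws a CryptographicException.
try {
    $null = $key.Export([System.Security.Cryptography.CngKeyBlobFormat]::GenericPrivateBlob)
    'Private key exported (unexpected!)'
} catch {
    "Private key export refused: $($_.Exception.GetType().Name)"
}

$key.Delete()   # remove the demo key from the TPM key storage
```

Compare this with a password: the secret that authenticates (the RSA private key) is never typed, never transmitted and is not even readable by the user or by malware running as the user, which is what the "never types, never changes, does not know their password" bullets mean in practice.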
WINDOWS HELLO AND FIDO2
• Windows Hello for Business deployment models:
• Hybrid deployments (on-premises Active Directory synchronized with Azure AD)
• On-premises deployments (Active Directory only)
• FIDO2 security keys provide the same hardware-bound, phishing-resistant credential in a portable form factor
BITLOCKER
• BitLocker is the most widely deployed consumer of measured boot: the volume master key is sealed to the TPM's
boot measurements, so a boot chain that has been modified cannot unseal it
• The next step is taking measured boot to "real time"
• Monitoring every device continuously and having seconds, not days, to respond to a given threat
• Think of how important this is in a data center with a large number of servers and storage devices that are
not rebooted frequently, so their boot-time measurements quickly become stale
• You need this type of technology to validate the integrity and security of your devices
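Measured boot works because a PCR can only be extended, never written: each boot component's hash is folded into the running value, so the final PCR depends on every component and on their order. As an added example (not from the original slides), the PowerShell script below models that extension in software with SHA-256 and a simulated "unseal only if the PCR matches" policy. The boot-component names are constructed sample strings standing in for firmware, boot manager and kernel images; a real TPM does the same arithmetic in hardware and BitLocker ties its volume key release to the result.

```powershell
# Added example: software model of PCR extension and PCR-bound unsealing.
$script:Sha = [System.Security.Cryptography.SHA256]::Create()

function Get-Digest {
    param([byte[]]$Bytes)
    ,$script:Sha.ComputeHash($Bytes)      # leading comma keeps the byte[] intact
}

function Invoke-PcrExtend {
    # PCR_new = SHA256(PCR_old || digest); the old value is an input, so it cannot be overwritten.
    param([byte[]]$Pcr, [byte[]]$Digest)
    Get-Digest -Bytes ([byte[]]($Pcr + $Digest))
}

function Get-BootPcr {
    # Measure each component in order into a fresh, all-zero PCR and return the hex value.
    param([string[]]$Components)
    [byte[]]$pcr = [byte[]]::new(32)
    foreach ($c in $Components) {
        $digest = Get-Digest -Bytes ([Text.Encoding]::UTF8.GetBytes($c))
        $pcr = Invoke-PcrExtend -Pcr $pcr -Digest $digest
    }
    [BitConverter]::ToString([byte[]]$pcr) -replace '-'
}

# Constructed sample boot chain; the PCR value at seal time is what the secret is bound to.
$goodChain = @('UEFI firmware v1.2', 'Windows Boot Manager', 'winload.efi', 'ntoskrnl.exe')
$sealedTo  = Get-BootPcr $goodChain

function Test-Unseal {
    # Simulated seal policy: release the key only when the live PCR equals the sealed-to value.
    param([string[]]$Chain)
    (Get-BootPcr $Chain) -eq $sealedTo
}

"Sealed to PCR:               $sealedTo"
"Clean boot unseals:          $(Test-Unseal $goodChain)"
"Tampered boot manager:       $(Test-Unseal @('UEFI firmware v1.2', 'Evil Boot Manager', 'winload.efi', 'ntoskrnl.exe'))"
"Same components, reordered:  $(Test-Unseal @('Windows Boot Manager', 'UEFI firmware v1.2', 'winload.efi', 'ntoskrnl.exe'))"
"Extra component appended:    $(Test-Unseal ($goodChain + 'rootkit.sys'))"
```

Only the clean chain unseals; any change, reorder or addition produces a different PCR. The same property is what a "real time" monitor relies on: if it can obtain a fresh, TPM-signed copy of the PCR values, it can tell a host that booted a modified chain from one that did not, without trusting the host's own OS to report honestly.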
VIRTUAL SMART CARDS
• With support for virtual smart cards, enterprises can replace all the physical smart cards and still
have two-factor authentication
• Windows 10 virtual smart cards emulate the functionality of physical smart cards, but the keys are stored
in the TPM instead of on a removable card
• Application developers and IT admins can deploy virtual smart cards; Windows 10 Mobile devices are one
example
Reference: https://trustedcomputinggroup.org/wp-content/uploads/TCG-Guidance-for-TPM-2.0-Mobile-Specification-Implementations.pdf
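As an added example (not from the original slides), this is how an administrator creates a TPM-backed virtual smart card on a Windows 10 machine with the built-in tpmvscmgr.exe, after first confirming the TPM is ready. The card name "ExampleVSC" is arbitrary; the script must run elevated.

```powershell
#Requires -RunAsAdministrator
# Added example: provision a TPM virtual smart card and confirm it is enumerated.

$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM not present or not ready; virtual smart cards need a ready TPM.'
}

# /pin prompt     asks the user for the card PIN interactively
# /adminkey random generates and prints the admin key (needed to unblock/reset the PIN; record it securely)
# /generate       formats the card file system so a minidriver can use it immediately
# The command prints the device instance ID, e.g. ROOT\SMARTCARDREADER\0000.
& tpmvscmgr.exe create /name 'ExampleVSC' /pin prompt /adminkey random /generate

# The virtual card appears to Windows as a smart card reader device.
Get-PnpDevice -PresentOnly |
    Where-Object { $_.InstanceId -like 'ROOT\SMARTCARDREADER\*' } |
    Select-Object FriendlyName, InstanceId, Status

# Decommissioning uses the instance ID printed at creation time:
# tpmvscmgr.exe destroy /instance ROOT\SMARTCARDREADER\0000
```

Once the card exists, certificate enrollment to it works like enrollment to a physical card (for example through a smart card logon template), and the private key is generated in and never leaves the TPM, which is why the slides count a virtual smart card as a second factor: the credential is usable only on the machine whose TPM holds it.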
QUESTIONS?