If a hacker can get physical access to a computer, they can bypass any locks and passwords to get access to the computer’s data. 

That is why encrypting your computer is so important. 

 But keeping up with a decryption key is another inconvenience. 

Using a trusted platform module (TPM) chip can be a lifesaver. 

Let’s look at what a trusted platform module is and how it works.

What is a trusted platform module chip?

A Trusted Platform Module (TPM) is a tamper resistant hardware chip on endpoint devices that handles cryptographic tasks. It can create, store, and protect passwords or cryptographic keys and has several features that make it tamper resistant. Full-Disk encrypted computers often use TPMs for authentication during the boot process. 


TPM chips are a hardware based security component that are mounted on the motherboard of a computer or device. 

In most cases, hardware level security controls are stronger than software based ones. 

Trusted platform modules have quickly grown in popularity over the last decade. 

In fact, the United States Department of Defense mandates that any new computers they purchase must have TPM chips version 1.2 or later.


What does the TPM chip do?


The trusted platform module actually increases computer security in several ways. 

Of course, one of the more well known uses is for handling encryption keys, but there are more. 

What TPMs do will depend on what you are using it for.

Here are some of the ways Windows 10 began using Trusted Platform Modules:

Security Feature

Benefits if used with TPM

Platform Crypto Provider

Keeps private key for certificate from being read even if device is compromised. 


Protects from dictionary attacks

Virtual Smart Card

Creates same level of security as physical smart cards do

Windows Hello For Business

Credentials can't be copied from device. 


Verifies the TPM before credentials are provisioned.

Bitlocker Drive Encryption

Can be configured to secure various kinds of devices storing data-at-rest.

Device Encryption

Simple data-at-rest encryption

Measured Boot

Boot security measurements that detect malware

Health Attestation

MDM solutions can verify health before giving access to resources and services.

Credential Guard

Protects from malware with administrative access to a single machine in an environment

Let's dive into each of these a little deeper:

Platform Crypto Provider

Windows has a built-in cryptography framework used for various security tasks. 

It was designed to allow applications to access it through an API. 

This framework adds special security capabilities that a software cryptographic tool could not. 

It uses the Platform crypto provider to interact with the trusted platform module and adds these properties:

  • Key protection - Hackers and malware can get security keys from memory. For example, a hard drive that is encrypted would require that the key be kept in memory while the drive is open. When keys are created and maintained by the TPM, though, the keys don’t have to go to memory where they are vulnerable. 

  • Dictionary Attack protection - A dictionary attack is one in which an attacker tries passwords over and over until they get a hash that matches the one they are trying to break. When Trusted Platform Modules require a PIN to access the keys (like Bitlocker does), it can block guesses after a set number of failed attempts. This works better than similar software solutions because the TPM will remember this even after rebooting. 

Virtual smart cards

Smart cards can add a strong layer of security to an organization’s defenses. 

Basically, when an employee needs to access an encrypted drive, they plug in a USB smart card, press a button, and enter a PIN. 

If correct, the computer can access a certificate stored on the USB to decrypt the drive. 

Virtual smart cards use the trusted platform module to copy this multi-factor authentication. 

The TPM stores the key and the user still has to enter a PIN to access it - still requiring two forms of authentication.

Something they have and something they know

Windows Hello for business

For the past 5 years or so, technology providers like Microsoft have been on a quest to replace passwords. 

When people are forced to remember passwords, they tend to form bad habits - password reuse, short passwords, easy to guess, etc. 

Windows Hello is one of the solutions that Microsoft has been developing. 

It allows you to use other forms of authentication like face scans, fingerprints, PINs, Active Directory accounts, and third party Identity management solutions. 

The data is combined with a cryptographic key and stored in the TPM where it is protected from tampering and malware.

Bitlocker drive encryption

BitLocker is the native solution inside of Windows for handling disk and drive encryption. 

Basically, if the disk is encrypted, when someone logs in, they receive a prompt requesting the key to decrypt the hard drive. 

When your device has a trusted platform module, though, you won’t have to put this password in. 

The TPM will store this key and provide it for you. 

It may sound risky, but the TPM does a few things to ensure security:

  • Hardware root of trust - certain components of a computer like firmware could theoretically be compromised, right? To avoid an attacker being able to compromise the system’s firmware and bypass encryption, the TPM creates a root of trust. Essentially, hashes are run of important components like firmware. Then, when it’s time to enter the disk encryption key, the TPM will check the firmware to be sure everything is ok before proceeding.

  • Key is provided only when boot measures are correct - like with the hardware root of trust, the TPM checks Windows boot process to be sure that nothing is amiss before providing the decryption key. 

Device encryption

Much like BitLocker for business versions of Windows, device encryption can work with the trusted platform module to check hardware before decrypting a drive. 

Device encryption relies more on software code signing that the business version, BitLocker. 

Measured boot

Rootkits often place code that fires off during the boot process. 

Measured boot is a method for running measurements of firmware and the kernel at various steps in the boot process to identify malicious software. 

When a device has a trusted platform module, remote attestation becomes possible. 

This means that Windows will sign a certificate of the measurements that can be used for later comparison.

Health attestation

Mobile device management software (MDM) needs to validate the configuration of the devices being managed. 

When combined with the trusted platform module, it can have greater confidence in the state of a device and take the necessary actions when a device is compromised.

Credential guard

For years, hackers targeting active directory domains could fool a device into giving a hash of the users’ credentials. 

The attacker could then “pass the hash” and authenticate without knowing what those credentials were. 

Credential guard isolates credentials in memory so they are less accessible to attackers. 

When combined with TPM, a much greater measure of security is achieved. 

The credentials become nearly unreachable.

Conclusion

The trusted platform module is part of an initiative to make Windows much more secure. 

When combined with a layered approach to security, it can really help harden a system. 

You should definitely consider using TPMs as part of your security strategy.

Leave a Reply

Your email address will not be published. Required fields are marked *

About SmartFix

We are a family owned business that provides fast, warrantied repairs for all your mobile devices.

Brooklyn Area

2307 Beverley Rd Brooklyn, New York 11226 United States

1000 101-454555
suppo[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

San Francisco Area

358 Battery Street, 6rd Floor San Francisco, CA 27111

1001 101-454555
[email protected]

Store Hours
Mon - Sun 09:00 - 18:00

121 Resources for you to:

Learn & Master Cyber Security
Send Me the PDF
close-link
Get the Exclusive Bonus
Privacy Checklists and My Favorite Resources

Get Instant Access! 
Your information will never be shared
close-link
LET'S FIGURE OUT HOW TO HELP YOU BECOME A CYBER HERO + FREE STUFF!

Reasons to Subscribe to the CyberX Email List:

 
CLICK HERE TO SUBSCRIBE

 1. Free Stuff 
You'll get instant access to free resources. 

 2. Content Tailored to You 
Over time, Ill get to learn more about you and deliver content that actually matters

 3. No Hype 
Just real content that's meant to make a difference. 
 

close-link

Download the PDF Version Of This Guide

Want to save this guide for later? I'll email you the PDF for free. 
 
DOWNLOAD THE FREE GUIDE
close-link

Would the SMB Cybersecurity Plan Be Helpful?

Do you want a proven plan for security for your SMB? How about a logical plan for reducing the risk of breaches?
DOWNLOAD THE FREE GUIDE
close-link

SAVE MY SPOT!
shares