
March 22, 2022

TPM 2.0-Ready: Top Security with PUFcc

The Tale of TPM

The rising security threats endangering our connected world, from the chip to the cloud, are among the biggest challenges facing us today. Microsoft recently addressed some of these concerns by mandating the inclusion of TPM 2.0 (Trusted Platform Module) in all devices running its latest Windows 11 operating system. It’s a significant step towards standardizing chip-level protection and recentering the semiconductor industry to make security integral to the chip-design process.

TPM is an international standard for secure crypto coprocessors that store and protect encryption keys, passwords, and other sensitive data such as digital certificates. Since 2007, the U.S. Department of Defense (DoD) has required all newly procured computer assets to include a TPM. The International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) standardized TPM in 2009, and the Trusted Computing Group (TCG) maintains improvements of the standard.

Implementation of a TPM remains optional for device manufacturers and can range from software emulation or firmware to discrete chips. However, for security operations requiring the use of keys, most agree that a discrete TPM chip provides the highest level of security. This is particularly so for protecting critical system applications against sophisticated hacking attacks [1].

Even when a TPM is implemented in hardware, a dedicated microcontroller without proper protection can still be exposed to a range of attacks, including side-channel attacks and the exploitation of weak key generation, among others [2, 3].

Advances in TPM 2.0

While this new version makes several advances, all of us who manufacture or use online devices expect a TPM to prevent critical system failures that may seriously impact safety or security. In summary, TPM 1.2 and TPM 2.0 include the following functionalities [4, 5]:

1. Secure storage of keys (especially endorsement keys) and attack-resistant certificates.

2. Secure generation of identifiers (IDs) and keys.

3. A high-quality hardware random number generator (RNG) in order to fulfill item 1.

4. Public-key cryptographic algorithms capable of generating and verifying digital certificates.

5. Symmetric-key cryptographic algorithms for data encryption and decryption.

6. Key management all the way from the endorsement key (EK) and storage root key (SRK) to session key uses.

7. A secure attestation service for device management.
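Item 7, attestation, is the functionality a device-management backend actually consumes, so it helps to see the verifier's side of it. The following is an added example, not code from the original article or from PUFsecurity; it models the TPM 2.0 PCR extend rule (a PCR is updated as new = SHA-256(old || SHA-256(measurement)), starting from an all-zero register) and the composite digest a quote covers (the hash of the selected PCR values concatenated in index order). The event log and the "quoted" PCR values are constructed sample data; the quote signature check that a real verifier would also perform against the attestation key is out of scope here.

```python
import hashlib
from typing import Dict, List, Tuple

DIGEST_SIZE = 32  # SHA-256 PCR bank
ZERO_PCR = bytes(DIGEST_SIZE)

# Constructed sample event log: (PCR index, measured data) pairs, in the
# order the platform firmware would have recorded them. Hypothetical values.
SAMPLE_EVENT_LOG: List[Tuple[int, bytes]] = [
    (0, b"example-bootloader-1.0"),
    (0, b"example-kernel-5.15"),
    (4, b"example-initrd"),
]


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM 2.0 PCR extend: the register can only be hashed forward, never set."""
    return sha256(pcr_value + sha256(measurement))


def replay_event_log(events: List[Tuple[int, bytes]]) -> Dict[int, bytes]:
    """Recompute every PCR a verifier expects from the event log alone."""
    pcrs: Dict[int, bytes] = {}
    for index, data in events:
        pcrs[index] = extend(pcrs.get(index, ZERO_PCR), data)
    return pcrs


def composite_digest(pcrs: Dict[int, bytes], selection: List[int]) -> bytes:
    """Digest over the selected PCRs in ascending index order, as a quote covers."""
    return sha256(b"".join(pcrs.get(i, ZERO_PCR) for i in sorted(selection)))


def verify_attestation(events: List[Tuple[int, bytes]],
                       quoted_pcr_digest: bytes,
                       selection: List[int]) -> bool:
    """True only if the event log replays to the PCR digest the TPM quoted.

    Any edit, reorder or omission in the log changes the replayed digest,
    which is what makes the log trustworthy when anchored to a TPM quote.
    """
    expected = composite_digest(replay_event_log(events), selection)
    return expected == quoted_pcr_digest


def demo() -> Tuple[bool, bool]:
    """Returns (genuine log verifies, tampered log verifies)."""
    selection = [0, 4]
    # Stand-in for the pcrDigest carried in a real quote: here we take it
    # from the honest platform state (constructed, not a captured quote).
    quoted = composite_digest(replay_event_log(SAMPLE_EVENT_LOG), selection)

    genuine_ok = verify_attestation(SAMPLE_EVENT_LOG, quoted, selection)

    # A log whose kernel entry was altered after the fact.
    tampered_log = [(0, b"example-bootloader-1.0"),
                    (0, b"example-kernel-5.15-modified"),
                    (4, b"example-initrd")]
    tampered_ok = verify_attestation(tampered_log, quoted, selection)
    return genuine_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # prints (True, False)
```

The verifier never trusts the event log on its own; it trusts the PCR digest because a TPM will only ever extend a register, so the log must replay exactly to the quoted value. Reordering the two PCR 0 entries, dropping one, or changing a single byte all produce a different digest.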