TPM (Trusted Platform Module) - Computerphile

The Trusted Platform Module: A Way to Secure Your Computer System

When it comes to securing your computer system, there are many different approaches that can be taken. One method that has gained popularity in recent years is the use of a Trusted Platform Module (TPM). But what exactly is a TPM and how does it work?

A TPM is a hardware component that is designed to provide an additional layer of security for your computer system. It's essentially a small chip that is embedded on your motherboard, and it plays a key role in securing the data stored on your system. When you use a TPM, you can think of it as a way of moving certain sensitive tasks from the main operating system to a more secure location.

The idea behind this approach is to create a trusted environment that you can rely on to keep your data safe. By using a TPM, you're essentially creating a separate "trust zone" within your computer system that is isolated from the rest of the operating system. This allows you to use keys and other security measures to protect your data in a way that's not possible with traditional methods.

One of the benefits of using a TPM is that it provides a level of security that can be difficult to compromise. Since the TPM is a separate component, it has its own set of credentials and access controls that are designed to prevent unauthorized access to sensitive data. This means that even if your operating system is compromised, the TPM will continue to function as expected, providing an additional layer of protection for your data.

But how does this work in practice? Well, when you sign a document or send an email, for example, you use a key from the trusted platform module to authenticate your identity. This key is then used to encrypt and decrypt the data, ensuring that only authorized parties can access it. In other cases, the TPM can be used to provide proof that certain data has been signed by a trusted entity.

Another benefit of using a TPM is that it provides a way to ensure that software is authentic and has not been tampered with. By using a unique identifier, such as a hash value, stored in the TPM, you can verify that the software has not been altered or modified during transmission. This is particularly important for applications where security is paramount, such as financial transactions or military communications.

Of course, one of the key benefits of using a TPM is that it allows you to have some level of control over your data and its security. By having access to a trusted platform module, you can ensure that sensitive information is protected from unauthorized access. This is particularly important in cases where you need to share data with multiple parties or transfer sensitive information between different systems.

Now, not all operating systems support TPMs out of the box. However, since it's an open specification, pretty much any platform can support one. Apple, for example, uses a similar technology called Secure Enclave in their Mac computers. This provides a secure environment that can be used to store sensitive data and perform cryptographic operations.

The TPM specification was first released by the Trusted Computing Group in the late 1990s and early 2000s. Since then, there have been several revisions, including version 1.2 and the current version 2.0. One of the key changes made in version 2.0 is the addition of support for different encryption algorithms and hashing algorithms.

In terms of implementation, TPM chips are produced by various vendors and sit alongside related platform security technologies such as Intel's TXT and AMD's PSP (Platform Security Processor). These chips are designed to communicate with the rest of the system over a standardized interface, typically the Low Pin Count (LPC) bus. There are also software implementations available that simulate the behavior of a TPM, allowing developers to test and develop applications without the need for physical hardware.

However, one of the advantages of hardware-based TPMs is that they provide a level of security that cannot be replicated by software alone. Because they contain an embedded key that can be used to secure data, they offer an additional layer of protection against unauthorized access. In addition, because the keys are stored securely on the chip, it's theoretically impossible for attackers to compromise them.

In contrast, software implementations of TPMs rely on being able to keep track of sensitive credentials and ensure that only authorized parties have access to them. While this approach can be effective in certain situations, it may not provide the same level of security as a hardware-based solution.

Nowadays, more companies are starting to implement secure technologies to protect their systems. Intel's Trusted Execution Technology (TXT) and AMD's PSP are examples of platforms that aim to enhance the security of your computer system. They work by adding an additional layer of protection between the operating system and the hardware. This approach provides several benefits, including increased security, improved integrity, and enhanced protection against malware.

In conclusion, a Trusted Platform Module is a powerful tool that can provide an additional layer of security for your computer system. By using a TPM, you can ensure that sensitive data is protected from unauthorized access and provide a level of control over its security. Whether used alone or as part of a comprehensive approach to security, TPMs offer a promising solution for anyone looking to enhance the security of their digital environment.

I've seen a bit of talk about this thing called a TPM. Is it Trusted Platform Module, or something?

Yeah, that's right, the Trusted Platform Module.

And that the new version of Windows may require a TPM. What is a TPM and how does it work?

So yes, it is the Trusted Platform Module, and one of the things that Windows 11 is going to require a PC to have is a Trusted Platform Module as part of it. The idea behind a Trusted Platform Module is a way of making computers secure, or more secure, and the best way to understand why we might need one is to think about how things would happen if we don't have one, in a sort of traditional computer setup. Mike's done a lot of videos looking at various encryption algorithms and things, and one of the common factors, whatever your encryption algorithm is, let's call it Enc, we've got a function, and that is going to take a key, and this might be a symmetric key, might be a public/private key thing. It's going to take a key and it's going to take a message that we want to encrypt, and then you can go and watch any of Mike's videos, pick your favorite encryption algorithm, and he will explain it with some wonderful diagrams, some colorful colors and some liquids he's pouring around and things. But the problem we've got is the key. We need to keep a copy of the key on our computer system, so what can we do to keep it private? Well, if we have it in the computer's memory, theoretically any program running on the computer could potentially access it. Now, normally the operating system and the memory management unit in the CPU will stop that happening, they will protect it, but that requires the operating system to be working in the way you want it to: it's running the code you expect to be running and not one that's been modified by some dodgy geezer called Mike, and as well as encrypting your message it's also sending a copy of your key to mikeivegotyourkey.com. I only joke, Mike doesn't use that web address to catch people's keys, he uses a different one.

So we've got a problem. We need to keep the key secure. We could keep it on the computer in memory, but it's potentially possible something else could access it, or we could write it onto the hard disk, but if someone gains access to your hard disk they've got the key. Sean, how do you think we might keep it secret?

This feels like a trap, but I'm going to say it anyway: you could encrypt it.

Well, yeah. So yeah, we could encrypt the key, but the problem then is that all we've done is we've just moved the problem. We've now made the key that we're using to sign our messages secure, but we now have to keep the key used to decrypt the key that we're using to encrypt our messages secure as well. So we could do that, and that is actually part of what the TPM will do, but we still have the same problem: we have a key on our system that we need to protect. So we could encrypt it, but we're just moving the problem up a layer. And the same is true with the software. We could say, well, actually we'll encrypt or hash the version of Windows on the system, or whatever operating system we're using, and then when we load it in we'll make sure that it matches that hash. Well, that's fine, but now the bootloader has to be the thing you trust, because if someone modified the bootloader it might not check it properly and say yes, this is correct, when actually they've just slipped in a bit so Mike gets your key.

It seems to me that something has to be trusted at some point, somewhere.

Yeah, exactly. So we need some way of storing this so that we know the key is accessible but we can't get it out of the system unless we want to get it out of the system. So this is what the Trusted Platform Module on a computer effectively does: it provides a way of storing keys so that we can use them, we can do that, but in a way that means that they aren't going to be sort of compromised by Mike or anyone else who's trying to get access to your keys.

Well, how do we do that? What does the TPM do to do that? We talked earlier about how one way we can protect the key is by encrypting it. We encrypt it, and then we have a form that we can store, and then when we need to use it we decrypt it, and then we get rid of the decrypted version as soon as we finish with that. So basically the Trusted Platform Module is a little chip which is effectively a very small computer in its own right. It's running software that can store keys, it can generate random numbers, secure random numbers, it provides the sort of support that you would need in the computer system to do cryptographic type functions in a secure way. So let's think about our problem: we want to store our keys in a way so that only we can access them. Well, the way that we do that is that in a Trusted Platform Module we have what's called the storage root key, and this is just a key that's been programmed in there when the chip was built, or derived from a key that was in the Trusted Platform Module when the chip was built, that is used to encrypt the keys that we want to store. But it's stored in the Trusted Platform Module, this separate chip on your computer's motherboard, and you can't get the key out of the Trusted Platform Module. You can pass another key to the Trusted Platform Module and say, can you, what's called, wrap this key up in a way so that I can only access it by asking you to unwrap it and give me the key to use. So if we want to store the key to encrypt our message, we take that key, we give it to the Trusted Platform Module, it encrypts it, it wraps it up, as it's called, with the storage root key on the system, and then we have a form that we can store, either sometimes within the Trusted Platform Module or that we could actually store on the hard disk inside our system, because we can only decrypt that using the Trusted Platform Module chip on the motherboard of our computer, and every chip is programmed with a different key, so that only the Trusted Platform Module that wrapped that key is able to unwrap it.

So that's basically what the Trusted Platform Module is. It's a chip that provides us with a way of doing cryptographic functions outside the main computer system, but it's built in such a way that we can use the keys but we can't fetch them from the Trusted Platform Module. So we can take a key, put it in the Trusted Platform Module, wrap it, and then when we want to use it we take the wrapped version, give it back to the Trusted Platform Module, unwrap it, or even potentially get the Trusted Platform Module, depending on what functions it implements, to do the decryption for us: we send it the data, it comes back, and things. The way these chips are built is they only have the minimal amount of functionality you need to make it secure on them, because some bits of it you can still do in software, but you're trying to make the bits that have to be secure exist in this separate chip so they're not accessible outside the system.

One problem, though, is you're still relying on the software running on the system. The Trusted Platform Module can wrap and unwrap keys, so what's to stop me coming along, or what's to stop Mike coming along with a USB stick, sticking it in the side of your laptop, booting his favorite version of Linux on there and then accessing your hard disk, finding the wrapped version of the key that's on there and asking the Trusted Platform Module to unwrap it? So what the Trusted Platform Modules, the TPMs, also offer is what we call sealing a key. And here they do exactly the same thing: you take the key, you give it to the Trusted Platform Module and it encrypts it, but as well as requiring the key that's built into the TPM to decrypt it, it also requires what are called the platform configuration registers, which are another part of the Trusted Platform Module, to have the same state in them, and this is called sealing a key. So what this basically means is, if you set these things up right, you can only unseal the key, you can only un-decrypt it, effectively unseal it, when using the same Trusted Platform Module and you also have the system in exactly the same state.

Now, how does that work? Well, these platform configuration registers are registers, they're just spaces basically inside the Trusted Platform Module, which you can cause to have a particular value. Now, you can't set them to have a specific value, but what you can do is, as the system boots up, you can change the values in there: you can take the value that's currently stored in that register and combine it with some value that you give it as part of the system. So for example you could take the value in a register and combine it, say, with a hash of the BIOS, for example, or the sort of state of the MBR system, whatever it is that you've chosen to do these things, and then when you come to unseal the key, as well as needing the key that's embedded in the Trusted Platform Module, those configuration registers, you can say this one needs to be the same, this one needs to be the same, this one needs to be the same. So you can guarantee that not only is the system the machine that encrypted it originally, because it's got the same key on there, but also that it's running the same software: it's the same BIOS version, it's the same version of Windows, the hard disk perhaps hasn't been changed in the layout, whatever it is that the system is using to store these things. And these can all be stored in the Trusted Platform Module in a way that they can be stored, they can be used, but you can't read them back out, except perhaps under specific circumstances. So for example if you've got a key which you use to sign your email and you get a new laptop, you may want to, in specific cases, be able to take it out of one TPM and put it into another one, and there's provision to do that, but in general only that Trusted Platform Module can access these things. So it's having something locally on your system that you can trust, and then deriving everything else in terms of that local thing, the Trusted Platform Module.

There's other things you can do with it as well. You can use it to prove that this key has been signed by a key in a Trusted Platform Module, which is what perhaps Windows are using it for, to sort of guarantee this is running on the machine that they sold you this copy to run it on, if you're cynical about why they're wanting these things and things, but it also enables you to much more guarantee that the things are secure on your system. So in a nutshell, at a very high level, that's what a Trusted Platform Module does on your system. It's a way of trying to secure your computer system, make things more secure, by moving it off the main computer system, where you have to eventually trust something at some point, into something that you can trust, and you can then test things along that, you can guarantee that the software you expect is running on the system.

Is TPM proprietary? Are there different versions of this, or is this one kind of like platform?

So the Trusted Platform Module, the specification for it was created by the Trusted Computing Group, I think it was in the late 90s, early 2000s and things, and there's been various versions. There was certainly version 1.2, we're now at version 2.0. One of the major changes was allowing support for different encryption algorithms, different hashing algorithms. So for example TPM 1.2, when the spec came out, only supported SHA-1. A couple of years later SHA-1 was shown to have ways you could compromise it, although not in a way that I think would necessarily affect the way the TPM was using it and things, but anyway you want to be able to support newer, better, more secure algorithms and things. So it's a specification. Various different vendors produce chips, so they'll generally talk over what's called the Low Pin Count, the LPC bus, on your computer system, and you can then refer to them. You can actually get ones that are implemented in software and things like that. Of course they're good for simulating and testing things, but they're software, so you can change them, and they're not as secure as having it in hardware. The advantage of the hardware thing is that because it's a dedicated chip it's got a key embedded in it when it's created that can't be changed, and the others are all derived from that or wrapped or sealed with that and things. You can rely on it keeping the keys securely even if the system itself gets compromised.

We've talked a lot about Windows. It begs the question, your Mac is behind you on the desk over there, how do Apple deal with this?

TPM isn't a Windows-specific thing. It's an open specification, it's supported by Linux, pretty much any platform could support it. When Apple originally switched to the x86 platform their laptops, their machines, did have TPM chips embedded on them, but they didn't really get used, and then they took them off, because it's a way of saving money and pushing the prices up. But Apple basically do the same thing, they provide the same thing, they do it with their Secure Enclave. It's got the same sort of ideas: they can program keys into it and then they can use those keys to wrap things, but they've just done it in their own Apple way as opposed to using the way that everyone else is doing it and things, and that's perfectly fine, it works.

Some of our Twitter followers will know I recently upgraded my computer to an AMD Ryzen.

There wasn't enough rainbows inside your machine?

Like RGB LEDs in your machines, or colorful lighting in my office with my RGB beast. It doesn't have a TPM; it has a thing called a PSP. Or is that similar?

The TPM provides part of the security you need, but also companies like Intel and AMD are starting to extend that, so you've got Intel's Trusted Execution Technology, TXT, you've got the AMD PSP as you talk about, and they're all trying to make your computer more secure and provide more ways of knowing that the software running on your computer is the software you expect it to be, and not Mike's special brew of the disc.
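The interview describes three mechanisms without showing them: wrapping a key under the storage root key, extending platform configuration registers during boot, and sealing a key to those register values. The following Python model is an added example (not code from Computerphile, the Trusted Computing Group or any real TPM) that walks through all three and through the two failure modes the interview raises, a wrapped blob presented to a different chip and the same chip booted with a modified bootloader. Everything in it is an assumption made for the illustration: `ToyTPM`, `extend_pcr`, `seal`, `boot` and `demo` are names chosen here, the "BIOS v1" and "bootloader v1" byte strings are constructed stand-ins for firmware images, and the cipher is a SHA-256 keystream with an HMAC tag so that the block runs on the standard library alone, where a real chip uses AES, RSA or ECC.

```python
"""Toy model of TPM key wrapping, PCR extension and sealing: an added example,
not code from the video or any real TPM.  Standard library only; a SHA-256
keystream plus HMAC tag stands in for the AES/RSA/ECC a real chip uses.
ToyTPM, extend_pcr, seal, boot and demo are names chosen for this illustration."""
import hashlib
import hmac
import os

PCR_COUNT = 8  # TPM 2.0 has 24 PCRs per bank; 8 is plenty for the model


class ToyTPM:
    def __init__(self):
        # Storage root key: unique per chip, fixed at manufacture, never readable.
        self._srk = os.urandom(32)
        self.power_cycle()

    def power_cycle(self):
        # PCRs reset to all-zero at power-on; the SRK survives.
        self.pcrs = [bytes(32) for _ in range(PCR_COUNT)]

    def extend_pcr(self, index, measurement):
        # Extend-only: PCR[i] <- SHA256(PCR[i] || SHA256(measurement)); no "set".
        digest = hashlib.sha256(measurement).digest()
        self.pcrs[index] = hashlib.sha256(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def pcr_policy_digest(self, indices):
        # Digest over the selected PCRs: our stand-in for a PCR policy.
        return hashlib.sha256(b"".join(bytes([i]) + self.pcrs[i] for i in indices)).digest()

    def _keystream(self, nonce, n):
        blocks = (hashlib.sha256(self._srk + nonce + c.to_bytes(4, "big")).digest()
                  for c in range(n // 32 + 1))
        return b"".join(blocks)[:n]

    def _encrypt(self, aad, plaintext):
        nonce = os.urandom(16)
        ct = bytes(p ^ k for p, k in zip(plaintext, self._keystream(nonce, len(plaintext))))
        tag = hmac.new(self._srk, aad + nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def _decrypt(self, aad, blob):
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expect = hmac.new(self._srk, aad + nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            raise PermissionError("other TPM, other PCR state, or tampered blob")
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))

    def wrap(self, key):
        # Encrypt a key under the SRK; the blob can safely sit on disk.
        return self._encrypt(b"wrap", key)

    def unwrap(self, blob):
        return self._decrypt(b"wrap", blob)

    def seal(self, secret, pcr_indices):
        # Like wrap, but also bound to the current values of the chosen PCRs.
        sel = bytes(pcr_indices)
        policy = self.pcr_policy_digest(pcr_indices)
        return bytes([len(sel)]) + sel + self._encrypt(b"seal" + policy, secret)

    def unseal(self, blob):
        n = blob[0]
        sel = list(blob[1:1 + n])
        policy = self.pcr_policy_digest(sel)  # from the *current* PCR values
        return self._decrypt(b"seal" + policy, blob[1 + n:])


def _rejected(fn):
    try:
        fn()
    except PermissionError:
        return True
    return False


def boot(tpm, bios, loader):
    # Constructed measured boot: firmware image into PCR0, bootloader into PCR4.
    tpm.power_cycle()
    tpm.extend_pcr(0, bios)
    tpm.extend_pcr(4, loader)


def demo():
    # Returns five booleans, all expected True.
    bios, loader = b"BIOS v1 (constructed)", b"bootloader v1 (constructed)"
    tpm, key = ToyTPM(), os.urandom(32)
    unwrap_ok = tpm.unwrap(tpm.wrap(key)) == key           # 1. wrap / unwrap
    boot(tpm, bios, loader)                                # 2. clean boot, seal
    sealed = tpm.seal(key, [0, 4])
    unseal_ok = tpm.unseal(sealed) == key
    other = ToyTPM()                                       # 3. same software,
    boot(other, bios, loader)                              #    different chip
    foreign_rejected = _rejected(lambda: other.unseal(sealed))
    boot(tpm, bios, loader + b" + a slipped-in bit")       # 4. modified loader
    tampered_rejected = _rejected(lambda: tpm.unseal(sealed))
    boot(tpm, bios, loader)                                # 5. trusted state again
    reboot_ok = tpm.unseal(sealed) == key
    return unwrap_ok, unseal_ok, foreign_rejected, tampered_rejected, reboot_ok
```

Running `demo()` returns five `True` values. Cases 3 and 4 are the points the interview makes: the sealed blob is useless on another chip because the storage root key differs, and useless on the same chip once PCR4 no longer matches, because the only route back to the sealed value is the same measurements in the same order after a power cycle (case 5). In both failing cases the HMAC check rejects the blob before any plaintext is produced, which is the property a practitioner wants from sealing. A real TPM 2.0 expresses the PCR condition as a policy digest on the object and checks it in a policy session rather than mixing it into associated data as this model does, but the bound is the same.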