TPM stands for Trusted Platform Module; it is a chip integrated on the motherboard (mainboard) to secure the data on the computer.
Yes, that is an answer you will often see on tech forums, but it is not really exhaustive.
That is why in this article I will explain this TPM chip more fully and thoroughly, and answer the questions that surround it, for example:
What does a TPM secure and what is it used for, how to check whether a computer has a TPM, why Windows 11 requires TPM 2.0, how TPM 1.2 and TPM 2.0 differ, and so on.
#1. A little introduction to the TPM chip
TPM was first introduced in 2005. It is a physical chip located on the motherboard (or possibly inside the CPU) that provides encryption features and creates additional layers of security for the computer.
TPM is a chip capable of generating encryption keys and providing authentication functions for both hardware and software, thereby enhancing the security of the computer.
In a nutshell, TPM is like a factory that produces locks for both households (software) and factories and enterprises (hardware).
Most modern computers and laptops (manufactured from 2018 onwards) have a TPM chip soldered onto the motherboard (mainboard).
In case you build a computer yourself, and you buy a motherboard that doesn’t have TPM built in, you can absolutely buy a TPM module from outside and plug it in.
However, at the moment TPM modules are quite expensive, and if your motherboard does not support TPM, buying a TPM module is just a waste of money.
So please check the information carefully before deciding to upgrade: some motherboards have a TPM connector, and in that case you only need to buy a TPM module and attach it.
As I mentioned above, the TPM chip is not only mounted on the motherboard, but some types of TPM can also be integrated directly into the CPU.
There are also other types called virtual TPMs that do not need a physical chip to operate; instead, the TPM is implemented in software for the computer. The level of security of such a virtual TPM is certainly not as high.
Please refer to this article to get more information about TPM: What is TPM 2.0 on Windows 11? and how to test it?
#2. Differences between the TPM 1.2 and TPM 2.0 chips
TPM 1.2 was first released in 2005 and received its final revision in 2011.
Meanwhile, TPM 2.0 was first released in 2014 and received the latest revision in 2019, as of the time of this writing (2021).
Although TPM 2.0 is an upgraded version of TPM 1.2, TPM 2.0 is not compatible with TPM 1.2.
In terms of algorithms, TPM 1.2 requires SHA-1 and RSA, while AES is optional.
For TPM 2.0, SHA-1 and SHA-256 are required as hash functions. In addition, TPM 2.0 uses HMAC and 128-bit AES for symmetric-key operations.
The difference between the two algorithm sets is significant, and it is clear that TPM 2.0 is a much more secure solution than TPM 1.2.
In terms of hierarchies, TPM 1.2 has only a storage hierarchy, while TPM 2.0 has platform, storage, and endorsement hierarchies.
What about root keys? TPM 1.2 supports only an RSA-2048 storage root key (SRK), while TPM 2.0 supports more keys and algorithms per hierarchy.
For authorization, TPM 1.2 uses HMAC, PCR values, locality and physical presence. TPM 2.0 provides the same authorization mechanisms and adds password authorization.
Regarding NVRAM, TPM 1.2 supports only unstructured data, while TPM 2.0 supports unstructured data, counters, bitmaps, extend, PIN pass and PIN fail.
=> Overall, TPM 2.0 provides a series of remarkable and very real improvements.
Comparison table of the algorithms supported by TPM 1.2 and TPM 2.0:

| No. | Algorithm type | Algorithm name | TPM 1.2 | TPM 2.0 |
|---|---|---|---|---|
| 1 | Asymmetric | RSA 1024 | Yes | Optional |
| 1 | Asymmetric | ECC P256 | No | Yes |
| 1 | Asymmetric | ECC BN256 | No | Yes |
| 2 | Symmetric | AES 128 | Optional | Yes |
| 3 | Hash | SHA-2 256 | No | Yes |
#3. Outstanding advantages of TPM 2.0 compared to TPM 1.2
TPM 1.2 uses only the SHA-1 hashing algorithm, which is a weak point, since SHA-1 is not secure and the industry has been moving to SHA-256 since 2014.
Evidence that SHA-1 is not secure is that Google and Microsoft removed support for certificates based on the SHA-1 algorithm in 2017.
Meanwhile, TPM 2.0 supports newer algorithms, thereby raising the level of security. Some features, such as device encryption, Windows Defender System Guard, Autopilot and SecureBIO, are only available when the computer has a TPM 2.0 chip.
The table lists the features that TPM 1.2 and TPM 2.0 support:

| No. | Feature | TPM 1.2 | TPM 2.0 |
|---|---|---|---|
| 4 | Windows Defender Application Control | ✓ | ✓ |
| 5 | Windows Defender System Guard | ✘ | ✓ |
| 7 | Device Health Attestation | ✓ | ✓ |
| 9 | UEFI Secure Boot | ✓ | ✓ |
| 10 | TPM Platform Crypto Provider Key Storage Provider | ✓ | ✓ |
| 11 | Virtual Smart Card | ✓ | ✓ |
#4. How does TPM work?
The TPM chip is used to protect and encrypt data (it generates and stores components of encryption keys). The TPM stores confidential information such as passwords, encryption keys and security certificates in hardware.
This means that to unlock an encrypted hard drive, you need the same TPM chip that generated the key.
And because of the unique nature of a physical chip (the encryption key is not stored on the hard drive), hackers will have a harder time decrypting the data, because they do not control the TPM chip.
TPM chips also have built-in anti-tampering features, so if the chip or mainboard is tampered with, the TPM still keeps your data locked.
When it detects viruses or other malicious software on your device, the TPM immediately isolates itself (along with the encrypted data inside).
The TPM can also check the BIOS at startup and run tests on the software before it runs.
The TPM can also prevent the computer from starting and lock it if it detects that data has been stolen. In addition, the TPM can store the biometric data used by Windows Hello (face unlock).
The most common role of the TPM is to generate unique encryption keys, part of which is stored on the TPM chip. As a result, a hard drive protected by such a key cannot be read when it is plugged into another computer. (BitLocker requires a TPM for exactly this reason.)
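The following PowerShell script is an added example, not code from the original article, that simulates the PCR "Extend" operation behind the "check the BIOS at startup" and "same TPM chip that generated the key" points above, and behind the SHA-1 versus SHA-256 comparison in sections 2 and 3. A TPM never overwrites a Platform Configuration Register; it computes PCR_new = Hash(PCR_old || Hash(component)) for each measured boot component, so a key sealed to the expected PCR value can only be unsealed when every component is unchanged. The boot component names are constructed stand-ins for real firmware and boot-loader images, and the function names are my own.

```powershell
# Added example (not from the article): simulate the TPM "Extend" operation that
# measured boot uses to fill a Platform Configuration Register (PCR).
# PCR_new = Hash(PCR_old || Hash(component)), starting from an all-zero register.
# TPM 1.2 has only a SHA-1 PCR bank; TPM 2.0 also offers a SHA-256 bank.

function Get-Digest {
    param([byte[]]$Bytes, [string]$Algorithm)
    $hasher = switch ($Algorithm) {
        'SHA1'   { [System.Security.Cryptography.SHA1]::Create() }
        'SHA256' { [System.Security.Cryptography.SHA256]::Create() }
        default  { throw "Unsupported hash bank: $Algorithm" }
    }
    try { return $hasher.ComputeHash($Bytes) } finally { $hasher.Dispose() }
}

function Invoke-PcrExtend {
    param([byte[]]$Pcr, [byte[]]$Measurement, [string]$Algorithm)
    # The old register value and the new measurement are concatenated and hashed;
    # there is no way to set a PCR directly to a chosen value.
    return Get-Digest -Bytes ($Pcr + $Measurement) -Algorithm $Algorithm
}

function Get-SimulatedPcr {
    param([string[]]$BootComponents, [string]$Algorithm = 'SHA256')
    $digestLength = (Get-Digest -Bytes ([byte[]]@()) -Algorithm $Algorithm).Length
    $pcr = [byte[]]::new($digestLength)   # reset value: all zeros
    foreach ($component in $BootComponents) {
        # In a real boot the measurement is the hash of the firmware or boot-loader
        # image; these strings are constructed stand-ins for those images.
        $image = [System.Text.Encoding]::UTF8.GetBytes($component)
        $measurement = Get-Digest -Bytes $image -Algorithm $Algorithm
        $pcr = Invoke-PcrExtend -Pcr $pcr -Measurement $measurement -Algorithm $Algorithm
    }
    return ([System.BitConverter]::ToString($pcr) -replace '-', '').ToLower()
}

# Constructed sample boot chains: the second one has a modified boot manager
$trustedChain  = @('uefi-firmware 1.0', 'bootmgfw.efi', 'winload.efi')
$tamperedChain = @('uefi-firmware 1.0', 'bootmgfw.efi (modified)', 'winload.efi')

foreach ($bank in 'SHA1', 'SHA256') {
    $good = Get-SimulatedPcr -BootComponents $trustedChain -Algorithm $bank
    $bad  = Get-SimulatedPcr -BootComponents $tamperedChain -Algorithm $bank
    "$bank bank, trusted boot : $good"
    "$bank bank, tampered boot: $bad"
    # A key sealed to the trusted PCR value cannot be unsealed when the value differs
    "$bank bank, sealed key would unseal: $($good -eq $bad)"
}
```

Changing a single byte in any measured component changes the final PCR value in both banks, which is why BitLocker refuses to release its key after a firmware or boot-loader change until the drive is unlocked another way. The SHA-256 bank matters because an attacker who can produce SHA-1 collisions could, in principle, craft a modified component with the same SHA-1 measurement; TPM 2.0's algorithm agility lets the platform seal keys against the SHA-256 bank instead.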
#5. Why Windows 11 requires a TPM 2.0 chip
What we currently know about the system requirements of Windows 11 is quite vague, including whether Microsoft will support TPM 1.2 for Windows 11 or not.
According to the document Microsoft first published, Windows 11 would work with TPM 1.2 and TPM 2.0, so TPM 1.2 was supported (but not recommended).
However, not long after, Microsoft updated their documentation, and currently only machines with a TPM 2.0 chip are supported.
Currently, Microsoft is very focused on security for Windows 11, so it is understandable to require TPM 2.0: TPM 2.0 meets the latest and most modern security features of Windows 11.
Not only that, Microsoft has also warned about firmware attacks, which lead to ransomware attacks that cause data loss for users.
Therefore, Microsoft's work to strengthen the security of its operating system is meant to mitigate those attacks and to ensure the safety of users in the future.
But there is also a group of users who think that Microsoft's higher system requirements are just a financial conspiracy.
Users will have to give up computers from the Windows 8 era and below, and some computers running Windows 10, to buy computers or laptops with hardware that supports Windows 11.
There is a high chance that computers only 4 years old or older will not be able to upgrade to Windows 11 through official channels.
At the same time, the high hardware requirements will make computer components more expensive, and there will be people hoarding components to sell at extremely high prices while supply is scarce.
Microsoft has never had such strict hardware requirements for any previous version of Windows, so this assumption is also very plausible.
#6. How to tell if a computer has TPM or not
+ Step 1: Open the Run dialog box (Windows + R) => enter the command devmgmt.msc => then press Enter.
+ Step 2: Find the Security devices section => then expand it to see the details. If you see Trusted Platform Module 2.0, your device already has a qualifying TPM.
If you do not see the Security devices section, your computer does not have a TPM, or the TPM is disabled in the BIOS.
Your job is then to enable TPM in the BIOS; to do this, please refer to this article: What is TPM 2.0 on Windows 11? and how to test it?
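As an added example (not part of the original article), the same check can be scripted from an elevated PowerShell prompt instead of clicking through Device Manager. It uses the built-in Get-Tpm cmdlet and the Win32_Tpm WMI class, both of which ship with Windows; the function name Get-TpmSummary and the MeetsWin11 field are my own.

```powershell
# Added example (not from the article): report TPM presence, readiness and
# spec version from PowerShell. Run as Administrator; Get-Tpm needs elevation.

function Get-TpmSummary {
    # Get-Tpm comes from the built-in TrustedPlatformModule module
    $tpm = Get-Tpm

    # Win32_Tpm exposes SpecVersion, for example "2.0, 0, 1.38" or "1.2, 2, 3"
    $wmi = Get-CimInstance -Namespace 'root/cimv2/Security/MicrosoftTpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    $spec = if ($wmi) { $wmi.SpecVersion } else { 'unknown' }

    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        Manufacturer = $tpm.ManufacturerIdTxt   # vendor string, e.g. "INTC" or "IFX"
        SpecVersion  = $spec
        # Windows 11 requires a TPM 2.0 device; the first field of SpecVersion is the spec level
        MeetsWin11   = [bool]($tpm.TpmPresent -and $spec -like '2.0*')
    }
}

$summary = Get-TpmSummary
$summary | Format-List

if (-not $summary.TpmPresent) {
    Write-Warning 'No TPM detected: it is either absent or disabled in UEFI/BIOS setup.'
} elseif (-not $summary.TpmReady) {
    Write-Warning 'TPM is present but not ready; check ownership/provisioning in tpm.msc.'
} elseif (-not $summary.MeetsWin11) {
    Write-Warning "TPM spec version is $($summary.SpecVersion); Windows 11 requires TPM 2.0."
}
```

TpmPresent being $false on a machine you know has a TPM is the scripted equivalent of the missing "Security devices" node in Device Manager: the chip is usually disabled in firmware setup rather than absent. A TpmReady value of $false with TpmPresent $true means the TPM is visible but not provisioned, which is a different problem from the version check.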
Above is all the important information about the TPM chip that I have compiled.
Through this article, you have also seen the differences between the TPM 1.2 and TPM 2.0 chips, and you now know why TPM 2.0 is required to install Windows 11.
I wish you all success, and I hope everyone will discuss this TPM chip further so that we can all gain more useful knowledge.
CTV: Hoang Tuan – techtipsnreview
Edit by Kien Nguyen
Source: What is the difference between TPM 1.2 chip and TPM 2.0 chip?