Nice to know: What is TPM?

Whoever works with sensitive data every day, tries to secure them as good as possible. One way to encrypt data is the Trusted Platform Module (TPM). In the first article of our new series about security, we will explain what this is all about.

The Trusted Platform Module (TPM) is a chip that is integrated into many systems and offers more security. It is used primarily in PCs, notebooks, mobile phones, but also in entertainment electronics. A device with TPM, adapted operating system and suitable software is called trusted computing platform (abbr.: TC platform).

What are the advantages of TPM?

The advantages of TPM are security and encryption as well as the identification of devices. For example, each chip contains a unique cryptographic key by which the computer can be identified – only if the owner allows reading it out.
In addition, cryptographic keys can be stored in the TPM in order to save encrypted data outside of the TPM. The keys are generated, used and securely stored within the TPM, so they are protected against software attacks. Other benefits include better licensing and data protection. The owner of the system can sign data to prove his origin. In addition, changes to the system can be detected using the TPM that have been made for example by malicious programs or by users.

What keys are used in the TPM?

The Endorsement Key (EK) is an RSA key pair (the abbreviation RSA stands for the three mathematicians Rivest, Shamier and Adleman, who developed this cryptographic method) and is specifically assigned to each TPM. The key length is 2048 bits. The RSA key pair consists of a private key that never leaves the TPM and decrypts or signs data, as well as a public key used to encrypt and check signatures. The key can be created outside of the TPM and can also be deleted and re-created.

The Storage Root Key (SRK) is created when an admin or user takes over the systems, that means, that the owner of the computer changes. The SRK is also an RSA key with a length of 2048 bits. As the name implies, the SRK is the root of the TPM key tree as it encrypts other keys used.

The Attestation Identity Keys (AIKs) are RSA keys with a length of 2048 bits. They are created using the Endorsement Keys and protect the privacy of the user. The AIKs can somehow be seen as a pseudonym for the EK, so that is can remain anonymous.

How can TPM be used?

The TPM chip, which is integrated into the hardware, is of course crucial for the use of TPM. This is partly inherently on the motherboard; alternatively the module can often be optionally installed, if a TPM header is present. However, the right software is required in order to use TPM. To protect the software from easy manipulation, a secure operating system such as Windows 10 IoT Enterprise is recommended.

##More about Windows IoT

Which spo-comm Mini-PCs offer TPM?

In the spo-comm systems spo-book WINDBOX III Advanced, spo-book NOVA CUBE Q87 and spo-book BOX N2930, a TPM chip is actually integrated (TPM 1.2). The successor of the spo-book WINDBOX III Advanced will be released in the third quarter of 2017 and will include the new TPM 2.0, which was published in 2014. In addition, TPM can be optionally installed in the systems spo-book TURO Q87, spo-book EXPANDED Q170 and spo-book NINETEEN Q170.

More on this topic

12 Apr 2017 know-how

What’s new? Bluetooth 5, TPM and high demand for SSDs

A lot has happened in the last few weeks. This month we have some news about the new Bluetooth standard, the Trusted Platform Module and we explain the rising prices for SSDs. In addition: Product change in the spo-comm range and everything about Windows 10 IoT Enterprise.
27 Jul 2017 know-how

Security: Powerguard SSD

In an industrial environment data loss is often a critical point. If you can’t rely on a uninterruptible power supply (UPS) for reasons of cost or space, there’s a new possibility to provide more security: with so-called Powerguard SSDs.
5 Sep 2017 know-how

Security: Mini-PC with battery as UPS

Another alternative to the uninterruptible power supply (UPS) is presented in the third part of our blog series about security: the Mini-PC with built-in battery.