Microsoft announced Windows 11 will require one, so what is it, and why do you need it?
A: A type of cryptographic vault. It stores (and validates) cryptographic keys on an impenetrable* chip. Even if somebody steals your device, they can't recover the keys.
It's roughly the same thing as the chip on your credit card. Historically, credit cards simply used a long number that could be read from the front of the card, or read from the magnetic stripe on the back....
...this made credit cards horribly insecure, as the merchant (or waiter) could simply steal the number and run up purchases. This was the major source of credit-card fraud.
The newer chips on credit cards fix this. The chip uses a built-in private key that can be used to validate transactions WITHOUT REVEALING THE KEY. Merchants can't commit fraud outside that one signed transaction, even if they wanted to.
Your phone works the same way. Your phone is encrypted by a secret key within the chip. When you unlock your phone by typing a passphrase, it sends the passphrase to that chip to enable decryption of the internals of the phone.
It means that if somebody steals your phone, they can't read the contents. Even if they break open the phone and steal the flash chips that store all your data, they still can't read those chips, because they are encrypted. They can't even "crack" the key by guessing passphrases.
That's why in the famous case of the iPhone from the San Bernardino terrorist, the FBI couldn't decrypt the phone. Ultimately, they hired hackers to hack the chip (presumably using techniques Apple has since fixed).
Without such chips, if somebody steals your device (phone, laptop, etc.), they have complete access to read anything they want from the device, without needing special hacks. Even if encrypted, they could "crack" your password at the rate of BILLIONS of attempts per second.
There are other threats this chip addresses, which is where "secure boot" comes in. Maybe an evil maid enters your hotel room and installs evil software on the system, so when you boot it and enter your password, it steals your password without you noticing. Secure boot refuses to boot anything but Windows.
People steal mobile phones and credit card numbers all the time, so such chips have been important in those markets.
People don't steal desktops often, so it hasn't been so important for Windows.
Laptops are sorta halfway in between.
Apple MacBooks have long had a security chip (T1, now T2 chip). It's the same sort of cryptographic vault as on their iPhones, but doesn't follow the TPM standard. Thus, it's unlikely they will be able to boot Windows 11.
(TPM is one form of the general concept).
There are many downsides to all this security. Secure boot means being unable to boot alternative operating systems, like Linux for doing forensics and repair on a hacked Windows computer.
They can also be used to enforce DRM, the "digital rights management" that prevents copying of music and movies. In other words, instead of a chip that protects you, it can be a chip that works against you, protecting others from you.
* I claim this hardware cryptographic vault is "impenetrable" above. In practice, hackers sometimes discover hacks to penetrate it. Sometimes they can pull the chip, and using acids and telescopes, discover the built-in private key.
An important distinction here is the difference between "online" guessing of passwords and "offline".
Given an encrypted file (like that encrypted ZIP or PDF you sent me), I can try BILLIONS of passwords per second, offline, because it's just data.
But in the case of these cryptographic vaults, I can't try the password myself. I send the password to the chip, and it validates it. It can enforce a certain rate (like 1 guess every few seconds), and lock you out after too many bad guesses (like after 10).
It's why a 4-digit PIN can be used to secure your ATM card, because THEIR machine locks me out after 3 bad guesses.
But you can't use a 4-digit PIN to encrypt a PDF file, because MY machine won't lock me out, no matter how many guesses I make.
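The online-versus-offline distinction above, as an added simulation (not code from the original thread). It models a 4-digit PIN two ways: an encrypted file that anyone can test against as fast as a CPU allows, and a hypothetical vault chip that counts failures and erases its key after 10. The PBKDF2 iteration count and the MAX_TRIES value are assumptions chosen for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

PIN_SPACE = 10_000  # every 4-digit PIN, "0000" through "9999"


def derive_key(pin: str, salt: bytes) -> bytes:
    # Few iterations keep the demo fast; more iterations only slow an offline
    # attacker linearly, they never bound how many guesses can be made.
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100)


class EncryptedFile:
    """Offline model: the verifier is just data, so guessing is unlimited."""

    def __init__(self, pin: str) -> None:
        self.salt = secrets.token_bytes(16)
        self.check = hmac.new(derive_key(pin, self.salt), b"verify", "sha256").digest()

    def try_pin(self, pin: str) -> bool:
        cand = hmac.new(derive_key(pin, self.salt), b"verify", "sha256").digest()
        return hmac.compare_digest(cand, self.check)


class Vault:
    """Online model: the key never leaves the chip; it wipes after MAX_TRIES failures."""

    MAX_TRIES = 10  # assumed lockout threshold, as in the thread's "like after 10"

    def __init__(self, pin: str) -> None:
        self._pin = pin.encode()
        self._key = secrets.token_bytes(32)
        self.failures = 0
        self.wiped = False

    def unlock(self, pin: str) -> Optional[bytes]:
        if self.wiped:
            return None  # key erased: even the right PIN is useless now
        if hmac.compare_digest(pin.encode(), self._pin):
            self.failures = 0
            return self._key
        self.failures += 1
        if self.failures >= self.MAX_TRIES:
            self.wiped = True
        return None


def offline_attack(target: EncryptedFile) -> int:
    """Enumerates every PIN; returns guesses used. Always succeeds."""
    for n in range(PIN_SPACE):
        if target.try_pin(f"{n:04d}"):
            return n + 1
    raise RuntimeError("unreachable: the PIN space was fully enumerated")


def online_attack(target: Vault) -> Tuple[bool, int]:
    """Same enumeration against the chip; stops as soon as the vault wipes."""
    for n in range(PIN_SPACE):
        if target.unlock(f"{n:04d}") is not None:
            return True, n + 1
        if target.wiped:
            return False, n + 1
    return False, PIN_SPACE
```

Against the file the attack always recovers the PIN within 10,000 guesses; against the vault it gets 10 tries, a 0.1% chance, and then the data is gone for everyone.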
BTW, Windows 10 requires a TPM for "BitLocker", their full-disk encryption. But most desktops don't use BitLocker, and hence, don't require a TPM.
I presume that by requiring a TPM, Windows 11 will also simply always encrypt the disk by default.
That means "recovery" services are a thing of the past. You can't recover data from encrypted drives.
On the other hand, now we have cloud services like OneDrive, DropBox, BackBlaze, and so on.
Companies should support BYOD, allowing employees to use personal devices, especially phones and laptops, for work. Only REALLY sensitive things need to be segregated, like admins who can destroy the company with ransomware.
In other words, even from a cybersecurity perspective, companies need to be tolerant of the fact that they cannot control employee devices.
I say this first before pointing out that employees need to keep work and private life separate. It's not for the company's sake, it's for your own sake. You should have a separate email account (like Gmail.com or Outlook.com) for private stuff.
It's amazing how clueless people are. In this case, the person is clueless about both Section 230 and Libertarians. Section 230 doesn't say what this person thinks, and there's no way Libertarians support the "speech" policies this person wants.
Everybody suggesting a change to Section 230 doesn't understand Section 230. It's weird how common this is. It's because they don't care what it currently says -- only what they might make it say in the future.
And the thing they want it to say in the future is something something suppress speech they don't like and something something promote speech they do like.
I decided yesterday to spend this weekend writing a regular-expression library in C. How's your weekend going?
I want multiple pattern matching for lex grammar parsing, packet parsing, intrusion-detection, and IoC recognition. None of the libraries out there do a good job for this.
The "regular" in "regular-expression" means parsing them is real easy, just read characters left to right. It's actually easier to write code to implement them than it is to use them.
For decades, we've been preaching "cybersecurity is not just about the perimeter", yet every time our community is tested, we fall back to "it's just the perimeter". We've been lying this entire time.
The #1 reason ransomware has such a devastating impact is because we put all our security eggs in the Active Directory basket, then the hacker gets Domain Admin, and the game is over.