Earlier today, the Trusted Computing Group (TCG) announced in a press release the Trusted Platform Module (TPM) 2.0 Library Specification was approved by the ISO/IEC Joint Technical Committee (JTC) 1 and will be available later in the year as ISO/IEC 11889:2015. This landmark accomplishment is set to encourage worldwide adoption of the TPM 2.0, which is critical for improving trust in information technology products and services.
TPM 2.0 builds on the achievements of its predecessor ISO/IEC 11889:2009, playing an important role in enhancing security by combining hardware and software features. It provides improvements to secure generation of cryptographic keys and to control their use. It includes a privacy protected mechanism that enables remote trust-verification of the software used to boot a particular system. Most importantly, TPM 2.0 supports cryptographic agility, allowing for effective management of cryptographic algorithms; including easier migration when a major weakness is found in an algorithm. Under the same technical framework, it also expands the use of additional publically available algorithms based on market requirements for TPM applications.
The fact that the standard was supported by a large number of countries, including Australia, Belgium, Canada, China, Czech Republic, Denmark, Finland, France, Ghana, Ireland, Italy, Japan, the Republic of Korea, Lebanon, Malaysia, Netherlands, Nigeria, Norway, the Russian Federation, South Africa, the United Arab Emirates, the United Kingdom and the United States, underlines the growing level of concern around cybersecurity, among both developed and emerging economies. It also stems from the inclusive and collaborative development process led by the TCG, which reflects its commitment to finding open and vendor-neutral technology solutions that address industry, consumer and government security requirements.
Microsoft, along with other technology companies, is an active participant in the TCG and over the years has invested in the innovation and promotion of the commercial adoption of trusted computing standards, including in developing TPM features as a part of Windows Vista, Windows 7, 8, 8.1, and most recently Windows 10. These actions and our customers’ feedback significantly advanced our understanding of the trusted computing technology, which in turn helped us deliver timely, market-driven solutions.
However, we recognize that we have to go further to address the security challenges posed by the explosive growth of mobile devices, society’s increasing reliance on wireless networks and the Internet of Things. To this end, Microsoft is providing more TPM functions in Windows 10 and enabling easier deployment of the TPM to achieve “secure by default” objectives for devices, such as mobile devices, servers, etc. TPM 2.0 implementations will include more algorithms and processes such as key generators, as well as onboard storage for cryptographic system measurements for validation and digital certificates. Moreover, Windows 10 hardware requirements enable tailored TPM 2.0 deployments for organizations, ensuring greater flexibility if so needed.
In our view TPM 2.0 represents a significant step forward as it effectively combines best practices from leading industry providers while also ensuring complete transparency of the specification through an open public review and consultation process. However, there is more to be done. The approval of TPM 2.0 offers a rare opportunity for countries to embrace and promote wider commercial adoption of this trusted computing technology in the near term. As technology evolves quickly new standards will be needed. The TPM 2.0 standard development, implemented through the PAS Transposition Process in ISO/IEC JTC 1, provides a template for a future collaborative security standards adoption. It provides ample opportunity for security experts to collaborate and reach an international consensus – one which will ensure user security and privacy and maintain trust in the Internet as a foundational platform of commerce and well-being in the long run.