In this article, we compare TPM 1.2 and TPM 2.0 from an IT professional’s perspective, describing the Trusted Platform Module (TPM) and how Windows 11 uses it for access control and authentication.
You may know that Windows 11 was recently announced, bringing a broad assortment of new features and a few specific requirements.
Among the Windows 11 hardware requirements, the change everyone is discussing is the TPM chip. Unless you have one, you cannot upgrade to Windows 11 because of TPM 2.0 errors.
Windows 11, Windows 10, Windows Server 2016, and 2019 support “Device Health Attestation” with TPM 2.0. Support for TPM 1.2 was added beginning with Windows version 1607 (RS1). TPM 2.0 requires the latest UEFI firmware. A PC with legacy BIOS and TPM 2.0 won’t work as expected.
Two versions of TPM are available. This guide compares TPM 1.2 and 2.0 and then determines which one is better.
TPM 1.2 vs 2.0 – which one should I use?
TPM was initially introduced in 2009 by the Trusted Computing Group. Since then, it has become widely used in set-top boxes, computers, and ATM devices.
TPM 1.2 was introduced and developed between 2005 and 2009, and it was last updated in 2011. TPM 2.0, by contrast, was first introduced in 2014, and its latest revision began in 2019.
The two versions differ in several ways. Before comparing them, let’s look at how a TPM works and how it defends your PC.
TPM (Trusted Platform Module) is a dedicated microcontroller that provides encryption features and an extra layer of security for your PC.
Typically, it is a chip on the motherboard. However, it can also be integrated into the CPU or run independently in firmware. Some motherboards have TPM connectors, so you can also add a TPM chip yourself.
A fully virtual TPM is also available, operating at the software level. However, several experts consider it less secure than its physical counterpart.
TPM is predominantly used for encryption. It creates and stores parts of the encryption keys. This means that to unlock an encrypted drive, you must use the particular TPM chip that produced the encryption key.
Because the encryption key is not stored on the drive, hackers will find it harder to decrypt your data: they would also need access to the TPM chip, which they don’t have. In this way, the TPM helps keep your data secure.
TPM chips also implement tamper protection. If a hacker tampers with the motherboard or the chip, the TPM should still be able to keep your data locked.
Apart from encryption, the TPM can also defend your PC against bootloader malware by verifying the bootloader. If your bootloader has been corrupted, the TPM will stop your system from going through the boot process.
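The key binding and bootloader check described above can be modelled in software. This is an added example, not code from the original article or from any TPM vendor: `ToyTpm`, `measure_boot`, the sample boot chains and the HMAC/XOR sealing scheme are assumptions made for illustration, and only the PCR extend rule (new = H(old || H(component))) mirrors what a real chip does. It also goes slightly beyond the text by showing the SHA-1 and SHA-256 PCR widths that the article compares later.

```python
import hashlib
import hmac
import os

def measure_boot(algorithm, components):
    """Replay a boot chain into one PCR: start at zeros, then new = H(old || H(component))."""
    pcr = bytes(hashlib.new(algorithm).digest_size)
    for component in components:
        measurement = hashlib.new(algorithm, component).digest()
        pcr = hashlib.new(algorithm, pcr + measurement).digest()
    return pcr

class ToyTpm:
    """Toy stand-in for the chip: the root secret never leaves this object."""
    def __init__(self):
        self._root = os.urandom(32)

    def _keys(self, pcr):
        # Derive per-PCR-state keys from the chip secret (toy scheme, not the TPM's real one).
        enc = hmac.new(self._root, b"enc" + pcr, hashlib.sha256).digest()
        mac = hmac.new(self._root, b"mac" + pcr, hashlib.sha256).digest()
        return enc, mac

    def seal(self, secret, pcr):
        enc, mac = self._keys(pcr)
        blob = bytes(a ^ b for a, b in zip(secret, enc))  # secret must be <= 32 bytes
        return blob, hmac.new(mac, blob, hashlib.sha256).digest()

    def unseal(self, sealed, current_pcr):
        blob, tag = sealed
        enc, mac = self._keys(current_pcr)
        if not hmac.compare_digest(tag, hmac.new(mac, blob, hashlib.sha256).digest()):
            return None  # different boot state, or blob sealed by another chip
        return bytes(a ^ b for a, b in zip(blob, enc))

# Constructed sample boot chains (placeholders, not real firmware or bootloader images).
GOOD = [b"firmware-1.0", b"bootloader-1.0"]
TAMPERED = [b"firmware-1.0", b"bootloader-1.0-modified"]

def demo():
    tpm, disk_key = ToyTpm(), os.urandom(32)
    sealed = tpm.seal(disk_key, measure_boot("sha256", GOOD))
    return {
        "good_boot": tpm.unseal(sealed, measure_boot("sha256", GOOD)) == disk_key,
        "tampered_boot": tpm.unseal(sealed, measure_boot("sha256", TAMPERED)) is None,
        "other_chip": ToyTpm().unseal(sealed, measure_boot("sha256", GOOD)) is None,
        "pcr_bytes": (len(measure_boot("sha1", GOOD)), len(measure_boot("sha256", GOOD))),
    }
```

In this model the disk key is released only when the same chip sees the same measured boot chain; a modified bootloader or a different chip yields nothing.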
TPM also comes with a Quarantine Mode, which is useful for resolving bootloader issues. Finally, the TPM stores all your passwords, so they stay secure from attacks by hackers.
Other uses of TPM include protecting software licenses, managing digital rights, and preventing cheating in video games.
TPM 2.0 comes with various enhanced features compared to TPM 1.2. Although the two are similar, be aware that TPM 2.0 is not compatible with TPM 1.2.
TPM 1.2 has a single general-purpose specification, whereas version 2.0 comes with platform-specific specifications that state which parts of the library are optional or mandatory.
In terms of algorithms, TPM 1.2 requires RSA and SHA-1, whereas AES is optional. TPM 2.0 requires SHA-256 and SHA-1 for hashes.
For public-key cryptography and for asymmetric digital signature generation and verification, TPM 2.0 uses RSA and ECC with the Barreto-Naehrig 256-bit curve and the NIST P-256 curve.
TPM 2.0 uses 128-bit AES as its symmetric-key algorithm and HMAC for symmetric digital signature generation.
The difference between these algorithms is obvious, so it can be concluded that TPM 2.0 is quite a secure solution.
In terms of crypto primitives, TPM 1.2 and 2.0 provide the following features:
Although they share the same features, TPM 2.0 uses Direct Anonymous Attestation with the Barreto-Naehrig 256-bit curve. Hence, it provides more security in use.
When it comes to hierarchy, TPM 1.2 has only the storage hierarchy, whereas TPM 2.0 has storage, platform, and endorsement hierarchies.
In terms of root keys, TPM 1.2 only supports SRK RSA-2048. TPM 2.0, on the other hand, supports multiple keys and algorithms for each hierarchy.
In terms of authorization, TPM 1.2 uses PCR, HMAC, locality, and physical presence. TPM 2.0 offers these same authorization features plus password protection.
As for NVRAM, TPM 1.2 only supports unstructured data. TPM 2.0, on the other hand, supports unstructured data, Bitmap, Counter, Extend, and PIN pass and fail.
TPM 2.0 brings a broad range of improvements. Moreover, it is the more secure alternative in terms of encryption and data protection.
The following table shows a quick overview of the algorithms supported by TPM 1.2 and TPM 2.0:
TPM 1.2 only uses the SHA-1 hashing algorithm, but SHA-1 is no longer considered secure. Moreover, several agencies began shifting to SHA-256 in 2014.
In 2017, Google and Microsoft dropped support for SHA-1-based certificate signatures. It is important to note that TPM 2.0 supports the latest algorithms, which improve drive signing and key generation performance.
TPM 2.0 provides a more reliable experience: Windows configures the lockout policy. With TPM 1.2, implementations differ by policy settings, which could be a security issue.
It is also worth mentioning that several features, such as Windows Defender System Guard, Autopilot, device encryption, and SecureBIO, are available only with TPM 2.0.
When first announced, the Windows 11 hardware requirements stated that Windows 11 would work with TPM 1.2 and TPM 2.0, the latter being the more secure option.
According to that documentation, a TPM 1.2 chip allowed the upgrade to Windows 11 but was not recommended. However, Microsoft has since updated its documentation, and TPM 2.0 is now the requirement for Windows 11.
This leads us to believe that TPM 2.0 is indeed the prerequisite for Windows 11, and users with TPM 1.2 chips cannot use Windows 11.
It is still possible to install Windows 11 without a TPM if you are a tech nerd. The great news is that it appears a few Windows 11 systems will work without TPM 2.0 chips.
TPM was originally developed for business users, but the technology is now available on home PCs too.
Encrypting your data is not important for home users. But if you want to make sure that your files always remain safe, you must use TPM and encrypt your files.
Not all encryption needs a TPM, but using one adds a hardware security layer. Consequently, hackers will find it harder to access your data.
It provides tamper protection, so you can rest assured that your encrypted files are protected against hackers even if they attempt to change your hardware.
TPM is not merely useful for file encryption. As a home user, you may already be using it without knowing. If you use the Windows Hello feature, you are already using a TPM.
Your PINs and passwords are also stored in the TPM. This is true for home users as well. Finally, TPM provides the Secure Boot feature, which prevents bootloaders from infecting your PC. Therefore, even if you are not a business user and don’t encrypt your data, TPM benefits you as a home user.
TPM 1.2 and TPM 2.0 each have their advantages. With the recently introduced Windows 11 requirements, TPM chips are becoming a must-have. Therefore, if you don’t have a TPM chip, you can plan to purchase one.
The question is, which is the better version of TPM? The answer is quite simple: TPM 2.0 is newer and more secure. It provides more security functionality and works efficiently with Windows. Thus, TPM 2.0 is a better alternative than TPM 1.2.
Also read Microsoft’s Trusted Platform Module Technology Overview.