Mocana Embraces TPM 2.0 for IoT Device Authentication Assurance

With the addition of support for the Trusted Platform Module 2.0 specification, Mocana is looking to help improve security updates and container deployment in embedded, internet of things devices.

Mocana TPM 2.0

Mocana is set to announce on July 25 that it is supporting the Trusted Platform Module 2.0 standard to help improve the security of embedded devices that make up the internet of things.

The TPM 2.0 standard enables organizations to provide cryptographic assurance about software delivery. TPM 2.0 support on the Mocana platform also enables new forms of embedded security for containers running on devices. A core improvement that TPM 2.0 provides over the older TPM 1.2 standard is that multiple sets of cryptographic keys and owners can be involved in the attestation process for security and authenticity.

"The multiple hierarchies of the keys allow us to provide solutions sets for signing and for endorsement processes that are associated with the various ownership models, and it allows us to put things together for a supply chain where we can have multiple signatories," Dean Weber, CTO of Mocana, told eWEEK. "TPM 1.2 had a single owner, whereas in this new model we can promote multiple owners."

Mocana is an embedded security software provider that provides software offerings that help vendors secure devices. Mocana got started back in 2002 when the term "IoT" didn't exist, though there were embedded computing devices. The growing volume of IoT devices has led to an increase in demand for technologies that Mocana delivers, which is why the company raised an $11 million funding round in May 2017.

With the multiple owner model for cryptographic assurance that TPM 2.0 enables, Weber said that attestation, for example, can be such that keys can be assigned to the vendor that builds a TPM, a separate set of keys can go to the vendor that builds the platform and another to the organization that owns the platform. With TPM 2.0, the hierarchy of the key architecture can remain independent, providing for providence and endorsement of the platform from TPM creation all the way through application execution, he said.

Steve Hanna, senior principal at Infineon Technologies and co-chair of the Embedded Systems Work Group in the Trusted Computing Group (TCG), commented that TPM 2.0 also provides cryptographic algorithm independence. He noted that with TPM 1.2 users were limited to only being able to use SHA and RSA cryptographic algorithms.

"TPM 2.0 is a library specification, so it's no longer a one-size-fits-all approach," Hanna told eWEEK. "There's a recognition that TPM is used in embedded systems as well as still being used in PCs, laptops, tablets, mobile phones and servers."

Secure Updates

A key challenge for embedded devices is the delivery of secure updates, which is an issue that TPM 2.0 and Mocana are aiming to help solve. Weber explained that the key architecture in TPM 2.0 helps to enable a secure update process.

"We have the software-enabled function of secure updates, where we're using secure cryptography instead of just a hash and signing type of methodology," Weber said.

Weber added that Mocana's support of TPM 2.0 now enables multiple signatories to help further validate a secure update. For example, if Infineon has an update for its TPM, Infineon signs the update. The platform developer also wants to make sure the update has been approved, as does the platform owner. Weber said that all of the signatories need to be present and valid for an update to be delivered and installed.

The multiple signatory process for TPM 2.0 validation can be a complicated matter. Weber said Mocana's Trust Center product provides a framework for creating the update package and validating the update package before transport. Upon transport and arrival, Mocana Trust Center can revalidate the package prior to installation of the package.


Embedded and IoT devices are increasingly making use of Docker container technology to help separate different applications that might be running. TPM also has a role to play in helping to provide an additional layer of security to embedded container deployments.

"What Mocana has done is implemented local and remote modes of operations, which are TPM specifications that allow us to use certified TPM keys to make sure that the containers are secure, separated and difficult to compromise," Keao Caindec, vice president of marketing at Mocana, told eWEEK.

Weber added that the TPM 2.0 specifications can be complicated for developers to implement and it's the goal of Mocana to make them easier to use. He noted that for existing TPM 1.2 users, Mocana's trusted abstraction platform migrates the system calls into a standard API call such that developers don't need to change their system architecture.

Sean Michael Kerner is a senior editor at eWEEK and Follow him on Twitter @TechJournalist.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.