A Technical Overview of CAN/CSA-ISO/IEC 11889-4:16: Trusted Platform Module Supporting Routines

Understanding the Cryptographic Foundation and Implementation Requirements for TPM Part 4

Scope of the Standard

CAN/CSA-ISO/IEC 11889-4:16, officially titled Information technology — Trusted Platform Module Library — Part 4: Supporting Routines, specifies the low-level cryptographic and utility functions that enable the operation of a Trusted Platform Module (TPM). This standard is the Canadian adoption of ISO/IEC 11889-4:2015, which itself is identical to the Trusted Computing Group’s TPM 2.0 Library Part 4. The routines covered include hashing, HMAC, symmetric encryption, random number generation, parameter encryption, and session management. Every TPM command relies on one or more of these supporting routines, making Part 4 essential for any compliant TPM 2.0 implementation. The standard targets developers of TPM firmware and software stacks, ensuring interoperability across platforms and applications, such as secure boot, disk encryption, and platform attestation.

Technical Requirements for Supporting Routines

The standard defines precise algorithms, data structures, and function prototypes for each supporting routine. Implementors must adhere to the following key requirements:

  • Hash functions: Must support SHA-256, SHA-384, and SHA-512. The routines include context-based incremental hashing (start, update, complete).
  • HMAC: Shall be based on the approved hash functions and follow the standard HMAC construction (H(K⊕opad || H(K⊕ipad || M))).
  • Symmetric encryption: Must support AES-128, AES-192, and AES-256 in CBC and CFB modes. The standard dictates the exact initialisation vector handling for parameter encryption.
  • Random number generator (RNG): Must implement a Deterministic Random Bit Generator (DRBG) compliant with NIST SP 800-90A, with options for Hash_DRBG, HMAC_DRBG, or CTR_DRBG.
  • Parameter encryption: Provides XOR and AES-CFB based methods to protect command parameters in transit.

All function prototypes use C-language bindings with explicit context structures to support multiple concurrent sessions. The standard also specifies error codes and state transitions for each routine to ensure robust error handling.
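The HMAC construction and the start/update/complete context pattern described above, as an added Python example (not code from the standard or from any TPM implementation). The class and function names are hypothetical, the keys and message are constructed, and the result is checked against Python's standard-library HMAC.

```python
import hashlib
import hmac

class HmacContext:
    """Hypothetical context structure (start/update/complete); names are illustrative."""

    def __init__(self, alg, key):                      # "start"
        self._alg = alg
        block = hashlib.new(alg).block_size            # 64 for SHA-256, 128 for SHA-384/512
        if len(key) > block:                           # over-long keys are hashed first
            key = hashlib.new(alg, key).digest()
        k0 = bytearray(key.ljust(block, b"\x00"))      # zero-pad the key to one block
        self._inner = hashlib.new(alg, bytes(b ^ 0x36 for b in k0))   # H(K xor ipad || ...
        self._outer_key = bytearray(b ^ 0x5C for b in k0)             # K xor opad, used in complete
        k0[:] = bytes(len(k0))                         # clear the padded key copy
        self._active = True

    def update(self, data):
        if not self._active:
            raise RuntimeError("context already completed")
        self._inner.update(data)

    def complete(self):
        if not self._active:
            raise RuntimeError("context already completed")
        outer = hashlib.new(self._alg, bytes(self._outer_key))
        outer.update(self._inner.digest())             # H(K xor opad || H(K xor ipad || M))
        self._outer_key[:] = bytes(len(self._outer_key))  # best-effort wipe; Python may hold copies
        self._inner = None
        self._active = False                           # terminal state: the context cannot be reused
        return outer.digest()

def hmac_incremental(alg, key, chunks):
    ctx = HmacContext(alg, key)
    for chunk in chunks:
        ctx.update(chunk)
    return ctx.complete()

def self_check():
    """Compare with the standard library for a short key and an over-long key."""
    chunks = [b"constructed ", b"sample ", b"message"]
    keys = [b"\x0b" * 20, b"\xaa" * 200]               # constructed; the second exceeds the block size
    return all(
        hmac.compare_digest(hmac_incremental(a, k, chunks),
                            hmac.new(k, b"".join(chunks), a).digest())
        for a in ("sha256", "sha384", "sha512") for k in keys)
```
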

| Routine Category | Algorithms | Key Lengths (bits) | Approval Status |
| --- | --- | --- | --- |
| HASH | SHA-256, SHA-384, SHA-512 | N/A | Mandatory |
| HMAC | HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512 | 256–512 | Mandatory |
| Symmetric Encryption | AES-128-CBC, AES-256-CBC, AES-128-CFB, AES-256-CFB | 128, 256 | Mandatory |
| RNG | Hash_DRBG, HMAC_DRBG, CTR_DRBG | N/A | Mandatory (at least one) |
| Parameter Encryption | XOR, AES-CFB | 128, 256 | Conditionally mandatory |

Table 1: Summary of core supporting routine categories and their algorithms as specified in CAN/CSA-ISO/IEC 11889-4:16.

Implementation Highlights

Developing a compliant implementation requires careful attention to both security and interoperability. The standard mandates side-channel resistance for all routines that handle secret keys, especially AES and HMAC. Context structures must be initialised securely and wiped after use to prevent key leakage. The use of enumeration types for algorithm selection allows the TPM to be extensible while maintaining backward compatibility. Implementations should follow the exact function naming and parameter ordering given in the standard to avoid deviations that could break conformance tests. The standard also specifies how supporting routines interact with the command dispatcher, including the handling of session-based authorisation and parameter encryption. To reduce development effort, teams can wrap existing cryptographic libraries, but must validate that the wrapping layer meets all interface and error-handling requirements.

Tip: When implementing RNG, ensure the DRBG is seeded with sufficient entropy. The standard recommends using multiple entropy sources and performing health tests as per NIST SP 800-90B.
Warning: Using algorithm identifiers that are not defined in the standard (e.g., SHA-1) will result in non-compliance. Always use the official algorithm enumeration constants.
Success: A compliant implementation guarantees interoperability with operating systems that require TPM 2.0, such as Windows 11, enabling seamless integration for BitLocker, Windows Hello, and secure boot.
Danger: Improper handling of session contexts can lead to authorisation bypass or key disclosure. The standard requires that contexts be explicitly terminated and cleared from memory after each command.
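For the RNG requirement and the seeding tip above, an added Python sketch of HMAC_DRBG from NIST SP 800-90A with SHA-256 (not code from the standard or any TPM implementation). It rejects undersized seed material and refuses to generate once the reseed interval is exceeded; the class name, method names and the fixed seed bytes in `demo` are assumptions made for illustration.

```python
import hashlib
import hmac

class HmacDrbg:
    """HMAC_DRBG (SP 800-90A) with SHA-256; class and method names are illustrative."""
    MIN_ENTROPY = 32   # bytes: 256-bit security strength
    MIN_NONCE = 16     # bytes: half the security strength

    def __init__(self, entropy, nonce, personalization=b"", reseed_interval=2 ** 48):
        if len(entropy) < self.MIN_ENTROPY or len(nonce) < self.MIN_NONCE:
            raise ValueError("insufficient seed material")
        self._k, self._v = b"\x00" * 32, b"\x01" * 32
        self._interval = reseed_interval
        self._update(entropy + nonce + personalization)
        self._counter = 1

    def _mac(self, data):
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, data):
        for sep in (b"\x00", b"\x01"):
            self._k = self._mac(self._v + sep + data)
            self._v = self._mac(self._v)
            if not data:               # the second round runs only when data is supplied
                break

    def reseed(self, entropy, additional=b""):
        if len(entropy) < self.MIN_ENTROPY:
            raise ValueError("insufficient entropy")
        self._update(entropy + additional)
        self._counter = 1

    def generate(self, n, additional=b""):
        if self._counter > self._interval:
            raise RuntimeError("reseed required")   # caller must supply fresh entropy first
        if additional:
            self._update(additional)
        out = b""
        while len(out) < n:
            self._v = self._mac(self._v)
            out += self._v
        self._update(additional)       # advance state so earlier output cannot be recomputed
        self._counter += 1
        return out[:n]

def demo():
    # Constructed, fixed seed bytes for illustration; a real seed comes from tested entropy sources.
    drbg = HmacDrbg(bytes(range(32)), bytes(range(16)), reseed_interval=2)
    return drbg.generate(48), drbg.generate(48)
```
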

Compliance Notes and Certification

To claim compliance with CAN/CSA-ISO/IEC 11889-4:16, an implementation must pass the relevant conformance tests provided by either the Trusted Computing Group (TCG) or an accredited certification body. In Canada, certification is typically coordinated through the Standards Council of Canada or recognised laboratories such as those accredited by the Canadian Association for Laboratory Accreditation (CALA). A full compliance assessment covers:

  • Functional correctness of all supporting routines.
  • Implementation of all mandatory algorithms.
  • Side-channel resistance evaluation.
  • RNG entropy source validation.

The standard includes informative annexes with guidance on integration, but these are not normative. Any deviation from the normative text—such as using different algorithm identifiers or omitting required functions—will invalidate compliance. Since the standard is adopted unchanged from the ISO/IEC version, global certification is generally accepted.

FAQs

Q: What is the relationship between CAN/CSA-ISO/IEC 11889-4:16 and the TCG TPM 2.0 Library?
A: They are technically equivalent—the ISO/IEC standard is the international version of the TCG specification. An implementation conforming to one automatically conforms to the other.
Q: Are the supporting routines mandatory for all TPM commands?
A: Yes. Every TPM command relies on at least one supporting routine (e.g., HASH for command audit, or HMAC for authorisation). The TPM cannot function without these routines.
Q: Can I reuse an existing cryptographic library for the routines?
A: Yes, but the library must be wrapped to match the exact function prototypes, context structures, and error codes defined in the standard. Direct use of different APIs may cause conformance issues.
Q: What is the status of the standard as of 2026?
A: The 2016 edition remains current and widely adopted. The TCG has released newer versions of the TPM 2.0 specification, but the ISO/IEC version has not been updated. Check official sources for the latest amendment status.

Article published 2026. This content is for informational purposes and should be verified against the official CAN/CSA-ISO/IEC 11889-4:16 document for precise requirements.
