What’s the difference between the endorsement key and the attestation identity key within the TPM?


I’m trying to make notes about the TPM and what it does. More specifically I’m looking at the 3 RSA key pairs: the ‘endorsement key’, the ‘storage root key’ and the ‘attestation identity key’.

This is what I have written so far:

The ‘Endorsement Key’ is an RSA key pair where any data sent to another device is encrypted using the private key and the receiving device decrypts it with the public key, so it knows the data is trusted. This is created when the TPM is manufactured (not user-specific)

The ‘Storage Root Key’ is a pair of RSA keys within the TPM and is used to protect TPM protected keys created by applications and stored outside of the TPM, so that these keys cannot be used without the TPM. It’s created when you take ownership of the TPM (If user changes so does the key)

However, I am now trying to research the use of the attestation identity key but don’t understand how it is different from the endorsement key? If anyone could explain in simple terms because this is all new to me I would greatly appreciate it 🙂