Rock Solid Solution to Safeguarding Connected Computing
Module (TPM), which is amazing in its own way because within five years everybody will have a
TPM in their computers. The TCG is a standards group in the information technology industry,
formed by the major suppliers to agree on a set of security specifications, and the TPM is the first
instance of a silicon incarnation of one of the key specifications.
Why should anybody care? Since the widespread adoption of the Internet, starting in 1995 or so
and really accelerating during the Dot Com Bubble of the late 1990s, a tremendous amount of
value has migrated to the Internet, making it an attractive target for thieves. Nowadays, most
people in the developed world use computers, and many own their own systems. An increasing
proportion of these systems are mobile (i.e., notebooks). A lot of value is resident in these
systems in all sorts of forms: trade secrets, financial plans, credit card numbers, and passwords
for bank accounts, to name a few. Moreover, with connected computing now becoming the norm
rather than the exception, much of this value passes over communications links between nodes.
These value-containing transmissions can be anything from an email with a password in it
traveling between two client computers via an email server all the way up to an electronic funds
transfer flitting among interbank computers.
And goodness knows, the thieves have gotten cleverer. Hackers go after systems just for sport
and in competition with each other for bragging rights, but a more serious brand of highly
sophisticated computer specialist is primarily interested in the money. Over the past few years,
frequent stories have hit the media about the theft of credit card numbers from corporate servers.
Other targets have included heists of individuals' personal information, a trade that blossomed to
such a degree that it spawned a new sort of crime: identity theft.
As the whole culture moves to computing — one 10-year-old kid asked his father, a friend of
mine, "Dad, what was your favorite Website when you were young?" — the need to secure the
data in (and passing between) systems has become urgent.
A Sea Change in Public Thinking
Americans have always valued their freedom and privacy. We considered them fundamental
rights. And yet how quickly and easily all that changed after the suicide planes smashed into the
World Trade Center buildings. Before September, 11, 2001, people wanted all the privacy they
could get. If you had told someone then that they could have more convenience or scope of
action if they were to register a fingerprint with a central registry, they would have looked at you as
if you were crazy. Only criminals had fingerprints on record. But since that day, a new need has
arisen: people want to be known as who they are. If you said to me now, agree to a background
check and register a fingerprint, and you can run through the airport like OJ Simpson in his better
days with only a swipe of your finger, I would jump on it.
This need to be known as who you are has arisen out of the changed macro security situation,
the rise of identity theft and other heretofore unknown dangers, and the increased value of stored
data that individuals need to claim as theirs. This change has created a base for mass
acceptance of security features in the computing environment.
The Rise of Hardware Security
IBM, which had and continues to maintain a deep bench in the security field, pioneered the
original security chip technology in 1999. The chip — revolutionary in that it was extremely
secure, simple to use, and inexpensive — was a cryptographic microprocessor embedded in the
system board of the computing client. It supported RSA pubic key infrastructure (PKI) operations
and included electronically erasable programmable read only memory (EEPROM) for storing key
pairs. The chip communicated with the main processor via a local bus and also linked to the
system BIOS during boot up. An application programming interface (API) routed cryptographic
operations through the chip (cryptographic middleware automatically routed function calls to the
hardware).
The chip library supported 512-bit and 1024-bit key generation, encryption, decryption, and digital
signature operations as well as 256-bit decryption for symmetric key operations. All private key
operations took place within the protected environment of the chip, out of reach of sniffing Trojan
horses and other hackerware.
When a system with the embedded chip first booted up, the chip had to be enabled with a BIOS
setting (the BIOS itself was protected by an integrity procedure). IBM designed the chip this way to
avoid the difficulties Intel had with the Pentium III processor when it launched in 1Q99. Intel built
an enabled serial number into the PIII and raised a storm with privacy groups. IBM benefited from
being able to observe Intel’s mistake, and the embedded security chip was shipped without any
initial keys loaded. No one was able to give a user his or her identity. Each system owner
configured his or her own personalized subsystem identity by initializing it.
This subsystem identity key pair was called the “hardware key pair.” Once inside, the private key
was
used only to hide other keys and never to identify the system or owner. The hierarchical nature of
the key management system was one of its important strengths. The first key pair was used to
protect another key pair, called the “platform identity key pair.” This key pair was created under the
system owner’s control and could be used by the system owner to definitively identify the PC.
On the procedures side, as part of the subsystem initialization, the owner of the system could
make an archive copy of the platform private key. This archive could be divided into two to five
parts, which could be encrypted with two or more administrators’ keys and potentially stored in
multiple locations. If the system, chip, or motherboard died, or the system needed to be
upgraded, the owner had the ability to securely migrate all of his or her key information from the
old system to the new system. The security administrator might or might not want to use this sort
of backup scheme. Without it, the whole system could become inaccessible. With it, as with any
archive system, a potential security exposure existed if the administrator’s private key were ever
compromised. Each firm employing the technology had to assess its circumstances and risk
profile.
Next, a “user key pair” was created. The private key of the user pair was encrypted with the public
key of the platform pair. Before encrypting the private key of the user pair, a “passphrase” (up to
128 characters) was associated with it. Then, it was encrypted with public key of platform pair.
The memory of the passphrase was stored in the chip. As another level of protection, the chip
would not execute any operations if it didn’t receive the correct passphrase for that key.
Unlike software encryption, which can’t keep a counter, the chip could keep track of login
attempts, and it would not let the count-per-time rise too high, interpreting repeated assays as
hammering behavior. Each failed attempt increased the length of the delay before a user could try
again — up to 28 days. Although this feature could be reset with an administrative passphrase, it
functioned as a good antihacking mechanism.
The user key was not used for signing anything, but allowed the chip to load keys from
elsewhere. Unlike a smart card, the chip could work with multiple certificates (issued, for
example, by a senior citizen’s group, a corporate employer, Microsoft Outlook, American express,
and MasterCard). The number of keys could get quite large, since each organization a user might
interact with might have its own.
Impossible to Go it Alone
Although IBM’s technology was great, it had one major flaw. It would not be useful unless
everyone a computer user might potentially interact with had the same system. Yes, a security
chip could be put to work authenticating a user to a platform and storing passwords conveniently,
but for true end-to-end security in which many devices need to trust each other in order to interact,
a common framework was necessary.
Thus, in October 1999, IBM offered its embedded security chip technology to the Trusted
Computing Platform Alliance (TCPA), an industry group formed to create the specifications for
future security platforms. The IBM technology was essentially accepted by the group and
released as the TPM 1.1b specification in the first quarter of 2002.
Initially, the group had grand plans for broad usage, specifically, the spread of PKI. These
ambitions went on hold, however, because simply too many entities had to cooperate to make
PKI successful. The essence of PKI is that a user’s public key is widely available to match
against his or her private key. Someone sending something to that person can encrypt the
document with the public key, knowing that only the person with the correct private key can open
it. Vice versa, the owner of the private key can prove to others who he or she is by “signing” the
outgoing document with the private key. The document can be opened by anyone who has
access to the pubic key, knowing that if it opens, it must have come from the person with the
private key paired with the public one.
PKI can work well only if there is a trusted third party that holds the users' pubic credentials. In a
commercial organization, this structure is easy to create. Management simply makes the
organization itself the trusted third party and tells the employees that they must use the system.
Among consumers, this issue is trickier. Whom to do you trust to hold your credentials? What if
someone else you're trying to transact with doesn't trust your trusted entity and you don't trust
theirs? Is your trusted entity empowered to pass your credentials around the Internet to anyone
who asks for them? These are knotty questions, and their lack on an imminent solution is likely
to delay the full rollout of PKI in the general domain of eCommerce for quite some time.
So, the TCPA set about working on more modest goals: key generation and management, user
and platform authentication, file and folder encryption, and password management. However,
TCPA suffered from a governance problem. The group was large and unwieldy, and decisions
were argued endlessly. A small group of the largest vendors, including AMD, Hewlett-Packard
(HP), IBM, Intel, and Microsoft formed a new entity called the Trusted Computing Group (TCG) in
April 2003. In a United-Nations-like structure, decision making in the TCG was vested in this
equivalent of the Security Council, the founding Promoters group. Other members, which paid
lower dues, were called Contributors, and still others, at a lower membership rate, were called
Adopters. To date the TCG boasts of more than 110 members of all types.
Industry Reaches Consensus
The TCG released the current specification, TPM 1.2, in February 2005. The leap between the 1.1
spec and the 1.2 was in reality a lot further than a simple point-release increment. During the
three-year period between the two releases, Microsoft — which had been promoting its own
software-based architecture, known at the time as Palladium and more recently called
(euphoniously) Next Generation Secure Computing Base (NGSCB) — folded its fate in with that
of the hardware companies already promoting the TPM chip.
The nail in the coffin for software security really came much earlier, in 2000, when a computer
security firm named nCipher, stocked with fancy Ph.Ds. and based in Cambridge, England,
proved that software-based security had fatal flaws. nCipher was able to crack software security
because "good" random numbers have a high degree of entropy; that is, they spread out all over
numerical space so that they can't be hacked by someone who knows that the number lies
somewhere within a limited domain and hammers away at it with incremental attempts until it
pops open. But a highly entropic random number has its own weakness, which is that it can be
detected as such. In software security, the key, encryption algorithm, and data to be encrypted
must all be in main memory at the same time. The nCipher people came up with an algorithm
that searched main memory, looking for a high degree of entropy. Once they found the most
likely 512- or 1024-bit string, they had the key. With a Trojan horse like Back Orifice and the
nCipher algorithm, an Internet intruder could take command of a PC protected by nothing more
than software security and gather its private keys. In hardware security, cryptographic operations
are routed through the TPM chip, giving a much greater degree of protection.
The publishing of the TPM 1.2 specification signaled the beginning of broad adoption by the
industry. Although IBM continued to lead initially, by the end of 2004, many other companies were
shipping TPM-enabled clients, including Fujitsu, HP, Intel, NEC, Samsung, and others. As 2004
was closing out, Dell announced that it, too, would adopt the standard. This move was
significant because Dell alone among the large vendors had been a holdout. In 2005, many
others started shipping TPM-enabled clients, including Acer, Gateway, Lenovo (IBM's PC spin-
off), MPC, Sony, and Toshiba. For now, these companies are putting TPMs mostly on their
commercial lines, but eventually desktops and notebooks aimed at consumers can be expected
to carry the chips as well. With Microsoft firmly on board with its NGSCB incorporating the TPM
standard and Dell finally having joined the TPM camp, 2005 became the first year of broad
adoption.
Since much of the build-out needed for PKI remains unfinished, and organizations are not yet
clear on how they wish to use security hardware, many clients are still being shipped with TPMs
that are not being enabled. Commercial customers often "buy up" when they purchase hardware
with the idea in mind of creating "head room" that will allow future usage without having to buy
again. This phenomenon is one reason why shipment levels are higher than usage levels for
now. As the market gets more used to security technology, this disparity should close up.
Discrete vs. Integrated
When TPM technology first hit the market, it was available only in discrete form. That is, the
silicon module was separate from other system elements and communicated with them via a
dedicated hardware bus. More recently, silicon manufacturers have begun to integrate TPM
functionality into existing parts, a practice that greatly reduces the cost but also has a slight
negative effect on security. Examples include integration with the Super I/O (Winbond), the
network chip (Broadcom), and even the processor (Transmeta). Intel, a major player on the TCG,
has not yet voted with its feet, but eventual inclusion of TPM functionality in core logic is highly
likely. Intel may still be manifesting caution based on the fiasco of 1999, when the company
shipped processors with a serial number function enabled (allowing a query function to positively
identify any computer on the 'Net). The outcry from the Electronic Frontier Foundation and others
caused Intel to pull way back from any high profile support for technology with the potential to
compromise privacy. In addition, Intel must solve the technical problem of integrating some flash
memory into the South Bridge before the TPM can be subsumed into core logic.
Although integrated beats discrete on cost, discrete could still maintain 10-20% of the market
over time if it is sold as being more resistant to hacking. Having a part that meets Federal
Information Processing Standards Publication 4 (FIPS-4) will be a requirement in some cases (e.
g., federal agency bids) and desirable in others (e.g., central banks). Only a discrete part will be
able to meet this more stringent security standard.
Silicon Providers
As of today, TPM modules of one sort or another are produced all over the world, including in
Taiwan, China, Germany, the United States, and other countries. Producers include Atmel,
Broadcom, Infineon, Sinosun, STMicro, Transmeta, and Winbond. In addition, a number of TCG
members have created software that makes use of the TPM to provide security in various ways.
These firms include IBM, Lenovo, M-Systems, NTRU, Phoenix Technologies, Softex (Omni Pass
and Theft Guard), Utimaco (SafeGuard), VeriSign (Personal Trust Agent), and Wave Systems
(Embassy Trust Suites).
TPM Forecast
Based on the high degree of industry support for the TPM, Endpoint forecasts that by 2010, more
than 250 million modules will ship on client systems (Figure 1).
Figure 1
buyers were far more likely to equip notebooks than desktop with TPMs. It appears as if buyers
understood that notebooks presented inherently greater risks than desktops, which are more
easily secured physically. With early applications emphasizing secure logon and file and folder
encryption, a notebook user whose system was stolen could be somewhat reassured knowing
that a thief would be unable to boot it, and if he did, would be unable to read the files. Thus,
notebook attach rates have already risen and are expected to continue to rise faster than desktop
attach rates (Figures 2 and 3).
Figure 2
steadily rising proportion of notebooks, and eventually the number of TPMs shipped in desktops
will outpace that of those shipped in notebooks (Figure 4).
Figure 4
The TPM forecast is based on a set of assumptions set out below. Should any of these
assumptions turn out to be incorrect, the forecast could vary materially.
- Most OEMs commit strongly in 2005 with the TPM 1.2 spec
- Dell's entry in 2005 gives the TPM market a legitimacy that acts to jump-start it across
the board - Windows Vista incorporates TPM 1.2 in NGSCB in 2006
- Intel integrates TPM functionality in its South Bridge by 2008
- The client space saturates with TPM completely by 2010
- Enterprise customers, for whom justification is easy but who are naturally conservative,
will be relatively slow to implement security solutions; however, many enterprises will
purchase TPM-enabled clients as part of a “buy up” strategy - Uptake of TPM-enabled clients by consumers, in contrast, will be more rapid, since
these buyers pretty much take what is offered on the shelf; consumer implementation,
however, will have to await the resolution of trust issues
This forecast covers only TPM modules shipped with PC clients. A far greater number will
ultimately ship in other devices, such as servers, mobile phones, storage, and peripherals.
Final Notes
One of the reasons why adoption of client security as embodied by the TPM has been slow is
that such functionality has scant visible manifestation. For example, when file encryption is
working, files just appear to open and close. The fact that they are being encrypted and
decrypted on the fly is barely noticeable, save for a slight lag. With today's highly capable
hardware, this lag is becoming progressively more invisible. One element that gives greater life
to the TPM concept is access control hardware, particularly fingerprint readers. The user sees
the reader on the surface of the device and knows that it contains security technology. Biometric
access will become increasingly common with fingerprint readers being the most prevalent
form of biometrics. People are familiar with fingerprinting and more likely to accept such a
system than vein-pattern readers, iris scanners, and the like — which brings us back to where
we started: the concept of fingerprinting has evolved beyond its connotation as a method of
criminal identification to become a means for citizens to claim their own identities.
Of the various authentication means — what you have (e.g., a smart card), what you know (e.g.,
a password), and what you are (e.g., a unique fingerprint) — what you are is by far the most
secure as well as the most convenient. You don't lose or forget yourself, and the complexity of
your unique biological characteristics makes stealing your identity difficult enough to support
biometrics' use in eCommerce. Of course, multifactor authentication is possible. You can be
required to enter both a fingerprint and a password, but why not just enter two prints from
different fingers and call it a day?
For the moment, fingerprint reader pairing with TPM lags. Many more TPMs have shipped than
readers. However, this pairing should begin to pull into line about halfway through the forecast
period.
Meanwhile, the exciting news is that the TCG is applying the trust specification developed for
PCs to a broader — potentially universal — set of devices, including servers, mobile phones,
peripherals (i.e., keyboards, mice), storage, infrastructure, and software. One of the most
interesting developments that the
TCG is undertaking is the specification of something called Trusted Network Connect (TNC), a
significant, high profile development directly applicable to today’s network operations.
Introduced in April 2005, TNC is an open standard that allows network operators to establish
policies for client access. The TNC spec presents a roadmap for technology development and
deployment. As a standard, it provides for the introduction of components from many vendors.
Essentially, it establishes an endpoint profile and integrity check before allowing entry to a
trusted network. Using authentication technology based on the TPM, the TNC Client collects
information about the authenticity and integrity of the client and bundles it as part of a network
access request. That is, not only are the user and the device identified, but the status of the
device is queried as well. For example, you may be the correct user and your device may be the
right piece of hardware, but perhaps your virus definition files are out of date. That's where the
other half of the TNC equation, the TNC Server comes in. Residing at the server end, it
determines quality of a client's compliance, and hands the machine off to quarantine and
remediation if necessary (e.g., topping off that out-of-date virus definition file) or simply bounces
it out as an unfriendly intruder, depending on policy. If — and when — everything checks out
right, the client is admitted to the network.
The TNC spec and many others will be forthcoming from the TCG over the next months and
years. These specifications will enable all manufacturers to build devices that let people
transact over the Internet with confidence. This confidence will be key as the value of what
travels over the Internet and what is stored on these devices rises over time. Security
technology is crucial to the success of eCommerce.
