A Matter Of Trust

http://www.webservicespipeline.com/development/22104133

The Trusted Platform Model promises to solve many of the most pressing software security challenges. Can it deliver for developers?
By Andy Dorman
Courtesy of IT Architect
Page 1 of 3When a group of nominal competitors get together to control an industry, they're accused of acting as a trust. Because such arrangements are often illegal, they're usually kept secret and informal.
Not in the computer industry. Every major hardware and software company has embraced Trusted Computing (TC), a technology that involves placing special security hardware inside every PC. Opponents say it's designed to prevent competition, hinder interoperability, and perhaps give vendors permanent control over every PC they ship-even after it's been bought and paid for.
Vendors disagree, of course. According to the Trusted Computing Group (TCG), the trade association that sets the specification for the Trusted Platform Module (TPM), the most important component in TC, it will improve network security. The TPM ensures that the machines at each end of a link can be certain of each other's identity and configuration. TCG members say this will let enterprise networks detect and isolate client machines containing viruses and other malware, and warn computer owners if a machine has been tampered with.
Either prediction could come true. TC's first effect will be to make PKI ubiquitous, overcoming much of the complexity that until now has prevented the use of digital signatures and certificates in client authentication. Later, it will facilitate network management by letting servers and switches know exactly what hardware or software is connecting to them. But it can also be abused by vendors seeking to enforce onerous software licensing terms, or to prevent interoperability with proprietary file formats and communication protocols. What actually happens will depend mostly on enterprise IT departments, and whether network managers understand the technology.
SIGN OF THE TIMES
Despite its name, TC isn't really about trust. It's about verification to make trust unnecessary. This is achieved through digital signatures, which can be used both to authenticate a machine and to confirm its configuration. By signing measurements of a PC's hardware or software, or a user's biometrics and presence data, a TC device can vouch for a machine's state, not just its identity.
Authentication based on digital signatures isn't a new idea. It's the foundation of PKI and is already used by most Web servers that encrypt data through SSL. What the TPM adds is secure storage for the private keys used in signing. The theory is that software-based key generation or storage will always be vulnerable to software attacks, so private keys should be created, stored, and used by dedicated hardware.
The TPM is a chip designed to do just this. It contains a random number generator, some memory, and an implementation of the RSA encryption and SHA1 hashing algorithms. The random number generator is used to create key pairs, with the public key exported and the private key stored within the chip. Signatures are calculated by the TPM itself, so the private key is never revealed to anyone.

KEY HOLES
All this is intended to protect against any conceivable software attack. The only way to obtain a private key is to let a computer forensics expert tear the chip apart, and sometimes even that won't help: Broadcom is promoting hardened TPMs with physical security measures that will delete all data in the event of tampering.
Guessing the private key by trial and error is equally difficult. The RSA keys in a TPM are all 2,048 bits long, which would take a present-day supercomputer trillions of years to crack. RSA Security predicts that keys of this length will remain secure until at least the 2030s, even allowing for Moore's Law or grid computing technologies that can distribute the load across thousands of machines.
An uncopyable, uncrackable key sounds attractive, but it can pose problems. The most obvious is that it's only useful for authentication, not encryption. If a TPM is damaged, all the data that requires its keys for decryption is rendered inaccessible. For this reason, the TPM uses different private keys for decryption and signing. Unlike signing keys, decryption keys can be exported.
Letting the key leave the TPM negates the main advantage of secure key storage, so the latest version of the specification, revision 1.2, adds the option of a "trusted" backup. This transfers decryption keys securely between TPMs, rather than simply saving them to disk.
COP-PROCESSOR
Other problems involve the data that the TPM signs, not the keys themselves. The TPM's most controversial feature is attestation, the ability to measure the state of a computer and send a signed message certifying that particular hardware or software is or isn't present. Most TC opponents fear that this will be abused by vendors.
Attestation can be a good thing if it's used to protect a network against a compromised machine. Vendors such as Cisco Systems and Broadcom are already developing switches that will use the TPM for authentication and more. These switches can direct a PC running an unpatched OS to a Windows update server, or stop a virus-infected PC from connecting to a network at all. They can also tell a computer owner whether the configuration has been changed, protecting against spyware and other threats that result from malicious or inept users.
The risk is that attestation can also reveal information to third parties. For example, a Web site could refuse connections to surfers who aren't using a particular browser or OS, or who have pop-up blocking software installed. Worse, an application could encrypt documents in a way that makes them unreadable to any competitor, preventing interoperability. The application vendor could then change its licensing terms and use the TPM to enforce them, perhaps requiring the purchase of a new copy whenever hardware is upgraded, or even charging enterprises a regular fee to access their own data.
The most serious accusation is that the TPM itself could contain a back door, allowing data to be accessed by its manufacturer, the government, or a lucky hacker. Many critics fear that it's a reincarnation of the Clipper chip, the cryptographic hardware proposed 10 years ago that would have given the FBI access to all encrypted communications.

TRUST BUSTERS
The TCG has been working to address some of these criticisms. It stresses that the technology is strictly opt-in, requiring that a TPM be activated by its owner. In February 2004, the group also caved in to requests from the European Commission and altered the specification to improve owner privacy.
The first version of the TPM to be implemented in real chips, revision 1.1, included a hierarchy of keys (see "Kinds of Keys"). At the top was the endorsement key, hardwired into the chip at the time of manufacture. A certificate authority (CA) chosen by the TPM manufacturer would link this to the individual keys generated by the TPM, meaning that every chip could potentially be tracked by the CA.
The endorsement key is still included in revision 1.2, but it doesn't have to be used directly. Instead, the specification provides a mechanism that lets a chip prove to remote entities that it's indeed a spec-compliant TPM, without revealing which specific TPM it is. This is achieved through "zero-knowledge" cryptography, an emerging field that allows one end of a link to demonstrate knowledge of a secret without actually giving away any information about the secret itself.
The new specification also recommends that TPM manufacturers destroy their own copies of the key after it's been embedded in the chip. This lets enterprises choose any CA, including their own internal server, rather than being forced to trust one chosen by the TPM manufacturer.
However, the TCG has held firm on attestation. It has resisted demands from the Electronic Frontier Foundation, a nonprofit group of digital rights activists, that it allow the owner of a computer to alter the measurements fed into the TPM. This would provide a workaround for TPM-enforced incompatibility by letting computer owners trick the TPM into believing that data is being read by one application and not another (see "An Attestation Test for Vendors," Off the Wires). The specification makes a distinction between a computer's owner and its users, so letting the owner lie to the TPM wouldn't help ordinary users deceive an IT department.