Navy Anti-Tamper (AT) Technical Agent
http://www.navytechmatch.com/DOD/Opportunities/SBIRView.aspx?id=OSD05-A06
Basic Information:
--------------------------------------------------------------------------------
Title: Secure Trusted Computing System-on-Chip
Program: SBIR
Technology Area: Information Systems , Materials/Processes
Open Date: 9/15/2005
Close Date: 10/14/2005
Description:
--------------------------------------------------------------------------------
The Navy Anti-Tamper (AT) Technical Agent, in conjunction with the DoD Anti-Tamper Executive Agent (ATEA), is charged with developing technologies to prevent/delay the exploitation of Critical Program Information (CPI). The DoD requirements for program protection in deployed tactical systems often necessitate frequent real-time processing of encryption and hashing algorithms for integrity and veracity assessment. A secure trusted System-on-Chip component supporting these processing requirements can be used to build or extend the trusted environment to outside of the component up to the host processor boundaries, and with networking, enabling both networked platforms in a transaction to evaluate the trustworthiness within another runtime content, and even establish equivalency of components in their respective environments. By supporting a variety of standard input/output interfaces and protocols, this System-on-Chip family provides a spectrum of embedment design options for integrity and security processing needs.
Objective:
--------------------------------------------------------------------------------
Develop a System-on-Chip (SoC) family of devices, utilizing Trusted Foundry Library components, which can provide Trusted Platform Module processing support for computer processing integrity measurement, and provide a range of power consumption/performance options. To be secure, the System-on-Chip family must incorporate capabilities to detect unauthorized access attempts, provide a mechanism to react to the attempt (with penalties not a part of this SBIR) and prevent compromise of secured data.
Phase I:
--------------------------------------------------------------------------------
Develop a preliminary concept of a family of System-on-Chip designs using existing trusted foundry components, which support the security and integrity encryption and hashing requirements, and protect resident secured data. Develop concept for System-on-Chip design, and provide a plan for accomplishment of phases II and III.
Phase II:
--------------------------------------------------------------------------------
Complete System-on-Chip design. Develop design package for Navy to initiate fabrication of two evaluation wafer lots using the GFE services of a Trusted Foundry. Package devices resulting from these processed wafers and develop a plan for testing of the final products. PHASE III DUAL-USE APPLICATIONS: Phase III development could include testing the Phase II System-on-Chip designs, reviewing and revising the Phase II SoC designs and fabrication, using a government furnished equipment (GFE) Trusted Foundry, five additional wafer lots. This would be followed by packaging and testing the resulting System-on-Chip trusted processors. The contractor would then demonstrate the System-on-Chip on an active DoD program requiring Anti-Tamper. Commercial applications include the protection of high-value chip architectures and ensuring that proprietary designs are protected during processing and testing stages.
References:
--------------------------------------------------------------------------------
https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf
1) Wills, L., Newcomb, P., Eds. Reverse Engineering, Kluwer Academic Publishers, 1996.
2) Ingle, K. A. Reverse Engineering, McGraw-Hill Professional, 1994.
3) DOD Needs to Better Support Program Managers’ Implementation of Anti-Tamper Protection, GAO Report GAO-04-302, 2004. (http://www.gao.gov/new.items/d04302.pdf)
4) Huang, A. Hacking the Xbox: An Introduction to Reverse Engineering, No Starch, 2003.
5) Fullam, S. Hardware Hacking Projects for Geeks, O'Reilly, 2003.
6) Grand, J., Russell, R., Mitnick, K. Hardware Hacking: Have Fun While Voiding Your Warranty, Syngress, 2004.
SBIR Keywords
--------------------------------------------------------------------------------
TechMatch Keyword(s):
--------------------------------------------------------------------------------
Computer Systems
Computer Hardware
Electronics and Electrotechnology
Electronic Components
Materials
Microelectronics
DISCLAIMER:
--------------------------------------------------------------------------------
The Solicitations listed on this site are copies from the various SBIR agency solicitations and are not necessarily the latest and most up-to-date. For this reason, you should use the agency link listed below which will take you directly to the appropriate agency server where you can read the official version of this solicitation and download the appropriate forms and rules.
The Official Website can be found at: http://www.acq.osd.mil/sadbu/sbir/solicitations/index.htm
Office Of The Secretary Of Defense (OSD)
Deputy Director Of Defense Research & Engineering
Deputy Under Secretary Of Defense (Science & Technology)
Small Business Innovation Research (SBIR)
FY2005.3 Program Description
Read the following few sentences:
"As envisioned, the Global Information Grid (GIG) will connect the roughly 3 million computers, 100,000 LANs, 100 long-distance networks, and a multitude of wireless networks and devices in support of all DoD, national security, and related intelligence community missions and functions. It will provide the joint warfighter with a single, end-to-end information system capability, built on a secure, robust network-centric environment, allowing users to post and access shared data and applications regardless of their location – while inhibiting or denying an adversary’s ability to do the same..."
The only technology I know that is capable of securing every node (THREE MILLION COMPUTERS) is using TPMs.
Read the papers listed in the following link. Several of them discuss TPMs and other security strategies. There is too much to copy and paste into this post.
http://www.dodsbir.net/solicitation/sbir053/osd053.htm
Barge - too funny
I didn't realize that was the paper you were referring to. The link didn't show up in your post.
Barge & Cliff: re NEC
I'm not doubting NEC is including TPMs in their models. I just noticed the information wasn't readily available in the spec sheet. I know NEC has been involved with TCPA and TCG for a long time.
Going back to this paper (from this last Winter), it shows some of their thoughts regarding TPMs
http://www.nec.co.jp/techrep/en/r_and_d/a05/a05-no1/a070.pdf
Barge: NEC
Here's a PDF on the Australian site
http://www.nec-online.com.au/NECPDF/nec%20versa%20m350%20anz.pdf
Product Details
http://www.nec-online.com.au/Products/Product_Details.asp?CID=1&RangeID=1&CatID=2&ModID=...
OSI Layers and TPM
Here's a good diagram on how TPMs fit into the OSI model.
http://azgita.gov/enterprise_architecture/AZ_EA_Target_Technology_Table.htm
I thought some might enjoy...
this new search engine I heard about. It takes some getting used to, but displays information much differently. It's called Grokker.
Here are the results for "Trusted Platform Module"
http://www.grokker.com/applet.html?query=%22Trusted%20Platform%20Module%22
Wave Systems
http://www.grokker.com/applet.html?query=%22Wave%20Systems%22
Trusted Computing Group
http://www.grokker.com/applet.html?query=%22Trusted%20Computing%20Group%22
Comparison of Infineon and Wave Systems
Infineon Prof Pack 2.0
http://www.infineon.com/upload/Document/cmc_upload/documents/012/7539/tpm1.2-software-pb.pdf?BV_Sess....
Wave Systems - Embassy Trust Suite
http://www.wave.com/products/ets.html
Comparison of Languages Supported
BOTH = indicates Wave and Infineon support this language
BOTH English
BOTH French
BOTH German
BOTH Italian
BOTH Japanese
BOTH Spanish
BOTH Simplified Chinese
WAVE Simplified Russian
INFI Traditional Chinese
INFI Korean
Operating Systems Supported
Wave - ETS
Windows 2000 (with SP4)
Windows XP Home Edition (with SP1)
Windows XP Professional Edition (with SP1)
Infineon - Prof Pack 2.0
Windows 2000 Prof
Windows 2000 Adv Server
Windows XP Home
Windows XP Prof
Windows XP Tablet PC Edition Version 2002
Windows 2003 Server
Seagate & Wave
Reposting of this paper:
TP-541
From: Global Product Marketing
June 2005
http://now.eloqua.com/eloquaimages/clients/Seagate/{aa786575-884c-4601-8797-a6ea0e1fbe68}_TP-541_-_S....
To get to this document, you go through this registration screen.
Momentus FDE Whitepaper registration
http://fde.seagatestorage.com/
Next Generation Mobile Systems: 3G & Beyond
May, 2005
http://www.wiley.com/WileyCDA/WileyTitle/productCd-0470091517.html
Page 204
http://print.google.com/print?id=jDQh96evzkkC&lpg=PA204&dq=%22trusted+Computing+Group%22&...
Page 205
http://print.google.com/print?id=jDQh96evzkkC&pg=PA205&lpg=PA205&dq=%22Trusted+Platform%...
Page 206
http://print.google.com/print?id=jDQh96evzkkC&lpg=PA204&dq=%22trusted+Computing+Group%22&...
Page 207
http://print.google.com/print?id=jDQh96evzkkC&lpg=PA205&dq=%22Trusted+Platform%22&prev=h...
Page 312
http://print.google.com/print?id=jDQh96evzkkC&pg=PA312&lpg=PA312&dq=%22Trusted+Platform%...
DRM News Blog
http://www.drmblog.org/
Enabling DRM in Embedded Devices
by Tony Walters
http://linuxdevices.com/articles/AT3715099716.html
Sun wants Feds to set copy-protection standards?
http://news.com.com/2061-10802_3-5841241.html
August 22, 2005 8:28 AM PDT
Sun wants Feds to set copy-protection standards?
Sun President Jonathan Schwartz announced a new open-source standard for digital rights management during a speech here in Aspen, Co. last night.
In an interesting aside, Schwartz said that he believed the federal government should be involved in DRM standards. He used the example of pre-Civil War railroads in the United States, saying that a shipment from New York to Washington, D.C. might have to switch rail lines because of the lack of rail-gauge standards.
That raised some eyebrows in the audience. One attendee from a large media company told me afterwards, with just a hint of bitterness, that such a call for government involvement in DRM sounded a little like the Hollings bill from a few years ago -- which was soundly panned and failed without the dignity of a floor vote.
On Monday, Progress and Freedom Foundation president Ray Gifford replied to Schwartz: "One place I affirmatively disagree is where he said he saw a role for government in standards-setting."
He added: "If you want to have government in the middle of a standards-setting process, you set yourself up for failure. Look at digital television. Q.E.D. Private standards-setting bodies seem to be working pretty well."
Posted by Declan McCullagh
Security Concerns - Thin Clients vs TPMs
I think someone posted this earlier today, that Wave and Wyse will be presenting together in September. It's interesting to note that everyone knows that FAT clients are inherently insecure. It's even more curious to note that THIN clients are MORE secure, yet Wyse is already preparing to make THIN clients even more secure. Neoware, which is Wyse's direct competitor, is ALSO acknowledging that FAT clients have a foothold on the market and TPMs will be a necessity.
http://www.gildertech.com/public/Telecosm2005/Agenda.htm
September 26, 2005
Trusted Computing and Secure Networking: trusted storage, networks, processing, and computing applications
Speakers:
John Kish, President and CEO, Wyse Technology
Steven Sprague, President and Chief Executive Officer, Wave Systems
As organizations put their core business processes on the Internet, the ability to know the identities of the entities in a transaction, protect the data being sent, and keep unauthorized intruders away from sensitive databases and corporate resources has become a difficult challenge.
http://www.computerworld.com/managementtopics/management/helpdesk/story/0,10801,101941,00.html
Trust your PC to protect your ...
... network. No, not Windows, but the PC hardware itself. In March, Dell Inc. became the last of the major PC makers to begin shipping systems with Trusted Platform Module (TPM) security devices, which are based on specifications developed by Trusted Computing Group Inc. in Portland, Ore. Steven Sprague, CEO of IT security vendor Wave Systems Corp. in Lee, Mass., says that in four or five years, as companies replace their older PCs, all corporate desktops and laptops should be TPM-ready. TPM chips can be used to encrypt e-mail messages and data on hard drives. Most important, says Sprague, the technology can authenticate users before letting them on corporate networks, making it more difficult for unauthorized people to access systems. He adds that once all your PCs are TPM-enabled, it may be possible to ditch your single sign-on plans because you'll be able to use the initial authentication to give end users access to all their applications. Sprague says the TPM specification for mobile devices will be ready by the end of the year. Goodness. What will we do when computing becomes secure?
Michael Kantrowitz, CEO of Neoware Systems Inc.
A lot cheaper and more secure ...
... than PCs. That's what all thin-client advocates boast about their devices. Yet, according to market research company IDC, thin clients make up a minuscule 1% to 2% of the overall desktop market. That doesn't dampen the enthusiasm of Michael Kantrowitz, CEO of Neoware Systems Inc. in King of Prussia, Pa. After all, Fortune magazine just dubbed Neoware the eighth-fastest-growing company in the U.S., and IDC ranks it as the No. 2 thin-client vendor behind Wyse Technology Inc. Kantrowitz thinks his company is on a trajectory to pass San Jose-based Wyse, although he wouldn't say when. Furthermore, he predicts that by 2010, as much as 10% of desktop systems will be thin clients, due to a combination of cost issues and security concerns that TPM technology may or may not resolve. Kantrowitz estimates that up to 90% of corporate desktops could be replaced by thin clients, but he acknowledges that it won't happen. "PCs are entrenched in IT departments and will continue to be entrenched," he says.
http://www.thinclient.org/archives/news/
Wyse Technology Dominates Thin-Client Market
SAN JOSE, Calif., July 12 /PRNewswire/ -- Wyse Technology, the global leader in thin-client computing, today announced the company has extended its number one position in the thin-client market in the first quarter of 2005, according to a recent report from International Data Corporation (IDC).
Source: RedNOVA
According to Framingham, Massachusetts-based IDC, Wyse Technology secured 38.15 percent of the overall worldwide enterprise thin-client market, growing product shipments at an aggressive 14.7 percent over the prior quarter. The IDC report on the thin client market is based on shipment records and information from the major vendors and their channel partners.
"Wyse started 2005 with greater unit growth than any other major vendor in our survey, outgrowing the market as a whole," noted Bob O'Donnell, Research VP, Clients and Displays with IDC. "We predict the thin client market will grow at a compound annual growth rate of 20.7% from 2005 to 2009, significantly outpacing the overall growth rate of the PC market."
The report showed Wyse's nearly 15 percent product shipment growth was more than double that of competitors HP and Neoware.
"We stand alone with these remarkable growth rates because of our commitment to investment in a world-class management team, global R&D operations and industry leading software, hardware and service solutions," commented John Kish, CEO of Wyse Technology. "We are driven by our customers and the overall market, to continually invest more in the development of our devices and infrastructure management software than anybody else in the industry. With this report, we are seeing the results of our customer-driven and aggressive efforts in the domestic and global marketplace."
About Wyse Technology
Wyse is the #1 vendor the world's largest businesses and institutions trust for scalable thin-client computing solutions. Wyse provides the hardware, software, and services that shift computing complexity to the network, reducing cost, liberating IT departments from unnecessary support and maintenance functions, empowering users to be more productive in their jobs, and protecting and improving access to critical information and business applications. Headquartered in San Jose, California with offices worldwide, Wyse has been #1 in thin-client market share for the last eight years, enjoys a close partnership with Citrix Systems, and has been named Microsoft "Embedded Partner of the Year" for three years. Wyse customers include FedEx, Best Buy (Canada), Quaker Foods, Gold's Gym, and CON-WAY Transportation.
For more information, visit the Wyse website at http://www.wyse.com/ or call 1-800-GET-WYSE.
Wyse Technology
CONTACT: Skye Pillsbury of OutCast Communications, +1-415-392-8282, or skye@outcastpr.com, for Wyse Technology
Web site: http://www.wyse.com/
Secure hard drive
This is the closest product that I've found to Seagate's secure drive.
Xelios Secure Bio Drive
http://fr.xelios.com/content.php?type=product&id=14
and Software
http://fr.xelios.com/content.php?type=product&id=41
Two Ways Microsoft Is Improving Security in Longhorn
by Alex Woodie
http://www.itjungle.com/two/two082405-story01.html
There's been a lot of talk of late about new user interface features in the upcoming Longhorn release of Windows, things designed to elicit a "gee-whiz" response among users, like transparent windows and icons that display the content of the file. Eye candy aside, Microsoft executives have gone on the record saying if they could just get security right with Longhorn that would be enough. Two ways that Microsoft is following through on that pledge is better control over administrative privileges and the Trusted Platform Module (TPM) microchip.
Security improvements in the upcoming release of the Windows Vista client and the Windows Longhorn server will be delivered through hardware and software. Let's take a look at both.
Hardware-based Security Enhancements
Windows Longhorn will use a hardware-based security mechanism, called the Trusted Platform Module (TPM), to ensure only authorized applications are accessing system resources. The TPM itself is a cryptographic microprocessor that is installed on the motherboard, and is used to generate matching keys. If a requesting application or service does not have a key that matches the master key stored on the TPM, the program is denied access.
There are several advantages to using a hardware-based security mechanism like TPM compared to software-based security mechanisms. Because the master key is held on the TPM device and is separate from the operating system and the computer system's memory, the TPM system is not susceptible to underlying flaws or vulnerabilities in the operating system or attacks on the memory. TPM systems are vulnerable to attack, Microsoft says, but it requires having physical access to the TPM microchip, something that is not possible over the Internet.
Microsoft is writing software that will allow developers and users to deploy TPM in Longhorn, predominantly as a way to make it easier for administrators to manage a large numbers of clients. The TPM Base Services (TBS) service will control access to the TPM, while Microsoft's TPM driver will work with TPM chips that conform to the Trusted Computing Group's (TCG) TPM version 1.2 specification, according to a white paper that Microsoft published this April called "Trusted Platform Module Services in Windows Longhorn."
The market for TPM technologies is practically non-existent today, but that will change, especially with the advent of the Longhorn client, concludes IT industry researcher IDC in a recent report. IDC predicts TPM device shipments will grow from about 20 million units in 2005 to more than 50 million in 2006 and about 120 million by 2007.
Software-based Security Enhancements
One of the important security enhancements Microsoft is building into Vista and Longhorn is that the computer's default access level will no longer be set to administrator. Because many of today's Windows vulnerabilities can only be exploited when the computer is operating under administrative privileges, this single change is expected to have a far-reaching effect in clamping down security exposures.
Chris Jones, a corporate vice president with Microsoft, discussed the significance of this change during a July interview by Microsoft's PR firm and posted to Microsoft's Web site. "We've increased the protection so that by default people don't run as administrator," Jones says. "In the past, you ran as administrator, which means that any code that got to your system had full privileges to the box. And we're preventing that in Windows Vista. It's a great change for us."
Microsoft hopes to prevent the spread of spyware, adware, and other malware by keeping user privileges as low as possible. In the Windows Vista beta, there's a new feature called User Access Protection, or UAP, designed to allow users to switch back and forth between user and administrator privileges as applications demand it.
Of course, moving the Windows world from administrator privileges to regular user privileges is a lot easier said than done. Besides eliminating the administrator setting by default, Microsoft is going to require a lot of help from the development community to make sure applications keep running in regular user mode. Jones called on developers to start writing programs to run with regular user privileges.
"For almost every developer, I want them to make sure their application runs as standard user. You can actually do that today without Windows Vista. Take Windows XP, turn on standard user, and make sure your application runs," Jones says. "Developers really have to get that right."
There are other things that Microsoft can do to prevent third-party applications (such as spyware) from altering the registry and making changes to other areas of the operating system. Some people in the community have called for Microsoft to implement full operating system-level application sandboxing. Sandboxing would restrict applications' access to certain resources. These restrictions could take the form of preventing an application from reading or writing to files outside of the directory in which it was installed, and preventing read and write access to the Windows registry.
Certain elements of Windows and Microsoft's development tools already use a form of sandboxing. With the .NET Framework version 1.1, for example, the developer could configure an ASP.NET program to run in a "partial trust" mode that prevented it from accessing system-level resources and resources owned by other applications. We'll take a closer look at Microsoft's sandboxing options in a future issue of The Windows Observer.
QinetiQ deploys encryption across 10,000 laptop and desktop computers for improved security
Publication date: Monday, 22 August 2005
http://www.ebcvg.com/press.php?id=1544
Global defence and security company QinetiQ has deployed a full disk encryption product from the UK’s largest encryption software specialist, BeCrypt, to secure data on over 10,000 laptop and desktop computers across its enterprise.
QinetiQ’s scientists and engineers are involved in projects for governmental and commercial organisations across a number of business areas including defence, security, space, health, energy and transport sectors, making it critical that it prevents unauthorised access to restricted material on devices should they ever be lost or stolen.
Government policy and guidelines must be followed if a company working on government projects needs to hold UK government ‘protectively marked’ data on site. This policy includes advice on the use of cryptography. CESG, the UK National technical Authority for Information Assurance, has certified DISK Protect to protect UK Government data to the Baseline standard.
“We have an obligation to ensure that we are enforcing watertight security policies when it comes to sensitive data relating to our and our customers’ business,” said Dr. Amjad Farooq, Head of Business Improvement, CIO Group at QinetiQ. “BeCrypt has made enforcing security policies very straightforward.”
“Defining and enforcing security policies across thousands of employees is no easy task,” said Peter Jaco, Chief Executive Officer, BeCrypt. “BeCrypt’s encryption and security products were designed to tackle this issue and make enterprise-wide security easy to manage and deploy, no matter how big the workforce. BeCrypt worked closely with QinetiQ and its system integration partner Accenture to ensure a smooth deployment of our technology.”
BeCrypt’s DISK Protect provides full hard disk encryption for desktop and laptop PCs running Microsoft Windows NT, 2000, XP and XP Tablet operating systems. It provides strong user authentication at boot time and allows the optional use of SMART Cards and USB tokens for dual factor authentication. Once the user has been authenticated, and has logged onto Windows, disk encryption is transparent and the user need take no further action – everything written to the hard disk is automatically encrypted and everything read from the hard disk is automatically decrypted, in real time.
About QinetiQ
QinetiQ (pronounced ki’ ne tik as in ‘kinetic energy’) is a leading global defence technology and security company. Founded in July 2001 from the majority of the Defence Evaluation and Research Agency (DERA), the laboratories of the UK MOD, QinetiQ today has grown internationally, with 12,000 employees in the UK and US, many of them internationally acclaimed experts, providing government and commercial customers unparalleled resources to create, evaluate, test, and deliver technology based services, solutions and products.
As part of its fast growing security business, recently launched products include: Tarsier – a radar system that identifies debris on an airport runway; BorderWatch – which can see into vehicles to identify possible stowaways; the MillimetreWave Portal – a people screening system that can identify concealed weapons; Ferroguard – a man‑portable metal detection system; and X-net – a system to stop vehicles being driven through checkpoints.
About BeCrypt
BeCrypt Limited was formed in 2001 to meet the growing demand for high-level computer encryption products in the international government and corporate marketplace. The company is a leading provider of enterprise encryption and security products designed to fully protect all corporate data. BeCrypt products protect customers in a number of key UK government areas including: central and local government, the military and defence sector, law enforcement and transportation. The company also services the commercial sector with key customers in the financial services, pharmaceutical, insurance and banking sectors.
BeCrypt’s DISK Protect and PDA Protect products have been designed to meet stringent government security standards and have been approved by the UK Government’s Information Assurance group, the Communications Electronics Security Group (CESG) within GCHQ.
BeCrypt has won an award from the Department of Trade and Industry for innovative technology and has patents pending on a number of unique encryption technologies.
Further information at http://www.becrypt.com
I wonder if this solution is with or without TPMs. If you recall, Toshiba has a solution that incorporates Tecra, TPMs and BeCrypt DISK Protect.
http://uk.computers.toshiba-europe.com/cgi-bin/ToshibaCSG/generic_content.jsp?service=UK&ID=0000....
http://uk.computers.toshiba-europe.com/Contents/Toshiba_uk/EN/Others/Freedom_AutumnWinter.pdf
e-Financial WorldExpo
October 27 - 28, 2005
National Trade Centre at Exhibition Place
Toronto, Canada
Lots of interesting topics
http://e-financial.wowgao.com/agenda/index.php
Last year (2004), David Grawrock spoke about Trusted Computing. I wonder if there will be anyone discussing TPMs this year.
Principal Engineer Security Architect, Intel
http://e-financial.wowgao.com/presentation_proposals/pre_show.php?subjectid=23&
Trusted Computing: Opportunities and Challenges
IT managers have searched for years for more effective ways to secure confidential corporate data. Trusted Computing has emerged as one potential option. This hardware-based security initiative starts with the Trusted Platform Module silicon embedded in a PC or other device motherboard, to securely store data, authenticate users and perform other functions. Applications on top of the TPM then allow IT managers to set varying security levels, control applications and perform other administrative functions. However, as with most security schemes, issues of privacy, owner control and usability emerge. What is the status of the Trusted Computing initiative? What issues is it addressing specifically, and how will it impact IT planning and administration? David Grawrock, lead author of the Trusted Platform Module specification and Intel researcher, will address these issues. Grawrock also will briefly review the Trusted Platform Module features and applications.
Biographical Summary:
David Grawrock is a Principal Engineer Security Architect for the Platform Architecture Solution Division of Intel. As a security architect he works both with internal and external projects. He is a lead security architect for LaGrande Technology, part of Intel's security initiative. He is Intel's lead technical representative to the Trusted Computing Group and is a member of the TCG Technical Committee and chair of the TPM workgroup. Prior to Intel David worked for Symantec, Central Point and Lotus. While at Symantec David was a lead architect for Norton Your Eyes only and other products. David has worked in the computer industry for 25 years.
Secure Device Identity Tutorial
July, 2005
Elliptic Semiconductor
Secure Software
Broadcom
Phoenix Technologies
http://www.ieee802.org/802_tutorials/july05/Secure%20Device%20Identity%20Tutorial.pdf
Motion Omnipass, TPM, Windows Security Center
Starts at page 39
http://www.motioncomputing.com/resources/UserGuide_LE1600.pdf
Trusted Computing Group Frequently Asked Questions
July 2005
https://www.trustedcomputinggroup.org/about/faq/
19 Deadly Sins of Software Security (Paperback)
What are items 1-19? Duh, software is inherently insecure and can be hacked.
http://www.amazon.com/exec/obidos/tg/detail/-/0072260858/002-7142290-2697630
http://blogs.bartdesmet.net/bart/archive/2005/08/20/3492.aspx
Windows Vista Security - About Secure Startup, TPM, EFS, Syskey and much more
http://blogs.bartdesmet.net/bart/archive/2005/08/17/3471.aspx
Introduction
In this post, I'll cover the Windows Vista Secure Startup feature to present you one of the big security enhancements made in the Windows code-named Longhorn wave. To go short, Secure Startup is a new security feature in Vista that addresses the concern of better data protection, based on hardware support.
Background
So, what is all this Secure Startup stuff all about? Take a look back at my short definition of Secure Startup above. It's a security feature, it addresses data protection and it's based on hardware support.
Let's start with the latter one, the hardware support. Currently, almost all of the security-related stuff is handled by the operating system and by applications running on top of the OS in order to protect data which is stored somewhere on a machine. In the end, security is all about enforcing security rules and policies in order to make sure data and services are protected against malicious usage whatever form it may take (e.g. data disclosure). However, this approach of having the software dealing with all security-related stuff makes the system also vulnerable by its very nature. As the system itself has to store and retrieve keys for data protection (e.g. the global system key, abbreviated as syskey, in Windows), the information used to secure things is right there on the harddisk. Imagine the very actual risk of "stolen laptops". It's a simple task to retrieve the data which is stored on the machine using tools that can be found on the internet, no tricks involved. Check out Steve Riley's (blog) column on The Case of the Stolen Laptop as well.
Okay, there exist solutions to address this issue partially. For example, you could store encryption keys on a separate medium, e.g. some removable storage thing. However, it's still key to realize that you only improve the security of data secured by that very key. For example, it's wrong to think that storing the syskey on a floppy disk will enhance the security of the data stored on disk to a high extent. Data which was unencrypted before will still be unencrypted. You're only securing the data which is secured by the syskey. And of course, physical security still plays a very important role.
<Intermezzo subject="syskey">
A computer contains a bunch of critical security-related information nowadays. It's clear that this information needs to be protected against a broad variety of attacks, including information disclosure. This information includes the local Security Account Manager (SAM) database, Active Directory account information, IPSec keys, wireless network keys (WEP, WPA), computer keys (e.g. used for Kerberos), system recovery passwords (e.g. Active Directory restore mode), secrets managed by LSA (local security authority), SSL keys, EFS keys, etc. All this stuff protects something, but how is this stuff protected itself? The answer is that there are keys to encrypt the (private) keys which are stored on the system. These are called master keys, an example being a master key associated with a user in order to protect his/her EFS, SSL, etc. keys. In turn, these master keys are also encrypted by a kind of "root key", called the syskey. I've been blogging about this thing earlier on http://blogs.bartdesmet.net/bart/archive/2004/02/29/226.aspx as I'm a syskey-addict.
By default, the syskey is stored on the computer itself and is randomly generated during Windows Setup. This information is then spread across the registry (called "scattering") in a pattern which is unique for your Windows installation ("obfuscation"). Using the syskey.exe tool included with Windows in the system32 folder, you can change the way the syskey is stored or derived. A first option is to store the key on a floppy disk. You simply can't boot the pc without the floppy and you can't retrieve secured information without having the key (but remember that unprotected data physically stored on the harddisk is not protected). Another mode enables you to enter a system boot password which is used to derive the master key from. Check out the syskey.exe tool but do it with care.
Syskey can help against information theft when combined with EFS. The use of EFS encrypts the data on disk whereas syskey encrypts the keys used to encrypt the data. By moving the system key off the harddisk using syskey.exe, e.g. to a floppy or by using a password, security is enhanced in the "case of the stolen laptop (or whatever machine)". The syskey password mode is the safest of the three available modes as there exist cracking tools to extract the syskey from the registry (no, I won't be posting links to these tools :p).
</Intermezzo>
Another example is the use of EFS, the Encrypted File System, in Windows 2000, XP, 2003. With EFS (a NTFS-related feature), a user can encrypt his/her data which is stored on disk, completely transparent for further usage. However, this only secures users against each other on a multi-user system. It does not secure you against a stolen computer from which the EFS keys are restored in order to decrypt a user's data. And there's also a threat that comes from recovery agents that should be trustworthy people.
<Intermezzo subject="EFS">
Let's talk about EFS a little further. EFS stands for Encrypted File System and was introduced in the Windows 2000 operating system family as an add-on device driver for the NTFS driver (from XP on, it's merged into the NTFS driver itself). What it does is provide a transparent way to encrypt/decrypt files and folders on the level of the file system. (Read: EFS is all about data confidentiality through encryption, not about integrity and protection against tampering.) What I do mean by the word transparent is the fact that you don't need a password in order to access a file. EFS is available on Windows 2000, Windows XP Professional and Windows Server 2003. Now the technical stuff.
As a side-note I want to mention that you should never encrypt single files, always encrypt entire folders. This is because of the fact that EFS creates a temporary plaintext "shred" of the file (called Efs0.tmp) in order to encrypt it and then copy it back to the folder where it belongs. This shred can remain on the disk, leaving a potential attack open. The only effective way to solve this is to encrypt entire folders or to wipe the disk (but prefer the former one if you can).
First, a little word on how to encrypt a file or folder. In Windows Explorer, right-click a (file or) folder and go to Properties. On the tab General, click Advanced and mark the "Encrypt contents to secure data". That's it. Now, when another user tries to open the file (assuming he has read permission to the file) he/she will get an "access denied" error. Another way to encrypt/decrypt a file/folder is by using the cipher.exe tool with the /E and /D flags. More information can be found in the Windows Help and Support documentation. Geeks can also use the advapi32.dll's EncryptFile function that will call into the feclient.dll file that's handling file encryption stuff. The actual encryption/decryption is done by part of the LSA system which runs as SYSTEM, so impersonation and user profile loading is being done.
Now, how is this encryption done behind the scenes? It should be clear we do need a key in order to encrypt the file. Next, we do need an algorithm to encrypt and decrypt the data efficiently, which means we should use symmetric encryption. The former one, the key, is the so-called File Encryption Key (FEK) which is a key that's randomly generated on a file-by-file basis (when you encrypt a folder, you're in fact flagging the folder to encrypt every single file inside the directory). The latter one, the encryption algorithm, is DESX on Windows 2000. On Windows XP SP1 and later and on Windows Server 2003 there's also support for 3DES and AES. By default, Windows 2000 and Windows XP (pre SP1) use DESX whereas Windows XP SP1 and later as well as Windows Server 2003 use AES.
Note: You can force 3DES to be used as the encryption standard for all cryptographic services on the system by altering the local system policy (Security, System Cryptography, "Use FIPS Compliant Algorithms For Encryption, Hashing and Signing"). If you prefer to use the registry, go to HKLM\SYSTEM\CurrentControlSet\Control\LSA and set FipsAlgorithmPolicy to 1. To control the encryption algorithm for EFS only, go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\EFS and change AlgorithmID to 0x6603, which enables 3DES. Note that on Windows 2000, this won't work if the High Encryption Pack (separate floppy disk) isn't installed. Changing the encryption mechanism this way doesn't change the encryption for existing files, it only affects newly encrypted files.
To continue, what happens with the FEK? Well, it's just stored together with the file. In order to secure the encryption key so that only the owning user can decrypt the file, the FEK itself is encrypted using public/private key encryption (RSA) using the public EFS key for the user. If multiple users need to be able to access the file (which is the case when using recovery agents - by default the administrator is a recovery agent - for instance), there will be one encrypted FEK for each user (encrypted with that user's public key). All these encrypted FEK instances are stored in the so-called Data Decryption Field of the file.
This mechanism provides a high stack of encryptions. At the very bottom line we have the system startup key (syskey, see above). On top of that, there's a master key for the user. Next, we have the EFS key for the user. And last but not least, there is a separate key for each encrypted file. You might wonder where the private keys for the user live and how these are protected. The private keys are stored in %appdata%\Microsoft\Crypto\RSA\<usersid> and are encrypted by the user's master key, which lives in %appdata%\Microsoft\Protect\<userid> (check on XP Pro computer) and is encrypted based on the password of the user. If you change your password, the master keys are re-encrypted automatically. However, if your password is being reset, this does not happen (it simply can't because there is no way to use the old password for decryption first) and so you lose your information if you don't have a recovery agent in place.
Other sources where you can find useful EFS-related information are:
Protect your Windows Network From Perimeter to Data - Steve Riley, Jesper J. Johansson - pg 175-178
Microsoft Windows Internals Fourth Edition - Mark E. Russinovich, David A. Solomon - pg 775-785
Hacking Exposed Windows Server 2003 - Joel Scambray, Stuart McClure - pg 413-422
Some general EFS-related guidelines include:
Use EFS in a domain configuration. On a standalone pc, you can break EFS using various tools because all the secrets that are part of the encryption/decryption are kept locally (unless you're using syskey in mode 2 or 3, i.e. floppy or password mode). Another possible attack is to clear the local Administrator password by removing the local SAM database in %windir%\system32\config\sam. As the local Administrator is a recovery agent by default, logging in as local Administrator will make it possible for you to recover the encrypted file. Syskey modi 2 and 3 solve this problem because you need the EFS keys which are stored by LSA in a so-called "secrets cache" which is physically protected by the syskey. In a domain, the domain admin is a recovery agent by default which establishes a "physical gap" between the EFS encrypted files on one system and the recovery agent stuff on another one.
Be aware of "interactive logon cache", a Local Security setting that enables you to cache the last n logons on the machine which is particularly interesting for mobile users that need to login to their computers when being on the road, without access to a domain controller. Using this cache, an attacker might be able to authenticate and decrypt a user's files.
Avoid encrypting single files, because of the shred backup file being made in efs0.tmp. Although this plaintext backup file is deleted after the EFS encryption has taken place, the data will still live on the harddisk and can be recovered by an attacker (e.g. by using the Support Tool dskprobe.exe). As I mentioned above, cipher.exe /w can be used (it was actually implemented by Microsoft in reaction to a Bugtraq post about this issue).
Finally, my personal advice is to use EFS in a domain environment and to consider using syskey mode 2 or 3 to move the system key away from the harddisk.
</Intermezzo>
Also notice the existence of so-called ATA passwords which have nothing to do with the OS but can be used to secure all data stored on a harddisk. I won't cover this in further detail over here.
So, Secure Startup wants to provide a way to offload certain aspects of data protection to the hardware, but in an OS-controlled fashion. Very concretely, the Secure Startup feature uses a Trusted Platform Module (TPM 1.2) to protect the user data and to protect against tampering while the system is offline. Just like EFS, Secure Startup is transparent to the users. Basically what it does is encrypting the entire Windows volume.
Trusted Platform Module
A Trusted Platform Module is a microcontroller to store keys, passwords and digital certificates, and is typically sitting on the motherboard (of the upcoming generation of computers). TPM is "invented by" the Trusted Computing Group which is promoted by several computer companies, including Microsoft (see member list). TCG is a non-profit organization that aims to enhance the security of computing in general and was formed in early 2003, based on the work done by the Trusted Computing Platform Alliance (TCPA). TCG has impact on both hardware and software by delivering standards proposals such as TPM. Detailed specification documents can be found on https://www.trustedcomputinggroup.org/downloads/specifications/.
Back to TPM in particular now. In order to understand the role of TPM, you'll need to have a basic understanding of what TCG calls the "Trusted Platform". What follows is based on the "TCG Specification Architecture Overview" specification. In order for a platform to be called trusted, it should provide three basic features:
Protected capabilities are a collection of commands that can interact with sensitive data that is "shielded" against malicious access. Such places are called "shielded locations" and include registers and places in memory where manipulations of sensitive data are guaranteed to be protected. The protected capabilities have exclusive access to these shielded locations. Samples include management of cryptographic keys and random number generators.
Attestation is all about the accuracy of information, which is an important factor in the trustworthiness of a platform. First there is attestation by the TPM which can be used to provide proof of data known to the TPM itself. Using a so-called Attestation Identity Key (AIK) internal TPM data is digitally signed. Secondly, there is attestation to the platform to provide proof of a platform's trustworthiness to report integrity measurements. Hand-in-hand with attestation to the platform we have attestation of the platform, used to provide proof of a platform's integrity measurements also using an AIK which signs PCRs (Platform Configuration Registers, part of the protected capabilities). Last but not least there is the need for authentication of the platform's identity.
Integrity measurement, storage and reporting is the collection of integrity-related services to enhance and measure the trustworthiness of a platform. The integrity measurement part helps to obtain metrics which have impact on the overall trustworthiness of the platform, based on trusted states. Integrity storage is used to log integrity metrics in a safe manner, by digesting the contents and storing it in PCRs. Finally, integrity reporting is a form of attestation for the data stored in the integrity storage. The overall idea of this set of "services" is to have trustworthy evidence of the state a platform was/is in, to assist processes in evaluating these integrity states and taking appropriate actions upon that.
In order to provide this functionality, the TCG architecture requires components that need to be trusted for the full 100%, otherwise misbehavior can't be detected. These components are critical to the trustworthiness of the system and are called roots of trust. The collection of roots of trust in a system has to provide the functionality needed to describe the platform's characteristics that affect the trustworthiness of it. This includes:
Root of Trust for Measurement (RTM) to make reliable measurements of system integrity.
Root of Trust for Storage (RTS) for the secure maintenance of integrity digests.
Root of Trust for Reporting (RTR) for reporting of the RTS' contents.
Now, how is integrity measured in order to be stored and reported? To support this integrity measurement, there is a so-called measurement kernel component that generates measurement events, consisting of two components: a measured value and a hash digest of that value (e.g. SHA-1). Basically, these measurements and the corresponding digests are snapshots of the operational state of the machine. The digest is stored by RTS whereas the measured value can be consumed anywhere. In order to verify the measured data, digest values are recreated and compared to the stored data. Sequences of related measurement event data are kept in a Stored Measurement Log in which a common measurement digest is used as the starting point. Newly acquired measurement values are appended to the common measurement digest and rehashed in order to preserve ordering. This process is called extending the digest.
Furthermore, the TPM can act as an endpoint of communication which means that it can be used to provide several security related services for secure exchange of data between systems, relying on a trustworthy identification of the systems involved in the communication. By providing key management support and configuration management, the TPM can help to improve security for communication between systems. In order to support this scenario, TCG defines four classes of protected message exchange:
Binding is the process of encrypting the to-be-transferred data by means of a public key of the intended recipient, which can only recover the message using the corresponding (non-shared?) private key.
Signing generates a signature for the message that can be used to validate the integrity of the message and is typically done by hashing the message and encrypting it using a (signing only) key.
Sealing is an extension of binding and also encrypts messages. Furthermore, it binds the message to a series of platform metrics that need to be fulfilled in order for the message to be decrypted. This binding binds the symmetric key used to encrypt the message (for speed) with a set of PCR values and the asymmetric key. Sealing clearly improves trustworthiness of a platform by requiring a certain state for the platform to be in, before decryption can be done.
Sealed-signing links the signing operations with the PCR registers of the machine creating the signature. This allows a verifier to check the PCR contents included with the signed message in order to have a clear picture of the configuration of the signing platform configuration at the time of the signing process.
The protected storage component (RTS) holds keys and data entrusted to the TPM. Embedded in the TPM there are two (semi-)fixed keys, the Endorsement Key (EK, used to establish a platform owner) and the Storage Root Key (SRK, associated with the platform owner, can be replaced). Keys stored in the TPM are categorized into two categories: the migratable keys (which can be transferred to another TPM) and non-migratable keys (cannot leave the system). An AIK (see attestation discussion above) is a prime sample of a non-migratable key. TCG defines 7 key types which are dedicated to certain functionality. These include:
Signing keys - asymmetric key, migratable or not migratable, signs application data and/or messages
Storage keys - asymmetric key, encrypts data or other keys
Identity keys (AIK) - asymmetric key, not migratable, used to sign data from the TPM (e.g. PCR register values)
Endorsement keys (EK) - decryption key, not migratable, used to decrypt owner authorization data when the owner of a platform is established, also used to decrypt AIK-creation related messages
Bind keys - encrypt/decrypt small amounts of information to be transferred across platforms, e.g. symmetric keys
Legacy keys - keys created outside the TPM (e.g. by the OS or an application), imported in the TPM and also migratable
Authentication keys - symmetric keys to protect transport of data in which the TPM is involved
The RTS interfaces with storage devices through a so-called Key Cache Manager which I won't cover over here. You can find more information in the "TCG Specification Architecture Overview" document mentioned above.
This brings us to the TPM Components, which I'll cover a little further. Keep in mind we're talking about a hardware component over here. The software aspect will be covered further on. A first important component is the I/O component that acts as an interface of the TPM component to the outside world. It's connected to the TPM's internal communication bus and routes messages to the right destination. Next, there are a couple of engines for cryptographic functionality, such as the random number generator, an engine for SHA-1 hashing, a key generation engine and an RSA engine. Further on, there is a piece of non-volatile storage that holds the EK, SRK and other owner-related data. In the field of memory, there are the PCRs too that can be either volatile or non-volatile. Another piece of storage contains the AIKs, but it's recommended by TCG to store these keys outside the TPM (nevertheless, there is reserved room inside the TPM component itself). Further on, there is program code living inside the TPM (which acts as the Core Root of Trust for Measurement or CRTM). The execution engine runs the program code. Finally, a so-called Opt-In component is used to enable/disable/deactivate various operations that the TPM is capable of providing.
For the operational states of the TPM component, I refer to the "TCG Specification Architecture Overview" document again.
On to the software aspect of TPM. At the very bottom we have of course the TPM component itself which is managed by the TPM Device Driver in the OS' kernel mode. On top of that we have the user mode, consisting of system processes and user processes. In the system processes space, you'll find the TCG Device Driver Library (TDDL) which provides an interface (TDDLI) to players higher in the stack. The TSS Core Services (abbreviated as TCS; TSS stands for TCG Software Stack) talks to the TDDLI interface and provides a TCSI interface to the user processes. In the user processes space, there's a service model called the TCG Service Provider or TSP which has an associated interface called TSPI. Finally, we end up with the application interacting with this TSPI interface thing. Detailed information about these interfaces can be found in "TCG Specification Architecture Overview". The TCG Software Stack Specification (TSS) is available over here as well as the header file (C).
Secure Startup
The Windows Longhorn Secure Startup feature acts on three different fields:
Data protection of offline systems - a non-connected offline system is safe against data theft because of encryption of user and system data (read: the entire Windows volume) including the hibernation file, the page file, system files, temporary files, user data, etc. All applications on the machine also benefit from additional (implicitly added) security for offline scenarios.
Assurance of boot integrity includes tampering detection for monitored files. The system won't boot if tampering (during offline time) is detected.
Hardware recycling - as the TPM contains encryption keys and other encryption stuff, simply erasing its contents makes the volume useless and non-recoverable. This eliminates the need for disk sweeping to physically delete critical content.
The overall idea is to encrypt the entire Windows volume, therefore including the SYSKEY, without having the top-most encryption key on the harddisk but moving it to a hardware component (the TPM). When the system is booting, the keys needed to read the data from the harddisk to boot Windows are only released when no tampering is detected. This is done by unique measurements from multiple factors during system boot, which results in a digest. If someone has tampered with the boot system, the digest won't be the same and the tampering is detected. The use of TPM is completely transparent for the operating system during boot and further operation. Notice that the encrypted data on a protected partition is bound to a particular installation of Windows.
Let's go into somewhat more detail and look at the boot process with TPM enabled. First of all, there's a firmware security bootstrap mechanism that kicks in. This procedure is encoded in the TPM hardware and is in the end responsible to ensure system integrity, through the Core Root of Trust Measurement (CRTM). When the system is considered to be secure and trustworthy, a series of measurements is done to create a fingerprint of the system. At boot time, the same measurements are made in order to check the system for integrity. This mechanism is called Static Root of Trust Measurement (SRTM) and makes sure the encryption key for the system volume is only unsealed when the integrity verification process succeeds. The measurements I've referred to are stored in the PCRs of the TPM component and include the following: firmware, option ROMs, step-by-step measurement of the boot process up to the BOOTMGR level, a value measurement of the boot-time events that occur (OS boot time). The volume encryption is based on block encryption.
In order to run Secure Startup in Vista, the system needs to match the following requirements:
TPM 1.2 should be available on the hardware and should be enabled (see operational modes in "TCG Specification Architecture Overview"). Ownership should be taken as well (see further).
The Master Boot Record (MBR) of the harddisk should be modified by a version shipping with Vista that can talk to the TPM hardware (to collect measurement data etc).
Vista must be installed on an NTFS volume.
Notice that Vista also supports the use of EFI (extra link) with TPM. The classic non-EFI scenario is to have an MBR active NTFS partition that contains Vista. EFI is a more recent BIOS specification replacing boot loaders and especially created for trusted computing scenarios. The idea is to offload the system hardware preparation stuff to the firmware at boot time, freeing the OS from these tasks. TPM boot procedures can be supported by such an EFI BIOS.
Vista supports TPM through the Windows Security Center where various management tasks are available. First of all there's of course support to enable Secure Startup on the machine. This is where the encryption is started after reboot. Next, there's support to disable Secure Startup with the option to retain encryption (which moves the key to a floppy or to the harddisk also with support for a password - compare to syskey modi) or to remove encryption (decryption kicks in). To support recovery an administrator can choose to store a recovery key on removable media or to supply a password for recovery. Recovery is needed when the hardware changes (old harddisk in new computer with different TPM), when the system is tampered with, data corruption of the MBR or the system, debugging, offline system updates. In all of these cases, the measured data does not match the original gathered data and the boot process is blocked till a recovery password or medium is supplied by the end user. These passwords and keys for recovery can be stored in Active Directory, enabling enterprise-level scenarios.
With this, I want to conclude a brief overview of the Secure Startup technology based on TPM in Windows Vista. I want to stress that Secure Startup is not the only feature of Vista that leverages the power of TPM. Other places include WMI support for TPM administration tasks, Group Policy support for TPM, a Key Storage Provider (KSP) that works with TPM and the exposure of the TSS interfaces to 3rd party applications. More information can be found via the links mentioned below.
Links
Secure Startup - Hardware-Enhanced Security - WinHEC 2005 - ppt
Secure Startup - Full Volume Encryption: Executive Overview - WinHEC 2005 - doc
Secure Startup - Full Volume Encryption: Technical Overview - WinHEC 2005 - doc
Trusted Platform Module Services in Windows Longhorn - WinHEC 2005 - doc
posted on Wednesday, August 17, 2005 4:41 PM
Feedback
# re: Windows Vista Security - Using TPM (Vista beta) 8/20/2005 5:59 AM Greg
Hi,
We recently installed Windows Vista to find what is provided at the TPM level. The Windows TPM base is provided (tbs.dll) as well as a driver for TPM 1.2, and the WMI interface. However we didn't find how to activate secure boot.
As written in "Trusted Platform Module Services in Windows Longhorn", Microsoft is not going to provide the TSS stack itself. Do you know any vendor who proposes the TSS stack on top of tbs.dll ?
Do you know which kind of integrity measurement Windows Vista is going to provide?
Do you know if Microsoft is going to release a beta version of its NGSCB?
Regards,
Greg
# re: Windows Vista Security - About Secure Startup, TPM, EFS, Syskey and much more 8/20/2005 6:56 PM Kevin Severud
If you're part of the beta then your question should be directed to the newsgroups. I'm sure you'll get an answer there that can point you to information on how to enable Secure Startup on Vista.
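The measured-boot mechanism the post describes (measurement events extended into a PCR, a Stored Measurement Log that a verifier replays, and a volume key sealed to a PCR value so it is only released when the boot chain measures the same way) can be modelled end to end. The following is an added example, not code from the original post or from Microsoft/TCG: the boot components, the "SRK secret" and the HMAC-SHA1 keystream used for wrapping are constructed stand-ins for the TPM's real RSA-based protected storage; only the extend rule (SHA-1 of old PCR value concatenated with the new digest) follows the TPM 1.2 semantics.

```python
"""Model of TPM-style measured boot and sealing: PCR extend, log replay,
and a volume key sealed to an expected PCR value.
All blobs and the 'SRK secret' are constructed sample values; the HMAC-SHA1
keystream is a stand-in for the TPM's RSA-based sealing, not the real algorithm."""

import hashlib
import hmac
import os

PCR_SIZE = 20  # SHA-1 digest length; TPM 1.2 PCRs are 160 bits


def sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()


def extend(pcr: bytes, event_digest: bytes) -> bytes:
    """TPM_Extend semantics: hash the old PCR value concatenated with the new digest.
    Because the old value is folded in, the order of events is preserved."""
    return sha1(pcr + event_digest)


def measure_boot(components):
    """Simulate the SRTM: each boot component (firmware, option ROM, ...) is hashed
    and extended into one PCR. Returns (pcr, stored_measurement_log)."""
    pcr = bytes(PCR_SIZE)  # PCRs reset to zero on power-on
    log = []
    for name, blob in components:
        digest = sha1(blob)
        log.append((name, digest))  # the Stored Measurement Log keeps name + digest
        pcr = extend(pcr, digest)
    return pcr, log


def replay_log(log) -> bytes:
    """A verifier recomputes the PCR from the log; it must equal the reported PCR."""
    pcr = bytes(PCR_SIZE)
    for _, digest in log:
        pcr = extend(pcr, digest)
    return pcr


def _keystream(secret: bytes, policy: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA1(secret, policy || counter). Stand-in for
    the TPM's protected storage; the PCR policy is mixed into the key derivation."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(secret, policy + counter.to_bytes(4, "big"), hashlib.sha1).digest()
        counter += 1
    return out[:length]


def seal(srk_secret: bytes, expected_pcr: bytes, data: bytes) -> dict:
    """Seal data to a PCR value. The blob records the policy plus an HMAC tag so that
    unsealing detects both a wrong platform state and a modified blob."""
    ks = _keystream(srk_secret, expected_pcr, len(data))
    ciphertext = bytes(a ^ b for a, b in zip(data, ks))
    tag = hmac.new(srk_secret, expected_pcr + ciphertext, hashlib.sha1).digest()
    return {"pcr_policy": expected_pcr, "ciphertext": ciphertext, "tag": tag}


def unseal(srk_secret: bytes, current_pcr: bytes, blob: dict):
    """Release the data only if the current PCR equals the sealed policy value."""
    if not hmac.compare_digest(current_pcr, blob["pcr_policy"]):
        return None  # platform state differs: key stays sealed, recovery is needed
    tag = hmac.new(srk_secret, blob["pcr_policy"] + blob["ciphertext"], hashlib.sha1).digest()
    if not hmac.compare_digest(tag, blob["tag"]):
        return None  # blob was modified
    ks = _keystream(srk_secret, blob["pcr_policy"], len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], ks))


# Constructed sample boot chain (stand-ins for firmware, option ROM, MBR, BOOTMGR).
GOOD_CHAIN = [
    ("firmware", b"bios-v1.02"),
    ("option-rom", b"nic-rom-v7"),
    ("mbr", b"vista-tpm-aware-mbr"),
    ("bootmgr", b"bootmgr-build-5219"),
]
# Same chain with one component replaced offline (constructed tampering case).
TAMPERED_CHAIN = [(n, b"other-rom" if n == "option-rom" else b) for n, b in GOOD_CHAIN]

SRK_SECRET = b"constructed-srk-secret-not-a-real-tpm-key"
VOLUME_KEY = os.urandom(32)  # the full-volume encryption key to be protected


def demo():
    """Seal at provisioning time, then try two boots.
    Returns (normal boot unseals, tampered boot blocked, log replay matches PCR)."""
    reference_pcr, log = measure_boot(GOOD_CHAIN)
    blob = seal(SRK_SECRET, reference_pcr, VOLUME_KEY)
    pcr_good, _ = measure_boot(GOOD_CHAIN)
    pcr_bad, _ = measure_boot(TAMPERED_CHAIN)
    return (
        unseal(SRK_SECRET, pcr_good, blob) == VOLUME_KEY,
        unseal(SRK_SECRET, pcr_bad, blob) is None,
        replay_log(log) == reference_pcr,
    )


if __name__ == "__main__":
    print(demo())  # (True, True, True)
```

Reordering the same components yields a different PCR, which is the "preserve ordering" property the post attributes to extending the digest.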
Anything worthwhile here? Can someone translate?
http://www.datenreise.de/index_tc.html
HP 7600 - TPM 1.2
I realize this is fairly old (and has been posted before), but I don't see this listed in the TPM matrix.
HP Compaq dc7600 Convertible Minitower PC
• Enhanced Security: Help secure the physical and intellectual properties of your business with HP ProtectTools, a single interface for hardware, software, firmware and OS level security. Enjoy enhanced protection of data and system access and support for future security features expected in an upcoming Microsoft operating system with a TPM 1.2 embedded security chip that comes standard on all HP Compaq dc7600 PCs. TPM 1.2 includes hardware based encryption that provides the ability to consolidate, encrypt and help protect important data in a Personal Secure Drive and HP patented preboot technology which requires authentication prior to system boot and helps prevent non-authorized users from being able to boot the PC via a boot CD.
http://www.hp.com/hpinfo/newsroom/press/2005/050425a.html
HP Introduces Advanced Security Capabilities and Support for Latest Microsoft Operating Systems
SEATTLE, April 25, 2005
--------------------------------------------------------------------------------
HP today introduced the first business desktop system to meet future Microsoft security requirements and support for Microsoft Windows® x64 Editions across platforms for business users.
The new business desktop PCs and workstations with advanced security features are specifically designed to take advantage of enhancements planned for Microsoft's upcoming "Longhorn" operating system. HP also is enhancing system performance with support for the new Microsoft Windows x64 Edition operating systems across the HP ProLiant server line and on new business desktops and workstations.
The products, announced at Microsoft's WinHEC conference, build on the company's history of collaboration with industry-leading partners such as Microsoft, Intel and AMD to deliver innovative technology solutions that help prepare business customers for the performance and security demands of today and tomorrow.
"Twenty years ago, HP was among the first technology companies to adopt Microsoft's original operating system, and we continue that tradition of sharing industry 'firsts' by joining with Microsoft in the release of its Windows x64 Edition operating systems and delivering next-generation client security features," said Mike Winkler, executive vice president, Customer Solutions Group, and chief marketing officer, HP. "Our legacy of innovation and collaboration with industry leaders also includes being the first to ship an AMD processor-based business desktop, an alliance HP continues today with the expansion of our product lineup."
Will Poole, senior vice president of Windows Client Division at Microsoft, said, "HP's early support for Microsoft innovations throughout the years has allowed us to jointly deliver value to our customers. HP's introduction of systems that easily run both 32-bit and 64-bit applications and feature next-generation, hardware-based security enables customers to preserve their current investments and prepare to take full advantage of future innovations in Windows Longhorn."
HP desktop PC helps prepare businesses for security and environmental concerns
Designed to help protect customers' business systems, the new HP Compaq dc7600 Business Desktop will be the first to ship standard with the HP ProtectTools embedded security chip. Developed by Broadcom, the chip provides customers with hardware-based encryption, enhanced data protection and system access.
"Broadcom and HP are helping drive the widespread adoption of hardware-based security by making Trusted Platform Module features available in an array of innovative business systems," said Greg Young, senior director and general manager, High-Speed Controller Line of Business, Broadcom. "The new HP dc7600 desktop with the embedded Broadcom® NetXtreme® Gigabit Ethernet Controller provides customers the next generation of desktop security features to help protect their important information from threats."
Designed to meet the Trusted Computing Group's Trusted Platform Module 1.2 standard, the new chip allows HP to deliver the first business desktop compatible with the future security features expected in Microsoft "Longhorn" operating systems.
In addition to enhanced security, the dc7600 will deliver better performance with the new Intel® 945G chipset featuring improved integrated graphics, dual-channel DDR2 memory, SATA II hard drives and support for dual-core processors. These new industry features provide customers increased protection for their desktop investment and an improved user experience.
The dc7600's customized thermal design also helps enhance productivity and minimizes system downtime by providing customers more reliable systems. The airflow design is structured to help cool all components of the desktop as increasing demands for power are required. Also, HP's thermal design helps reduce system noise, which can often be distracting to business customers and may reduce productivity. The dc7600 has the same thermal and acoustic benefits of the BTX motherboard designs, but maintains the small size and expandability business customers have come to expect from HP.
In addition, the dc7600 series is the first desktop PC from HP to fully meet the European Union's Restrictions on Hazardous Substances directive. All PCs sold in EMEA must meet these requirements by July 2006 and HP is moving quickly to make it easy for customers to plan their desktop deployments. Additional specifications and pricing for the dc7600, which is expected to be available later this summer, will be released in the coming weeks.
HP provides customers with increased performance, scalability and reliability via 64-bit
HP is supporting Microsoft Windows XP Professional x64 Edition on a new AMD processor-based business desktop and across its entire lineup of professional workstations, and Microsoft Windows Server 2003 x64 Editions on HP ProLiant servers.
The HP dx5150 Business Desktop is the newest addition to the 5000 series of business desktops, designed with the latest high-performance AMD processors ranging from the AMD Sempron™ processor 3000+ to the AMD Athlon™ 64 processor 4000+. Coupled with support for the new Microsoft Windows XP x64 Edition operating system, dual-channel DDR400 memory, high-performance serial ATA hard drives and an x16 PCI-Express slot, the dx5150 is ready to handle some of the most challenging business applications.
"Through continued collaboration, HP and AMD are helping drive the computing market forward by delivering desktops and workstations that reach new performance, price and security levels," said Marty Seyer, corporate vice president and general manager, Microprocessor Business Unit, Computation Products Group, AMD. "With this new desktop, AMD is providing HP the technology to deliver a wide portfolio of high-quality systems that integrate the latest technology innovations and give customers the power of choice."
For security-conscious customers, the dx5150 features the latest AMD Enhanced Virus Protection which, when used with Microsoft Windows XP SP2, can prevent certain malicious viruses from executing. The system also includes AMD's Cool'n'Quiet™ technology, which helps reduce processor power consumption and fan noise. Additionally, the ATI RADEON® XPRESS200 chipset with built-in graphics offers features, including standard dual-display support, which help customers be more productive. The HP dx5150 Business Desktop is available today at prices starting at $470.(1)
HP adds more power and expandability to entry-level workstation
HP also announced an affordable entry-level workstation that offers customers greater performance and expandability with support for Microsoft Windows XP Professional 64-bit Edition, as well as the new Intel 955X Express Chipset and new dual-core processor technology. Support of Intel's dual-core Pentium® D processor is expected to provide customers with significant performance improvements when running multi-threaded applications or in multi-tasking environments.
The new HP xw4300 Workstation gives budget-conscious customers working with large models the ability to maneuver and edit images simultaneously and in real time via eight gigabytes of total system memory. This first combination of 64-bit processors and operating system with greater than four gigabytes of system memory is what enables this breakthrough performance.
As the next generation in the family of HP xw4000 series workstations, the xw4300 offers many of the same key features, including a tool-less chassis, PCI-Express graphics and HP's Performance Tuning Framework that guides the system setup, allowing a custom configuration that best matches the workstation to user requirements. The HP xw4300 Workstation, which replaces the HP xw4200, is expected to ship to customers early this summer, with additional specification and pricing detail available at that time.
HP is offering Microsoft Windows Server 2003 x64 Editions across its portfolio of 64-bit HP ProLiant servers based on AMD Opteron™ and Intel Xeon™ MP processors. HP offers a broad 64-bit server portfolio, including HP ProLiant servers and HP Integrity servers based on Intel Itanium® 2 processors. For their most demanding workloads, customers choose HP Integrity servers running Windows Server 2003 for Itanium-based systems for the highest levels of performance, scalability and reliability.
Wave Systems and campus security
Colleges struggle to combat identity theft
Universities a target-rich environment for ID thieves
http://www.msnbc.msn.com/id/8986162/
reminds me of this Wave bit:
Project Name: Building a Trusted Infrastructure: opportunities and issues of digital security on campus
http://www.oit.ucsb.edu/committees/ITPG/2003_proposals/trusted_infrastructure.pdf
Page 6 describes Wave System products/features (although Wave is not mentioned by name or even listed in the sources at the end of the document; must be Stealth mode).
Page 11 - dates mentioned (although I don't know the status of this project or if it is even still active)
UCSB Feasibility study - by end of winter 2004
Beta Test - Spring 2005
Eval and Decision - Summer 2005
Implementation in 3 stages:
Secure Infrastructure Deployment - Summer 2005
Transaction Execution - Winter 2005
Application Development - Summer 2006
These UCSB dudes are smart....
They won this year's capture the flag:
http://www.cs.ucsb.edu/~vigna/CTF/
Univ of Calif - Capture the Flag.
http://www.cs.ucsb.edu/~vigna/CTF/
History and Background
The UCSB CTF evolved from a number of previous security "live exercises" that were carried out locally at UCSB. The first wide-area edition of the UCSB CTF was carried out in December 2003. In that CTF, fourteen teams from around the United States competed in a contest to compromise other teams' network services while trying to protect their own services from attacks. The contest included teams from UCSB, North Carolina State University, the Naval Postgraduate School in Monterey, the West Point Academy, Georgia Tech, University of Texas at Austin, and University of Illinois, Urbana-Champaign.
In 2004 the UCSB CTF evolved into an international exercise, which included teams from the United States and Austria, Germany, Italy, and Norway. This had never been attempted before on such a large scale.
The exercise is loosely based on the DEFCON Capture the Flag contest. Acknowledgments go to the Ghetto Hackers that did such a wonderful (and inspiring) job in organizing the CTF contest at DEFCON. Many of the ideas of our CTF are derived from the DEFCON CTF and the lessons learned by participating in the DEFCON contest. The contest is now organized by Kenshoto.
This exercise is different from the DEFCON contest because it involves several educational institutions spread across the different continents. The DEFCON contest includes locally connected teams only.
In addition, the DEFCON contest has always involved a limited number of teams. We developed a new network solution that allows a large number of teams to participate.
Finally, we use a novel technique to route traffic among the teams that allows for a more realistic experience.
TPM Hacks of Mac OS X for Intel Beta Prove Little
August 18, 2005
http://www.eweek.com/article2/0,1895,1849870,00.asp
Apple moves 'aggressively' to limit OS X x86 videos
August 18, 2005
http://www.macnn.com/articles/05/08/18/cease.and.desist.issued/
It's amazing the number of TPM news articles. There is at least one a day. A year ago, hardly anybody knew about TPMs.
HP Client Manager / Protecttools
http://h18000.www1.hp.com/im/client_mgr.html
A FREE solution, HP Client Manager provides centralized hardware management for HP and Compaq business desktops, notebooks, and workstations from a Web browser. It lays the foundation of the Altiris infrastructure to provide HP- and Compaq-specific information that complements other Altiris solutions to fully address system lifecycle management needs. Features of HP Client Manager include:
Hardware inventory for asset management
PC health monitoring and hardware alarm notification
Diagnostics for remote troubleshooting
Change BIOS/security settings from the Management Console
SoftPaq acquisition and deployment
Manage TPM enabled HP clients with HP ProtectTools
Web-accessible reporting
HP Client Manager is included in the HP Client Foundation Suite and the HP Client Premium Suite.
Integration with HP Instant Support
HP Client Manager now integrates with HP Instant Support providing Web-based tools that help troubleshoot and diagnose hardware configuration issues and provide access to HP Services expertise.
Tight integration with HP Instant Support tools reduces troubleshooting and resolution time of hardware problems.
You can run diagnostics or system health scans that check your computers for hardware issues tracked by the HP Instant Support knowledgebase.
You can connect to an HP Support Representative through an Active Chat session if needed or link to the HP Instant Support knowledgebase for more information.
When you run a System Health Scan, HP Client Manager identifies the SoftPaqs needed to address issues. HP Client Manager automates the process of downloading and deploying the required SoftPaqs.
Integration of IS with HP CM gives IT Administrators access to Instant Support without giving up hardware and software configuration control to their end users.
Integration with HP ProtectTools
As a result of this integration, IT administrators can use HP Client Manager to identify and inventory HP client computers that include a TPM embedded security chip.
HP Client Manager can then install Protect Tools on those systems; and
HP Client Manager can remotely initialize the security chip on your computers, saving time in setting up a more secure client infrastructure.
» Learn More about HP ProtectTools
http://h18004.www1.hp.com/products/security/protecttools_smartcard.html
Winbond
I think this is the first time I've actually checked out the Winbond site (since Winbond acquired the Advanced PC division from National):
Desktop Trusted I/O
http://www.winbond-usa.com/mambo/content/view/209/418/
Notebook Trusted I/O
http://www.winbond-usa.com/mambo/content/view/206/415/
The diagrams appear to be the same as what I remember from National. Maybe someone on this board can find some new/interesting info??
Ottawa Linux Symposium, Day 2
Friday, July 22, 2005
http://os.newsforge.com/os/05/07/22/1054216.shtml?tid=2&tid=18
Atmel chip, IBM, CygnaCom Solutions
I don't remember this:
http://www.commoncriteriaportal.org/public/consumer/index.php?menu=4&orderindex=1&showcatago....
Link to:
April 8, 2005
Common Criteria Evaluation and Validation Scheme
Validation Report
Atmel AT97SC3201 TPM chip in IBM PC; testing performed by CygnaCom Solutions
http://www.commoncriteriaportal.org/public/files/epfiles/ST_VID3005-VR.pdf
I have no idea what this means:
9 Results of the evaluation
The evaluation determined the product to be Part 2 extended, Part 3 conformant and to meet the requirements of EAL 3 augmented with CC components ADV_SPM.1 (informal security policy model) and ALC_FLR.1 (basic flaw remediation).
Nokia whitepapers
It asks you to register, but it does not send you a confirmation; so you can put in random information into each field.
These papers are over a year old...
http://www.idgpartners.com/nokia/mobileconnectivity.jsp
http://www.idgpartners.com/nokia/mobiledevices.jsp
http://www.idgpartners.com/nokia/networksecurity.jsp
Webcast
http://www.idgpartners.com/nokia/wc_nokia.jsp
http://www.idgpartners.com/nokia/pdf/WhitePaper_Managing_Security_On_Mobile_Phones.pdf
http://www.idgpartners.com/nokia/pdf/WhitePaper_Making_Content_Mobile.pdf
http://www.idgpartners.com/nokia/pdf/Datasheet_Nokia_9300_9500_Communicator.pdf
http://www.idgpartners.com/nokia/pdf/nokia_mobile_vpn_datasheet.pdf
These papers discuss authenticating mobile devices via certificates, PKI and VPN.
Haven't found any links to TPMs, but still searching around.
Authentec
http://www.eeproductcenter.com/rf-micro/showArticle.jhtml?articleID=159401031
Fingerprint sensor touts security, navigation, and personalization for cell phones
Gina Roos
eeProductCenter
(03/10/2005 7:28 PM ET)
The manufacturer says
Melbourne, Fla. — AuthenTec has introduced its new EntrPad 1510 — the world's smallest, most powerful and versatile biometric fingerprint sensor, which combines high level security with a host of touch-powered features and functions for cell phones. The sensor is available today and already is being designed into several cell phones scheduled to be unveiled later this year.
The tiny, low-cost sensor is the first to feature AuthenTec's "The Power of Touch" approach, which enhances the overall consumer electronics experience by extending biometric technology beyond secure user authentication to take full advantage of the power of touch.
AuthenTec's EntrPad 1510 enables cell phone manufacturers to easily incorporate compelling new features and functions that are controlled at the simple touch or swipe of your finger. Capabilities include:
Security: protects important personal or business data, images and lists from theft or fraud; enables m-commerce and wireless banking.
Convenience: easily open applications or operate functions with the touch of a finger, rather than passwords or multiple keypad strokes.
Navigation: includes scroll wheel and full motion navigating that replaces keypads or other devices; enables wireless gaming
Personalization: enables personalization of a phone with features such as multi-finger speed dial, individualized buddy lists, and other functions.
Built on AuthenTec's best-in-class TruePrint technology, the EntrPad 1510 provides the most accurate and reliable security solution for the wireless market. Unlike competitive "surface based" solutions that read the top layer of a fingerprint, AuthenTec's TruePrint technology reads below the surface, enabling it to read virtually anyone's fingerprint.
In addition to its advanced security and touch features, the EntrPad 1510 is also the fastest sensor in the industry, which enables cell phones to quickly acquire finger images for authentication and detect motion for smoother navigation and gaming performance. The new sensor features the lowest power consumption and minimal system CPU loading — important factors for cell phone manufacturers. The sensor is extremely rugged, with proven scratch and impact resistance including wear and rub-resistance in excess of 10 million finger rubs.
"AuthenTec is changing the way the world uses fingerprint biometrics by incorporating the market's lowest-cost, most convenient and reliable authentication technology with innovation that enables finger-controlled function activation based on specific finger motions," said Scott Moody, president and CEO of AuthenTec. "The 1510 offers an all-in-one solution to designers and manufacturers of wireless electronic devices looking to add a premium end-user feature at a low-cost."
EntrPad 1510 Technology Highlights
Cost: Under $5 in quantities
Performance: Fast finger motion capture > 500 mm/sec, high-rate image capture greater than 1,500 frames per second
Size: 12 mm x 5 mm x 1.86 mm or 1.20 mm
Form Factors: 40 ball grid array
Mobile temp operation: -20°C to 70°C
Operating Systems: Microsoft Windows Mobile; Symbian 6.1, 8.x; Qualcomm REX, Linux
eePC's Gina Roos says
A new tinier biometric fingerprint sensor from AuthenTec combines security, navigation and personalization functionality in the industry's smallest package for cell phones. Touting a 33% smaller footprint than comparable sensors, the new low-cost EntrePad 1510 features the company's TruePrint technology and its newest approach to biometrics called "The Power of Touch". Plus, it's low cost, easy-to-use and provides speedy fingerprint imaging and motion.
What AuthenTec has done is to take biometric technology one step further beyond secure user authentication into the arena of navigation and personalization features. So this new all-in-one sensor can provide both a high level of security and touch-powered features and functions for cell phones.
This tiny sensor, which measures 12 x 5 mm, is the first to feature AuthenTec's "The Power of Touch" approach, which enables cell phone designers to easily incorporate new features and functions for security, navigation, or personalization that are controlled by a touch or the swipe of a finger.
"The Power of Touch" goes well beyond the classical security area of biometrics, and adds the element of convenience, making security practical, as well as providing personalization and navigation functionality, said Scott Moody, president and CEO of AuthenTec.
Initially, cell phone manufacturers focused on personal security to protect personal user information such as contact lists, photos and e-mail, Moody said. Today, cell phone makers are extending the idea of personal security to M-commerce, he said. Already in Japan, near field communications chips embedded with encryption technologies are being integrated into cell phones, allowing the phone to act as a credit card by using a fingerprint sensor to authenticate the transaction.
Built on AuthenTec's TruePrint RF-imaging technology, the EntrPad 1510 provides a reliable security solution for the wireless market. Unlike competitive surface-based solutions that read the top layer of a fingerprint, said the company, AuthenTec's TruePrint technology reads below the surface, enabling it to read virtually anyone's fingerprint.
TruePrint Technology
This new sensor also includes several key new capabilities. For security applications, the new sensor helps protect personal or business data, images and other important information from theft or fraud as well as enables M-commerce and wireless banking. It also allows users to easily open applications or to operate functions with the touch of a finger rather than with passwords or multiple keypad strokes.
Particularly targeting wireless gaming applications, advanced navigation features provide a wide range of finger speed and direction detection including scroll wheel and full motion navigation to replace keypads or other devices. It also enables easy control of screen menus and graphical content.
The primary driver behind "The Power of Touch" for navigation is to improve the gaming experience on the cell phone. The idea of using the fingerprint sensor for navigation is to eventually replace the mechanical button and use it as a joystick in every direction and at every speed, Moody said.
Personalization opens the door to a new world of wireless features, giving users nearly unlimited ways to personalize their phones. This allows users to personalize their cell phones with features such as multi-finger speed dial, individualized buddy lists, and other functions. For example, it offers users the potential of setting each of their fingers for different tasks.
The new sensor also provides for easy integration by providing multiple system interfaces including 4-bit parallel and synchronous serial interfaces. The master-mode SSI permits image capture via a SMA channel, which eliminates the need for the application processor to obtain images or navigation data.
Optimized for wireless applications, the EntrePad 1510 uses synchronous serial or 4-bit parallel interfaces.
This brings us to the issue of power consumption. Key features, developed specifically for cell phone designers, are the device's low power consumption and minimal system CPU loading. Once again AuthenTec has significantly reduced the processor load whether the sensor is being used in imaging or navigation mode. Power consumption (at 2.5 volts) is 35 milliamps (mA) for peak imaging, less than 0.3 mA for finger detection and less than 3.5 mA in navigation mode. (Search www.eeproductcenter.com for article ID 22100509.)
The company also touts that the EntrPad 1510 is the fastest sensor in the industry, which enables cell phones to quickly acquire finger images for authentication and detect motion for smoother navigation and gaming performance. Finger motion capture (in all directions) is rated at greater than 500 mm/second and image capture is rated at greater than 1,500 frames per second. This is faster than AuthenTec's previous introduction, the AES2510, with an image capture of 240 frames per second.
The sensor is also extremely rugged, with scratch and impact resistance including wear and rub-resistance in excess of 10 million finger rubs.
The company also provides hardware, software and support for integration. This includes sensor control, fingerprint matching algorithms, and device drivers for Microsoft Windows Mobile, Symbian 6.1, 8.x, Qualcomm REX and Linux.
Packaged in an ultra-small 40 ball grid array package, the 12 x 5 mm EntrePad 1510 is available in two thicknesses of 1.20 mm and 1.86 mm. The new device is priced at less than $5 in volume quantities.
AuthenTec, 1-321-308-1300, www.authentec.com
Dell ETS 2.0 capabilities?
Did the Dell representative give you any specs on the software? What are the additional features (above and beyond 1.0)?
Thanks
Does the bolded phrase mean that Waves' KTM Enterprise AD product will be subsumed by Microsoft AD?
Hopefully, corporations and government feel it's worth while to spend the $10,000 for Wave's KTM in the meantime.
http://www.microsoft.com/technet/windowsvista/evaluate/feat/secfeat.mspx
Feature Description
Theft or loss of corporate intellectual property is an increasing concern for organizations. Windows Vista has improved support for data protection at the document, file, directory, and machine level. The integrated Rights Management client allows organizations to enforce policies around document usage. The Encrypting File System, which provides user-based file and directory encryption, has been enhanced to allow storage of encryption keys on Smart Cards, providing better protection of encryption keys. In addition, the new secure startup enterprise feature adds machine-level data protection. On a computer with appropriate enabling hardware, it provides full volume encryption of the system volume, including Windows system files and the hibernation file, which helps protect data from being compromised on a lost or stolen machine. In order to provide a solution that is easy to deploy and manage, a Trusted Platform Module (TPM) 1.2 chip is used to store the keys that encrypt and decrypt sectors on the Windows hard drive. It requires the TPM and an enterprise management infrastructure to ensure that the feature is easy to use for end users.
Secure Startup's full volume encryption seals the symmetric encryption key in a Trusted Platform Module (TPM) 1.2 chip. A TPM chip is a hardware component available in some newer computers that stores keys, passwords, and digital certificates.
Secure Startup also stores measurements of core operating system files in a TPM chip. Every time the computer is started, Windows Vista verifies that the operating system files have not been modified in an offline attack. An offline attack is a scenario where an attacker boots an alternative operating system in order to gain control of the system. If the files have been modified, Windows Vista alerts the user and refuses to release the key required to access Windows. The system then goes into a recovery mode, prompting the user to provide a recovery key to allow access to the boot volume.
Recovery mode is also used if a disk drive is transferred to another system. Recovery mode requires a recovery key that is generated when Secure Startup is enabled, and that key is specific to one machine. As a result, Secure Startup is intended for enterprises with a management infrastructure in place to store the recovery keys, such as Active Directory. Otherwise, there is the potential for data loss if a computer fails and its drive is moved to another computer and the recovery key is not available.
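The measure, seal and recover flow the excerpt describes, as an added Python simulation that is not Microsoft's code: the SimulatedTPM class, its HMAC-based wrapping, and the boot file contents are constructed stand-ins for the real TPM 1.2 seal/unseal commands and a real boot volume.

```python
"""Simulation of the Secure Startup flow: core OS files are measured into a
TPM-style PCR at boot, the volume key is sealed to that measurement, and a
mismatch (offline modification, or the drive moved to another machine) forces
recovery mode, which needs the recovery key generated when the feature was enabled."""
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# TPM 1.2 PCRs are 20-byte SHA-1 registers, reset to zero at power-on.
PCR_INIT = b"\x00" * 20


def extend_pcr(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 PCR extend: new = SHA1(old || SHA1(data)). Order-dependent and one-way."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_boot_files(files: Dict[str, bytes]) -> bytes:
    """Extend each boot file into the PCR in a fixed order, as early boot code would."""
    pcr = PCR_INIT
    for name in sorted(files):
        pcr = extend_pcr(pcr, files[name])
    return pcr


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SimulatedTPM:
    """Hypothetical stand-in for a TPM 1.2 chip (constructed for this example).

    The storage root key never leaves the chip; a secret sealed to a PCR value is
    released only when the chip's current PCR equals the value it was sealed to."""

    def __init__(self) -> None:
        self._srk = secrets.token_bytes(32)

    def seal(self, secret: bytes, expected_pcr: bytes) -> dict:
        assert len(secret) == 32, "this toy wrap handles 32-byte secrets only"
        wrap = hmac.new(self._srk, b"seal" + expected_pcr, hashlib.sha256).digest()
        ct = _xor(secret, wrap)
        mac = hmac.new(self._srk, expected_pcr + ct, hashlib.sha256).digest()
        return {"pcr": expected_pcr, "ct": ct, "mac": mac}

    def unseal(self, blob: dict, current_pcr: bytes) -> Optional[bytes]:
        # A blob sealed by a different chip (drive transferred) fails the MAC check;
        # a blob sealed to different measurements (files modified offline) fails the PCR check.
        if not hmac.compare_digest(blob["pcr"], current_pcr):
            return None
        expected_mac = hmac.new(self._srk, current_pcr + blob["ct"], hashlib.sha256).digest()
        if not hmac.compare_digest(blob["mac"], expected_mac):
            return None
        wrap = hmac.new(self._srk, b"seal" + current_pcr, hashlib.sha256).digest()
        return _xor(blob["ct"], wrap)


def _recovery_wrap(recovery_key: bytes) -> bytes:
    return hmac.new(recovery_key, b"recovery", hashlib.sha256).digest()


def enable_secure_startup(tpm: SimulatedTPM, boot_files: Dict[str, bytes]) -> Tuple[dict, bytes, bytes]:
    """Generate the volume key, seal it to the current measurements, and produce the
    machine-specific recovery key. Returns (on-disk metadata, recovery key, volume key);
    the recovery key is what an enterprise would escrow in Active Directory."""
    volume_key = secrets.token_bytes(32)
    recovery_key = secrets.token_bytes(32)
    sealed = tpm.seal(volume_key, measure_boot_files(boot_files))
    recovery_blob = _xor(volume_key, _recovery_wrap(recovery_key))  # independent of the TPM
    return {"sealed": sealed, "recovery_blob": recovery_blob}, recovery_key, volume_key


def boot(tpm: SimulatedTPM, metadata: dict, boot_files: Dict[str, bytes],
         recovery_key: Optional[bytes] = None) -> Tuple[str, Optional[bytes]]:
    """Re-measure the boot files and ask the TPM for the volume key.
    Returns ('normal', key), ('recovery_required', None) or ('recovered', key)."""
    key = tpm.unseal(metadata["sealed"], measure_boot_files(boot_files))
    if key is not None:
        return "normal", key
    if recovery_key is None:
        return "recovery_required", None
    return "recovered", _xor(metadata["recovery_blob"], _recovery_wrap(recovery_key))


if __name__ == "__main__":
    # Constructed boot files standing in for the core OS files the excerpt mentions.
    files = {"ntldr": b"bootloader build 1", "hal.dll": b"hal build 1"}
    tpm = SimulatedTPM()
    meta, rk, vk = enable_secure_startup(tpm, files)
    print("clean boot:", boot(tpm, meta, files)[0])
    tampered = dict(files, **{"hal.dll": b"hal build 1 + offline patch"})
    print("tampered boot:", boot(tpm, meta, tampered)[0])
    print("tampered boot with recovery key:", boot(tpm, meta, tampered, rk)[0])
    print("drive moved to another machine:", boot(SimulatedTPM(), meta, files)[0])
```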
Yes and No. If you are referring to the following phrase, I suspect it is more related to Windows Group Policy (GPO):
Windows Vista includes an agent that can prevent a client from connecting to your internal network if the client lacks current security updates, lacks virus signatures, or otherwise fails to meet your security criteria.
Searching around on Microsoft's site, I haven't found any significant changes to GPOs in Vista. I also haven't found any information on Microsoft's website to indicate how GPOs will specifically interact with TPMs. The only information, I have been able to find regarding this is from Wave's website:
Policy-Driven — KTM Enterprise Server AD is policy-driven and designed to work with trusted platforms and enterprises having different security policies. The policy editor allows an administrator to set policies. Policies are administered through Active Directory and the server policies override client settings.
I suspect when Vista is introduced, GPOs will be able to interact with TPMs in a manner that makes the enterprise even more secure. For instance, one security criterion could be to permit only computers with TPMs to connect to the internal LAN, much the same way ISPs do not allow computers to connect to their network if they are infected with a virus.
As we all know, computers w/o TPMs will eventually be seen as a security risk to the network.
Vista & TPMs
http://www.microsoft.com/technet/windowsvista/evaluate/overvw.mspx#EFAA
Here's an excerpt:
Network Access Protection
Windows Vista includes an agent that can prevent a client from connecting to your internal network if the client lacks current security updates, lacks virus signatures, or otherwise fails to meet your security criteria. Network Access Protection can be used to protect remote access clients as well as local area network (LAN) connections. The agent reports Windows Vista client health status (such as having current updates and up-to-date virus signatures installed) to the server-based network access protection enforcement service, which determines whether to grant the client access to the internal network or to restrict it to a protected network. The client functionality is dependent on the Network Access Protection infrastructure, which will be included with Windows Server "Longhorn".
Platform Improvements
Windows Vista's authentication capabilities are more flexible, providing a variety of choices for customized authentication mechanisms such as fingerprint scanners and smart cards. Deployment and management tools, such as self-service personal identification number (PIN) reset tools, make smart cards easier to manage and deploy. Smart cards can now be used to log on to Windows Vista, too. Further, Windows Vista enables authentication using Internet Protocol version 6 (IPv6) or Web services.
Certificate enrollment is made easier because Windows Vista includes Credential Manager enhancements that enable backing up and restoring credentials stored on the local computer. The new Digital Identity Management Service (DIMS) provides certificate and credential roaming within an Active Directory forest and end-to-end certificate life cycle management scenarios.
Windows Vista's auditing capabilities make it easier to track what users do. Auditing categories now include multiple subcategories, reducing the number of irrelevant events. Windows Vista integrated audit event forwarding collects and forwards critical audit data to a central location, enabling enterprises to better organize and analyze audit data.
Multi-Tiered Data Protection
Theft or loss of corporate intellectual property is an increasing concern for organizations. Windows Vista has improved support for data protection at the document, file, directory, and machine levels. The integrated Rights Management client allows organizations to enforce policies around document usage. The Encrypting File System, which provides user-based file and directory encryption, has been enhanced to allow storage of encryption keys on smart cards, providing better protection of encryption keys. In addition, the new secure startup enterprise feature adds machine-level data protection. It provides full volume encryption of the system volume, including Windows system files and the hibernation file, which helps protect data from being compromised on a lost, stolen OR RECYCLED machine. In order to provide a solution that is easy to deploy and manage, a Trusted Platform Module (TPM) 1.2 chip is used to store the keys that encrypt and decrypt sectors on the Windows hard drive. It requires the TPM and an enterprise management infrastructure to ensure that the feature is easy to use for end users.
Wave Revenue recap
Period Net Revenue Net Loss Loss Per Share
6 mo 2004 $335,000 $8.7 million 0.11
Q2 2005 $258,000 $4.2 million 0.05
Q1 2005 $78,000 $4.5 million 0.06
Period Net Revenue Net Loss Loss Per Share
Year 2004 $209,000 $14.5 million 0.21
Q4 2004 $108,000 $3.0 million 0.04
Q3 2004 $44,000 $3.8 million 0.05
Q2 2004 $6,000 $4.3 million 0.06
Q1 2004 $50,000 $3.5 million 0.05
Period Net Revenue Net Loss Loss Per Share
Year 2003 $189,000 $25.3 million 0.45
Q4 2003 $59,000 $4.3 million 0.07
Q3 2003 $80,000 $8.3 million 0.15
Q2 2003 $34,000 $6.3 million 0.12
Q1 2003 $16,000 $6.4 million 0.05
Period Net Revenue Net Loss Loss Per Share
Year 2002 $447,000 $43.4 million 0.85 Includes Globalwave & SSP charges
Digital Set Top Boxes - Wave Systems referenced
Some presentations in this directory were posted on May 26, 2005. Is this really this recent? Or is it old?
http://www.citi.columbia.edu/conferences/iptv2/
This slide references Wave Systems:
http://www.citi.columbia.edu/conferences/iptv2/mendelson_ITVmap7.pdf
What is this? Is it anything significant?
Reviewing the Microsoft and HP WinHEC presentation again:
http://download.microsoft.com/download/9/8/f/98f3fe47-dfc3-4e74-92a3-088782200fe7/TWAR05010_WinHEC05...
Some highlights:
Provide infrastructure for 3rd party developers and system manufacturers to add value
Slide 9:
Shows how Microsoft Vista will incorporate TPM functionality into the OS: TBS replacing the TDDL
Presentation also discusses Secure startup and binding the TPM to the platform.
Slide 25:
Remote Deployment Consideration
Customers demand automated mechanism to activate and take ownership of TPM
This reminds me of:
http://www.wave.com/products/ktmes.html
Automated Client Setup Options — KTM Enterprise Server AD supports automated software distribution technologies for the client install such as Windows Server 2003 Group Policy and Microsoft SMS. KTM includes unique features so that software administrators can centrally install and manage the client deployments throughout the organization. KTM client software may be installed and configured, and can then perform the initial archive without user intervention.