
Re: awk post# 13825

Wednesday, 10/15/2003 11:23:25 AM

awk

"I have addressed this to the company and will report if and when I hear something on this subject."

Intel or Wave?


The difference between the IBM, Infineon and Wave back-up and restore migration products is that Wave's uses an attestation server and Infineon's and IBM's do not. Again, I would say this is the case of local data (no attestation server) vs. network data (attestation server). Trusted Computing is of limited value until it is networked to trusted third parties.

My conclusion therefore is that the Wave KTM is far more robust than the Infineon TPM Professional Package (and the IBM User Verification Manager). Now...it's unclear to me if the Wave back-up/restore mechanisms included in the Intel TPM user guide are simply a "basic" (local data) version of the KTM or are in fact KTM (network data). In any case there must be education and marketing to prospective enterprise accounts now taking place...well, the difference between network attestation vs. none should be pretty apparent to prospective TPM users.

I believe the choice is: pay Wave a Premium Service for "network" (trusted third party) back-up and restore migration OR pay nothing and you can use either Wave "standard" (CD comes bundled with motherboard) Embassy Trust Suite or the Infineon Security Platform Software for "local" (private network) back-up and restore migration.


From the TCG Solutions Catalog:


Back-up, Restore Migration Administration

Back-up and restore migration products provide IT administrators with the tools
to service users in case of a Trusted Platform Module (TPM) or platform
malfunction and also support upgrades to a new platform. Included capabilities
for secure remote archival of sensitive keys that have been established with the
platform properties. Additionally, retrieval of the archived information requires
authorized access based upon the security policy established at the initiation of
the archival process. While the keys can be restored to the original platform, the
primary purpose of back-up restore and migration in the TCG context is to
support the secure restore onto another platform.
Products that support these capabilities are noted below.


IBM User Verification Manager *(UVM) www.pc.ibm.com/us/security/index.html

IBM’s User Verification Manager serves as a translator between applications and
authentication devices. This middleware layer helps protect applications from
requiring knowledge of the authentication devices and manages the security
policies for the system. UVM provides an interface for applications. Via this
interface applications can have critical information stored securely by the UVM.
UVM also provides an interface for communicating with authentication devices.


Wave Systems Key Transfer Manager* (KTM) http://www.wave.com

KTM provides for enterprise control and management of the archived TPM data,
which surpasses any existing TCG backup and restore solutions available today.
It also provides a consistent way to utilize and secure access to enterprise-managed
backup key(s).
KTM’s flexible, policy-driven server infrastructure is web-based and secured by a
Hardware Security Module (HSM). The KTM product includes the requisite
corresponding client utility and middleware. Wave Systems supports both
license and ASP* (Application Service Provider) models.
Key Transfer Manager* makes a complex issue easy to administer and allows a
business to manage its TPM-secured intellectual property assets securely. KTM
can be integrated with other products in Wave’s offering of the EMBASSY Trust
Suite Client and Server Solutions for a robust environment for trusted platforms.


Infineon Technologies* TPM Professional Package* http://www.infineon.com

The Infineon Management software enables the TPM user to back-up and
migrate their secrets. Migration enables the secure and user controlled transfer
of secrets to the TPM on another platform. The target PCs have to be authorized
by the system administrator to maintain the system security. This mechanism
allows users to utilize the secrets in a secure manner on different platforms. The
solution strongly separates administrator and users giving the administrator
policy rights but no access to the user data and secrets.


