AI
Thursday, December 18, 2003 11:03:14 AM
For the newbies and anyone who cares:
Wave's future relies on the re-architecture of the PC. This re-vamp will include many changes besides just putting a TPM on the motherboard. In fact, you will see many implementations where the stand-alone TPM chip is not the only chip in the system. These will be PC applications. The reason I say this is that looking at the LaGrande Technology (LT) architecture for protection, and the AMD technology coming in their K5-K9 processors, we see that there are many areas of hardware chip upgrades necessary. The TPM is currently designed on the motherboard for a PC application, yes. However, for LaGrande and AMD's technology to work, secure I/O is required. Looking more closely at secure I/O, the Super I/O controller is also located on the motherboard. So why not build a TPM core to be fabbed into the I/O controller? Same thing with graphics being sent to your monitor or TV.
Wave is not about "being in a DVR (digital video recorder)" as someone put it. Wave is about creating and managing an architecture of support for trust and security inside the PC, and on the other end, the server side, through attestation of system architecture and key management.
This includes hardware manufacturers making a TPM, a Super I/O controller, and a secure graphics processor (all three being hardware chipsets) that supports this new architecture! This is not about TPM-only. It is clearly depicted in this graphic from Intel:
I/O Controller
The I/O controller must be secure, which requires hardware support. Therefore, there must be TPM-like functions built into the I/O controller. The controller will protect the information coming from the floppy drive, hard drive (Seagate), keyboard keystrokes, mouse and other I/O peripherals.
Graphics Controller
Microsoft's description of a NGSCB-Enabled Gfx Chipset
NGSCB-enabled computers require a specially designed chipset, which is currently being developed by multiple vendors. This chipset includes the following basic features to support NGSCB functionality:
-Page-granular DMA protection in collaboration with the NGSCB-enabled CPU
-System management mode (SMM) containment in collaboration with the NGSCB-enabled CPU
-NGSCB features implemented in the bus bridge or memory controller
-Memory, I/O controller, and bridges that follow the parameters set by the DMA exclusion vector, which is an in-memory, 1-bit-per-page table that may be cached and that ensures that DMA devices do not read or write to the secure area of memory
-DMA exclusion vector programming under nexus control
-Memory reset scrub if the protected environment fails
-Connectivity with the SSC
The SSC is Microsoft's word for TPM.
As you can see, there are multiple vendors creating the secure graphics processors. There are also multiple vendors creating the secure super i/o controllers and there are also multiple vendors creating the TPM controllers. All of these hardware units will have to talk to each other, and to an outside source that holds the master keys to make sure that the hardware has not been compromised. They will also have to talk to outside servers to make sure that the PC accessing content (from a Disney server), running on a Disney media player (and they did develop one, gee, wonder why?), is the correct PC that is supposed to have access.
How it works (generally)
At boot-up (skipping secure boot), the CPU(prescott) will "handshake" with the o/s(NGSCB) to see if the architecture/platform to support trusted computing is there. In other words, it will check to see if there is a TCPA TPM, Super I/O and "protected" graphics controller to support the system, a nexus, and the user has actually turned this all "on".
Once this initializing process is done, the nexus will ask the CPU to initiate authenticated startup which starts the nexus security kernel. This clears the hardware and loads the nexus kernel into physical memory to be used. The operating system will make sure that no other processors are interuppting this process and that it is secure. Once complete, the CPU then hands over control to the nexus, which will process data and transactions in a protected mode.
The other TCPA hardware in the PC will recognize the system as running in nexus mode and support it.
Wave's Business Model
From Microsoft:
Hardware Certification
NGSCB-enabled motherboards should have a certificate to identify the origin of the system. This certificate can be provided by the system's original equipment manufacturer (OEM) or by the motherboard manufacturer. It could be downloaded as part of the initial system setup process. Additional certificates (for example, SSC certificates) may also be required to generate the motherboard certificate. NGSCB enables any number of trusted internal or external entities to interact with a secure component or platform. Because multiple parties can independently evaluate and certify NGSCB-enabled systems, users will be able to obtain verification of their system’s operation from organizations that they trust. Additionally, this environment will form the basis for a strong business incentive to preserve and enhance privacy and security and offers the opportunity for affinity programs that allow customers to identify NGSCB-enabled systems.
© 2003 Microsoft Corporation. All rights reserved.
--------------------------------------------------------------------------------
Wave is no longer in the $1-per-applet business, but rather in the verification-of-applet-and-hardware business...the recover-my-hardware business....the make-sure-I-don't-lose-everything-if-my-hardware-fails business...the stamp-this-hardware-at-manufacture business. Wave's IP is more centered around making sure that the PC hardware is the PC hardware that's supposed to be there. That the applet that's on your PC, is the applet that is supposed to be there. That if someone needs a new applet (like lets say I want to do online bill pay from now on with my bank), that banking bill-pay applet is sent securely to my PC, and uncompromised when sent - and initiated properly so that its all secure and using the proper keys (mine). To make sure that nothing has been compromised across the entire system. To make sure that 2nd and 3rd party servers and PCs can communicate to each other securely and its a trustworthy system. (the Lark Allen bank truck powerpoint slide). There will be client technology that hand-shakes with server technology to get this done, and it will be Wave's on both sides.
In Simpler Terms
Think of Wave as a security company. They want to secure the ticketing agency (Ticketmaster) and the arenas (sports, concerts, etc). When you buy a ticket for an NFL game, it doesn't matter which "game" it is, or what "team" (Chicago Bears, etc. can be equated to a software program, any software). Wave doesn't care which software, or what team or concert. You are buying a ticket and they want to certify it (assign it a "key" to identify it). When you take that ticket to the NFL arena, or the concert (Wave wants to be there at the gate, looking at your ticket, and checking it to make sure its genuine, not a copy, or altered to assign you a better seat all without knowing who you are). To Wave, it doesn't matter if there is a concert or football game, or not, or who is playing or if a team (software) has a "bye" or if its the off season. The stadiums (client computers) need to be secured everyday of the week, and the security company gets paid regardless. But, they will have a couple teams playing here and there called WaveXpress, SignOnline, TVTonic, etc. That will add to their share of the revenue from that arena (computer), each time those teams "play" or give a "concert".
In other words, if you do business with someone over the internet, you want to know that the person on the other end is who they say they are. To accomplish this, when that person's pc was made, and when the chips in that person's PC (and your PC) were made, they will be validated with certificates and keys. These keys must not be compromised. Secondly, when that person "turned on" the hardware, that hardware and software you each are using should have been installed without interruption. If you decided to download someone else's software from the net to use (like your bank's online bill pay), your bank, you, and the independent server that you all verify yourselves with should have your keys and certificates attested to, and made sure they are the right ones. If your hardware is compromised or your software is hacked, the people doing business with you (your bank, your shopping websites, your whatever) need to know that you are an anomaly immediately to not give anyone access to your information. Wave Systems is creating the technology to do this. Not to just send secure emails...to secure the communication channels between Joe's PC and Sara's PC and let Joe know that Sara is who Sara says she is.
Evidence
There already have been many instances of evidence uncovered. Intel is shipping TPM-enabled motherboards with Wave software as part of the installation CD. Intel has Wave and Wave's software listed on the outside of the box. NSM has shipped SafeKeeper PCs that have used Wave's IP to make the chips, themselves. Many companies are building TPMs and graphics and I/O controllers (NSM). Atmel, Infineon, NSM, STMicro are all doing TPMs today. Broadcom is putting TPM chips on their gateways for wireless users. Intel has recently announced that they will begin to make graphics chips. Wave's model of security and distribution is coming alive due to this hardware being built and deployed. Some is built and deployed with Wave technology, some is not. Again, it doesn't matter. Wave just needs the hardware to be OUT there, and "turned on" to be generating revenues for them.
This is all my opinion of course, and I could be wrong. No one should trade or buy stock on this post. This is merely an opinion to hopefully generate dialogue on the direction of the company Wave Systems.
Wave's future relies on the re-architecture of the PC. This re-vamp will include many changes besides just putting a TPM on the motherboard. In fact, you will see many implementations where the stand-alone TPM chip is not the only chip in the system. These will be PC applications. The reason I say this is that looking at the LaGrande Technology (LT) architecture for protection, and the AMD technology coming in their K5-K9 processors, we see that there are many areas of hardware chip upgrades necessary. The TPM is currently designed on the motherboard for a PC application, yes. However, for LaGrande and AMD's technology to work, secure I/O is required. Looking more closely at secure I/O, the Super I/O controller is also located on the motherboard. So why not build a TPM core to be fabbed into the I/O controller? Same thing with graphics being sent to your monitor or TV.
Wave is not about "being in a DVR (digital video recorder)" as someone put it. Wave is about creating and managing an architecture of support for trust and security inside the PC, and on the other end, the server side, through attestation of system architecture and key management.
This includes hardware manufacturers making a TPM, a Super I/O controller, and a secure graphics processor (all three being hardware chipsets) that supports this new architecture! This is not about TPM-only. It is clearly depicted in this graphic from Intel:
I/O Controller
The I/O controller must be secure, which requires hardware support. Therefore, there must be TPM-like functions built into the I/O controller. The controller will protect the information coming from the floppy drive, hard drive (Seagate), keyboard keystrokes, mouse and other I/O peripherals.
Graphics Controller
Microsoft's description of a NGSCB-Enabled Gfx Chipset
NGSCB-enabled computers require a specially designed chipset, which is currently being developed by multiple vendors. This chipset includes the following basic features to support NGSCB functionality:
-Page-granular DMA protection in collaboration with the NGSCB-enabled CPU
-System management mode (SMM) containment in collaboration with the NGSCB-enabled CPU
-NGSCB features implemented in the bus bridge or memory controller
-Memory, I/O controller, and bridges that follow the parameters set by the DMA exclusion vector, which is an in-memory, 1-bit-per-page table that may be cached and that ensures that DMA devices do not read or write to the secure area of memory
-DMA exclusion vector programming under nexus control
-Memory reset scrub if the protected environment fails
-Connectivity with the SSC
The SSC is Microsoft's word for TPM.
As you can see, there are multiple vendors creating the secure graphics processors. There are also multiple vendors creating the secure super i/o controllers and there are also multiple vendors creating the TPM controllers. All of these hardware units will have to talk to each other, and to an outside source that holds the master keys to make sure that the hardware has not been compromised. They will also have to talk to outside servers to make sure that the PC accessing content (from a Disney server), running on a Disney media player (and they did develop one, gee, wonder why?), is the correct PC that is supposed to have access.
How it works (generally)
At boot-up (skipping secure boot), the CPU(prescott) will "handshake" with the o/s(NGSCB) to see if the architecture/platform to support trusted computing is there. In other words, it will check to see if there is a TCPA TPM, Super I/O and "protected" graphics controller to support the system, a nexus, and the user has actually turned this all "on".
Once this initializing process is done, the nexus will ask the CPU to initiate authenticated startup which starts the nexus security kernel. This clears the hardware and loads the nexus kernel into physical memory to be used. The operating system will make sure that no other processors are interuppting this process and that it is secure. Once complete, the CPU then hands over control to the nexus, which will process data and transactions in a protected mode.
The other TCPA hardware in the PC will recognize the system as running in nexus mode and support it.
Wave's Business Model
From Microsoft:
Hardware Certification
NGSCB-enabled motherboards should have a certificate to identify the origin of the system. This certificate can be provided by the system's original equipment manufacturer (OEM) or by the motherboard manufacturer. It could be downloaded as part of the initial system setup process. Additional certificates (for example, SSC certificates) may also be required to generate the motherboard certificate. NGSCB enables any number of trusted internal or external entities to interact with a secure component or platform. Because multiple parties can independently evaluate and certify NGSCB-enabled systems, users will be able to obtain verification of their system’s operation from organizations that they trust. Additionally, this environment will form the basis for a strong business incentive to preserve and enhance privacy and security and offers the opportunity for affinity programs that allow customers to identify NGSCB-enabled systems.
© 2003 Microsoft Corporation. All rights reserved.
--------------------------------------------------------------------------------
Wave is no longer in the $1-per-applet business, but rather in the verification-of-applet-and-hardware business...the recover-my-hardware business....the make-sure-I-don't-lose-everything-if-my-hardware-fails business...the stamp-this-hardware-at-manufacture business. Wave's IP is more centered around making sure that the PC hardware is the PC hardware that's supposed to be there. That the applet that's on your PC, is the applet that is supposed to be there. That if someone needs a new applet (like lets say I want to do online bill pay from now on with my bank), that banking bill-pay applet is sent securely to my PC, and uncompromised when sent - and initiated properly so that its all secure and using the proper keys (mine). To make sure that nothing has been compromised across the entire system. To make sure that 2nd and 3rd party servers and PCs can communicate to each other securely and its a trustworthy system. (the Lark Allen bank truck powerpoint slide). There will be client technology that hand-shakes with server technology to get this done, and it will be Wave's on both sides.
In Simpler Terms
Think of Wave as a security company. They want to secure the ticketing agency (Ticketmaster) and the arenas (sports, concerts, etc). When you buy a ticket for an NFL game, it doesn't matter which "game" it is, or what "team" (Chicago Bears, etc. can be equated to a software program, any software). Wave doesn't care which software, or what team or concert. You are buying a ticket and they want to certify it (assign it a "key" to identify it). When you take that ticket to the NFL arena, or the concert (Wave wants to be there at the gate, looking at your ticket, and checking it to make sure its genuine, not a copy, or altered to assign you a better seat all without knowing who you are). To Wave, it doesn't matter if there is a concert or football game, or not, or who is playing or if a team (software) has a "bye" or if its the off season. The stadiums (client computers) need to be secured everyday of the week, and the security company gets paid regardless. But, they will have a couple teams playing here and there called WaveXpress, SignOnline, TVTonic, etc. That will add to their share of the revenue from that arena (computer), each time those teams "play" or give a "concert".
In other words, if you do business with someone over the internet, you want to know that the person on the other end is who they say they are. To accomplish this, when that person's pc was made, and when the chips in that person's PC (and your PC) were made, they will be validated with certificates and keys. These keys must not be compromised. Secondly, when that person "turned on" the hardware, that hardware and software you each are using should have been installed without interruption. If you decided to download someone else's software from the net to use (like your bank's online bill pay), your bank, you, and the independent server that you all verify yourselves with should have your keys and certificates attested to, and made sure they are the right ones. If your hardware is compromised or your software is hacked, the people doing business with you (your bank, your shopping websites, your whatever) need to know that you are an anomaly immediately to not give anyone access to your information. Wave Systems is creating the technology to do this. Not to just send secure emails...to secure the communication channels between Joe's PC and Sara's PC and let Joe know that Sara is who Sara says she is.
Evidence
There already have been many instances of evidence uncovered. Intel is shipping TPM-enabled motherboards with Wave software as part of the installation CD. Intel has Wave and Wave's software listed on the outside of the box. NSM has shipped SafeKeeper PCs that have used Wave's IP to make the chips, themselves. Many companies are building TPMs and graphics and I/O controllers (NSM). Atmel, Infineon, NSM, STMicro are all doing TPMs today. Broadcom is putting TPM chips on their gateways for wireless users. Intel has recently announced that they will begin to make graphics chips. Wave's model of security and distribution is coming alive due to this hardware being built and deployed. Some is built and deployed with Wave technology, some is not. Again, it doesn't matter. Wave just needs the hardware to be OUT there, and "turned on" to be generating revenues for them.
This is all my opinion of course, and I could be wrong. No one should trade or buy stock on this post. This is merely an opinion to hopefully generate dialogue on the direction of the company Wave Systems.
Join the InvestorsHub Community
Register for free to join our community of investors and share your ideas. You will also get access to streaming quotes, interactive charts, trades, portfolio, live options flow and more tools.
