Tuesday, October 12, 2004 1:12:48 PM
(Wave mention) Should Your Computer Trust You?
under the section titled "leveraging TPMs"
http://www.epn-online.com/page/15671/should-your-computer-trust-you----an-insight-on-the-meaning-of-...
An insight on the meaning of trusted computing platforms
Trusted computing platforms
October 2004
In 1999, Compaq, HP, IBM, Intel and Microsoft initiated an industry standards body, now known as the Trusted Computing Group (TCG, at www.trustedcomputinggroup.org), dedicated to enhancing the security of the computing environment across multiple platforms and devices. The TCG now comprises over 50 members, implementing so-called trusted computing platforms (TCP) either in discrete hardware or by embedding IP blocks within processor chips. One key objective of building TCP modules is to prevent identity theft from both external software attack and physical theft, protecting passwords and keys. Another strong point of TCP implementations is the capability to validate a machine's original configuration before it allows any transactions, hence securing data access and enabling online commerce transactions. The basic idea behind a Trusted Platform Module (TPM) is to offer shielded locations in hardware (memory, registers, etc.) where it is safe to operate on sensitive data. These locations protect a unique Endorsement Key (EK, 2048 bits long) that can be generated by the TPM manufacturer on the wafer or by the OEM, and from which several Attestation Identity Keys can be derived for accessing different services under different identities (all this managed by the user), effectively creating the basis for a public key infrastructure. The TPM also protects encrypted integrity measurements about the computer platform, known as Platform Configuration Registers (PCRs). This encrypted data is used as a fingerprint of the hardware and software configuration.
Who do you want to trust?
So not only is the platform identified, but it is also checked to be running in the appropriate configuration, hence preventing software-based attacks (these would change the hashed value of the integrity measurements). But then, the number of permutations of devices, services, and hardware/software/firmware versions is too large to be completely defined at all times. At corporate level, this may be solved by strict policy and control, or by staged measurements and updates, ensuring that certain software is properly running and updated before granting a machine access to sensitive network resources. But for consumers who are not backed up by an IT department, and who subscribe to different services whose providers implement TPM security, keeping the PCRs up to date may prove quite a challenge. Indeed, if paid services require a specific configuration, and the user changes this configuration (either knowingly or not, maybe due to shared-component issues, and not necessarily due to a virus attack), then they should be denied access to those services. In order to re-qualify for the service, the user will need to undo the changes, or reinstall the affected software components. Of course, finding the fault may not be obvious and no one wants to take the blame. This may raise some conflicts of interest too, say between different content providers requiring exclusive platform configurations to offer their services. Well, if a TPM-based system denies a valid user access for too trivial a reason too often, it will be rejected. In fact, the TPM must be enabled by the owner, and it can be turned off (giving up on the whole idea altogether). Many computers, if not most new ones, are already shipping with TPMs mounted, with little user awareness so far. Economics will tell what's worth protecting first, the user's interests or the service provider's.
Some specifications for TPMs
TCG 1.1 specifications require that private key data never leaves the TPM, which can't be removed or swapped without triggering a status change. The module should have the capability to implement all TPM commands, with an internal math engine to accelerate asymmetric key generation, encryption, decryption, hashing (SHA-1) for measurement values, and random number generation (RNG). It must be built with tamper resistance to prevent physical attacks that might reveal TPM or user secrets. Again, the TPM does not measure, monitor or control anything; it only stores encrypted measurement values. The platform owner (typically the IT department) controls the TPM and must opt in using initialization and management functions. The Trusted Computing Group also released TCG Software Stack (TSS) specifications, which define a standard software interface for accessing TPM functions and facilitate application development and interoperability across platforms.
Current offerings
Betting on a discrete solution, STMicroelectronics announced a single-chip Trusted Platform Module meeting the current TCG 1.2 specification. The ST19WP18-TPM is based on an 8-bit CPU architecture with an embedded set of memories (ROM, RAM & EEPROM NVM) and security features. A 1088-bit arithmetic processor speeds up cryptographic calculations using public key algorithms. Packaged in a TSSOP28, the module includes software layers to support Windows 2000/XP OS drivers, and Memory Absent and Memory Present BIOS drivers. Other software modules are under development, complying with the TSS specification.
National Semiconductor just announced the PC8374T Desktop Trusted I/O device, a discrete solution that integrates a Trusted Platform Module within a Super I/O chip, together with embedded firmware to implement industry-standard TCG 1.1b compliant security functions. Based on the company's embedded 16-bit CompactRISC core technology for hidden execution of security code, the chip also features flash memory-based secured information storage, SecureRun, a performance accelerator that supports cryptographic algorithms (SHA-1 and RSA), and a true RNG. It mounts on the low pin count (LPC) bus.
Infineon is also in the game with the SLD 9630 TPM chip, based on its 66P secure controller family. Compliant with the TCG 1.1b specification, the chip offers active shielding against physical attacks, as well as frequency and temperature sensors. To facilitate integration into customer platforms, the company provides firmware which runs on the secure controller, the TCG Software Stack, and support for integration into the customer's own BIOS.
When launching the AT97SC3201 TPM chip, Atmel emphasized how authenticated identity can be extended to the BIOS, operating system and the catalogue of registered programs to protect from worms and viruses. If a computer's BIOS and OS only allow execution of programs whose measurements match the values found in the measurement catalogue protected by the TPM, neither worms nor viruses could ever execute. The TCG 1.1b-compliant chip integrates a low power RISC processor, a 500 ms 2048-bit RSA crypto accelerator, a true random number generator, secure EEPROM storage for 20 public/private keys, SRAM, a timer, a real-time clock, an LPC interface to Intel processors, and tamper prevention circuitry that disables the chip if someone tries to read its contents. The modules include drivers for the Windows 98, 2000, XP, and NT 4.0 operating systems, as well as MAD and MPD BIOS drivers. What's more, the company extends trusted computing to embedded systems by also making the AT97SC3201S mountable on the SMBus, in a 6x6 mm package. This allows TPM-enabling of systems such as voting machines, industrial computers, or gaming systems.
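The two mechanisms the article describes, PCRs as a configuration fingerprint that any change (benign or not) invalidates, and Atmel's catalogue of permitted program measurements, can be shown with the TCG 1.1b/1.2 register semantics: a PCR is a 20-byte SHA-1 register that can only be extended, as PCR_new = SHA-1(PCR_old || measurement). This is an added illustration, not code from the article or any vendor; the boot chain images, component names and the divergence-finding helper are constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# TCG 1.1b/1.2 PCRs are 20-byte SHA-1 registers that reset to all zeros at power-on.
PCR_INIT = bytes(20)


def measure(image: bytes) -> bytes:
    """SHA-1 of a component image, as the BIOS or OS loader would compute it."""
    return hashlib.sha1(image).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: PCR_new = SHA-1(PCR_old || measurement).

    The register cannot be written directly, only extended, so a given value
    can be reproduced only by feeding the same measurements in the same order.
    """
    if len(pcr) != 20 or len(measurement) != 20:
        raise ValueError("PCR and measurement must be 20-byte SHA-1 digests")
    return hashlib.sha1(pcr + measurement).digest()


def measured_boot(chain: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Tuple[str, bytes]]]:
    """Extend one PCR with every component in boot order; return the final PCR and the event log."""
    pcr = PCR_INIT
    log: List[Tuple[str, bytes]] = []
    for name, image in chain:
        m = measure(image)
        log.append((name, m))
        pcr = extend(pcr, m)
    return pcr, log


def pcr_matches_policy(pcr: bytes, expected: bytes) -> bool:
    """A service provider's check: the platform fingerprint must equal the enrolled value."""
    return pcr == expected


def first_divergence(log: List[Tuple[str, bytes]],
                     expected_log: List[Tuple[str, bytes]]) -> Optional[str]:
    """Walk the event log to name the first component whose measurement no longer matches.

    The final PCR alone says only that *something* changed; the per-component log is what
    lets the user (or IT department) find the fault the article says is hard to locate.
    """
    for (name, m), (exp_name, exp_m) in zip(log, expected_log):
        if (name, m) != (exp_name, exp_m):
            return name
    if len(log) != len(expected_log):
        longer = log if len(log) > len(expected_log) else expected_log
        return longer[min(len(log), len(expected_log))][0]
    return None


def catalogue_allows(image: bytes, catalogue: Dict[str, bytes]) -> bool:
    """Atmel-style execution gate: run a program only if its measurement is in the protected catalogue."""
    return measure(image) in catalogue.values()


# Constructed stand-in images; a real chain would hash the actual BIOS, loader and kernel bytes.
GOLDEN_CHAIN = [
    ("bios", b"BIOS 1.02 build 2004-09"),
    ("bootloader", b"loader 3.1"),
    ("os_kernel", b"kernel 2.6.8"),
]
# A benign, user-installed kernel update (not an attack) still changes the fingerprint.
UPDATED_CHAIN = GOLDEN_CHAIN[:2] + [("os_kernel", b"kernel 2.6.9")]
# Same components in a different order also yield a different PCR: extend is order-sensitive.
REORDERED_CHAIN = [GOLDEN_CHAIN[1], GOLDEN_CHAIN[0], GOLDEN_CHAIN[2]]

GOLDEN_PCR, GOLDEN_LOG = measured_boot(GOLDEN_CHAIN)
PROGRAM_CATALOGUE: Dict[str, bytes] = {name: m for name, m in GOLDEN_LOG}


def demo() -> Dict[str, object]:
    """Run the three scenarios and return the policy decisions."""
    updated_pcr, updated_log = measured_boot(UPDATED_CHAIN)
    return {
        "golden_ok": pcr_matches_policy(GOLDEN_PCR, GOLDEN_PCR),
        "updated_ok": pcr_matches_policy(updated_pcr, GOLDEN_PCR),
        "culprit": first_divergence(updated_log, GOLDEN_LOG),
        "reordered_ok": pcr_matches_policy(measured_boot(REORDERED_CHAIN)[0], GOLDEN_PCR),
        "new_kernel_allowed": catalogue_allows(b"kernel 2.6.9", PROGRAM_CATALOGUE),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```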
Embedded security
Because the security profile in the TCG specifications requires TPMs to be tamper-proof, specific design methodologies are necessary, which makes the integration of TPMs into existing processor chips difficult (not cost effective, not performance optimised). And even though the Endorsement Keys generated within the TPMs never leave the module and cannot be tracked, chip manufacturers trying to integrate TPM hardware into their dies would raise suspicion from the public. But for mobile consumer devices, where low footprint is critical, TPM-like solutions are directly integrated into the mobile processor.
Targeting ARM-based mobile phones, PDAs, set top boxes or other systems running open Operating Systems, ARM's TrustZone technology is implemented within the microprocessor core itself, enabling the protection of on and off-chip memory and peripherals. A Monitor mode within the core acts as a gatekeeper to identify secure code and reliably switch the system between secure and non-secure states. When the monitor switches the system to the secure state, the processor core gains additional levels of privilege to run trusted code, and to handle tasks such as authentication, signature manipulation and the processing of secure transactions. The company explains that TrustZone technology tags and partitions secure code and data within the system, and maintains a clear, hardware separation between secure and non-secure information. A bit like having an integrated TPM (except it doesn't qualify as such), TrustZone can enable security through integrity checking for all the features within a SoC device.
Also designed for the mobile market, SafeNet launched the SafeZone trusted mobile computing IP core, a licensable IP implementation of the TCG's TPM designed for small footprint and low power. It includes all the basic functions and design necessary to implement a trusted-mode processor, including modules for a secure real-time clock, true random number generation, public key operations, encryption/decryption, authentication, and secure key storage. It replaces a standalone TPM chip or WAP WIM Smart Card.
Leveraging TPMs
Accessing functions of the TPM is accomplished through the TCG software stack, complying with the Public-Key Cryptography Standard (PKCS#11) and Microsoft Crypto Application Library (MSCAPI) cryptographic protocols. Software development tools are available that aim at simplifying the integration of the TPM's authentication capability with vendors' operating systems and firmware.
Addressing the need for independent software vendors to deal with the trusted computing market, Wave Systems announced a Cryptographic Service Provider (CSP), the EMBASSY Trust Suite, that allows a software developer to write a hardware-based cryptographic program that will run on any TCG-compliant trusted platform module. The CSP lets an application developer enable TPM-based security through the standard MSCAPI interface without needing to understand vendor-specific requirements regarding the TCG Software Stack (TSS).
The NTRU Core TCG Software Stack (CTSS) Version 1.0 provides the essential core interface and security services framework for any application or platform that relies on TPM. It is designed in accordance with TCG specifications for a standard version 1.1 TSS and is enhanced with strong, standards compliant cryptographic libraries. The CTSS provides a set of software components that allow applications running under various operating systems to take advantage of the platform's 1.1b compliant TPM in a coordinated, consistent, and portable manner.
Optimised for the Intel Wireless Trusted Platform security co-processor, Certicom just launched a comprehensive security platform for mobile handset development. Dubbed the Certicom Security Architecture for Mobility, the solution combines several toolkits that enable device manufacturers to cost-effectively embed security across multiple devices. These include a cross-platform cryptographic toolkit; a FIPS 140-2 validated cryptographic module; a digital certificate management toolkit; a complete secure sockets layer toolkit; and a client-side virtual private network toolkit. Each toolkit is accessed via the Security Builder Middleware, which provides portable hardware-based security across multiple devices and processors. This hardware abstraction layer works with the Security Builder API, which places a single, intuitive API between the application or operating system and the strongest and/or fastest cryptographic provider. This results in a common security architecture allowing software vendors and device manufacturers to quickly enable hardware-optimised security across multiple platforms.
Phoenix offers its cME TrustedCore software suite, a visual development environment that provides built-in device security and a secure console-managed environment supporting system recovery applications from the company and certified third-party providers. The built-in device authentication creates a "chain of trust" architecture that integrates with common enterprise standards for network system management and security. This combines with cME TrustConnector, a Crypto Service Provider application.
IBM's Rapid Restore, Intel's LaGrande Technology, Microsoft's Next-Generation Secure Computing Base, and HP's ProtectTools are some of the security enhancement applications that would typically leverage and expand on the unique hardware security features offered by a TPM-enabled motherboard.
ARM
110 Fulbourn Road
Cherry Hinton
CB1 9NJ Cambridge
United Kingdom
Certicom Corporation
5520 Explorer Drive, 4th Floor
L4W 5L1 Mississauga
Canada
tel: +1-9055013785
fax: +1-905-507-4230
Infineon Technologies AG De
St Martin Strasse 53
81669 München
Germany
tel: +49-(089)63621475
fax: +49-(49)08923422763
Atmel
3 Avenue du Centre
78054 St.Quentin/Yvelines
France
tel: +33-(1)30607000
fax: +33-(1)30607111
National Semiconductor
Livry-Gargan-Straße 10
82256 Fürstenfeldbruck
Germany
tel: +49-(08141)350
fax: +49-(08141)351515
SafeNet, Inc
4690 Millennium Drive
MD 21017 Belcamp,
U S A
tel: +1-443 327-1238
fax: +1-410-931-7524
STMicroelectronics
Technoparc du Pays de Gex
165 rue Edouard Branly
1637 St-Genis-Pouilly
France
tel: +33-(4)50402540
fax: +33-(4)50402860