Wave Systems Corp. (fka WAVXQ)

[Vacationhouse]

Steps for writing trusted applications







Steps for writing trusted applications



http://www.computerworld.com/softwaretopics/software/story/0,10801,100216,00.html

Opinion by Craig Werhan, Wave Systems

MARCH 08, 2005 (COMPUTERWORLD) - Are we serious about combating the threats against our computers, our livelihood and the applications that we write and use everyday? While one way to take the offense is to write better code, I remember my grandmother's advice that prevention is always the best medicine, or the best defense in this instance. A new breed of computers is available that offers the means to secure applications, to protect data and identities and to help prevent attacks against PCs.
These "trusted" computers have a security chip on the motherboard called a Trusted Platform Module (TPM). This chip, and associated software, conforms to an open specification created by the Trusted Computing Group (TCG), an organization comprised of more than 90 companies. The TPM chip stores cryptographic keys and other data securely (away from traditional storage) to enable varying features in applications such as strong authentication, data protection, network access control, secure VPN and wireless networks, and safer commercial transactions.

With the rapid deployment of these trusted computers by large and small computer manufacturers, tens of millions of desktop, notebook and tablet PCs with the TPM technology are already in the hands of users. IDC estimates that by 2007, 55% of PCs shipped worldwide will contain TPMs.

TCG Security Options

First, we need to understand how an application interacts with the new components. The following diagram shows three applications using different methods for accessing TCG-enabled services. The TCG-enabled cryptographic service provider (CSP) is invoked by following either the Public Key Cryptography Standard (PKCS#11) or the Microsoft Crypto Application Library (MSCAPI) cryptographic protocols. The TCG Software Stack (TSS) is the layer of software that directly interfaces to the TPM to make everything happen. Finally, the TCG-enabled middleware is third-party software that makes programming of advanced functions easier.


Figure 1: The TCG Application Architecture



Next, let's look at the options that developers have for building applications that conform to the TCG specification.

First Option: Calling a CSP

In this option, developers access the TCG-enabled CSP through an application program interface conforming to the MSCAPI or PKCS#11 standards. The TCG-enabled CSP provides cryptographic features while making a hacker's job more difficult. For example, the TCG-enabled CSP directs certain encryption and decryption operations for securing data to be done within the secure boundaries of the TPM.

If a developer knows MSCAPI or PKCS#11, it is relatively easy to provide basic security capabilities to PCs with TPMs. For applications already using a software-based CSP, the developer can harden RSA asymmetric key operations by simply calling the new TCG-enabled CSP that works with its targeted TPM-enabled platforms. For applications not previously using a CSP, standard MSCAPI or PKCS#11, calls to the TCG-enabled CSP can be inserted to create keys and use those keys to protect data or to authenticate a user. Since TPMs do not enable bulk encryption or symmetric key operations, the TCG-enabled CSP differentiates when to use hardware vs. software cryptography.

Second Option: Calling the TCG Software Stack

The TSS is the software layer that interfaces to the trusted platform module. The second option is to write directly to the TSS application programming interface according to the TSS specification that is available from the TCG. TSS security services allow applications to maintain privacy, protect data, perform owner and user authentication, and to verify operational capabilities of the platform. The TSS contains a rich object-oriented interface for applications to incorporate the full capabilities of the TCG-enabled platform. The TSS also provides all the functions for key management required to manage the TPM's limited resources.

Through the TSS, an application developer can "seal" or permanently tie data to a particular computer and execution profile so that the data is available only in that environment. Secure storage is another example of a capability that is available through the TSS, but not via MSCAPI or PKCS#11.

The TSS is also the interface for advanced features such as security policies for authentication and trusted time-stamping of transactions and auditing, which may extend the trustworthy relationship between the computer owner and other parties. As the lowest level of programming interface available to the applications developer, the TSS provides more capabilities but at the cost of significantly greater effort for development and maintenance.

Third Option: Using Third-Party Products

The third option involves using third-party middleware products that have been created to ease the burden of programming to various vendors' TSS software. The application developer may use Software Developer Kits provided by third parties to expose advanced TCG capabilities and add other features. For example, enterprise-level TPM key backup and recovery functions can be added directly to applications by using these tools. Key management services, including key escrow for the corporate environment and key recovery for the consumer, increase flexibility while maintaining security.

Another example of third-party products is attestation servers that let users and service providers ensure that computers are in a trustworthy state. Attestation provides a level of confidence that cryptographic keys have been appropriately generated and are used solely in a tamper-resistant environment. A developer may invoke a trusted computer's attestation capabilities by modifying the application to require and verify the proper credentials provided by an attestation server.

A major benefit of the TCG security strategy is allowing application developers to create hardware-based secure applications through existing PKCS#11 or MSCAPI interfaces. When programming advanced TCG capabilities, several options can be used to increase the security and value for users of trusted computers.

As developers pursue writing trusted applications, PCs advance toward a more trustworthy computing environment that thwart attacks intent on undermining their security and integrity. Although my grandmother wouldn't understand it, she would be happy that we followed her advice.

Craig Werhan started his career as an application developer and has also managed development projects for several industries. He is currently a senior product manager at Wave Systems Corp., which creates software for the trusted computing marketplace. He can be reached at cwerhan@wavesys.com.