References - Department of Computer Science

Trusted Computing and Trusted Platform Modules: Technology, Ideology, and Economics
CS265 Project
Spring 2005
Randy Fort
The computing industry has been acutely aware for quite some time that better means of authentication and security are sorely needed. Software alone has failed or proven inadequate in far too many cases. TC (Trusted Computing) is one solution being vigorously pursued by industry heavyweights such as Microsoft, Intel, HP, Infineon and others. This approach utilizes a marriage of hardware and software to eliminate most of the egregious failures of software-only solutions.
However, the proposed solution, like many proposed security ideas, is accompanied by a great deal of controversy. There is resistance not only from consumer advocates, but also implementation resistance from software vendors. The politics of security are often more important than the technology. This is especially true in the case of trusted computing. In this paper, I will explore the technology, its promises and its shortcomings. But even more importantly, I will examine the market-based and ideological objections.
The Technology
First, who is the Trusted Computing Group, and what is a TPM? The Trusted Computing Group is a non-profit industry consortium which develops hardware and software standards [10]. It is funded by many member companies, including IBM, Intel, AMD, Microsoft, Sony, Sun, and HP [10]. A Trusted Platform Module, as defined by the Trusted Computing Group, is simply an embedded IC (integrated circuit) built into a platform [6, 10]. Earlier versions of TC were very PC centric [2], but a reworking of the standards now encompasses any platform that has a TPM chip integrated.
Since the TPM utilizes an IC embedded into the platform, it has many advantages over software-only solutions. For example, the TPM chip could prevent unauthorized configuration changes, which are the source of much vulnerability [6]. Storing software keys, system configuration hash values and passwords in a sealed chip makes unauthorized system modification prohibitively difficult. Monotonic counters, which cannot be altered the way the system clock can, can be factored into cryptographic calculations to prevent replay attacks [3]. Since the encrypted passwords are not visible on the file system, but rather held inaccessibly in the sealed chip, brute force cracking attacks are not feasible.
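As an added illustration (not code from the paper, nor from the Trusted Computing Group), the following Python models the sealed-storage mechanism just described: a PCR register that accumulates boot measurements, and a secret that can only be unsealed when the platform is back in the configuration it was sealed under. The TPM 1.2 extend rule is the real one; the key derivation and tamper check are assumed stand-ins for the chip's internals, and the boot components are constructed sample values.

```python
# Added example, not from the paper: a software model of measured boot and
# TPM sealed storage. PCR extension follows the TPM 1.2 rule; the key
# derivation and HMAC tamper check stand in for the chip's internals
# (assumption). The boot components are constructed sample byte strings.
import hashlib
import hmac

PCR_RESET = bytes(20)  # TPM 1.2 PCRs are 160-bit SHA-1 registers

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """New PCR = SHA-1(old PCR || SHA-1(component)); order matters."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def measure_boot(components) -> bytes:
    """Measured boot: extend one PCR with every stage in launch order."""
    pcr = PCR_RESET
    for blob in components:
        pcr = pcr_extend(pcr, blob)
    return pcr

class SealedStorage:
    """Secrets are encrypted under a key that never leaves the chip and
    is derived from the PCR state the secret was sealed to."""

    def __init__(self, storage_root_key: bytes):
        self._srk = storage_root_key

    def _keys(self, pcr: bytes):
        enc = hmac.new(self._srk, b"enc" + pcr, "sha256").digest()
        mac = hmac.new(self._srk, b"mac" + pcr, "sha256").digest()
        return enc, mac

    def seal(self, secret: bytes, pcr: bytes) -> bytes:
        """Return ciphertext || tag; secret must be at most 32 bytes."""
        enc, mac = self._keys(pcr)
        ct = bytes(s ^ k for s, k in zip(secret, enc))
        return ct + hmac.new(mac, ct, "sha256").digest()

    def unseal(self, blob: bytes, current_pcr: bytes):
        """Recover the secret only if the platform is in the sealed state."""
        ct, tag = blob[:-32], blob[-32:]
        enc, mac = self._keys(current_pcr)
        if not hmac.compare_digest(tag, hmac.new(mac, ct, "sha256").digest()):
            return None  # PCRs differ, so the derived keys differ
        return bytes(c ^ k for c, k in zip(ct, enc))

# Constructed sample boot chains: firmware, boot loader, kernel.
GOOD_BOOT = [b"bios-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_BOOT = [b"bios-v1", b"bootloader-rootkit", b"kernel-v1"]
```

A key sealed to `measure_boot(GOOD_BOOT)` unseals after a good boot and returns `None` after `TAMPERED_BOOT`, because the altered second stage changes every later PCR value.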
The TPM chip also provides a secure storage area for smart card or biometric data to enable secure two-factor authentication [6]. Future generations of TPMs, employing Intel's LaGrande technology and Microsoft's NGSCB (aka Palladium) software (which will be in the Longhorn release), will have the ability to prevent screen scraping and keystroke loggers [1, 8]. These capabilities will require new compliant hardware and operating system support. Intel's LaGrande technology is not expected until late 2005. Microsoft is planning Longhorn for 2006, but is often notoriously late on OS ship dates.
The Basic Mechanics of TC and TPM Implementation
One of the most important concepts of trusted computing is that of attestation [1, 5]. Attestation essentially means that the originating platform guarantees the accuracy of the information it is providing. Attestation has many different facets beyond the scope of this paper, but they all essentially boil down to verifying the integrity of the information by using the TPM. We should note that under the current specification a user could not be forced to attest [5, 8]. According to version 1.2 of the trusted computing specification, attestation is only performed at the owner's request. But it remains to be seen whether or not vendors will require attestation to use or update software. If a vendor requires a TPM, it essentially becomes a “mandatory option” [5].
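As an added example (not from the paper or the TCG specification), here is a software model of an owner-requested attestation: the platform's TPM signs its PCR value together with the verifier's nonce and a monotonic counter, and the verifier checks each element in turn; the counter check ties this to the replay-attack point made earlier. HMAC under a shared key is an assumed stand-in for the chip's attestation identity key, and every key and boot stage is a constructed value.

```python
# Added example, not from the paper: a model of the attestation exchange above.
# The TPM signs its PCR, the verifier's nonce and a monotonic counter; the
# verifier checks signature, nonce freshness, counter advance and configuration.
# HMAC under a shared key stands in for the chip's RSA attestation identity key
# (assumption); all keys and boot stages are constructed values.
import hashlib
import hmac
import os

def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    # TPM 1.2 extend rule: SHA-1(old PCR || SHA-1(component))
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()

def quote_body(pcr: bytes, counter: int, nonce: bytes) -> bytes:
    return pcr + counter.to_bytes(8, "big") + nonce

class AttestingPlatform:
    """The TPM side: holds the PCR, the counter and the signing key."""
    def __init__(self, aik: bytes, boot_chain):
        self._aik, self.counter, self.pcr = aik, 0, bytes(20)
        for stage in boot_chain:
            self.pcr = pcr_extend(self.pcr, stage)

    def quote(self, nonce: bytes) -> dict:
        self.counter += 1  # monotonic: never reused, never decremented
        sig = hmac.new(self._aik, quote_body(self.pcr, self.counter, nonce), "sha256").digest()
        return {"pcr": self.pcr, "counter": self.counter, "nonce": nonce, "sig": sig}

class Verifier:
    def __init__(self, aik: bytes, expected_pcr: bytes):
        self._aik, self._expected = aik, expected_pcr  # approved configuration
        self._nonce, self._last_counter = None, 0

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)  # fresh per request
        return self._nonce

    def verify(self, q: dict) -> str:
        """Return 'ok' or the first reason the quote is rejected."""
        body = quote_body(q["pcr"], q["counter"], q["nonce"])
        if not hmac.compare_digest(q["sig"], hmac.new(self._aik, body, "sha256").digest()):
            return "bad signature"        # forged or altered quote
        if q["nonce"] != self._nonce:
            return "stale nonce"          # not an answer to this challenge
        if q["counter"] <= self._last_counter:
            return "counter replayed"     # an older quote resubmitted
        self._last_counter = q["counter"]
        if q["pcr"] != self._expected:
            return "unapproved configuration"
        return "ok"
```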
Few of the concepts of trusted computing are new. What TPMs bring to the table is a secure sealed storage chip for private keys, on-chip crypto algorithms and random number generators, among others [5]. "The theory is that software-based key generation or storage will always be vulnerable to software attacks, so private keys should be created, stored, and used by dedicated hardware" [1]. Since the TPM is a separate chip, inaccessible to other system processes, it is more secure than software alone. "The TPM represents a separate trusted coprocessor, whose state cannot be compromised by potentially malicious host system software" [4].
Ideology
When the history of TC and TPMs is written, its success or failure will probably hinge upon the ideology of the suspicious more than on the technology itself. Many critics of TPMs fear that cash-hungry software companies will utilize TPMs as a weapon against the users. Since TPMs can be used to enforce licensing policy or lock in users, one could reasonably fear that they will be used to force unwanted upgrades out of customers [7]. Even those with no objection to DRM schemes have concern over the potential power TPMs give to software vendors. Will vendors resist the temptation to use TPMs as a tool for cash flow instead of security?
For example, Microsoft has come under fire for its plans to provide security updates only to properly authenticated customers, a program it calls the "Genuine Windows Advantage" [16]. But pundits within the industry have reported that properly licensed owners are often harassed by authentication. Support calls can be required to get keys for OS reinstalls on OEM computers (such as Dell) that have properly licensed Windows. Microsoft may require calls to product activation hotlines even when factory reinstall disks are used on an original unmodified machine [14]. Since users are already being harassed on reinstalls with factory original disks, there is a valid concern that Microsoft will extend this practice to its other software and enforce it with the club of TPM.
Cambridge Professor and information security guru Ross Anderson is the de facto leader of the anti-TPM charge. His website has an impressive list of arguments against trusted computing [11]. Anderson makes a number of provocative points, not the least of which is that trusted computing requires you to surrender control of your machine to the vendors of your hardware and software, thereby making the computer less trustworthy from the user’s perspective [11].
Anderson believes that trusted computing is just the next logical step for DRM. He sees it as a way for Microsoft to prevent piracy and reap revenues from overseas markets where piracy rates are above 90% [13]. "For years, Bill Gates has dreamed of finding a way to make the Chinese pay for software: TC looks like being the answer to his prayer" [12].
Microsoft has apparent ambitions along the lines of controlling what users can do with their own computers. A recent update to the Windows Media Player had some disturbing verbiage buried in the EULA, which few people ever read. The EULA states:

"Digital Rights Management (security). You agree that in order to protect the integrity of content and software protected by digital rights management ('Secure Content'), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. This security related (sic) updates might disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update." [15] [Emphasis added]
Thus, an unsuspecting user, simply by accepting a click-wrap update to a component of Windows, will give Microsoft the right to disable whatever "secure content" and applications it deems inappropriate.
"There's nothing to explain. You're trying to kidnap what I have rightfully stolen" [9].
Putting aside the company we love to hate the most, many users dislike all authentication schemes for a simple reason: we like free stuff. We will download our rippers, DMCA notwithstanding, and copy The Lord of the Rings to our hearts' content. Teenagers, somewhat in retreat from the incessant RIAA lawsuits, are continuing on with ever-cheaper technology. A dozen CDs can be ripped and exchanged at lunch in round-robin fashion with USB keys. We must grant the fact that at least some of our fear of TPM stems from the fact that good movies and music are even better when they are free. This doesn't justify the police-state EULA that Microsoft has implemented. But we must acknowledge the fact that a huge amount of software, music, and movies are illegally copied.
Economics
Now that we have discussed the technology and ideology, I would like to explore market-based considerations of the economics of TC and TPMs. One essential component of Longhorn's architecture is called the Nexus. The Nexus is defined as a "small OS kernel that runs on the new hardware" [1]. The Nexus is intended to run alongside Windows. The concept is that a small, focused piece of software will be more secure than Windows. (But a comparison to Windows per se does beg the question of how high the bar is being set.) This, however, returns to one of the original problems that trusted computing had in its earlier incarnations: a PC-centric architecture. Of course, I'm sure Microsoft will be willing to sell embedded XP for every device. I'm equally sure that many hardware vendors will find Palladium unpalatable.
On the negative side, consumer demand for TPMs is likely to be tepid. Software vendors that do not share Microsoft's TC and TPM agenda could be reluctant to implement them for home markets. The process isolation that could prevent screen scraping and keyboard sniffers by utilizing encrypted I/O would require new hardware and “upgraded” Windows. And the emerging market of teens will not be receptive to anything that could hinder them from copying at will. Furthermore, applications wanting to use NGSCB would have to be rewritten to interface with the Nexus [1]. That is a costly undertaking with little benefit for the home market. This is unlikely to be popular in the consumer market, where users are not keen on a chip policing their computer, and even less happy about paying for it.
On the positive side, enterprise IT departments and government see great value in TPM. Large organizations are usually strict about properly licensing software out of fear of legal liability, and privacy fears are much less of a concern [2]. They want to thwart illegal software just as much as the vendor does. Software authorization is a minor annoyance to Fortune 500 companies with site licenses. Furthermore, they want the protection from malware, and want the decreased support costs that TC promises. For enterprise users, trusted computing is a huge advantage and a minor cost. Hardware costs for TPM implementation are likely to be a non-issue for corporations as well. Many large companies lease and replace machines on a regular schedule. Consequently, as TC and TPMs evolve with NGSCB and Intel's LaGrande, they will gradually flow into the enterprise anyway. In fact, IBM has been quietly building TPMs into computers since 2002 [1].
It is unknown whether individual consumers will accept TPMs. If trusted computing is truly opt-in, and users are not persuaded that TPMs are in their own best interest, they may simply leave it disabled. Will users buy computers with non-TPM motherboards because they do not trust it? Will the specter of distrustful users defecting to Linux cause Microsoft to back down again? This is a real possibility. Even a gain of a few percentage points by the Firefox browser, according to Netcraft, was enough to get Microsoft's "freedom to innovate" back on track and produce a freestanding update to Internet Explorer [17]. These issues will not be resolved any time soon.
Conclusion
"Microsoft goes to great lengths to argue that NGSCB is harmless. The most likely reason for this is that many people seem to be convinced that NGSCB is harmful" [8]. So despite its potential for improving security, TC and TPMs face an uncertain future. It promises much greater security, but hands tremendous power to software vendors. Many users are more comfortable with the devil they know than the devil they don't. There is customer demand from large corporate IT departments [2]. But despite their demand, they have good reason to distrust TPMs as well. For example, if in 2012 Microsoft were to shut down obsolete Longhorn installations, what recourse would they have? We have seen that in the consumer market, Microsoft has already given itself the right to police content and applications on your computer via the Windows Media Player EULA. How many more vendors are waiting to follow the leader?
References
[1] Andy Doman, "Trusted Computing: A Matter of Trust", http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=22102889
[2] DigitalIDWorld, "Assuring Networked Data and Application Reliability", Digital ID World, Jan/Feb 2004, https://www.trustedcomputinggroup.org/press/1-3412425E_SC.pdf
[3] Trusted Computing Group, "TPM v1.2 Specification Changes", https://www.trustedcomputinggroup.org/downloads/TPM_1_2_Changes_final.pdf
[4] Reiner Sailer et al., "The Role of TPM in Enterprise Security", https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf
[5] Trusted Computing Group, "TCG Specification Architecture Overview", https://www.trustedcomputinggroup.org/downloads/TCG_1_0_Architecture_Overview.pdf
[6] Trusted Computing Group, "Trusted Platform Modules Strengthen User and Platform Authenticity", https://www.trustedcomputinggroup.org/downloads/whitepapers/TPMs_Strengthen_User_and_Platform_Authenticity_113004_Final.pdf
[7] Catherine Flick, "The Controversy over Trusted Computing", http://luddite.cst.usyd.edu.au/~liedra/misc/Controversy_Over_Trusted_Computing.pdf
[8] Mark Stamp, "Information Security: Principles and Practice", coming soon to a book store near you.
[9] Vizzini, "The Princess Bride", MGM, 1987.
[10] Trusted Computing Group, https://www.trustedcomputinggroup.org/
[11] Ross Anderson, http://www.againsttcpa.com/index.shtml
[12] Ross Anderson, http://www.againsttcpa.com/tcpa-faq-en.html
[13] Robyn Meredith, "Microsoft's Long March", Forbes, http://www.forbes.com/forbes/2003/0217/078_print.html
[14] Will Knight, "Microsoft's anti-piracy plans spark controversy", http://www.newscientist.com/article.ns?id=dn2483
[15] Mark Minasi, "Media Player Software License Chicanery", http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=26215
[16] Robert Lemos, "Microsoft to nix some Net product activation", http://news.zdnet.com/2100-3513_22-5589504.html
[17] Paul Festa, "Microsoft yielding to IE standards pressure?", http://news.com.com/Microsoft+yielding+to+IE+standards+pressure/2100-1032_3-5620988.html