Trusted Computing and Trusted Platform Modules: Technology, Ideology, and Economics

CS265 Project, Spring 2005
Randy Fort

The computing industry has been acutely aware for quite some time that better means of authentication and security are sorely needed. Software alone has failed or proven inadequate in far too many cases. TC (Trusted Computing) is one solution being vigorously pursued by industry heavyweights such as Microsoft, Intel, HP, Infineon and others. This approach utilizes a marriage of hardware and software to eliminate most of the egregious failures of software-only solutions. However, the proposed solution, like many proposed security ideas, is accompanied by a great deal of controversy. There is resistance not only from consumer advocates, but also implementation resistance from software vendors. The politics of security are often more important than the technology. This is especially true in the case of trusted computing. In this paper, I will explore the technology, its promises and shortcomings. But even more importantly, I will examine the market-based and ideological objections.

The Technology

First, who is the Trusted Computing Group, and what is a TPM? The Trusted Computing Group is a non-profit industry consortium which develops hardware and software standards [10]. It is funded by many member companies, including IBM, Intel, AMD, Microsoft, Sony, Sun, and HP [10]. A Trusted Platform Module, as defined by the Trusted Computing Group, is simply an embedded IC (integrated circuit) built into a platform [6, 10]. Earlier versions of TC were very PC centric [2], but a reworking of the standards now encompasses any platform that has a TPM chip integrated. Since the TPM utilizes an IC embedded into the platform, it has many advantages over software-only solutions. For example, the TPM chip could prevent unauthorized configuration changes, which are the source of many vulnerabilities [6].
The storage of software keys, system configuration hash values and passwords in a sealed chip makes unauthorized system modification prohibitively difficult. Monotonic counters, which unlike the system clock cannot be turned back, can be factored into cryptographic calculations to prevent replay attacks [3]. Since the encrypted passwords are not visible on the file system, but rather held inaccessibly in the sealed chip, brute force cracking attacks are not feasible. The TPM chip also provides a secure storage area for smart card data or biometric data to enable secure two-factor authentication [6]. Future generations of TPMs, employing Intel's LaGrande technology and Microsoft's NGSCB (aka Palladium) software (which will be in the Longhorn release), will have the ability to prevent screen scraping and keystroke loggers [1, 8]. These capabilities will require new compliant hardware and operating system support. Intel's LaGrande technology is not expected until late 2005. Microsoft is planning Longhorn for 2006, but is notoriously late on OS ship dates.

The Basic Mechanics of TC and TPM Implementation

One of the most important concepts of trusted computing is that of attestation [1, 5]. Attestation essentially means that the originating platform guarantees the accuracy of the information it is providing. Attestation has many different facets beyond the scope of this paper, but they all essentially boil down to verifying the integrity of the information by using the TPM. We should note that under the current specification a user cannot be forced to attest [5, 8]. According to version 1.2 of the trusted computing specification, attestation is only performed at the owner's request. But it remains to be seen whether or not vendors will require attestation to use or update software. If a vendor requires a TPM, it essentially becomes a "mandatory option" [5]. Few of the concepts of trusted computing are new.
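The three mechanics discussed above, configuration hashes held in the chip, a monotonic counter that defeats replay, and attestation of the platform's state to a remote party, fit together in one small flow. The following simulation is an added example written for this paper; it is not TCG reference code and not a real TPM API. The `SimulatedTPM` and `Verifier` classes, the single register, the sample boot components and the use of HMAC-SHA256 (with a key that never leaves the simulated chip) in place of a real attestation identity key signature are all assumptions made for illustration.

```python
"""Toy model of TPM-style measured boot, attestation and replay protection.

Added illustration for this paper; not TCG reference code and not a real
TPM API.  HMAC-SHA256 with a key that never leaves the simulated chip stands
in for the signature a real attestation identity key (AIK) would produce.
"""
import hashlib
import hmac
import os


def extend_digest(pcr: bytes, measurement: bytes) -> bytes:
    """PCR_new = SHA-256(PCR_old || SHA-256(measurement)): one-way and order-sensitive,
    so host software can append measurements but never rewrite or reorder them."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def expected_pcr_for(components) -> bytes:
    """What the verifier expects the register to hold after a known-good boot sequence."""
    pcr = bytes(32)
    for component in components:
        pcr = extend_digest(pcr, component)
    return pcr


class SimulatedTPM:
    """State the host can read and extend but cannot reset, plus a key it cannot read."""

    def __init__(self, attestation_key: bytes):
        self._aik = attestation_key      # sealed in the chip; never returned to callers
        self.pcr = bytes(32)             # a single Platform Configuration Register
        self._counter = 0                # monotonic: increments only, never rolls back

    def extend(self, measurement: bytes) -> bytes:
        self.pcr = extend_digest(self.pcr, measurement)
        return self.pcr

    def quote(self, nonce: bytes) -> dict:
        """Attest: sign the current PCR together with the verifier's nonce and a fresh
        counter value, binding the statement to this configuration and this moment."""
        self._counter += 1
        payload = self.pcr + nonce + self._counter.to_bytes(8, "big")
        return {"pcr": self.pcr, "nonce": nonce, "counter": self._counter,
                "sig": hmac.new(self._aik, payload, "sha256").digest()}


class Verifier:
    """The remote party deciding whether to believe what the platform reports."""

    def __init__(self, attestation_key: bytes, expected_pcr: bytes):
        self._aik = attestation_key      # with a real AIK this would be the public key
        self.expected_pcr = expected_pcr
        self.last_counter = 0            # highest counter value accepted so far

    def check(self, q: dict, issued_nonce: bytes) -> str:
        payload = q["pcr"] + q["nonce"] + q["counter"].to_bytes(8, "big")
        expected_sig = hmac.new(self._aik, payload, "sha256").digest()
        if not hmac.compare_digest(expected_sig, q["sig"]):
            return "bad signature"             # tampered, or not produced by the chip
        if q["nonce"] != issued_nonce:
            return "stale nonce"               # answer to a different challenge
        if q["counter"] <= self.last_counter:
            return "replay"                    # monotonic counter value already seen
        if q["pcr"] != self.expected_pcr:
            return "unexpected configuration"  # something else was loaded
        self.last_counter = q["counter"]
        return "ok"


# Constructed sample boot chain; real measurements would be hashes of the actual images.
GOOD_BOOT = [b"bios v1.0", b"bootloader v2", b"kernel 2.6.11"]


def demo() -> dict:
    """Run one honest attestation and three cases a verifier must reject."""
    key = os.urandom(32)                 # provisioned into the chip at manufacture
    tpm = SimulatedTPM(key)
    verifier = Verifier(key, expected_pcr_for(GOOD_BOOT))
    for component in GOOD_BOOT:
        tpm.extend(component)

    results = {}
    nonce = os.urandom(16)
    fresh = tpm.quote(nonce)
    results["fresh"] = verifier.check(fresh, nonce)      # "ok"
    results["replayed"] = verifier.check(fresh, nonce)   # same quote again -> "replay"

    # Host software tries to forge a quote with a bumped counter; it lacks the key.
    forged = dict(fresh, counter=fresh["counter"] + 1)
    results["forged"] = verifier.check(forged, nonce)    # "bad signature"

    # An unauthorized component is loaded; the register can only move forward.
    tpm.extend(b"unsigned_driver.sys")
    nonce2 = os.urandom(16)
    results["modified"] = verifier.check(tpm.quote(nonce2), nonce2)  # "unexpected configuration"
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:9s} -> {verdict}")
```

The point the simulation makes is the one the paper makes in prose: the host can add measurements and request quotes, but it cannot reset the register, rewind the counter or sign anything itself, so a verifier that checks signature, nonce, counter and expected hash in that order rejects each of the three failure modes for the right reason.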
What TPMs bring to the table is a secure sealed storage chip for private keys, with on-chip crypto algorithms and random number generators, among other things [5]. "The theory is that software-based key generation or storage will always be vulnerable to software attacks, so private keys should be created, stored, and used by dedicated hardware" [1]. Since the TPM is a separate chip, inaccessible to other system processes, it is more secure than software alone. "The TPM represents a separate trusted coprocessor, whose state cannot be compromised by potentially malicious host system software" [4].

Ideology

When the history of TC and TPMs is written, its success or failure will probably hinge upon the ideology of the suspicious more than on the technology itself. Many critics of TPMs fear that cash-hungry software companies will utilize TPMs as a weapon against users. Since TPMs can be used to enforce licensing policy or lock in users, one could reasonably fear that they will be used to force unwanted upgrades on customers [7]. Even those with no objection to DRM schemes have concerns over the potential power TPMs give to software vendors. Will vendors resist the temptation to use TPMs as a tool for cash flow instead of security? For example, Microsoft has come under fire for its plans to provide security updates only to properly authenticated customers, a program it calls the "Genuine Windows Advantage" [16]. But pundits within the industry have reported that properly licensed owners are often harassed by authentication. Support calls can be required to get keys for OS reinstalls on OEM computers (such as Dell) that have properly licensed Windows. Microsoft may require calls to product activation hotlines even when factory reinstall disks are used on an original unmodified machine [14].
Since users are already being harassed on reinstalls with factory original disks, there is a valid concern that Microsoft will extend this practice to its other software and enforce it with the club of TPM. Cambridge Professor and information security guru Ross Anderson is the de facto leader of the anti-TPM charge. His website has an impressive list of arguments against trusted computing [11]. Anderson makes a number of provocative points, not the least of which is that trusted computing requires you to surrender control of your machine to the vendors of your hardware and software, thereby making the computer less trustworthy from the user's perspective [11]. Anderson believes that trusted computing is just the next logical step for DRM. He sees it as a way for Microsoft to prevent piracy and reap revenues from overseas markets where piracy rates are above 90% [13]. "For years, Bill Gates has dreamed of finding a way to make the Chinese pay for software: TC looks like being the answer to his prayer" [12]. Microsoft has apparent ambitions along the lines of controlling what users can do with their own computers. A recent update to the Windows Media Player had some disturbing verbiage buried in the EULA, which few people ever read. The EULA states:

"Digital Rights Management (security). You agree that in order to protect the integrity of content and software protected by digital rights management ('Secure Content'), Microsoft may provide security related updates to the OS Components that will be automatically downloaded onto your computer. This security related (sic) updates might disable your ability to copy and/or play Secure Content and use other software on your computer. If we provide such a security update, we will use reasonable efforts to post notices on a web site explaining the update.
[15]" [Emphasis added]

Thus, an unsuspecting user, simply by accepting a click-wrap update to a component of Windows, will give Microsoft the right to disable whatever "secure content" and applications it deems inappropriate.

"There's nothing to explain. You're trying to kidnap what I have rightfully stolen" [9]

Putting aside the company we love to hate the most, many users dislike all authentication schemes for a simple reason: we like free stuff. We will download our rippers, DMCA notwithstanding, and copy The Lord of the Rings to our hearts' content. Teenagers, somewhat in retreat from the incessant RIAA lawsuits, are continuing on with ever-cheaper technology. A dozen CDs can be ripped and exchanged at lunch in round-robin fashion with USB keys. We must grant that at least some of our fear of TPM stems from the fact that good movies and music are even better when they are free. This doesn't justify the police-state EULA that Microsoft has implemented. But we must acknowledge that a huge amount of software, music, and movies are illegally copied.

Economics

Now that we have discussed the technology and ideology, I would like to explore market-based considerations of the economics of TC and TPMs. One essential component of Longhorn's architecture is called the Nexus. The Nexus is defined as a "small OS kernel that runs on the new hardware" [1]. The Nexus is intended to run alongside Windows. The concept is that a small, focused piece of software will be more secure than Windows. (But a comparison to Windows per se does beg the question of how high the bar is being set.) But this returns to one of the original problems that trusted computing had in its earlier incarnations: PC-centric architecture. Of course, I'm sure Microsoft will be willing to sell embedded XP for every device. I'm equally sure that many hardware vendors will find Palladium unpalatable. On the negative side, consumer demand for TPMs is likely to be tepid.
Software vendors that do not share Microsoft's TC and TPM agenda could be reluctant to implement them for home markets. The process isolation that could prevent screen scraping and keyboard sniffers by utilizing encrypted I/O would require new hardware and "upgraded" Windows. And the emerging market of teens will not be receptive to anything that could hinder them from copying at will. Furthermore, applications wanting to use NGSCB would have to be rewritten to interface with the Nexus [1]. That is a costly undertaking with little benefit for the home market. This is unlikely to be popular in the consumer market, where users are not keen on a chip policing their computer, and even less happy about paying for it.

On the positive side, enterprise IT departments and government see great value in TPM. Large organizations are usually strict about properly licensing software out of fear of legal liability, and privacy fears are much less of a concern [2]. They want to thwart illegal software just as much as the vendor does. Software authorization is a minor annoyance to Fortune 500 companies with site licenses. Furthermore, they want the protection from malware, and want the decreased support costs that TC promises. For enterprise users, trusted computing is a huge advantage and a minor cost. Hardware costs for TPM implementation are likely to be a non-issue for corporations as well. Many large companies lease and replace machines on a regular schedule. Consequently, as TC and TPMs evolve with NGSCB and Intel's LaGrande, it will gradually flow into the enterprise anyway. In fact, IBM has been quietly building TPMs into computers since 2002 [1].

It is unknown if individual consumers will accept TPMs. If trusted computing is truly opt-in, and users are not persuaded that TPMs are in their own best interest, they may simply leave it disabled. Will users buy computers with non-TPM motherboards because they do not trust it?
Will the specter of distrustful users defecting to Linux cause Microsoft to back down again? This is a real possibility. Even a gain of a few percentage points by the Firefox browser, according to Netcraft, was enough to get Microsoft's "freedom to innovate" back on track and issue a freestanding update to Internet Explorer [17]. These issues will not be resolved any time soon.

Conclusion

"Microsoft goes to great lengths to argue that NGSCB is harmless. The most likely reason for this is that many people seem to be convinced that NGSCB is harmful." [8]

So despite its potential for improving security, TC and TPMs face an uncertain future. It promises much greater security, but hands tremendous power to software vendors. Many users are more comfortable with the devil they know than the devil they don't. There is customer demand from large corporate IT departments [2]. But despite their demand, they have good reason to distrust TPMs as well. For example, if in 2012 Microsoft were to shut down obsolete Longhorn installations, what recourse would they have? We have seen that in the consumer market, Microsoft has already given itself the right to police content and applications on your computer via the Windows Media Player EULA. How many more vendors are waiting to follow the leader?
References

[1] Andy Dornan, "Trusted Computing: A Matter of Trust", Network Magazine, http://www.networkmagazine.com/shared/article/showArticle.jhtml?articleId=22102889
[2] DigitalIDWorld, "Assuring Networked Data and Application Reliability", Digital ID World, Jan/Feb 2004, https://www.trustedcomputinggroup.org/press/1-3412425E_SC.pdf
[3] Trusted Computing Group, "TPM v1.2 Specification Changes", https://www.trustedcomputinggroup.org/downloads/TPM_1_2_Changes_final.pdf
[4] Reiner Sailer et al., "The Role of TPM in Enterprise Security", https://www.trustedcomputinggroup.org/press/news_articles/rc23363.pdf
[5] Trusted Computing Group, "TCG Specification Architecture Overview", https://www.trustedcomputinggroup.org/downloads/TCG_1_0_Architecture_Overview.pdf
[6] Trusted Computing Group, "Trusted Platform Modules Strengthen User and Platform Authenticity", https://www.trustedcomputinggroup.org/downloads/whitepapers/TPMs_Strengthen_User_and_Platform_Authenticity_113004_Final.pdf
[7] Catherine Flick, "The Controversy over Trusted Computing", http://luddite.cst.usyd.edu.au/~liedra/misc/Controversy_Over_Trusted_Computing.pdf
[8] Mark Stamp, "Information Security: Principles and Practice", coming soon to a book store near you.
[9] Vizzini, "The Princess Bride", MGM, 1987
[10] Trusted Computing Group, https://www.trustedcomputinggroup.org/
[11] Ross Anderson, http://www.againsttcpa.com/index.shtml
[12] Ross Anderson, http://www.againsttcpa.com/tcpa-faq-en.html
[13] Robyn Meredith, "Microsoft's Long March", Forbes, http://www.forbes.com/forbes/2003/0217/078_print.html
[14] Will Knight, "Microsoft's anti-piracy plans spark controversy", New Scientist, http://www.newscientist.com/article.ns?id=dn2483
[15] Mark Minasi, "Media Player Software License Chicanery", Windows IT Pro, http://www.windowsitpro.com/Articles/Index.cfm?ArticleID=26215
[16] Robert Lemos, "Microsoft to nix some Net product activation", ZDNet, http://news.zdnet.com/2100-3513_22-5589504.html
[17] Paul Festa, "Microsoft yielding to IE standards pressure?", CNET News.com, http://news.com.com/Microsoft+yielding+to+IE+standards+pressure/2100-1032_3-5620988.html