Trusted ComputingBy Jan Ozer | Posted 2003-02-01 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
Primer: Four years after industry leaders formed an alliance to determine a security standard, your network hardware may soon be more vigilant about who's let through the front door.
What is it? A specification to increase network security by building unique hardware IDs into computing devices.
Where did it come from? The Trusted Computing Platform Alliance (TCPA), a group formed by Compaq, HP, IBM, Intel and Microsoft in October 1999. Its first specification, released in September 2001, is currently at version 1.1b. The next version, 1.2, will incorporate the guidelines for operating-system support.
The overall specification requires that the TPM be able to:
- determine and announce whether the computer is running only the expected software and is free from viruses, keyboard snoopers and similar programs.
- authenticate the platform to third parties. In a corporate environment, this means identifying the hardware of each device that logs onto the corporate network.
- encrypt files so that they can be opened only on that platform.
Does this mean I don't need biometrics? Unfortunately, no. If an unauthorized party can boot up your computer, say, by stealing your passwords, trusted computing provides no extra protection.
What's available today? IBM is currently shipping the first computers with a TCPA-compliant hardware module called the Embedded Security Subsystem. It's available as a $25 option (or less, if you buy more than one) on many ThinkPad notebooks and NetVista Desktops. These computers provide two of the key benefits of Trusted Computing: the ability to remotely verify identification, and the ability to encrypt files that can only be decrypted on that computer.
But there are no commercially available network products that can query the remote computer and determine its identity; at this point, you'll have to roll your own. IBM representatives predict several vendors will release commercial systems by year's end.
Wait, doesn't Microsoft do this? Well, sort of. Palladium, Microsoft's security initiative, has many of the same goals as Trusted Computing. Publicly, Microsoft has stated that Palladium is not an implementation of the TCPA spec. That may be, but Palladium requires a hardware module called the "Security Support Component (SSC)"which sounds very similar to a Trusted Platform Moduleand will likely only appear on motherboards in response to an industrywide standard.
For its part, TCPA claims it is operating system-agnostic, but members admit that without operating system support, they can only ensure a trusted state through boot-up. Given that Windows isand will likely continue to bethe dominant OS going forward, the groups need one another if they want to realize their respective visions.
This sounds scary. The thought of Microsoft at the helm of datasecurity and system integrity has sparked fears that Microsoft would prevent other vendors' programs from running on Palladium-equipped systems, prevent users from ripping CD tracks or other exercises of fair use, or arbitrarily revoke your license to run programs on your computer. For its part, Microsoft has continually denied that Palladium could even be used to enforce software licensing, but the fears persist.
Whatever Palladium turns out to be, it won't be soon. Originally scheduled for release as early as 2004, most published reports have Palladium pushed back to 2006 or later.
Think your company's computers are too trusting? Take our