Trusted computing

Trusted computing (or Trustworthy Computing) is a family of open specifications whose stated goal is to make personal computers more secure through the use of dedicated hardware. Trusted computing proposals have attracted heavy criticism from academics, security experts, and users of free and open source software, who contend that the true goal of trusted computing is to impose several restrictions on how people may use their computers.

The basic system concepts are:

1. Identification of each client hardware and software package, using certificates stored inside the computer's chips
2. An application can lock data with a key and then have the chip lock the key. If the OS has no bugs then only the original unmodified application can retrieve this key. If the application then has no bugs the data cannot be read or modified by the user or by any other software.
3. Encryption of all data between the computer chips and Internet commerce sites can be performed using hardware.

The idea of trusted computing is controversial. Critics of trusted computing claim that instead of increasing security, it will result in the imposition of mandatory digital rights management (DRM) and other restrictions on users, a reduction in privacy, and no real benefit to security. Critics of TC believe that it is at odds with the concept of secure computing, where anonymity (not disclosure) is the main issue. Critics characterize a "trusted system" more as a system you are forced to trust rather than one which is particularly trustworthy. As described by trusted computing opponents, the new systems would come at a high cost, by trusting networked computers to controlling authorities rather than to individuals (see digital imprimatur). Proponents of trusted computing argue that privacy complaints about TC are baseless, and claim that consumers will still have a choice between systems, based on their individual needs.

Another related controversy is security through obscurity. Users may not be able to look inside trusted computing hardware to see if they are well-implemented with no holes, no bugs and no backdoors. However, trusted computing specifications are open and available for anyone to review. Cryptographic designs and algorithms often become obsolete in a few years, and critics claim that this may result in the forced obsolescence of first generations of TC-enabled computers.

The TCG project is known by a number of names. "Trusted computing" was the original one, and is still used by the Trusted Computing Group (TCG) and IBM. Microsoft calls it "trustworthy computing". Intel has just started calling it "safer computing". Prior to May 2004, the TCG was known as the TCPA.

Trusted systems advocates claim that their needs require changes to the current systems at the hardware level. Others argue that the additional security referred to by "trusted computing," could be achieved without relinquishing superuser control over their computer. Trusted computing architects, however, claim that the name means that a computer can be trusted as to its hardware/software configuration. This is a requirement to see this computer as a trusted client.

According to cryptographer Bruce Schneier "A 'trusted' computer does not mean a computer that is trustworthy. The DoD's definition of a trusted system is one that can break your security policy; i.e., a system that you are forced to trust because you have no choice." Richard Stallman of the FSF has adopted a similar stance, branding the concept "Treacherous computing".

Contents

1 Basics 1.1 Secure I/O 1.2 Memory curtaining 1.3 Sealed storage 1.4 Remote attestation 2 Drawbacks 2.1 Users can't change software 2.2 Users don't control information they receive 2.3 Users don't control their applications 2.4 Proposed owner override for TC 3 External links

Basics

A variety of initiatives fall under the heading of trusted computing: Microsoft is working on a project called NGSCB. An industry consortium including Microsoft, Intel, IBM, HP and AMD, have formed the Trusted Computing Platform Alliance (TCPA), which has a Trusted Computing Group (TCG), designing a Trusted Platform Module (TPM). Intel is working on a form called LaGrande Technology (LT), while AMD's is called Secure Execution Mode (SEM). But essentially, there are proposals for four new features provided by new hardware, which require new software (including new operating systems and applications) to be taken advantage of. Each feature has a different reason, although they can be used together. The features are:

1. Secure I/O
2. Memory curtaining
3. Sealed storage
4. Remote attestation

Secure I/O

Secure input and output (I/O) provides a secure path between the user's computer and devices like his keyboard and screen. This prevents programs from getting access to what's being typed or displayed in other programs. (Malicious programs sometime watch these things to spy on users.)

It will also be able to distinguish a physically-present user from a program impersonating a user and prevent some programs from misleading the user by modifying another program's output.

Memory curtaining

Memory curtaining has the hardware keep programs from reading or writing each other's memory (the space where the programs store information they're currently working on). Even the operating system doesn't have access to curtained memory, so the information would be secure from an intruder who took control of the OS.

Something very similar can be achieved with new software, but doing it in hardware requires less code to be rewritten.

Sealed storage

Sealed storage protects private information by allowing it to be encrypted using a key derived from the software and hardware being used. This means the data can be read only by the same combination of software and hardware.

For example, users who keep a private diary on their computer don't want other programs or other computers to be able to read it. Currently, a virus could search for the diary, read it, and send it to someone else. (The SirCam virus did something similar.) Even if the diary were protected by a password, the virus could try most common passwords—on a modern computer, this is pretty fast. Or the virus could modify the user's diary software to have it leak the text once he unlocked his diary. With sealed storage, the diary is securely encrypted so that only the unmodified diary program on his computer can read it.

Remote attestation

Remote attestation allows changes to the user's computer to be detected by him and others. That way, he can avoid having private information sent to or important commands sent from a compromised or insecure computer. It works by having the hardware generate a certificate stating what software is currently running. The user can present this certificate to a remote party to show that their computer hasn't been tampered with.

Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the programs that presented and requested the attestation, and not by snoops listening in on the conversation.

To take the diary example again, the user's diary software could send the diary to other machines, but only if they could attest that they were running a secure copy of the diary software. Combined with the other technologies, this provides a more secured path for the diary: secure I/O protects it as it's entered on the keyboard and displayed on the screen, memory curtaining protects it as it's being worked on, sealed storage protects it when it's saved to the hard drive, and remote attestation protects it from unauthorized software even when it is used on other computers.

Drawbacks

Opponents of trusted computing argue that the security features that protect computers from viruses and attackers also restrict the actions of their owners. This makes new anti-competitive techniques possible, potentially hurting people who buy trusted computers.

Cambridge Crytographer Ross Anderson has concerns that "TC can support remote censorship. In general, digital objects created using TC systems remain under the control of their creators, rather than under the control of the person who owns the machine on which they happen to be stored (as at present). So someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses. Given such possibilities, we can expect TC to be used to suppress . . . writings that criticise political leaders." He goes on to state that

" . . . software suppliers can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor.

The . . . most important, benefit for Microsoft is that TC will dramatically increase the costs of switching away from Microsoft products (such as Office) to rival products (such as OpenOffice). For example, a law firm that wants to change from Office to OpenOffice right now merely has to install the software, train the staff and convert their existing files. In five years' time, once they have received TC-protected documents from perhaps a thousand different clients, they would have to get permission (in the form of signed digital certificates) from each of these clients in order to migrate their files to a new platform. The law firm won't in practice want to do this, so they will be much more tightly locked in, which will enable Microsoft to hike its prices."

Anderson summarizes the case by saying "The fundamental issue is that whoever controls the TC infrastructure will acquire a huge amount of power. Having this single point of control is like making everyone use the same bank, or the same accountant, or the same lawyer. There are many ways in which this power could be abused."

Users can't change software

In the diary example, sealed storage protects the diary from malicious programs like viruses, but it doesn't distinguish between those and useful programs, like ones that might be used to convert the diary to a new format, or provide new methods for searching within the diary. A user who wanted to switch to a competing diary program might find it would be impossible for that new program to read the old diary, as the information would be "locked in" to the old program. It could also make it impossible for the user to read or modify his diary except as specifically permitted by the diary software. If he were using diary software with no edit or delete option then it could be impossible to change or delete previous entries.

Remote attestation could cause other problems. Currently web sites can be visited using a number of web browsers, though certain websites may be formatted (intionally or not) such that some browsers cannot decipher their code. Some browsers have found a way to get around that problem by emulating other browsers. For example, when Microsoft's MSN website briefly refused to serve pages to non-Microsoft browsers, users could access those cites by instructing their browsers to emulate a Microsoft browser. Remote attestation could make this kind of emulation irrelevant, as sites like MSN could demand a certificate stating the user was actually running an Internet Explorer browser.

Users don't control information they receive

One of the early motivations behind trusted computing was a desire to support stricter Digital Rights Management (DRM): technology to prevent users from sharing and using copyrighted or private files without permission. Microsoft has announced a DRM technology that it says will make use of trusted computing.

Trusted computing can be used for DRM. Take the example of downloading a music file from Metallica: First, Metallica will come up with some rules for how their music can be used. (For example, they might only want you to play the file three times a day without paying more money.) Then they'll use remote attestation to only send their music to a music player that enforces their rules. Sealed storage prevents you from opening the file with another player that doesn't enforce the restrictions. Memory curtaining prevents you from making an unrestricted copy of the file while it's playing. Secure output prevents you from capturing what's sent to the speakers.

Without remote attestation, you wouldn't have this problem. You could simply download the song with a player that doesn't enforce Metallica's restrictions or one that lets you convert the song to an unrestricted format like MP3.

Users don't control their applications

If a user upgrades his computer, sealed storage could prevent him from moving all his music files to his new computer, forcing him to buy all the songs again. It could also enforce spyware, with music files only given to users whose machines attest that they will tell the artist or record company every time the song is played.

TC opponents are alarmed at the prospect of these technologies being used as a form of remote control. For example, Microsoft's newsmagazine, Slate, could make it such that in order to download their news articles, one would need to attest that they use MS Reader. MS Reader could be programmed so as not to allow viewing of their news stories without asking Microsoft if a change has been made. This could allow Microsoft to "rewrite history" by changing or deleting certain articles. Even if a user saved the original article on his computer, the software could refuse to let it be viewed once a change had been announced.

TC opponents, including Richard Stallman [1], find this prospect and other aspects of TC reminscent of George Orwell's 1984, where the government changed everything ever archived to make it seem like their predictions were always correct.

Proposed owner override for TC

All these problems come up because trusted computing protects programs against everything, even the owner. A simple solution to this is to let the owner of the computer override these protections. This is called Owner Override, and it only currently outlined as a suggested fix.

When you activate Owner Override, the computer will use the secure I/O path to make sure you're physically present and actually the owner. Then it will bypass the protections. So with remote attestation, you can force the computer to generate false attestations -- certificates that say you're running Internet Explorer, when you're really running Opera. Instead of saying when your software has been changed, remote attestation will say when the software has been changed without your permission.

While it would seem that the idea of Owner Override would be met with praise, some Trusted Computing Group members have instead heralded it as the biggest potential downfall of the TC movement. Owner Override defeats the entire idea of being able to trust other people's computers, remote attestation. Owner Override continues to offer all of the security and enforcement benefits to an owner on his own machine, but loses any ability to ensure another owner cannot waive rules or restrictions on his own computer. Once you send data to someone else's computer, whether it is your diary, a DRM music file, or a joint project, that person controls what security if any their computer will enforce on their copy of that data.

External links

• Trusted Computing Group (TCG) - Trusted computing standards body, previously known as the TCPA.
• 'Trusted Computing' Frequently Asked Questions - Anti-TC FAQ by Cambridge University security director and professor Ross Anderson.
• Next-Generation Secure Computing Base (NGSCB) - Microsoft's trusted computing architecture
• Palladium and the TCPA - from Bruce Schneier's Crypto-Gram newsletter.
• Against-TCPA
• Interesting Uses of Trusted Computing
• Can you trust your computer? essay by the FSF