The Value of Trusted Platforms

Now that we have described the philosophy behind Trusted Platforms, let's consider why such platforms are so valuable in cyberspace.

With the demand for commercial advantage and the pace of software development, it is important to evolve the information infrastructure to meet new challenges. Despite real and increasing security threats, security technology in cyberspace is in its infancy. The virtual world lacks the mature methods of physical security that have taken many years to evolve. Critical technology infrastructure such as public key infrastructure and intrusion detection systems are only at early stages of deployment. Legislation in cyberspace is lagging, and fundamental notions such as the “electronic signature” have only just been introduced. The often cross-border nature of cyber activities adds difficulty to the task of ensuring secure interactions. The general public has only limited understanding of cyberspace, and individuals and businesses are often ignorant of the measures they should take to protect their interests. This is why the National Plan for Information Systems Protection in the United States [White House 2000] covers education as well as legislation and technology aspects. In summary, threats against information security are real and growing, yet the current computing infrastructure lacks a cheap or ubiquitous method of defense.

In this section, we show how Trusted Platforms can form part of the solution by enhancing trust and confidence in computer platforms. Let's take a look at the following:

  • Security threats

  • The limitations of existing security technology

  • Why Trusted Platforms are needed

  • The benefits of using Trusted Platforms

Security Threats and the Need to Evolve the Current Infrastructure

Figure 1-2 depicts some different types of threats in a typical networked environment. These are some of the more important security threats, for different entities both inside and outside a corporate network:

  • Virus and worm introduction, or planting of capabilities to perpetrate or facilitate future attacks (e.g., Trojan horses)

  • Software tampering and piracy

  • Theft of data, software, and hardware

  • Insider threats (reportedly both the most common and most damaging)

  • Repudiation (i.e., false denial that previous transactions have occurred)

  • Authorization violation (i.e., inappropriate access by partners and unauthorized log-ins)

  • Denial of service attack, either intentional or unintentional

Figure 1-2. Security threats


Safeguards (often called security services) can be put in place to prevent or deter threats from being realized, or to reduce their impact. Such services include authentication, access control, confidentiality, data integrity, and non-repudiation. However, use of such services will not give total protection. Later in the book, we will show that Trusted Platforms can strengthen existing security services, albeit at the expense of additional Denial Of Service (DOS) attacks. (TPs provide no additional defense against DOS attacks, and because they introduce more complex mechanisms, they actually invite more DOS attacks.)

Security threats are real and growing, as shown in Figure 1-3. Figure 1-4 shows that the acknowledged cost of cyber attacks (as reported in [FBI/CSI 2001]) for 1998, 1999, and 2000 averaged $250 million and is increasing. The cost is probably significantly higher than indicated by the respondents to this survey, because most losses caused by security breaches are considered “company confidential” and are never publicly identified.

Figure 1-3. Unauthorized usage of computer systems


Figure 1-4. The cost of cyber attacks


The Limitations of Existing Security Technology

Trusted Platform technology is not the only approach that aims to enhance confidence in computing platforms.

This section discusses current methods and introduces the need for additional technology. Existing security infrastructure consists primarily of the following:

  • Firewalls for “boundary protection” [Cheswick & Bellovin 1994]

  • Security software, e.g., virus-checking software

  • Cryptographic accelerators/co-processors [Smith et al. 1998]

  • Security protocols, e.g., the Secure Sockets Layer (SSL) (now called TLS) for confidential communication

We mention briefly each type of existing security technology in the following sections.

Firewalls

Security “firewalls” provide boundary protection for computer networks, but these can become a bottleneck. Furthermore, to enable new functionalities and services, it has become common practice to increase the number of “holes” through firewalls through which dynamic content and programs are “punched” (for outbound or inbound traffic). Thus, an organization is faced with either restricting such new traffic (often an unpopular move) or evolving the firewall to deal with the new situation.

Software Security Programs

A plethora of software programs is available to provide security functionality. These programs might run inside a cryptographic co-processor or on the main platform processor (sometimes embedded in the operating system in the main platform environment) and provide a range of functions from straightforward encryption to desktop firewalls. Software that runs on the main processor implicitly assumes that it is running in a safe environment, so maximum confidence is actually delivered only if the software is installed and executing properly. Even then, secrets are stored as normal data, or perhaps in protected files or partitions on the hard disk. When a program executes on the main processor, its secrets are potentially exposed and may be vulnerable to eavesdropping by rogue programs. Data stored on disks may also be vulnerable to eavesdropping.

Software is vulnerable to attack by viruses, of which thousands of varieties exist. The “Nimda” and “Code Red” worms created problems in corporate infrastructures in autumn of 2001, and new strains of viruses are being continually developed and released into the computing and Internet environments. Viruses can attack even security software. Several proprietary applications are available for detecting viruses, preventing their entry and cleaning up if an attack does take place: Symantec's Norton antivirus toolkit program is one such application. However, virus strains are developing continually, and although parts of the antivirus software are frequently updated, it does not provide reliable protection against unknown viruses.

Cryptographic Co-processors

Another type of existing security product is the cryptographic co-processor, or accelerator (e.g., those provided by Eracom, IBM, Lockheed, nCipher, Thales, Rainbow, and HP). Accelerators such as the IBM 4758 are highly credible, self-contained, high-performance computing engines. These contain specialist hardware and firmware to provide security functions, often faster than a general-purpose platform processor can provide them. They provide a protected environment for secrets and can include mechanisms that detect attempts to gain access to the secrets. If such an attempt is detected, the accelerator can often erase its secrets and disable its functions. A cryptographic accelerator might provide a bulk (symmetric) encryption service, plus generation of keys from a genuinely random source. Prices can be hundreds of U.S. dollars.

IBM currently has PC products with a security chip incorporated on the motherboard. These do not have “roots of trust,” but they do provide some of the security functions (primarily “protection of secrets”) that a Trusted Platform provides.

Trusted Platform hardware differs from cryptographic co-processors both in function and in how it is integrated into the platform architecture. Trusted Platforms require two separate additional functions: one (called the “CRTM”) built into the boot process, and the other (called the “TPM”) that communicates with the CRTM and with the host platform's processor. Chapter 3 gives a fuller introduction to these functions and their technical details.

Carrying out sensitive processing inside a cryptographic co-processor is an entirely acceptable solution to the problem of creating a trusted environment. Moreover, cryptographic co-processors may be preferred over a Trusted Platform in some circumstances, because the co-processor can do bulk encryption in a physically protected environment. However, such specialized hardware is too expensive to be automatically included in all platforms, so it is not possible for ubiquitous platform security to be based on conventional crypto co-processors. The Trusted Platform should be seen as an alternative to the crypto co-processor with its own benefits, including lower cost.

Other Specific Technologies

A number of techniques have been used to enhance levels of confidence in computing platforms. These include compartmentalized mode workstations, embedded software, Boot Integrity Services (Intel), Microsoft security services in their current versions of operating systems (Microsoft Windows 2000) [Microsoft], and the Java “sandbox.”

In addition, a great number of security protocols and mechanisms might be implemented in either hardware or software. For example, the Internet Engineering Task Force (IETF) standards include Transport Layer Security (TLS) and Internet Protocol Security (IPSEC). Such standards, together with others like Secure/Multipurpose Internet Mail Extensions (S/MIME), Internet Key Exchange (IKE), and virtual private networks (VPN), have been designed to provide different security features, such as user authentication, access control, and confidentiality. [Kohl & Neuman 1993] and [Wobber et al. 1994] give some examples of possible solutions. Other technologies that either use or support platform security include digital signatures, watermarking, smart cards, public key infrastructure (PKI), and biometrics. Any of these techniques that involve software executing on the main CPU necessarily rely upon the correct operation of the host computing platform.

Why Do We Need Trusted Platforms?

The increase in online business transactions has created new needs. One of these needs is for cost-effective security hardware that does not fall foul of product export and import regulations. Trusted Platforms can supply this.

The lack of a cheap enabler has been a restraint on the development of solutions/services that could rely on platform security. And the lack of solutions/services that rely on platform security has been a restraint on the development of the platforms themselves.

In this section, we consider why we provide user confidence using trust mechanisms rather than security mechanisms (albeit that the trust mechanisms are provided by security mechanisms) and why an increased need for Trusted Platforms exists. We also look at the main problems that Trusted Platforms are designed to overcome and the advantages that are obtained over a more conventional security approach.

Trust Versus Security

The trust mechanisms in a Trusted Platform reliably generate, store, and report measurements about the software environment in a platform. A user who wants to trust that platform (for some particular purpose) gets the measurements (called “integrity metrics”) about the platform and compares them with expected values. If the measured values are the same as the expected values, the user will interact with the platform (for that particular purpose). Otherwise, he or she should not. (Strictly speaking, only the actual user knows the level of confidence that he requires in order to trust a platform to do a particular job and hence the expected measurement values.) “Social trust” is directly involved because the user trusts other organizations or individuals to say “these particular values indicate that the platform can safely be used for such-and-such purpose.” The actual required values could differ according to the particular intended use of the platform.

Why are Trusted Platforms preferable to secure platforms? There are several reasons. Technologically, existing secure computers have no way of proving that they are operating as expected. This is a weakness in a world in which platforms are exposed to attack, data is increasingly mobile, and connections are increasingly dynamic. Commercially, trade in information security equipment is still subject to government scrutiny (although perhaps not to the same degree as in the past). The most important answer, however, is that although modern commerce would benefit from a higher level of confidence in platforms, conventional secure platforms are too expensive and too painful to use (untrained users are not sympathetic to the fact that the security is visible to the user!), or perhaps just unnecessary. Secure computers have existed for decades and still are not ubiquitous. Trusted Platforms attempt a different approach.

When people think of information security, they think of secure data. Confidence in secure data relies on confidence in ownership of secrets: The recipient of data trusts it because the recipient knows who owns the underlying secret. It follows that trust in cryptography relies on “social” trust—the statement by some trusted person or organization that such-and-such key belongs to such-and-such entity.

Trusted Platforms may be considered as an attempt to go back to basics, in that they provide confidence by directly exposing the “social trust” that underpins all information security. The distinguishing feature of a Trusted Platform is that it enables someone to vouch for a platform and its integrity. As it turns out, this requires the use of conventional security techniques, but these are simply enablers. The provider of an electronic service, for example, can use a Trusted Platform to prove that a service is the proper service and that the service is operating as the provider expects. This provides greater confidence to both the provider and the user of the service. This is not the whole story, of course. Trusted Platforms must be economically priced and designed to minimize the impact of government regulations on trade in information security equipment. Therefore, TCPA Trusted Platforms include functionality that duplicates the best of currently available similar equipment (confidentiality of data on the platform), functionality that addresses a known problem to which no current solution exists (preventing access to secrets by some types of “bad” code, such as hacker scripts), and functionality that exposes the social trust in a Trusted Platform. This range of functions is intended to convince customers that Trusted Platforms provide useful benefits now and in the future.

Information Integrity and Platform Integrity

The problem of platform integrity is heightened by a changing business environment with a greater reliance on the use of networked computers and an increasing use of PCs. Enhanced trust in the proper operation of local or remote computing platforms is needed if critical business deals are to be carried out online. Such deals would greatly simplify current procedures that must be done offline or “out of band” by other, more trusted, traditional mechanisms.

A computer platform has integrity if the applications running on it execute without interference. Existing security solutions assume the integrity of the platforms on which they operate. In particular, they assume that secrets can be safely stored and used on a computing platform. The owner of a platform may feel satisfied with the integrity of their own platform because the owner is in control of the software environment and history (previous behavior including interactions, physical modification, and software execution) of that platform. However, platforms are increasingly connected and exposed to threats from the Internet, so such confidence may be misplaced. A third party is in an entirely different situation from an owner, because the third party usually knows nothing about the environment and history of a remote platform. A third party, therefore, has no explicit confidence in the integrity of a remote platform.

Therefore, if a platform is required to reliably prove its integrity, it follows that there is a need to report integrity measurements and a need for proof that a platform can reliably report integrity measurements. How Trusted Platforms provide such a measurement is explained in the gray section later in this chapter, and in more detail in Chapter 3.

Finally, Trusted Platforms fulfill the need for protected storage for secrets (protection for data that must remain confidential, such as cryptographic keys and platform authorization data). Trusted Platforms provide a mechanism for encrypting secrets securely using the new hardware in a Trusted Platform (i.e., the TPM). Further, they provide a mechanism for associating encrypted secrets with a physical platform and ensuring that such data is accessible only on that same platform. When such secrets are encrypted, constraints can also be specified about the software environment that must exist in order for the secrets to be released. This last mechanism is not available from existing security solutions.
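The measure-and-compare behaviour described under “Trust Versus Security” and the seal-to-software-state mechanism described just above, simulated as an added example (this is not code from the book or from TCPA). The boot stages, the register name, the “root key” and the seal/unseal construction are constructed stand-ins: a real TPM keeps its root key in hardware and uses its own encryption, but the binding shown here, to both a particular TPM and a particular register value, is the point.

```python
"""Simulation of TCPA-style integrity measurement and protected (sealed) storage.
Everything here is a constructed stand-in for a TPM and its registers."""
import hashlib
import hmac

# Constructed boot chain: the CRTM measures the next stage, and each stage
# measures the one after it. The byte strings stand in for real code images.
BOOT_STAGES = [b"BIOS image v1", b"boot loader v1", b"OS kernel v1"]
# Placeholder for a key that never leaves a real TPM.
TPM_ROOT_KEY = b"constructed-root-key-of-this-TPM"


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: register <- SHA-1(register || SHA-1(measurement)).
    TCPA 1.x used SHA-1 with 20-byte registers. A register can only be moved
    forward by another extend, never set to a chosen value, and order matters."""
    return hashlib.sha1(register + hashlib.sha1(measurement).digest()).digest()


def measure(stages) -> bytes:
    """Register value after measuring every stage in order from the reset state."""
    reg = bytes(20)  # all zeros at platform reset
    for stage in stages:
        reg = extend(reg, stage)
    return reg


def _state_key(root_key: bytes, register: bytes) -> bytes:
    # A key usable only by this TPM (root_key) and only in this state (register).
    return hashlib.sha256(root_key + register).digest()


def _keystream(key: bytes, length: int) -> bytes:
    # Counter-mode keystream from SHA-256; stand-in for the TPM's cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(root_key: bytes, expected_register: bytes, secret: bytes) -> dict:
    """Encrypt a secret so it is released only on this TPM in the expected state."""
    key = _state_key(root_key, expected_register)
    ciphertext = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return {"ciphertext": ciphertext, "tag": tag}


def unseal(root_key: bytes, current_register: bytes, blob: dict):
    """Return the secret, or None if the TPM or the software state does not match.
    The wrong TPM or the wrong state yields a different key, so the tag fails."""
    key = _state_key(root_key, current_register)
    expected_tag = hmac.new(key, blob["ciphertext"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    stream = _keystream(key, len(blob["ciphertext"]))
    return bytes(a ^ b for a, b in zip(blob["ciphertext"], stream))


def demo():
    """Seal a file key to the expected boot state and try three unseal attempts."""
    expected = measure(BOOT_STAGES)
    blob = seal(TPM_ROOT_KEY, expected, b"file-encryption-key")
    # Same platform, same software environment: released.
    good = unseal(TPM_ROOT_KEY, measure(BOOT_STAGES), blob)
    # A script loaded into the environment is measured too, moving the register.
    scripted = unseal(TPM_ROOT_KEY, measure(BOOT_STAGES + [b"hacker script"]), blob)
    # Same disk contents moved to another platform: a different TPM root key.
    other_tpm = unseal(b"root-key-of-some-other-TPM", expected, blob)
    return good, scripted, other_tpm


if __name__ == "__main__":
    print(demo())  # (b'file-encryption-key', None, None)
```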

Using Trust to Simplify Security

A Trusted Platform can provide an alternative solution to using complex conventional security protocols. By way of example, look at the case in which certain security protocols are used to prevent divulgence of sensitive information among parties. These parties must provide sensitive information in order to cooperate, but they do not trust each other with sensitive information. For best confidence, those protocols should operate in trustworthy platform environments. But if these protocols operate in trustworthy environments, why not use a simpler protocol with the knowledge that the platforms can simply be trusted not to reveal the sensitive information to other parties? In particular, a Trusted Platform would be able to provide just as good a solution by ensuring that secrets from multiple parties are not revealed to a platform unless the platform both executes software that performs the desired operation and also does not reveal to any party a secret belonging to another party.

Main Problems: Hardware Cost and Exportability

The main problems that had to be addressed by TCPA were the cost of hardware cryptographic co-processors and the fact that different co-processors could be required for different marketplaces because of product export/import regulations. Governments can (and do) impose restrictions on the use of security equipment, so a co-processor that is legal in one country may not be in another. These restrictions apply mainly to strong confidentiality for bulk data (messaging and filing). Countries such as the United States, France and Britain have relaxed their import/export rules in recent years, but it is always possible that those rules will be strengthened again and that other marketplaces have their own security restrictions.

These problems are serious obstacles to the ubiquitous inclusion of security in computer platforms. TCPA hopes to succeed by using simple, low-cost, security hardware with functionality that avoids the import/export trap. TCPA can be regarded, in one sense, as an experiment to test the international marketplace for ubiquitous platform hardware security. To do so, the TCPA sets an industry standard for platform security features and interfaces.

We have already mentioned that ordinary crypto co-processors are too expensive to be fitted “as standard” in the intensely competitive and price-sensitive computer market. Substantial reductions in co-processor cost can be achieved by minimizing the size, functionality, and performance of the co-processor (greater production volumes also decrease cost, but sufficient motivation for this must exist). The problem is that cheap hardware executes symmetric “bulk” encryption (the most common form of encryption used to provide confidentiality for files and messaging) much slower than can be done on a modern central processing unit (CPU). Higher performance specialist hardware is capable of symmetric encryption at the same rate as the main CPU (or even better than the main CPU), but it is unlikely to be as cost-effective because the CPU (obviously) can be used for multiple purposes and because of the numbers in which CPUs are manufactured. If ubiquitous security software existed that relied on hardware protection, it is possible that high performance hardware could be manufactured in such quantities to be cost-effective. However, no such ubiquitous security software exists because no ubiquitous security hardware exists, and no such ubiquitous security hardware exists because no ubiquitous security software exists. This results in deadlock.

TCPA cuts this Gordian knot by inserting simple hardware into a platform, to act as a root of trust for that platform. While a conventional crypto co-processor provides hardware protection for its security processes, a hardware root of trust in an otherwise normal platform provides software protection for the platform's software processes, at the same time that it maintains all the advantages of a normal, open computing platform. The root of trust enables gathering and reporting of evidence about the trustworthiness of the platform's main processing environment. The simple TP hardware contains all the functions that must be trustworthy if the evidence is to be trusted. After it is proven to be trustworthy, the platform's processing environment can be used for bulk encryption. Serendipitously, it transpires that all the functions that must be trusted are functions that operate on small amounts of data, so the performance of low-cost hardware is acceptable. Furthermore, it transpires that the functions that must be trusted are relatively non-contentious as far as product import and export are concerned. Thus, the hardware can be low-cost, and different versions of hardware for different marketplaces are not required.

TCPA calls “all the things that must be trusted” the Trusted Platform Module (TPM). To be precise, TCPA does not mandate that the TPM be implemented in hardware; it merely specifies the TPM's properties. Thus, it is possible for an entire computer platform to act as its own TPM, provided that the platform has the necessary properties. In reality, most TPMs will be hardware devices that are built into a platform. It can be argued that a Trusted Platform is the cheapest way to enhance security in a non-secure platform, because a TPM includes just the minimum functions that must be trusted. This residual hardware cost cannot be eliminated because, as already mentioned, it is axiomatic that the integrity of a platform cannot be proven using software only.

We have already introduced the (logical) concepts of root of trust for measurement and root of trust for reporting. Originally, it was intended that the TPM would be the single physical root of trust in a platform and provide both logical roots of trust. In the first PC implementation specification [TCPA 2001c], however, two physical roots of trust exist because it was considered to be too commercially risky and expensive to integrate the CRTM into a TPM. The CRTM itself is currently specified to be a (physical) root of trust in a memory device that protects it against unauthorized alteration. The TPM is the other root of trust, with more extensive protection mechanisms than the CRTM. Eventually, it is desirable that the CRTM instructions are migrated to the TPM, because the TPM can provide much better control over those instructions. The roots of trust cooperate to enable a process by which integrity metrics can be obtained. Integrity metrics are measurements about the platform and are used to prove that the host platform is in a state in which it can be used to process sensitive data. As will be seen later, integrity metrics can be used to prove to a local user or a third party that a platform is operating as expected and to prevent the release of secrets unless a platform is executing particular software. This feature is new to Trusted Platforms.

In summary, the requirement on enhancing trust and confidence in e-business must satisfy a number of criteria, such as low cost and exportability; otherwise, such security mechanisms will never become ubiquitous. So it is necessary to identify the absolute minimum set of functionality that must be trustworthy if the overall platform is to be trusted, protect those things, and leave the rest “as is.” Trusted Platform functionality is designed to provide the base capabilities essential to the implementation of security solutions, in a low-cost hardware device. The development of software that exploits these capabilities will allow for the strengthening of existing application security and for the development of new applications relying on platform integrity. The potential for ubiquitous availability of TCPA could provide the environment for the development of new security solution architectures (in other words, architectures within which software is trusted to perform operations involving sensitive data).

The Benefits of Using Trusted Computing Technology

You will see that both companies and consumers receive commercial benefits from Trusted Platforms. In this section, we briefly discuss the following:

  • The benefits of using Trusted Platforms that will emerge in the short, medium, and long term

  • How Trusted Platforms encourage greater customer confidence

  • How Trusted Platforms encourage e-business and enhanced e-services

Some of this confidence can be transferred to trust in companies themselves; Appendix B includes a section highlighting reasons why this would benefit companies.

Benefits to the User

Probably the most important aspect for users is that Trusted Platforms provide a low-cost way to trust a software environment for some particular purpose.

A Trusted Platform allows users to answer the following questions (see Figure 1-5):

  • Am I appropriately authorized? (platform authentication)

  • How can I have confidence that my computing platform will behave in the way I expect? (integrity)

  • How can I trust a remote system that is not under my control? (integrity)

Figure 1-5. Questions addressed by Trusted Platforms


In addition, a Trusted Platform supports any means of user authentication. Therefore, it can support the continuing personalization of web sites and user mobility, e.g., VPN and hot-desking. A Trusted Client can take part in riskier transactions than might otherwise be possible. For further details, see Chapter 2, which looks at applications of Trusted Platform technology.

The Trusted Platform architecture is designed to provide immediate, medium-term, and long-term benefits to users. Longer-term benefits are predicated on software improvements: All TPM chips support all TCPA functions, but existing software applications are not designed to take advantage of them. When TCPA platforms are more common, it is anticipated that customers and Independent Software Vendors (ISVs) will start developing applications that use these more advanced functions. The most advanced functions require a public key infrastructure (PKI) and are designed for use by e-services.

Short-term (immediate) benefits

In the short-term, benefits of Trusted Platforms are likely to be based on "Protected Storage" functions. Customers can use Protected Storage to protect the confidentiality of data on their hard disks in a way that is fundamentally more secure than pure software solutions. You'll need a basic TCPA implementation with a TPM chip embedded within a platform and associated software provided by the TCPA chip manufacturer.

In providing Protected Storage, the TPM does the following:

  • Acts as a portal to encrypted data

  • Provides an option (which does not have to be used) such that encrypted data can then be decrypted only on the same platform that encrypted it

  • Provides for digital signature keys to be protected and used by the TPM

Medium-term (intermediate) benefits

In the medium-term, benefits of Trusted Platforms will probably also involve the measurement of integrity metrics relating to the software environment on the platform, for use by the platform. This scenario is the same as the short-term solution, but it requires additional software. Customers can then protect their sensitive data against hacker scripts by automatically preventing access to data if unauthorized programs are executed.

The specific mechanism has the following properties:

  • It uses the TPM chip.

  • It acts as a portal to encrypted data, such that this data can be decrypted only if the platform has a given set of software environment integrity metrics. If a hacker loads a script, the presence of that script changes the state of the software environment and the TPM denies access to any secrets that were linked to that previous software environment. The script still executes, but it cannot access any such secrets and cannot interpret any information protected by such secrets.

This feature can be exploited through software at different levels in the software stack, ranging from standalone applications to a fully TCPA-aware operating system (OS).

Long-term benefits

Longer-term benefits of Trusted Platforms involve the reporting of integrity metrics relating to the software environment on the platform, for use by third parties. This benefits e-business. The scenario requires additional public key infrastructure support, whether restricted to a corporation or extended across organizational boundaries.

Users and their partners, suppliers, or customers can connect their IT systems together and expose only the data that is intended to be exposed.

The specific mechanism has this feature:

  • TCPA provides reporting of integrity metrics of the software environment on a specific platform. This allows a remote party to verify the software environment in a TCPA platform before sending data to that platform. This provides confidence in the software state and identity of a remote party, enabling higher levels of trust when interacting with this party.

Both trusted clients and trusted servers can use this feature.
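The long-term mechanism just described (reporting integrity metrics to a remote party) and the medium-term case of a loaded script changing the software state, as an added challenge-response example that is not code from the book or from TCPA. The boot stages and keys are constructed, and an HMAC with a shared key stands in for the TPM's signature with its identity key; real reporting uses public-key signatures backed by a PKI, but the verifier's three checks (freshness, authenticity, comparison with vouched-for values) are the same.

```python
"""Constructed challenge-response: a remote party verifies a platform's reported
integrity metrics before deciding to send it data."""
import hashlib
import hmac
import secrets

IDENTITY_KEY = b"constructed-identity-key"  # placeholder for a TPM identity key
BOOT_STAGES = [b"BIOS image v1", b"boot loader v1", b"OS kernel v1"]


def extend(register: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: register <- SHA-1(register || SHA-1(measurement))."""
    return hashlib.sha1(register + hashlib.sha1(measurement).digest()).digest()


def measure(stages) -> bytes:
    """Register value after measuring every stage in order from reset."""
    reg = bytes(20)
    for stage in stages:
        reg = extend(reg, stage)
    return reg


def tpm_quote(identity_key: bytes, register: bytes, nonce: bytes) -> dict:
    """Platform side: report the register value bound to the challenger's nonce.
    HMAC stands in for the signature a real TPM makes with its identity key."""
    sig = hmac.new(identity_key, register + nonce, hashlib.sha256).digest()
    return {"register": register, "nonce": nonce, "sig": sig}


def verify_quote(identity_key: bytes, trusted_values: set, nonce: bytes, q: dict) -> str:
    """Remote side: check freshness, then authenticity, then compare with expected values."""
    if q["nonce"] != nonce:
        return "rejected: stale report"
    expected_sig = hmac.new(identity_key, q["register"] + q["nonce"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, q["sig"]):
        return "rejected: report not from the expected TPM"
    if q["register"] not in trusted_values:
        return "rejected: software state not on the trusted list"
    return "accepted"


def exchange(platform_stages, platform_key: bytes = IDENTITY_KEY, replayed_quote=None) -> str:
    """One challenge-response round; returns the verifier's verdict."""
    # "Social trust": the values someone the verifier trusts has vouched for.
    trusted_values = {measure(BOOT_STAGES)}
    nonce = secrets.token_bytes(20)  # fresh challenge per round
    q = replayed_quote or tpm_quote(platform_key, measure(platform_stages), nonce)
    return verify_quote(IDENTITY_KEY, trusted_values, nonce, q)


def demo():
    """Expected platform, scripted platform, impostor TPM, and a replayed old report."""
    ok = exchange(BOOT_STAGES)
    scripted = exchange(BOOT_STAGES + [b"hacker script"])
    impostor = exchange(BOOT_STAGES, platform_key=b"some-other-key")
    old_report = tpm_quote(IDENTITY_KEY, measure(BOOT_STAGES), b"\x00" * 20)
    replay = exchange(BOOT_STAGES, replayed_quote=old_report)
    return ok, scripted, impostor, replay


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```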

How Trusted Platforms Create Better Customer Confidence

Trusted Platforms can help create better customer confidence in several ways, including the following:

  • Enhanced security using hardware

  • Feedback about trust to the user

  • A technological foundation for privacy

  • Trustworthy digital signature

Hardware-based security

Processes that execute in specialist security hardware are better protected than processes that execute on ordinary computing engines. These protected functions are much more resistant to interference and snooping from logical or physical attack, so there is greater confidence in those processes than in processes that execute on an ordinary computing engine.

In a conventional platform with a conventional crypto co-processor, the co-processor protects all its functions from logical and physical attack but does not protect processing on the ordinary CPU. A Trusted Platform provides logical and physical protection for secrets and logical protection for the data protected by those secrets (which is processed on one of the main CPUs). The TPM acts as a conventional co-processor for secrets, and the integrity mechanisms prevent the release of secrets to inappropriate processing environments and permit a local or remote user (or computer) to verify the trustworthiness of a platform before interacting with that platform. So a Trusted Platform protects a larger number of processes than a conventional platform with a conventional crypto co-processor: A critical few processes (dealing with secrets) are protected by a minimalist crypto co-processor. Other processes (on data that uses secrets) are less protected than they would be inside a crypto co-processor (because no physical protection exists, for example, against deletion), but are better protected than ordinary processes outside a crypto co-processor (because the confidentiality and integrity of the data is protected).

Specifically, a Trusted Platform provides hardware protection for keys and other secrets, which would normally be used to encrypt files or gain access to servers or other networks. The TPM prevents the release of secrets until presentation of an authorization value and/or the presence of a particular TPM and/or the presence of a particular software state in the platform. The TPM prevents inappropriate access to encrypted files and network resources by snooping around a hard disk, or moving a hard disk to another platform, or loading software to snoop on other processes, for example.

Provision of feedback about trust to the user

By interacting with Trusted Platforms using smart cards or handheld computers, a user can decide whether to trust a computer or computing infrastructure.

A smart card or other handheld computer can be programmed to interrogate a Trusted Platform (local or remote), retrieve identity information and integrity metrics, and compare the identity and integrity metrics with expected values. If they are different, the smart card or handheld computer user can refuse to interact with the Trusted Platform because it is the wrong computer or because it is in an inappropriate software state and not to be trusted for the intended purpose.

This enables a user to access an arbitrary computer platform in an organization or public area or an arbitrary server, and to determine whether it can be trusted to work on private information and not reveal the private information without authorization from the user.

Provision of a technological foundation for privacy

Both businesses and individuals are increasingly concerned with the privacy of their confidential and personal information, particularly when their computer platforms are connected to networks.

In the computing context, privacy provides a way to prevent others from gaining access to information without the informed consent of its owners. Cell phones, telephone caller ID, credit cards, and the Internet provide people with a dramatic new level of freedoms that can enhance business processes and personal lives, but these innovations come with privacy concerns. All of these systems are capable of providing information, including financial and personal data that most users assume to be private. The TCPA believes that the ability to ensure such privacy is an essential prerequisite of a trusted system. This privacy needs to be as robust as any other aspect of the trust in the system. [TCPA 2000b]

Privacy controls should determine whether it is permissible to reveal that the information exists and the circumstances in which the information can be disclosed or used. A credit card number is not secret, for example, but it is private. Only the owner of a credit card has the right to use the credit card number. Others, who have been given the credit card number, should not disclose, distribute, or use the number in a manner that is not approved by the card owner. It follows, therefore, that data is rendered private if the owner of the data can control distribution of information about the data, even knowledge of the existence of that data. Whether particular data should be treated as private data depends on the nature of the data and the opinion of the owner of that data. Some people are not concerned about privacy, and others are. One person may consider that a particular type of data must be private, while another may not.

Any data (even secret data) can have a privacy attribute. Some data associated with Trusted Platforms do not require security protection but could be considered privacy sensitive by some users. The best such examples are public asymmetric keys (such as the public endorsement key) and X.509 certificates (such as the endorsement certificate and identity certificates). To maintain the privacy of such data, the TCPA specification requires that access to some such data is under the control of the owner of that data. An owner who is not concerned about privacy can still distribute the data, or publish its existence, to his heart's content. An owner who is concerned about privacy should use whatever mechanisms are provided to prevent others from accessing the data or learning about the data.

TCPA provides a novel form of privacy protection by preventing the revelation of secrets unless the platform's software is in an approved state. If secrets are kept on a server built on a Trusted Platform, a user can verify that the server is the expected platform and is operating as expected before sending private information to it. After a user's private information is on the server, the user can be reassured that the data will become unavailable if the software environment on the server changes (during a hacker attack, for example). Thus, the secret should never be used in unapproved circumstances.
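As an added illustration (not code from the book or from the TCPA specification), the following Python model shows the sealing behaviour described above and in the hardware-based security section: a secret is bound to an authorization value and to a digest of the platform's integrity registers, and the toy TPM withholds it once a further measurement changes the software state. The SimTPM class, the boot chain and the authorization value are constructed stand-ins, and the comparison of a recorded composite against the current one is the same check a smart card would make against its expected values.

```python
import hashlib
import hmac

PCR_LEN = 20  # TCPA 1.x integrity registers hold a SHA-1 digest

class SimTPM:
    """Toy model of a TPM's integrity registers and sealed storage (not a real TPM)."""
    def __init__(self, num_pcrs=16):
        self.pcrs = [bytes(PCR_LEN)] * num_pcrs  # PCRs are all-zero after reset
        self._sealed = {}  # handle -> (secret, auth digest, PCR set, expected composite)

    def extend(self, index, measurement):
        # Extend is one-way: PCR[i] <- SHA-1(PCR[i] || SHA-1(measurement)).
        # Software can only append a measurement, never set a PCR to a chosen value.
        digest = hashlib.sha1(measurement).digest()
        self.pcrs[index] = hashlib.sha1(self.pcrs[index] + digest).digest()
        return self.pcrs[index]

    def composite(self, indices):
        # Digest over the selected PCRs: the software state a secret is bound to.
        return hashlib.sha1(b"".join(self.pcrs[i] for i in indices)).digest()

    def seal(self, secret, auth, indices):
        # Keep the secret inside the TPM along with the conditions for its release.
        handle = len(self._sealed)
        self._sealed[handle] = (secret, hashlib.sha256(auth).digest(), tuple(indices), self.composite(indices))
        return handle

    def unseal(self, handle, auth):
        secret, auth_digest, indices, expected = self._sealed[handle]
        if not hmac.compare_digest(hashlib.sha256(auth).digest(), auth_digest):
            raise PermissionError("authorization value rejected")
        if not hmac.compare_digest(self.composite(indices), expected):
            raise PermissionError("software state differs from the sealing state")
        return secret  # released only when both conditions hold


def demo():
    # Constructed boot chain: each component is measured into PCR 0 before it runs.
    good_chain = [b"constructed-bios-v1", b"constructed-loader-v1", b"constructed-kernel-v1"]
    auth = b"constructed-owner-authorization"
    tpm = SimTPM()
    for image in good_chain:
        tpm.extend(0, image)
    handle = tpm.seal(b"file-encryption-key", auth, indices=[0])
    result = {"good_state": tpm.unseal(handle, auth)}  # same state: released
    try:  # wrong authorization value, unchanged state
        tpm.unseal(handle, b"wrong-auth")
    except PermissionError as err:
        result["wrong_auth"] = str(err)
    tpm.extend(0, b"constructed-unapproved-module")  # the environment changes
    try:  # right authorization, but the PCR composite no longer matches
        tpm.unseal(handle, auth)
    except PermissionError as err:
        result["changed_state"] = str(err)
    return result
```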

Some aspects of privacy are expressed in Trusted Platforms via explicit commands or special features of commands or protocols. These commands or enhancements enable the TPM owner to dictate some aspect of a TPM's behavior, such as whether it will do “real work” and whether it will accept an owner. For example, the entire notion of TPM identities exists only to provide privacy when a TPM owner uses a signing key that identifies his platform. A user has multiple trusted attestation identities that are associated with a TPM, which is particularly useful in e-business because different identities can be associated with different types of tasks. The technology prevents someone from building up a profile of the user by combining behavior associated with different identities. A user can use one identity when dealing with a bank, another identity when buying goods, and yet another identity when posting opinions to a newsgroup. An identity can have any arbitrary name or label (even the user's real name, if he or she wishes), yet each identity can prove that it corresponds to a Trusted Platform. A third party can still track the consistency of a user's behavior and benefit from being able to inspect the environment on the associated platform to see if it is trustworthy, but the third party cannot correlate activities performed using different identities. (Or, at least, the correlation cannot be done by exploiting TCPA mechanisms.)

TCPA also respects the privacy of a user of a Trusted Platform. TCPA differentiates between the user of a Trusted Platform and the owner of a Trusted Platform. The owner has certain privileges over a Trusted Platform, but a user's data is private; even the owner of the platform cannot access that data without permission from the user. Hence, a platform could be owned and used by a single owner or user (in the case of a consumer or small business), or it could be owned by one entity and used by another entity. This would be the case in a corporate environment, where the IT department is the owner, and the user is the individual to whom the platform has been issued.

This issue of privacy is discussed in a more technological context later in this chapter.

Provision of trustworthy digital signatures

Digital signatures will become more important as they gain greater legal status, and Trusted Platforms can support and enhance the use of digital signatures. You'll realize these benefits:

  • A Trusted Platform protects signature keys using the TPM, never reveals those keys outside the TPM, and uses such keys to digitally sign data submitted to the TPM.

  • A Trusted Platform can enhance digital signatures by incorporating integrity metrics that indicate the software state of the platform when data is signed.

  • Depending on the implementation of the TPM, a Trusted Platform can further enhance signatures to guarantee that what is signed corresponds to what was seen by the signer. (This issue is considered further in Chapter 14.)

Support for security services and improved e-services

TCPA embeds trust and security functionality into computing platforms to properly anchor existing security services; it also provides a basis for improved security services and services that use security. Trusted Platforms are deliberately designed to support existing security techniques, even though the TP may lead to the development of improved security techniques that eventually supplant existing techniques. Trusted Platforms are even deliberately designed to use existing security techniques to provide the functions of a Trusted Platform, and TCPA invents new processes only when necessary. This is critical, and not just a matter of preference: The best security techniques are those that have been subject to study for a long time, yet are still considered to be secure.

The TCPA limits itself to the specification (rather than supply) of Trusted Platforms and services derived from Trusted Platforms. TCPA Trusted Platforms provide the base for software and services at all levels to meet new e-business expectations, whether that base is for platform manufacturers' products and services or their customers' own products and services built with/on such platforms.

The importance of trust for e-commerce

Consumers' lack of trust is a major inhibitor to e-commerce, and the expected boom in the use of e-commerce has yet to materialize. There are many contributing factors, including brand familiarity, website navigation, fulfillment of transactions (i.e., delivery of goods), the lack of sociability of using the Internet to shop, the inability to touch and try goods, and the non-immediacy of receipt of goods. However, according to most surveys on the subject, consumers' lack of trust in the Internet is a major reason for not buying online ([Cheskin 1999], [GVU], and [AT&T 1999]). Fears about security are an important aspect of this lack of trust. For example, in order to access an e-service in electronic commerce, you may have to communicate with a platform with which you have had no previous contact. In this case, how can you believe that you are contacting the correct business entity and that the behavior of that entity's platform is appropriate? How can you even ensure that your local personal computer remains trustworthy, given that it may be accessed by remote software during the service?

For e-commerce to be effective, each of the components that combine to make up the system must be trustworthy. Any breach of security at any one of the levels will add to the feeling of distrust that users have toward shopping online. Indeed, it seems that the media's dramatization of security breaches has already made a substantial contribution toward users' inherent lack of confidence.

It is not surprising that consumers are worried about the vulnerabilities in the system. On September 13, 1999, British Prime Minister Tony Blair succinctly captured the worries that people have when he said that the biggest barrier to the spread of e-commerce is a cultural one. Companies are worried that they won't get paid. Customers are concerned that their personal details will be misused. Copyright holders fear piracy, and so on.

On March 20, 1999, former President Clinton expressed the deep concern of consumers in security and privacy, saying that he wanted to work with industry to find ways to give consumers the same protection in the virtual mall that they now have at the shopping mall, and to enhance the security and privacy of financial transactions on the Internet, which he believed to be an increasingly deep concern of citizens everywhere.

Note that neither of them talks about perfect security; instead the goal is to be “as safe as” something else. In the case of Prime Minister Blair, the goal is to be as safe as any country in the world—presumably that implies the U.S. In the case of former President Clinton, the goal is to make the virtual mall as safe as the shopping mall.

The usefulness of Trusted Platforms also extends beyond services traditionally considered as comprising e-commerce. Using TPs, both customers and service providers can have more confidence in business transactions. This has implications in the office environment for hot-desking, in the home environment, in remote management, and in teleworking. Other benefits, such as software distribution, apply to both the home and office environment, albeit with a slightly different focus.

As a result, many business opportunities are expected to be available in providing trust-enhancing services built on top of Trusted Platform technology. For example, the transactional security service market is expected to increase at a compound annual growth rate of 92 percent, from $128 million in 1999 to $3.3 billion in 2004 [IDC 2001].

Corporate responsibilities addressed by Trusted Platform technology

Finally, organizations that use computer platforms will find it easier to maintain good practice if they use Trusted Platforms. Trusted Platforms can maintain the confidentiality of the organization's information, something that is currently a major problem.

Attacks occur in these and other ways:

  • Information corruption caused by viruses

  • Online theft of information (e.g., corporate data being at risk of loss or misuse if an office platform is used at home over a personal Internet connection)

  • Offline theft of information (e.g., from a home system used over a personal Internet connection, or information extracted offline from a stolen home or office system)

Information damage has several undesirable effects, including these possibilities:

  • Direct financial loss resulting from fraudulent use of secrets

  • Loss of business opportunity through disruption of service

  • Loss of customer confidence or respect (e.g., via web pages being hacked)

  • Costs resulting from uncertainties, e.g., system failures leading to paralyzed transactions leading to dispute resolution

Legislation for digital signatures imposes requirements for trustworthy systems and safeguarding of private keys. Companies could be more comfortable using Trusted Platforms for digital signatures because of the ability to predicate signatures on the software state of the platform, either by checking the state before signing or by incorporating the state into the signature.

The Value of Trusted Platforms

New business practices drive the need for protected information processing and communication systems.

With increasing and widespread usage of open networks, the need for ubiquitous information protection in computer platforms grows. One solution is the widespread adoption of conventional security techniques, but what businesses really want and need is commercial confidence rather than security per se. The approach described in this book is that of Trusted Platforms. Trusted Platforms are a low-cost method of providing confidence in the protection and processing of information. The trust mechanisms in Trusted Platforms use selected security mechanisms, but they are ultimately based upon signed statements of “social trust” made by individuals and organizations.

The higher levels of trust that are enabled by Trusted Platforms are valuable to businesses for the following reasons:

  • Companies gain by being trustworthy

  • Brand image suffers if there is a breach of trust or privacy

  • Better trust enables more powerful management services

  • Consumers' trust is a major business enabler

  • Improved trust and security are necessary for the delivery of business-critical e-services
