Data Centers

Talking Shop: Can you trust trusted computing?

Skeptical analysis of Microsofts Trustworthy Computing initiative


ScOrp is TechRepublic's first opinion writer. His ideas and suggestions are his own and do not represent those of TechRepublic or CNET Networks.

The necessity of providing adequate security for computers and networks while maintaining full functionality is a familiar one to today's IT professionals. There must be free and easy access to resources by authorized users and ONLY by authorized users. Of course, with every security measure comes a certain overhead. Having a lock on a physical door necessitates having and safeguarding keys, which in turn necessitates the making and management of keys and a backup plan for lost keys—or, more closely related to passwords and encryption, giving out the combination to the lock and ensuring that only the right people have that combination.

While it's a lot easier to have no lock, just a door that can be opened and entered, that isn't very secure for the storage of valuables. It's the same with securing a network. Whether it's a firewall that snoops through packets before allowing passage, or encrypting/decrypting files, or even just passwords on user accounts, there's a time delay and a requirement to manage the details of the process.

But consider what would happen if there were a second lock on the door that only the police or a neighborhood association representative could open. Consider also that this third party had "your" lock mastered to accept their key too. What kind of agreement would it take for you to feel confident that this third party would not walk into your house at any time and check your belongings against your receipts to make sure that you bought them? What kind of agreement would it take for you to believe that this third party would always be available to open the door upon your request? How about: None! There is no agreement that any rational person would accept in these situations. And yet, that is exactly what is planned for your computer(s).

Some definitions
TCPA (Trusted Computing Platform Alliance): Formed by Compaq, HP, IBM, Intel, and Microsoft, this alliance was formed to work on "creating a new computing platform for the next century that will provide for improved trust in the PC platform." This organization gave rise to TCG.

TCG (Trusted Computing Group): This is an "industry standards body" that will "develop and promote open industry standard specifications for trusted computing hardware building blocks and software interfaces across multiple platforms, including PCs, servers, PDAs, and digital phones. This will enable more secure data storage, online business practices, and online commerce transactions while protecting privacy and individual rights." (Clearly, the word "trust" is defined in a special and unusual way here; the standard layman's definition is not accurate.)

Palladium: Microsoft's implementation of TCPA/TCG standards. Palladium is Microsoft's code name for an evolutionary set of features for the Windows operating system. A Microsoft press release says, "Combined with a new breed of hardware and applications, these features will give individuals and groups of users greater data security, personal privacy, and system integrity."

NGSCB (Next Generation Secure Computing Base): This is merely the new name for Palladium. It is harder to pronounce ("enscub"), which is possibly a deterrent to discussing it.

"Fritz" chip: Named after U.S. Senator Fritz Hollings, the main proponent of enabling (requiring?) "TC" standards as the law of the land in the United States. (To avoid confusion in this article, both TCPA and TCG will be lumped under the term "TC." It's mostly a cosmetic difference, anyway.)

In a nutshell
What happens with TC is this: Most of the larger and many of the smaller makers of hardware and software will begin producing chips and applications that mutually support a TC standard that includes requiring digital signatures for every file opened on a computer. A computer with an enabled Fritz chip will take control of the machine right from boot-up. At every stage of the boot process, the TC-coded Fritz chip will check and verify compliance with TC standards, from BIOS to starting up services and devices. There will be a table stored internally with a list of TC-approved hardware, and if a device is not present on that list, it might as well not be on the Hardware Compatibility List. All software must have an approved digital signature and an unexpired/non-revoked serial number, or it will not start up. Any "significant changes" to the state of the machine (new hardware or applications) will require going online and recertifying those changes even if those changes are all in TC-compliance.

You will have only two boot results possible: Either a computer that has passed examination by a resident intruder or a machine that will not even work until it's reregistered and passes an online examination. If it passes, a software-based watchdog will take the leash after the boot is completed. If it doesn't pass, someone will know exactly who you are and why your machine is out of compliance.

Depending upon the exact definition of "significant changes," this could amount to an insane Admin overhead level just to get a PC up and running after replacing a NIC. If nothing else, you'll have to "flash" frequently to update the approved hardware list or face failure to boot even after making NO changes at all.

Consider that any system does occasionally get things just a little tiny bit wrong. Hope that this isn't just one more complication when a mission-critical server starts chugging badly and needs attention. "The five nines" (99.999 percent reliability or <5.2 minutes downtime per year) could become a nostalgic memory. At this point, it's not clear exactly what effect the Fritz chip and TC standards will have on hot-swapping server components or hot-plugging USB/FireWire devices. One could hope that changing the state of the machine a bit after the boot sequence wouldn't gum things up. One would also expect that since a major motive behind TCPA was to enforce DRM (digital rights management), that any perceived possible "sidestep" would sound the shutdown alarm in the Trusted OS.

Linux to the rescue?
So, run Linux instead? Don't count on it. You'll still be saddled with the Fritz chip in any motherboard soon to be produced. And it gets worse because both AMD and Intel have solid plans to integrate TC right into the processor where no soldering iron dares to tread. As it is being presented now, TC standards are an option for the user, to be turned on or off. But whether by force of law or by collusion among the overwhelming market shareholders in both computer hardware and software, the TC "on/off" guarantee will soon crumble. Business users won't have a choice anyway, since only the Admin controls the TC toggle—and the Admins will be subject to company policy.

No, "I'll just run Linux!" is simply not a viable workaround. Unconfirmed rumors have it that major Linux distributors, such as Mandrake and RedHat, are already planning to be compliant with TC standards in future releases. They'll have to be, since they do run on hardware. A bit more chilling is the forecasted effect on the Open Source/GPL community at large—bright, motivated developers will be much less likely to volunteer their time and effort "for the community good" when they realize that TC standards disable the General Public Licensed (GPL) software as it functions at present. GPL software must be altered to run on TC-enabled hardware (that digital signature requirement again) and can then be proprietized and the source code "closed" by large commercial vendors. Open Source community members won't be happy about that—they'll probably be unhappy enough to quit altogether—and there goes a troublesome source of competition, all accomplished (somewhat) legally.

Once TC standards become either legally forced or widespread enough, a TC-free user will be hard-pressed to find any files or applications that will function at all on his or her machine.

Suppose you decide that you'll simply refuse to be in compliance with these new standards. One day, you'll receive a Word document in e-mail that you can't open, even though both you and the sender have the same version of Microsoft Word. In fact, you may not even be able to open an e-mail message from a TC-enabled sender at all! The Word doc will have a digital signature that must be "satisfied" in order to decrypt it so that Word can open it, and the e-mail will have the same gimmick in its header. By the same token, a TC-enabled computer will refuse to open a file that doesn't have a TC signature. The level of encryption applied will be completely beyond cracking by foreseeable means—up to 2048-bit keys are in the works. (And you thought Blowfish was tough.)

The point is that every single string of 1s and 0s produced under TC standards will be automatically signed, starting instantly. Every file will be run through the TC process as an integral part of the new file systems (and hardware!), both during creation and opening by an application. Forced encryption at varying levels will be applied as well. Microsoft claims that nothing will stop working overnight, but the fact is that, at some point, when TC standards are judged to be widespread enough, every system connected to the Internet will receive activation orders, and the scheme will then be in place worldwide.

Paranoia or reality?
The Automatic Update feature of Windows XP (and its automatic potential for hazard) has been known and discussed for some time now. At present this is "an option," but the fact is that the vast majority of home users and a significant number of business users/Admins simply take the path of least resistance and surrender that option to Microsoft. It's easier. Who wants to check for new patches every day? Rather than find them, evaluate them, download them, and apply them, why not just let Uncle Bill do the work? The average user sure doesn't want to take that trouble, and overworked IT staffs may see the value in cutting their 12-hour days back to only 11. Makes sense, right? It's also the fastest response to all the new security holes, new viruses, and other threats to system security that seem to pop up daily, right?

Maybe. Maybe not. Next week the diatribe continues (oh yeah, there's more), and a few folks in the trenches weigh in on the subject.

Editor's Picks