In-Depth

Tools to Secure Your System, Privacy, and Sanity

How can you know you haven't been connected to a look-alike server, and how does it know your device isn't infected with malware? New hardware specification models from the Trusted Computing Group may help.

Ethical business practice is predicated on the foundation that the people involved in transactions trust each other to fulfill their end of the contract. A fundamental element of this trust is both parties knowing each other’s true identities. Confidentiality is also an important element of a sound business relationship.

But gaining and maintaining trust in a digital environment presents many additional challenges the traditional business world has not had to tackle. Today, two parties involved in a transaction may not be human, but machines from different companies simultaneously executing programs. In this model, how can those responsible for overseeing and assuring that these transactions go smoothly be sure that all parties are safe and protected from spyware, tampering, or attack?

Knowing Whom to Trust

When using a cell phone, PDA, or PC, can anyone really be sure the equipment is safe? When contacting a server from such a device, how can one be sure an attacker has not redirected the data to a look-alike server and tricked the sender into revealing IDs and passwords? Even if connected to the right server, how does one know an attacker has not compromised that server by installing spyware to capture the transaction about to be conducted?

At the server end, how does the server administrator know if the person trying to connect is trustworthy? Even if the server administrator believes the sender’s claim of identity, how does the administrator know that the computing devices (PC, PDA, etc.) have not been compromised with any manner of malware?

Such problems apply broadly across the digital world. People regularly engage in transactions using cell phones, PDAs, television sets, and PCs and in so doing, impact other PCs, servers, cell phones, or retail point-of-sale stations. No one company could feasibly cover the vast number of issues that arise from the daily traffic on the multitudes of devices used. Even if one company attempted to provide a solution, it might not be accepted by the entire industry. The breadth of the problem and customer demand for open standards-based solutions require a standards-body approach to the solution.

The Trusted Computing Group (TCG, https://www.trustedcomputinggroup.org/home) is an open standards group dedicated to solving security problems with solutions that are consistent across computing platforms. TCG consists of over 50 industry-leading corporations, including chip, platform, and device manufacturers, as well as software vendors and others. These companies have worked together to specify a single chip—a dedicated Hardware Security Module (HSM) the organization calls a Trusted Platform Module (TPM). A TPM can be used to address security issues consistently across a wide range of devices (from cell phones to servers) and operating systems.

The intent of a standards body (such as the Trusted Computing Group) is to combine the efforts of multiple experts to develop open standards for the industry, create interoperability and compatibility between the standards-based products from vendors, and create commodity products that system integrators can design into computing systems for the benefit of the industry at large.

A TPM’s capabilities are self-contained. It uses a single, well-defined interface to communicate with the computing system (of which it is a part), and does not depend on an operating system. A TPM provides two central value propositions. It can be used to:

  • provide a unique, unspoofable identity to the device of which it is a part

  • conserve status information about the software running in the device (this status information can be used to determine if the device has been changed without authorization)

In addition to specifying the TPM, the Trusted Computing Group also specifies a low-level software stack that serves as middleware between the TPM and higher-level software stacks. This middleware layer is called the TCG Software Stack (TSS).

Creating a Unique Identity and the Ability to Prove It

A TPM is a microcontroller that has an Internet security and authentication algorithm called RSA (after the developers: Rivest, Shamir and Adleman) designed into it. The standard specifies that the TPM must be welded into the computing device of which it is part and must disable itself if the electrical connection to that device is disturbed. This enables the TPM to calculate a public/private asymmetric key pair for itself. It can export the public key and retain the private key, create a digital signature with its private key, and be the unique identity for the device.

In larger computing devices (PDAs, PCs, disk drives, servers), it is possible to associate a digital certificate with the TPM’s key pair and to create a machine certificate that provides the same identity values to a machine that digital certificates provide to people.

Machine identity gives the device the ability to demand that TPM-equipped digital devices prove their identities based on recognition of the private keys stored in their TPMs. In such interaction, Device A demands to know the identity of Device B. Device A provides Device B with a random piece of data and the order to digitally sign that data. Device B signs the data and returns it. Device A checks the signature. If it is the correct signature, Device A decides that it is, in fact, speaking with Device B and not an attacker masquerading as Device B.

A unique identity might be based on a public key infrastructure (PKI) with a certificate tied to the TPM. This is not necessary, however. The ability to perform a digital signature does not require a PKI. It requires the ability to calculate a hash of a data object and the ability to encrypt that hash with an asymmetric key pair. TPM can do both. Just because a device can prove it is who it says it is does not mean that it can be trusted. An attacker may have installed malware that is able to spy on everything that happens in a device.

Security products often use hashing as a way to check that nothing in the software has changed since the software was installed. To do this, it is necessary to hash the software after it is installed and save that hash value in a secure place. In the future, if someone wants to know whether the software has been attacked, it can be hashed again and compared to the value that was stored. If they are different, then something has changed, which is enough to stop execution and send an alert that this system cannot be trusted.

Platform Configuration Registers

TPMs are built with a set of storage registers called Platform Configuration Registers (PCRs). PCRs store hash values. The original hash value must be stored in a secure place. If the attacker can get to the original hash value, he can replace it with a hash value of his own. In that case, the self-check is worthless. The TPM can store hash values inside itself. The only way to write to the PCRs is by proving ownership of the TPM. Not owning the TPM, PCR values can be accessed but cannot be changed.

The use of PCRs in a TPM has been publicly demonstrated as a way to prove trustworthiness. As an example, a client application asked a server if it could be trusted. The server responded by calculating hash values for its operating system and applications, then comparing those values to values set by the IT administrator and stored in the PCRs. If they match, then the server has not changed since the administrator configured it and the system can be trusted. If they do not, a warning will be sent to the client.

Security Products on the Market

TPM-based hardware and software products manufactured by TCG member companies are available today. These embedded solutions add greater security to TPM- and TSS-based products, many of which include software that allows embedded security solutions to be used with computer applications to implement features such as protected digital email signatures, digital certificate-based virtual private networks, and protected network authentication.

Other solutions are a combination of hardware and software products that "lock" data such as sensitive keys, identity information, and confidential data. Some are software solutions utilizing the TPM functionality and adding document and signature security. There are a myriad of software solutions that protect files and personal confidentiality.

Conclusion

The ability to recognize and include both known people and machines and exclude those that are unknown and/or untrustworthy is critical to the success of an e-business system. The mission of the Trusted Computing Group is to specify hardware security models (HSMs) that can be widely used in many devices, independent of device footprint, capabilities, or operating software and which provide a consistent set of security functions that can be used to prove the identity and integrity of the computing device.

These capabilities make the TPM a basic enabler of e-business and business-on-demand applications by making it possible for computing devices to receive accurate answers to the questions “Who are you?” and “Can you be trusted?”

Must Read Articles