Trusted Platform Module
by Lee LeClair, 02/10/2010
As seen in Inside Tucson Business
The Trusted Platform Module (TPM) caused shockwaves this week as the story of how it was cracked hit the headlines. A TPM is a small hardware chip designed to give a device a tiny, tamper-resistant vault for cryptographic keys. It was specified for PCs, and millions already sit on laptop, desktop and server motherboards of every type; the same smartcard-class chip family is reported in commercial devices such as Xbox 360 game consoles, TVs and satellite TV receivers. The intent was an inexpensive but highly secure way to protect keys and content. Strictly speaking the TPM does not bulk-encrypt a hard drive itself: it generates and stores keys that are never supposed to leave the chip, performs a small set of cryptographic operations with them, and releases a protected key only when the machine's measured boot state matches the state the key was sealed to. Security-conscious individuals and companies already rely on it to protect disk-encryption keys, verify the integrity of the boot process and positively identify individual machines.
Christopher Tarnovsky, a security consultant, took about six months to crack the chip. He used acid baths to dissolve the package and the protective mesh above the silicon, then placed a microscopic needle probe on the chip's internal data bus to eavesdrop on traffic passing between the chip's own components. Once he had found tap points that did not trip the chip's tamper defenses, he could record the data the processor handled in the clear, including key material, and so do anything the chip's legitimate owner could have done with it, in effect nullifying the chip's protections. Note what the attack requires: physical possession of the chip, a well-equipped lab and months of skilled work. It is not a remote attack.
What is the impact of this? Some are already arguing that the process is so complex and expensive that it is unlikely to be duplicated. But where large sums are at stake, as they are in satellite TV, gaming and other piracy markets, a one-off crack of this kind is typically replicated, refined and reduced to a repeatable procedure, and whatever is common to a whole product line (firmware, design secrets, shared keys) then needs to be extracted only once. It is simply supply and demand. One caveat: a TPM's own keys are unique to each chip, so reading out one TPM does not compromise any other; the replication risk is to the attack procedure and to any secret a vendor shares across many units. That also assumes Tarnovsky is the first to have done this. Well-resourced pirates, including groups in Russia and China, may have achieved it already and kept quiet, since their plan would be to profit from it rather than to gain the notoriety of a security consultant.
For corporate data users, it depends on the threat model. A user who encrypts a hard drive or files with a TPM-protected key would believe the data quite safe, and even if the "protected" laptop were stolen might sleep soundly believing the encrypted data on it secure. For most people that remains true: an opportunistic thief will not dissolve the chip in acid. But if the thief is a corporate rival or a foreign intelligence service and the laptop belonged to a finance executive, the calculus changes and one should proceed accordingly. A practical consequence follows. In a TPM-only configuration the chip releases the disk key to any machine that boots in the expected state, so the data leans entirely on the chip's tamper resistance. Most TPM-based disk encryption products can also require a user PIN or a key on a USB token; then an attacker who gets past the chip still has a secret to guess, and the strength of that secret is what remains once the hardware is defeated.
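To make the point about configuration concrete, here is an added example, not code from the column and not how any real TPM or disk-encryption product derives its keys. It is a toy model: a "TPM" object holds a root secret, seals a disk key to a boot-state digest either alone or together with a user PIN, and enforces a retry limit. Two attacker functions then show what changes once the root secret has been read out of the chip: the TPM-only blob opens immediately, and the PIN-protected blob falls to an offline search bounded only by the PIN's entropy, while the same guessing against the intact chip is stopped by the lockout counter. The key derivation, the XOR wrap, the PIN "7391" and the retry limit of five are all constructed for the example.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed example: a toy model of sealing a disk key to a hardware root secret.
# It is NOT TPM 1.2 or BitLocker code; the wrapping scheme, the retry counter and
# the attacker functions are invented here to show what changes once the chip's
# root secret has been read out with a probe.

def kdf(*parts: bytes) -> bytes:
    """Toy key derivation: SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def seal_blob(wrap_key: bytes, disk_key: bytes) -> bytes:
    """Toy wrap: XOR the 32-byte disk key with a 32-byte wrapping key, then
    append an HMAC tag so that a wrong wrapping key is detectable."""
    wrapped = bytes(a ^ b for a, b in zip(wrap_key, disk_key))
    return wrapped + hmac.new(wrap_key, wrapped, hashlib.sha256).digest()

def try_unseal(wrap_key: bytes, blob: bytes):
    """Return the disk key if wrap_key matches the blob's tag, else None."""
    wrapped, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(wrap_key, wrapped, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(wrap_key, wrapped))

class ToyTPM:
    """Stand-in for the chip: a root secret that is supposed never to leave it,
    a digest of the measured boot state (the PCRs) and an anti-hammering counter."""
    MAX_FAILURES = 5

    def __init__(self, pcr_digest: bytes):
        self._srk = secrets.token_bytes(32)  # what the chip-level probe reads out
        self.pcr_digest = pcr_digest
        self.failures = 0

    def seal(self, disk_key: bytes, pin: bytes = b"") -> bytes:
        # The PIN is folded into the key derivation rather than merely checked,
        # so the root secret on its own does not yield the wrapping key.
        return seal_blob(kdf(self._srk, self.pcr_digest, pin), disk_key)

    def unseal(self, blob: bytes, pin: bytes = b"") -> bytes:
        if self.failures >= self.MAX_FAILURES:
            raise PermissionError("TPM locked out after too many failures")
        key = try_unseal(kdf(self._srk, self.pcr_digest, pin), blob)
        if key is None:
            self.failures += 1
            raise ValueError("wrong PIN")
        self.failures = 0
        return key

    def physically_extract_srk(self) -> bytes:
        """Models the outcome of the probing attack: the root secret, read off the bus."""
        return self._srk

def offline_attack(srk: bytes, pcr_digest: bytes, blob: bytes, pin_digits: int = 0):
    """With the root secret in hand no chip enforces the retry limit, so the attacker
    derives candidate wrapping keys offline. Returns (pin, disk_key, tries)."""
    for tries, digits in enumerate(itertools.product("0123456789", repeat=pin_digits), 1):
        pin = "".join(digits).encode()
        key = try_unseal(kdf(srk, pcr_digest, pin), blob)
        if key is not None:
            return pin, key, tries
    return None, None, 10 ** pin_digits

def online_attack(tpm: ToyTPM, blob: bytes, pin_digits: int) -> int:
    """The same guessing against an intact chip: how many guesses it accepted
    before the anti-hammering counter shut it."""
    tried = 0
    for digits in itertools.product("0123456789", repeat=pin_digits):
        try:
            tpm.unseal(blob, "".join(digits).encode())
            return tried + 1
        except ValueError:
            tried += 1
        except PermissionError:
            return tried
    return tried

def demo() -> dict:
    """Seal one disk key two ways, then attack both with the extracted secret."""
    pcr = hashlib.sha256(b"constructed boot measurements").digest()
    disk_key = secrets.token_bytes(32)
    tpm = ToyTPM(pcr)
    tpm_only = tpm.seal(disk_key)           # released to anyone who boots the expected state
    with_pin = tpm.seal(disk_key, b"7391")  # also depends on a constructed 4-digit PIN
    srk = tpm.physically_extract_srk()      # the crack
    _, k1, _ = offline_attack(srk, pcr, tpm_only)
    pin, k2, tries = offline_attack(srk, pcr, with_pin, pin_digits=4)
    return {
        "tpm_only_recovered": k1 == disk_key,
        "pin_recovered": pin,
        "pin_key_recovered": k2 == disk_key,
        "offline_tries": tries,
        "online_tries_before_lockout": online_attack(tpm, with_pin, 4),
    }
```

Running `demo()` shows the TPM-only key recovered on the first try, the four-digit PIN recovered after 7,392 offline derivations, and the intact chip locking after five guesses. The design lesson is the one the column draws: the chip's retry counter is part of the shell, and once the shell is gone the user's secret must carry the load on its own, so a PIN short enough to be convenient is no defense against an attacker with a lab.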
From a nation-state perspective, this crack simply confirms that the TPM is of little use beyond protecting sensitive but unclassified data. Some articles have mistakenly stated that the TPM is used to protect classified information at some government agencies; it is not. In the US, classified information must be protected with NSA-certified Type 1 cryptographic equipment, which is proprietary and unavailable to the public.
Does this mean that encryption is useless? Not at all. It means the system as a whole must be as well protected as the algorithm at its centre. Nothing in the TPM's cryptography was broken: the RSA and SHA-1 algorithms the TPM 1.2 specification uses are exactly as sound as they were before the crack. What was broken is the shell of hardware and software tamper protections around the chip's internal processing, so that keys could be read as they were used. A similar issue arose recently with several "secure" encrypted USB flash drives certified to FIPS 140-2: the drives' AES encryption was fine, but the host software checked the password itself and then sent the drive the same fixed unlock string no matter what password had been typed, so one captured string opened every drive of that model. In the same vein, the drives were cracked by subverting the mechanism that released the key, not the encryption itself.
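The flash-drive failure is worth seeing in code because it is a design pattern, not a vendor slip. The following is an added example, not the column's code and not the code of any real drive: a toy `WeakDrive` whose host software checks the password and then sends a product-wide constant to the controller, beside a `HardenedDrive` whose controller holds a salted verifier, derives the data key from the password itself and rate-limits guesses. The unlock constant, the PBKDF2 parameters, the lockout threshold of ten and the sample passwords are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed example: toy models of an encrypted USB drive whose unlock decision
# is made on the host, beside one that makes it on the device. Invented here to
# illustrate the column's point; not the code of any real product.

class WeakDrive:
    """The host program checks the password, then tells the drive 'open' with a
    constant that every unit of this model recognises. The AES data key behind
    the gate may be fine; the gate is not."""
    UNLOCK_TOKEN = bytes.fromhex("5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a5a")  # identical on every unit

    def __init__(self, password: bytes):
        self._pw_hash = hashlib.sha256(password).digest()  # verified by the host, not the drive
        self.unlocked = False

    def host_unlock(self, password: bytes) -> bool:
        """Runs on the PC: password check here, then the same token to the drive."""
        if hashlib.sha256(password).digest() != self._pw_hash:
            return False
        return self.device_receive(self.UNLOCK_TOKEN)

    def device_receive(self, token: bytes) -> bool:
        """Runs on the drive controller: all it knows is the constant."""
        self.unlocked = hmac.compare_digest(token, self.UNLOCK_TOKEN)
        return self.unlocked

def replay_attack(drive: WeakDrive) -> bool:
    """The attacker skips the host software and sends the constant recorded from
    one legitimate unlock (or lifted from the program). No password needed."""
    return drive.device_receive(WeakDrive.UNLOCK_TOKEN)

class HardenedDrive:
    """The drive stores a salted verifier and derives the data key from the password
    itself, so nothing the host holds opens the drive on its own, and the
    controller, not the PC, counts failures."""
    MAX_FAILURES = 10
    ITERATIONS = 100_000  # constructed value; a real controller would tune this

    def __init__(self, password: bytes):
        self._salt = secrets.token_bytes(16)
        self._verifier = self._derive(password)[:32]  # only the verifier is stored
        self.failures = 0

    def _derive(self, password: bytes) -> bytes:
        """64 bytes: first half is the verifier, second half the data key."""
        return hashlib.pbkdf2_hmac("sha256", password, self._salt, self.ITERATIONS, dklen=64)

    def device_unlock(self, password: bytes):
        """Runs on the controller: returns the 32-byte data key, or None on a wrong password."""
        if self.failures >= self.MAX_FAILURES:
            raise PermissionError("drive locked after too many failures")
        derived = self._derive(password)
        if not hmac.compare_digest(derived[:32], self._verifier):
            self.failures += 1
            return None
        self.failures = 0
        return derived[32:]

def guess_attack(drive: HardenedDrive, candidates) -> int:
    """Password guessing against the hardened drive: guesses accepted before lockout."""
    tried = 0
    for pw in candidates:
        try:
            if drive.device_unlock(pw) is not None:
                return tried + 1
            tried += 1
        except PermissionError:
            break
    return tried

def demo() -> dict:
    """Same password on both models; replay the weak one, guess against the hardened one."""
    weak = WeakDrive(b"correct horse battery staple")
    hard = HardenedDrive(b"correct horse battery staple")
    return {
        "weak_replay_unlocks": replay_attack(weak),
        "hardened_wrong_password": hard.device_unlock(b"letmein") is not None,
        "hardened_right_password": hard.device_unlock(b"correct horse battery staple") is not None,
        "hardened_guesses_before_lockout": guess_attack(hard, (b"pw%d" % i for i in range(1000))),
    }
```

What the hardened version removes is the product-wide constant: a USB trace of one unlock no longer opens every unit, and guessing is bounded by the controller's counter and the password-derivation cost rather than by a check the attacker can skip. The password still passes through the host, so a compromised PC remains a threat to the drive plugged into it; that is a different threat, and the design should be judged against the one it claims to address.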
The whole episode underlines a common problem where security meets commerce. The market wants an easy solution that will make all the ugly security problems go away, and vendors are happy to sell one. Frustrated and desperate customers hear what they want to hear, accept the "silver bullet" and move on. The lesson is to stay skeptical. Any security control buys time: it raises the cost and the delay an attacker must absorb to get in. Nothing provides perfect security that lasts forever, so the question to ask of any product is how much time it buys, against which attacker, and what is left when it fails.
Lee LeClair is the CTO at Ephibian. His Tech Talk column appears the third week of each month in Inside Tucson Business.