X
Tech

Hasta la Vista Secure TPM

from OS sandbox to application authentication support in a marketing generation
Written by Paul Murphy, Contributor
I spent some time last week reviewing the TPM-1.2 (Trusted Platform Module) implementation for Microsoft Vista because what Microsoft promised for Longhorn back in 2001 and 2002 seemed applicable to a current problem. As it turns out Vista doesn't deliver on any of that - in fact, the more I look at this the stranger it seems to me ...the ability to mimic any one authorized network device can render all others untrustworthy. that people are acting all horrified over another few weeks of delay in the delivery of NT 5.3 while saying exactly nothing at all about the substitution of another NT generation for Longhorn.

Let me explain, starting with a particularly clear description of what TPM/Longhorn was supposed to offer - it's from a late 2003 PC Magazine write-up by John Clyman:

NGSCB provides an additional mode that future software will optionally switch into when it needs to perform sensitive tasks. Imagine a three-layer cake with hardware devices at the bottom, kernel-mode software (such as the core OS) in the middle, and user-mode software such as applications on top. NGSCB conceptually splits each layer into two sides.

The left-hand side, where today's hardware and software exist, works as before, while the right-hand side is a secure space. Typical applications will run on the left-hand side until they need a secure service, then switch briefly to the right-hand side to fulfill that need.

Four key capabilities become available on the right-hand side: secure I/O, sealed storage, strong process isolation, and attestation (digitally signed program identification).

Secure I/O means that every bit of information flowing between input/output devices and the system is both encrypted (and thus difficult to snoop) and cryptographically signed (so it can't be altered en route). In initial versions of NGSCB, the secure I/O path specifically encompasses USB devices, including keyboards and mice; the CPU and chipset; graphics controllers; and the pathways that connect them. Protecting information at each of these stages means that malicious software can't, for example, monitor keystrokes or crawl video memory to observe what's being written to the screen.

Sealed storage is cryptographically secure disk storage that can be locked or unlocked only by particular keys, so one application can't peek into the contents of another application's sealed storage space without authorization. Strong process isolation similarly means that software can't examine or co-opt memory used by other software. And attestation provides a mechanism to make sure each application is what it says it is, by recording a cryptographic checksum that becomes invalid if the application changes in any way. The idea is to ensure that specified data can be accessed only by an application with explicit permission, and also that no application has been compromised by, say, a Trojan horse. This level of security should work not just on individual systems but also in the context of networked machines.

Now that may sound 1980ish to a Unix person, but remember this was next generation Windows as seen from 2003. By 2005, however, the vision had been modified by Intel's solution for hardware based DRM to become little more than an authentication technology. Here's the 411 direct from Microsoft::

 

TPM is a microchip designed to provide some basic security-related functions to the software utilizing it. The TPM chip is usually installed on the motherboard of a PC or laptop, and communicates with the rest of the system via a hardware bus.

Systems that incorporate a TPM have the ability to create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called "wrapping" or "binding" a key, helps protect the key from disclosure. On TPMs, the master "wrapping" key is called the Storage Root Key (SRK), and this key is stored within the TPM itself, so the private portion of the key is never exposed.

These systems can also take advantage of another feature of the TPM design that allows for creating a key that has not only been wrapped, but also tied to certain platform measurements such that the key can only be unwrapped when those platform measurements have the same values that they had when the key was created. This process is called "sealing" the key to the TPM. Decrypting it is called "unsealing." The TPM can also seal and unseal data that is generated outside of the TPM.

Systems that incorporate a TPM are resistant to attack in the same ways that any hardware is more resistant to attack than software - especially in the realm of cryptographic key management. Private portions of key pairs are kept segregated from memory controlled by the operating system. Keys can be sealed to the TPM, so certain assurances about the state of a system (its trustworthiness) can be made before the keys are unsealed and released for use. Also, since the TPM uses its own internal firmware and logical circuits for processing instructions, it does not rely upon the operating system and is not subject to external software vulnerabilities.

Basically it's gone from OS sandbox to application authentication support in a marketing generation -and that wouldn't be too bad if Microsoft's need to sell this to the control oriented lockdown market didn't sabotage the whole thing.

But maybe I'm reading them wrong; see what you make of this bit: from a 2006 Microsoft Vista document:

 

Scenario 2 Turn off and clear TPM

This scenario covers two common tasks that administrators would perform during a re-configuration or recycling of a TPM-equipped computer. These tasks are turning off the TPM and clearing the TPM.

 

Turn off the TPM

Some administrators may decide that not every TPM-equipped computer in their network needs have the additional protection a TPM provides. In this situation, it is best to ensure that the TPMs in those computers are turned off. The following procedure steps you through the process of turning off the TPM.

A physical presence is not required to turn off the TPM.

To perform the following procedure, you must be logged into a TPM-equipped computer with local administrator credentials.

To clear the TPM

Clearing the TPM cancels the TPM ownership and turns the TPM off. This should be done when a TPM-equipped client computer is recycled, or when the TPM owner has lost their TPM owner password and recovery information was not backed-up. The following procedure steps you through the process of clearing the TPM.

...

If you do not know your TPM owner password, click I don't have the TPM owner password, and follow the instructions provided to turn off the TPM without entering the password.

 

Huh? get your own network tap working and run a man in the middle attack to impersonate an authorized machine (or just "borrow" one network password) and you can turn TPM off remotely? And then re-initialize and reseal with your own (user invisible) password so it'll check out as working just fine, thank you very much. No local presence or password required? Is this for real?

FYI: in high security environments it's common to run parallel networks offering differentiated access to classified material depending on the user's authorization. In a Sun Smart display world, for example, the server is set up so each containerized group has its own uniquely accessible network interface with access to the group granted or denied depending on the authorizations encoded on the user's card and verified (at lower levels) by challenge and (at higher levels) by co-signatories.

Where PC clients are used for low risk access in this type of environment, those clients are usually constrained to run using TPM-1.2 - meaning that Microsoft's write-up suggests that the ability to mimic any one authorized network device can render all others untrustworthy - making a complete mockery of the promises made for Longhorn security and leaving me to wonder, again, why the media types who heralded the Longhorn ideas as certain to dominate the PC world by mid 2005 are so unanimously silent on the topic today.

Editorial standards