Trusted computing: How it works

NEWS With TPCA (Trusted Platform Computing Alliance) or Palladium technology, a computer can advertise its trustworthiness to other systems, such as websites. Trojan horses and applications for pirating software, meanwhile, won't be able to change data processed in the trusted parts of the PC. "A trusted platform can attest to its configuration, and I, a merchant, can decide if I want to deal with that PC," Marcus Varady, marketing manager for Intel's safer computing initiative and the chair of the TCPA steering committee, said in a recent interview. "I can then drop my wall of protection within that environment to collaborate with them on a trusted level." A website selling music, for example, could determine if a customer has a PC fitted out with such copyright protections before allowing any songs to be downloaded from the internet. However, opponents maintain that the price of such protection would be a reversal of the Information Age, in that it would impose more restrictions on people's use of information than any previous technology. William Arbaugh, an associate professor of computer science at the University of Maryland, acknowledged that the TPCA could improve security but said hardware and software modifications could do even more harm if abused by companies. "The TCPA as it stands now is unacceptable," Arbaugh concluded. In addition, even proponents of the technology concede that it is not foolproof in preventing piracy. Palladium, for instance, could not stop a hardware attack, which might cause some information to leak out. The technology's security disappears when data is outside the Palladium infrastructure, Microsoft's Biddle said. "Once Elvis has left the building, Elvis can't get back in the building," he added. The modifications to PC hardware are fairly mild for technology that could completely change how data is dealt with in the future. The TCPA and Microsoft's Palladium rely on additions to the hardware of normal PCs. While Palladium calls for more extensive changes, the modifications are remarkably similar. Both call for a new chip to be placed on the motherboard of all future computers. The chip would include new encryption functions as well as a small amount of memory that would act as a digital vault to store important keys to decrypt protected data. The TCPA refers to the chip as the "trusted platform module", a successor to Intel's processor ID - an idea the chipmaker abandoned in 1999 after a public outcry over privacy. Microsoft refers to the hardware component of Palladium as the "security support component". Microsoft and the TCPA envision that operating-system makers will add code to take advantage of the new hardware features. The software side of Palladium is Microsoft's vision of where such features can lead: Called the nexus or nub - or, more formally, the "trusted operating root" - the core software will handle all access to the new security. Microsoft will release the code for its nexus so that security-concerned developers can vet the software for flaws. Opponents criticise any process or technology controlled by a single company that may have ulterior motives - especially when that company is Microsoft. Eben Moglen, a noted Free Software Foundation attorney and professor of law at Columbia University, has argued that such proprietary initiatives could stunt the growth of open-source technologies like Linux, which is gathering strength as a challenger to the Windows operating system. Lucky Green warns that Palladium-like technologies could end up giving too much power to manufacturers of operating systems, such as Microsoft, at the expense of applications makers. "Since operating systems that restrict data can determine which applications can run, it changes the software landscape into first-citizen applications that have access to the content and second-citizen applications that don't have access," he said. "That puts the software makers at the mercy of the hardware vendors." Green suspects that Microsoft wants to use Palladium to enforce software licences. He claims the day after attending the USENIX Security Conference, he contacted an attorney and filed two patents on ways that Palladium-like systems could be used for such enforcement. While Green won't discuss his intentions, many believe he is trying to preempt companies from using the technology for this purpose. "The objective and capabilities are to secure the applications and data against the end user to the benefit of third parties," he said of trusted computing initiatives in general. Proponents scoff at such notions as conspiracy theory. "I have seen no signs that Microsoft and Intel are out to screw the world; and if they do screw the world, I think Congress will stop them," said the University of Pennsylvania's Farber. Nevertheless, all parties involved acknowledge the confounding complexity of the issue, and even Microsoft doesn't know where it will end up. "We can speak to what we intend to have happen," said Mario Juarez, another product manager for Palladium, but added, "there are so many unanswered questions at this point." Robert Lemos writes for News.com