Readers on identity and anonymity online
BEYOND THE PRACTICAL FUTURIST |
Read more by Michael Rogers on MSNBC: |
This column received a lot of play in various technophile blogs and newsgroups, including Slashdot, and I was surprised to see how relatively little the digerati seemed to know about the Trusted Computing concept, besides knee-jerk opposition to anything that threatens to “lock down” the Internet. There are, however, some extremely intelligent (and often quite abstract) discussions about identity on the Internet. A variety of those voices can be found in the two dozen sites linked at Kim Cameron’s Identity Weblog. One should know that Cameron is in charge of identity architecture at Microsoft, but both his commentary and the blogs he links to are quite ecumenical.
Finally, I received a long and thoughtful email from Mike Fratto who, as the editor of Secure Enterprise magazine, follows TPM issues closely since the chips are starting to be used by his corporate audience. Some of this is a tad technical, but he raises a number of good points:
"I doubt we will see the TPM used in the consumer space for a number of reasons:
1) It's incredibly complicated to use and that ain't changing anytime soon. To enable a TPM the user has to enter the BIOS and enable the TPM manually. Then they have to create a set of keys and remember all those passwords. ... Try explaining key management, escrow, and recovery to soccer-moms everywhere. Secondly, consumers won't understand what the TPM is used for and they won't use it."
As someone who has used computers since the Seventies, when doing almost anything was extremely difficult, I’m an unreconstructed optimist about the possibility of simplifying technology.
"2) No company serving customers wants to deploy software into a consumer computer. Once that happens, the company has to support the software and the consumer desktop. ... They avoid it like the plague."
Not sure about this: Macromedia and Real download and support a lot of software on consumer machines. And if supporting TPM turns out to be cheaper than other security measures (see above on how banks are struggling with the mandate of “two factor” identification) they may decide it’s worth the trouble.
"3) There is already a mechanism to validate the identity of a Web site when using SSL. It's part of the protocol. The fundamental weakness (though weakness is relative) is in DNS, which is wholly unsecure but is "trusted" as being authoritative. Using the TPM on the server side may help, but TPM processing is slow and that is unacceptable for busy Web sites. ... Besides, phishing and pharming is not a technical problem — it's a human one. There is NO technology that will stop phishing or pharming."
But the existence of both phishing and pharming depends on the establishment of bogus Web sites, which take advantage of weaknesses (as you point out) in software-based protocols. If TPM processing is the only way to fix that, somebody’s going to figure out how to make it work on the server side.
"4) When the computer starts, the TPM may or may not run system validation; it may or may not ask for user authentication; it may or may not even be activated; how the TPM is used depends completely on software. ... So in the case of authentication, the use of biometrics, tokens, and other hardware stuff is a non-starter in the consumer space because each device needs special drivers and software and there is no way to predict what will be installed on the laptop. At boot time, special drivers will have to be written to talk to the biometric device. That adds significant cost to a PC — an industry already selling on tight margins. Besides, biometrics, tokens, etc. are hard to use compared to passwords. Now users left to their own devices will choose easy-to-guess passwords, so to access the TPM, an attacker just has to guess, or capture, or trick the user into giving up that password."
Clearly, if TPMs use a biometric or physical token to validate the user, there will need to be some standardization on the driver software. If users demand secure computing, manufacturers will figure out how to build it in cost-effectively (look at how many hardware additions, starting with clocks and sound-cards, have been added to personal computers over the last two decades even as prices continued to drop). As far as users defaulting to a password, rather than something more secure, that’s a question of education and culture. A lot of people used to leave their front doors unlocked, too.
"5) Arbitrary applications can't access the TPM, they must be authorized by the end user. Users are "trained" to click through any dialog box that pops up without even reading what they are agreeing to. The Sony/BMG case is relevant (not the problems, but the acceptance of the DRM in the license agreement). So as an attacker, I can just as easily build a Trojan that victims will install because of their "training.""
This strikes me as another implementation and education issue, not a reason to scrap the whole idea.
"6) The TPM won't encrypt e-mails by itself. It encrypts/decrypts keys that are used by software to then encrypt/decrypt/sign email provided the user enables email security. Again, there have been standardized protocols available for years, but they are rarely used in the consumer space because of other factors."
Indeed, one of the factors that have kept consumers from encrypting e-mail is that it’s difficult. TPMs on both ends would likely make it easier. But the real reason I cited this was simply to show that having a firm identity on the Internet didn’t necessarily mean a loss of privacy.
"7) The whole DRM issue is a red herring. Media distributors are already doing DRM without the TPM. The TPM only protects the keys while they are being stored. Once a DRM application extracts the keys from the protection of the TPM, those keys are available in memory and can be read. It is easily crackable."
That’s interesting. The biggest concern among critics about TPM seems to be its potential for Draconian digital rights management. If it’s easily crackable, then the media companies are going to have to come up with something else.
The question of identity and anonymity on the Internet clearly isn’t going away anytime soon — in many ways, I think it’s the most important issue facing cyberspace today. I look forward to hearing more from readers about where we should take the discussion next.

