Trusted Computing Group Backgrounder May 2003 Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved
Trusted Computing Group Enabling the Industry to Make Computing More Secure Businesses, governments, academic institutions, and individual users are becoming increasingly interconnected through a variety of wired and wireless communication networks and with a variety of computing devices. Concerns about the security of communications, transactions, and wireless networks are inhibiting realization of benefits associated with pervasive connectivity and electronic commerce. These concerns include exposure of data on systems, system compromise due to software attack, and lack of user identity assurance for authorization. The latter concern is exacerbated by the increasing prevalence of identify theft. In addition, as users become more mobile, physical theft is becoming a growing concern. Users and IT organizations need the industry to address these issues with standards-based security solutions that reduce the risks associated with participation in an interconnected world while also ensuring interoperability and protecting privacy. Standardization will also enable a more consistent user experience across different device types. The Trusted Computing Group (TCG) has been formed to respond to this challenge. The purpose of TCG is to develop, define, and promote open, vendor-neutral industry standard specifications for trusted computing. These include hardware building block and software interface specifications across multiple platforms and operating environments. Use of these standards will help users keep the data and digital identities on their systems more secure from external software attack and physical theft. They can also provide capabilities which can be used for more secure remote access by the user and enable the user s system to be used as a security token. This backgrounder will provide an overview of the threats being addressed by TCG, the structure and specifications of the organization, and the user and IT benefits that can be derived from the use of TCG specifications. The Threat of Software Attack A critical problem being addressed by creation and use of these specifications is the increasing threat of software attack due to a combination of increasingly sophisticated and automated attack tools [1], the rapid increase in the number of vulnerabilities being discovered [1], and the increasing mobility of users. The large number of vulnerabilities is due, in part, to the incredible complexity of modern systems. For example, a typical Unix or Windows system, including major applications, represents on the order of 100 million lines of code. Recent studies have shown that typical product level software has roughly one security related bug per thousand lines of source code. Thus, a typical system will potentially have one hundred thousand security bugs. The reality of this problem can be seen in data on reported vulnerabilities and incidents maintained by the CERT Coordination Center (CERT) at the federally funded Software Engineering Institute operated by Carnegie Mellon University [2]. For example, reported vulnerabilities have, on average, doubled each year for the past three years. Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 2
Vulnerabilities Reported No. of Vulnerabilities 4500 4000 3500 3000 2500 2000 1500 1000 500 0 1995 1996 1997 1998 1999 2000 2001 2002 The large and rapidly increasing number of vulnerabilities creates an ideal situation for hackers, as the difficulties associated with keeping up with necessary patches (when available) creates an environment in which most systems will have at least one of the known vulnerabilities. Client systems are particularly vulnerable, as they typically do not have security-aware administrators to keep up with the patches. And, hacker interest in client systems is increasing, due to the valuable information stored on these increasing mobile systems. The resulting number of incidents reported to CERT below, each of which may represent multiple systems, demonstrates that the problem is indeed very real. Incidents Reported No. of Incidents 90000 80000 70000 60000 50000 40000 30000 20000 10000 0 1995 1996 1997 1998 1999 2000 2001 2002 The end result is that the data on systems is at risk. This risk takes several forms. First, there is risk of electronic theft of valuable personal or enterprise data. Second, there is risk of electronic theft of identity / authentication information which can give hackers access to other systems and accounts, thereby compounding the potential damage related to these attacks. In addition, as Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 3
users become more mobile, there is an increasing risk that data and identity information on user systems may be compromised due to physical theft or loss. As these risks increase, there is also an increasing recognition that software-only security mechanisms are not sufficient to protect information assets (e.g. user data, passwords, keys, credit card numbers, etc.). Even firewalls protecting intranet environments do not provide much comfort, as software attacks are known to originate from users inside these firewalls (e.g. from users on an intranet) and may also bypass these firewalls (e.g. via e-mail attachments), thus attacking from within. The use of hardware-based embedded security subsystems is an increasingly important approach for protecting information assets from compromise due to these attacks. TCG s goal is to make these protections available across a broad range of computing devices with common software interfaces to facilitate application development and interoperability. In addition to protecting against compromise, the TCG specifications provide mechanisms for proactively establishing a more trusted relationship for remote access through more secure user authentication and machine authentication and/or attestation. Incorporation of TCG The Trusted Computing Group, which was announced on April 8, 2003, is incorporated as a notfor-profit corporation with international membership and broad industry participation. The purpose of TCG is to develop, define, and promote open industry standard specifications for embedded hardware-enabled trusted computing and security technologies, including hardware building blocks and software interfaces, across multiple platforms, peripherals, and devices. By using the building blocks and software interfaces defined by TCG specifications, the industry can address a range of security needs without compromising functional integrity, privacy, or individual rights. TCG was created with an organization structure and governance model, as defined by the TCG bylaws, which is similar to many other computing industry standards bodies. This includes the following: An open membership model with multiple membership levels A Board of Directors consisting of Promoters and elected Contributors Multiple Work Groups that are open to Promoter and Contributor members and seek active participation by these members A reciprocal reasonable and non-discriminatory (RAND) patent licensing policy between the members Supermajority voting at the Board and Work Group level to facilitate progress This structure is designed to enable the expedient development of open, industry standard specifications with broad industry participation and to foster widespread adoption of the organization s specifications. The key deliverables of TCG will be hardware and software interface specifications, white papers and other materials that facilitate understanding and adoption of the specifications, and marketing programs that promote awareness and customer adoption. TCG also plans on introducing a logo program that will enable users and IT departments to determine which system(s) are compliant with the TCG standards. Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 4
Further information on the bylaws and membership levels are available on the web at www.trustedcomputinggroup.org. TCG Specifications: TCG has adopted the published specifications of the Trusted Computing Platform Alliance (TCPA) as its initial specifications. This includes Main (TPM) Specification 1.1b and PC Specific Implementation Specification 1.0. TCG will enhance these specifications, extend their use across multiple platform types, and provide new software interface specifications to facilitate application development and interoperability. TCPA has recognized TCG as a successor organization for development of trusted computing specifications and all work on future specifications has moved to TCG Work Groups. Future TCG specifications will provide backward compatibility with TCPA specifications. As of May 2003, TCG has established operational technical Work Groups for future Trusted Platform Module (TPM) and PC Specific Implementation Specifications as well as for a new TCG Software Stack (TSS) Specification. Work Groups for server, PDA, and mobile phone platform- specific implementation specifications will be operational soon. TCG also has an active Conformance Work Group that will develop Common Criteria Protection Profiles. As an open standards body with members representing a wide range of computing platforms and operating system environments, TCG will receive inputs for new specifications from the membership and then finalize these specifications based on the process prescribed in the bylaws. TCG s RAND patent licensing policy is intended to invite the broadest participation and produce the best technical solutions. The end result will be specifications that can be broadly adopted across multiple platform types and environments to address a range of security needs. Specifications are not developed exclusively for any specific company products or architectures. The first two TCG specifications, which are expected in 2H 03, will be an enhanced Trusted Platform Module (TPM) Specification and a new TCG Software Stack (TSS) Specification. TCG Policies that impact specification development are: Open Platform Development Model - TCG is committed to preserving the open development model that enables any party to develop hardware, software, or systems based on TCG specifications. Further, TCG is committed to preserving the freedom of choice that consumers enjoy with respect to hardware, software, and platforms. Platform Owner and User Control TCG is committed to ensuring owners and users of computing platforms remain in full control of their computing platform and to requiring platform owners to opt-in to enable TCG features Privacy Effect of TCG Specifications TCG is committed to ensure that TCG specifications provide for an increased capability to secure personally identifiable data. Trusted Platform Module (TPM) Overview The Trusted Platform Module (TPM) is a hardware component that provides four major functions. 1. Asymmetric key functions for on-chip key pair generation using a hardware random number generator; private key signatures; and public key encryption and private key decryption of keys enable more secure storage of files and digital secrets. This is accomplished through hardware- Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 5
based protection of (1) the symmetric keys associated with software-encrypted files (data, passwords, credit card numbers, etc.) and (2) private keys used for digital signatures. This includes use of the TPM random number generator to create keys and performance of operations on private keys created by the TPM (digital signatures, public key encryption for storage, decryption) in the TPM. Private keys created in the TPM are protected by the TPM even when in use. 2. Secure storage of HASH values representing platform configuration information in Platform Control Registers (PCRs) and secure reporting of these values, as authorized by the platform owner, in order to enable verifiable attestation of the platform configuration based on the chain of trust used in creating the HASH values. This includes creation of Attestation Identity Keys (AIKs) that cannot be used unless a PCR value is the same as it was when the AIK was created. 3. An Endorsement Key which can be used by an owner to anonymously establish that identity keys were generated in a TPM, thus enabling confirmation of the quality of the key without identifying which TPM generated the identity key. 4. Initialization and management functions that allow the owner to turn functionality on and off, reset the chip, and take ownership, with strong controls to protect privacy. The system owner is trusted and must opt-in. The user, if different from the owner, may opt-out if desired. An Endorsement Credential, in conjunction with Conformance and Platform Credentials, can be used, as authorized by the owner, to create Attestation Identity Key (AIK) Credentials that can be attested to by a certificate authority. TCG specifications describe the creation of these credentials in order to enable their use, but TCG will not issue credentials itself. TCG Software Stack (TSS) Overview The TCG Software Stack (TSS) will provide a standard software interface for accessing the functions of the TPM in order to facilitate application development and interoperability across platform types. The TSS includes functions that can be used to create interfaces for existing crypto APIs such as Microsoft CryptoAPI (CAPI), CDSA, and PKCS#11, thereby enabling TPM support for current and future applications using these APIs. To make full use of the TPMs capabilities, including such functions as key backup, key migration, platform authentication and attestation, applications will need to write directly to the TSS. Platform Specific Implementation Specifications Overview The TPM specification is a platform independent specification for enhancing security and trust in computing platforms. Platform Specific Implementation Specifications are developed to ensure compatibility among implementations within each computing architecture. They include definition of the Core Root of Trust for Measurement (CRTM) and the Trusted Building Block (TBB). The TBB includes the TPM, CRTM, and how they are connected to a platform. The method for establishing the chain of trust for the platform is also defined. As an example, per TCG PC Specific Implementation Specification v.1.0, the CRTM for PCs is the BIOS or BIOS boot block and the BIOS is required to load HASHES of pre-boot information into various PCRs of the TPM. This establishes the anchor for the chain of trust and the basis for platform integrity metrics. This can be used to validate that the platform configuration has not changed and that the BIOS has not been changed by malicious code such as a Trojan horse. While not required, verifiable attestation of the platform configuration can be extended by a chain of trust to the boot loader, operating system, and applications if software support for this is provided. TCG does not provide specifications for how this is accomplished, as this is under the control of these software suppliers. Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 6
Protection Profiles Overview Protection Profiles are separate documents that refer back to the TCG specifications and can be used to judge conformance with standard security properties and principles using independent lab evaluation and certification to Common Criteria Standards (ISO/IEC 154080). A Protection Profile provides security requirements such as environment, threats, objectives, and Evaluation Assurance Level (EAL) for platform subsystems (e.g. TPM, TBB). A vendor or manufacturer can create a Security Target (ST) that describes their evaluated product or Target of Evaluation (TOE) that describes how these requirements are met and have this independently verified by a Common Criteria lab. The planned logo program will be based, in part, on system conformance as demonstrated by independent testing using these protection profiles. User and IT Benefits TCG s current specifications, which have been implemented in desktop and notebook PC s and are supported by multiple applications, can immediately benefit users and enhance confidence in the security of their systems in many ways. Examples are: More secure storage of files, personally identifiable information, and digital secrets. This protects both data and identity from compromise due to external software attack or physical theft. More secure user authentication by protection of keys used by authentication processes such as 802.1x, S-MIME e-mail, and VPN s. This enhances the security of remote access. Lower-cost and stronger user authentication by using the TPM in a TPM enabled system as a security token along with other types of authentication (passphrases, fingerprint readers, keyfobs, smartcards, proximity badges, SIMs, etc.) to achieve stronger multifactor user authentication. In this case, the system becomes what you have from an authentication standpoint. In addition, there are a number of additional benefits that will be realized as applications are developed to more fully exploit the capabilities of the TPM: More secure platform authentication through protection of an identity key that is associated with the platform Platform authentication with multiple anonymous trusted identities which, when combined with user authentication, will enable additional remote access security while protecting privacy. More secure data protection through confirmation of platform integrity prior to decryption. In Summary: The goal of TCG is to answer the need for increased security and trust in computing platforms. The open industry standard hardware building block and software interface specifications developed and promoted by TCG will attain this goal through hardware-based cryptographic functions, protected storage of user data and secrets, mechanisms for secure storage and reporting of platform integrity information, and platform authentication with multiple attestation identities. TCG invites broad and active industry participation in the development of open industry standard specifications for increased security and trust in computing devices. Work is already underway Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 7
for PC s, servers, PDA s, and mobile phones, but other devices would also benefit from enhanced security. As the threats to trusted computing and technologies evolve, TCG will continue to look for opportunities to work with the industry to make meaningful contributions to enhancing the security of the computing environment. Information on TCG and how to join is located at www.trustedcomputinggroup.org. References: 1. CERT Web Site: http://www.cert.org/archive/pdf/attack_trends.pdf [Overview of Attack Trends] 2. CERT Web Site: www.cert.org/stats/cert_stats.html [CERT/CC Statistics] Copyright 2003 Trusted Computing Group (www.trustedcomputinggroup.org.) All Rights Reserved 8