January 2005 Computer Fraud & Security 7

TRUSTED COMPUTING

The first stepsIn 1996, an early discussion by WilliamA. Arbaugh and others proposed a solu-tion to the problem.1 Three years later,in 1999, the Trusted ComputingAlliance was formed by a number ofhardware and software companies. Themanufacturers of hardware and softwaredecided to develop a suitable architec-ture that would enhance the underlyingsecurity of computers (for the purposeof this article, the term ‘computer’includes mobile telephones, personaldigital assistants and any other devicethat will be affected by ‘trusted’ com-

puting). A new entity was subsequentlyformed in early 2003, called the TrustedComputing Group.2 In a backgrounddocument available on their website,the Trusted Computing Group set outtheir stall:

‘The Trusted Computing Group (TCG) is a not-for-profit organizationformed to develop, define, and promoteopen specifications for trusted computingand security technologies, including hard-ware building blocks and software inter-faces, across multiple platforms, peripher-als, and devices. TCG specificationsenable more secure computing environ-ments without compromising functionalintegrity, privacy, or individual rights.The primary goal of these specificationsand their implementation is to help usersprotect their information assets (data,passwords, keys, etc.) from compromisedue to external software attack and physical theft

Through its member-driven workgroups, TCG is extending its specificationsinto a variety of related devices, includingmobile devices, servers, peripheral devices,infrastructure and embedded systems.TCG has created software interface speci-

fications for development of applicationsto build on TCG technology. TCG also has created a work group to addressendpoint integrity to enable systemadministrators to ensure remote systemsconnecting to the network are trusted and secure.’

In addition, Microsoft began thesearch for computer security with theintroduction of Palladium in 2002, nowcalled Next-Generation SecureComputing Base (often abbreviated toNGSCB).3

The solution Two phrases are used to describe, albeitinaccurately, the concept developed bythe Trusted Computing Group: ‘trustedcomputing’ and ‘trustworthy comput-ing’. Ross Anderson suggests the phrase‘controlled computing’ may be moreappropriate.4 The aim is to increase thetrust to be placed in the computer. The

assumption is that a software processcannot provide reliable informationunless it can be certain that the process

Trusting your computer to be trustedStephen Mason

It is axiomatic that computers are not to be trust-ed. As a tool, they are capable of improving ourlives. However, beneficial as computers may be,they are also unsafe. The dangers are obvious,although what you consider is a threat willdepend on your perspective. Application softwarevendors do not always receive licence fees for allof their software running on every computer.Users have to buy anti-virus solutions to protecttheir computers from attack by malicious code.Owners of secrets have to take precautions to prevent the unauthorized use or theft of sensitive data. Musicians, actresses andauthors want to be properly remunerated for their creativity. Therange of problems associated with the misuse of computers is manifest, and once a computer is linked into a network, the risksincrease considerably.

Stephen Mason

“The aim is to

increase the

trust to be

placed in the

computer ”

1 William A. Arbaugh, David J. Farberand Jonathan M. Smith, “A Secure andReliable Bootstrap Architecture”,December 2, 1996 available in electron-ic format at http://www.cis.upenn.edu/~waa/96-35/footnode.html - 19.

2 The web address of the TrustedComputing Alliance (http://www.trused-computing.org) re-directs the viewer tothe Trusted Computing Group web siteat https://www.trustedcomputinggroup.org/.

3 The web address is http://www.microsoft.com/resources/ngscb/default.mspx.

4 Ross Anderson ‘Cryptography andCompetition Policy – Issues with‘Trusted Computing’’ paragraph 2.1 available in electronic format at http://www.cpppe.umd.edu/rhsmith3/ papers/Final_session1_anderson.pdf.

Computer Fraud & Security January 20058

TRUSTED COMPUTING

itself works in accordance with a definedexpectation. For instance, an item ofmalicious code may send files to all ofthe email addresses in an address bookwhen the computer is connected to anetwork. In all probability, the code willundertake this activity without theauthority of the computer owner. In thisexample, assuming the owner uses thecomputer to create and manage files,they trust the computer to carry out

these specific tasks. However, if mali-cious code has been surreptitiously sidledinto the computer by some means, thecomputer is not to be trusted, becausethe malevolent code causes the computerto work in a way that is not in accor-dance with the expectations of theowner.

The aim of the Trusted ComputingGroup is to ensure the computer worksin accordance with an expectation. Theexpectation is achieved by attesting tothe state of the software applications thatrun under an operating system and upona hardware platform. Central to the con-cept is the process of vouching for theaccuracy of information. Set out below isa simplified explanation of how itworks.5

Protected capabilities The term ‘protected capabilities’ is usedby the Trusted Computing Group toindicate a set of commands that provideaccess to what is termed ‘shielded loca-tions’ where sensitive data are stored.Central to the concept is the TrustedPlatform Module (TPM), which imple-ments the protected capabilities func-tion. The TPM can be implemented asan item of hardware or as software.Where it takes the form of hardware, itis a chip that is separate from the mainprocessor, but is attached to the moth-erboard. The specification requires theTPM to be tamper resistant. The indi-vidual components that make up theTPM are set out in the TCGSpecification Architecture Overview(hereafter ‘Specification’). The TPM hasbeen described as a ‘self-contained pro-cessing engine with special capabilitiesthat include the following:

• Random key number generator.• A digital signature engine.• A hash function.• Asymmetric encryption.’6

The TPM is known as a ‘root of trust’and is implicitly trusted. In effect, theTPM causes a measurement kernel tomeasure events. There are two types of data measured:

• A representation of embedded dataor program code.

• The measurement of hash digest ofthis code.

The embedded data or program code is a digest of components that havebeen measured during the manufacturing stage, and created by the manufacturer. It is interesting tonote that the Specification makes itclear that components ‘that pose athreat to security’ should be vetted forback doors.7

The aim is for the TPM to trust eachof the components on the platform. Thisis achieved by expanding trust from theTPM to all other components on thecomputer.

When the computer is powered up, a‘Core Root of Trust for Measurement’(CRTM) measures its own integrity inthe Basic Input Output System (BIOS)and the integrity of the entire BIOS.The CRTM stores a condensed summa-ry of the measurements in the TPM.These measurements cannot be alteredor deleted. Several other measurementsthen occur in sequence, and if there is anew item of software that has beenrecently introduced, the operating sys-tem updates the measurement. Eachcomponent measures the next compo-nent in the chain, and stores the valuecreated in such a way that it cannot bealtered by another component. In thisfashion a chain of trust is created. Anymalicious code that has been introducedinto the system cannot be hidden,because it does not contain any autho-rized embedded data or program code.As a result, it is not capable of alteringany other item of software without thechange being noticed.

Once this security mechanism is inplace, based on mathematical inductionby way of the extensive use of cryptography, the operating system canbe used in what is termed the trustedmode. The question is, how can it betrusted?

AttestationThe platform can be checked for integri-ty by a process called attestation. The

“The TPM is

known as the

‘root of trust’

and is implicitly

trusted”

5 For a detailed explanation, the readeris directed to 'TCG SpecificationArchitecture Overview' Revision 1.2dated 28 April 2004, available in elec-tronic format on the TrustedComputing Group web site.

6 Stefan Bechtold ‘The Present andFuture of Digital Rights Management –Musings on Emerging Legal Problems’in Eberhard Becker, Willms Buhse, Dirk Günnewig, Niels Rump (eds.),Digital Rights Management –Technological, Economic, Legal andPolitical Aspects (Springer, Berlin 2003),pp 597-654, p 634 available in electronic format athttp://www.jura.uni-tuebingen.de/bechtold/pub/2003/Future_DRM.pdf.

7 TCG Specification ArchitectureOverview’ paragraph 4.2.5.4.4.

January 2005 Computer Fraud & Security 9

TRUSTED COMPUTING

Trusted Computing Group have provid-ed a glossary, which provides for fourtypes of attestation, and one form ofauthentication.8 This process can be ini-tiated by the owner of the computer(‘owner’ for the purpose of this papermeans the legal owner), or it can be initiated remotely by a third party application.

Where the owner decides to attest the TPM, specific internal data to theTPM is digitally signed using anAttestation Identity Key (AIK). Thedescription of the AIK key is providedin the glossary:

‘A special purpose signature key createdby the TPM; an asymmetric key, the pri-vate portion of which is nonmigratable andprotected by the TPM. The public portionof an AIK is part of the AIK Credential,issued using either the Privacy CA[Certification Authority] or DAA [DirectAnonymous Attestation] protocol. An AIKcan only be created by the TPM Owner ora delegate authorized by the TPM Owner.The AIK can be used for platform authen-tication, platform attestation and certifica-tion of keys.’

When they decide to test the TPM,the owner is responsible for acceptingthe validity of the integrity measure-ment. A comparison is made of the actu-al state of the TPM against its anticipat-ed state. The aim is to be assured thatany software that is running is known,and can be identified.

Remote attestation can take placewhere a third party, such as a softwarevendor or the owner of intellectualproperty (such as music), may wish tointerrogate the TPM on the owner’scomputer to identify whether the par-ticular computer has any integrity. Thiscan be carried out by initiating theintegrity challenge over the Internet, forinstance.

Other features The Trusted Computing Group includeadditional properties that reinforce theconcept, two of which are:

• Secure booting or process isolation:The operating system is designed todetect, during the boot-up process,that the system has not booted-up asit should. One example would bewhere spyware slipped into the sys-tem unnoticed or where software hasbeen added that is not licensed. Thesecurity of the additional code wouldimmediately be suspect. As a result,

the booting process may stop.However, because the process tableand memory are designed to besecure, the malicious code will notaffect the system.

• Sealed or protected storage:Data can be stored in a secure storage area. The Storage Root Keycontrols the secure storage area,which is stored in the TPM. Datacan be stored in a secure area relat-ing to each program. Where soft-ware is stored in a secure area, itcannot be retrieved unless the valuesof the software stored in the TPMare the same as the values on thesystem at the time the store is interrogated.

An additional feature that is describedin the literature but not, it seems, clearly

set out in the Specification, includes thecreation of trusted identities, using digi-tal signatures and external certificationauthorities. Apparently it is possible tocreate pseudonymous identities.9 Theseare not the only characteristics that areassociated with controlled computing,and further attributes can be found bycarrying out a simple search on theInternet.

Uses for controlled computingA number of practical uses have beenproposed for controlled computing.They include:

• Remote electronic voting:The server handling the voting couldinterrogate the computer from whichthe voter intends to cast their vote toensure the software has not beenaltered.

• Online games:Although online gaming is rapidlyincreasing in popularity, cheating is, apparently, widespread. As with remote electronic voting, the

“Controlled

computing will

become a

reality without

too much

fuss ”9 For a discussion of this particularissues, see Stefan Bechtold ‘The Presentand Future of Digital RightsManagement – Musings on EmergingLegal Problems’ p 636. The languageused by the Trusted Computing Groupin many of its documents tends to beboth opaque and confusing (as alsonoted by Catherine Flick ‘TheControversy over Trusted Computing’ athesis submitted in partial fulfilment ofthe requirements of the degree ofBachelor of Science Honours (Historyand Philosophy of Science), Universityof Sydney, June 2004 available in elec-tronic format at http://luddite.cst.usyd.edu.au/~liedra/misc/Controversy_Over_Trusted_Computing.pdf ). This may bethe fault of the author of this article,rather than those responsible for writingthe documents published by the TrustedComputing Group.

8 ‘TCG Glossary’ Specification Revision0.1 22 July 2004, available in electronicformat on the Trusted ComputingGroup web site.

Computer Fraud & Security January 200510

TRUSTED COMPUTING

server will be able to interrogate the computer of the player to ensure the software has not beenmodified.

• Online banking:Passwords and PIN numbers can bestored in the secure storage area, andthe bank could undertake remoteattestation of the user’s computer toensure the system has not been modi-fied by malicious software.

• Computer to computer networks:The feature that permits a thirdparty to attest to the integrity ofanother computer remotely, also allows a person who forms part of a peer-to-peer network toensure the computer they connect to is to be trusted. In this instance,the recipient machine can effectively restrict the amount of data that is made available to a computer that makes a connection.10

• Digital rights management:This aspect permits owners of intel-lectual property, such as music, filmsand books published in digital for-mat, to exercise greater control overthe terms of the licence under whichthe property is sold, and to preventthe property from being passed on toothers illegally.11

• Preventing netspionage:A corporation will be able to secure sensitive corporate data frommis-use by officers, employees andcontractors with access to the computer infrastructure. Espionagewill be more difficult for commer-cial organizations as well as governments (that is, unless govern-ments are provided with the copiesof the keys used to secure the system).

Some concerns with controlled computing The concept of ‘trusted computing’ hasbeen widely denounced by commenta-tors in the media and by some acade-mics.12 Ideally, there are a number ofissues that should be resolved beforecontrolled computing is introduced.However, it is probable that, given thenumber of products that are already onthe market,13 and the large number ofmanufacturers that are part of theTrusted Computing Group, controlledcomputing will become a reality with-out too much fuss by owners (includinggovernments, in all probability) until it has become ubiquitous through ignorance.

The main problems that merit atten-tion include the following:

• Remote attestation:Third parties will have the ability tointerrogate a computer to check thestate of the TPM. Whilst this facili-ty will enable an organization toestablish the integrity of a computerthat an employee is using to connectto the network remotely, it will also

enable some people to refuse tocommunicate with an owner unlessthe owner is running their software.Another example is where the owner of a film will theoreticallyhave a far greater element of control over how the owner of acomputer is permitted to view afilm (providing they are also theowner of the rights to view thefilm), such as how many times theyare permitted to watch it, andwhether they can copy it or view iton another device, such as a televi-sion. If the film company refuses topermit the fair use of the film, per-haps because it can only be viewedby a specific application on a specif-ic computer, then it is possible thatcopyright laws may be infringed.Further, software vendors mightmodify future versions of their soft-ware to prevent an owner fromchanging to a competing applica-tion. This has serious implicationsfrom the point of view of privacyand possible anti-competitive behaviour.

“The implications

of controlled

computing are

profound and

far reaching”

10 Stuart E. Schechter, Rachel A.Greenstadt, and Michael D. Smith'Trusted Computing, Peer-To-PeerDistribution, and the Economics ofPirated Entertainment' HarvardUniversity, 29 May 2003 available in electronic format at http:// www.eecs.harvard.edu/~stuart/papers/eis03.pdf.

11 Ryan Roemer 'Trusted Computing,Digital Rights Management, and the Fight for Copyright Control onYour Computer' 2003 UCLA J. L. & Tech. 8.

12 As a starting point, Stefan Bechtoldprovides a useful list of links athttp://cyberlaw.stanford.edu/blogs/bech-told/tcblog.shtml.

13 Apparently some TCG membersalready offer products based on the spec-ifications. These include systems fromFujitsu, HP, IBM and Intel.Components that can implement thehardware specification are available fromAtmel, Broadcom, Infineon, NationalSemiconductor and STMicroelectronics.Software and applications are availablefrom M-Systems, NTRU, Softex (OmniPass and Theft Guard), Utimaco(SafeGuard), Verisign (Personal TrustAgent) and Wave Systems (EmbassyTrust Suites). See the TrustedComputing Group web site for moredetails.

January 2005 Computer Fraud & Security 11

TRUSTED COMPUTING

• Trusted third party and privacy:Trusted third parties manage theprivacy of the owner on a controlled computing platform. Anowner is able to establish separateidentities, but must do so throughthe trusted third party. This meansthe trusted third party is capable oflinking all of the anonymous cre-dentials to the owner, because theuser is uniquely identified in eachcertificate.14

• Use by criminals:An owner of a controlled computingplatform is able to keep data securefrom being viewed or tampered. Theactivities of terrorists, criminalsintent on stealing, and the distribu-tion of child pornography will berelatively easy to hide from theauthorities. If such illegal activity isto be uncovered, then suitablemechanisms need to be in place toenable a law enforcement authority,

with the requisite authority, toobtain access to the relevant keys inorder to obtain evidence of wrongdoing.

The implications of controlled com-puting are profound and far reaching.This article has only touched lightly onthe concept, its properties and some ofthe objections that have been raised.There are a number of significant issuesthat have not been addressed, and maynever be, unless governmentsintervene.15 Of particular concern iswhether, once an owner has bought acontrolled computer, they will be ableto completely disable the security func-

tions. This raises another point of star-tling importance that has not beenaddressed by the Trusted ComputingGroup, even in the glossary it has produced.

Muddled language specificationsThe language used in the documents

made publicly available is imprecise and impenetrable to the point of being obscure at times. For instance,the phrases ‘trust’, ‘control’, ‘opt-in’ and ‘ownership’ are all used in differentcontexts. As a result, it is difficult todetermine a precise meaning for any ofthese words. As pointed out byCatherine Flick in her dissertation, this is in ‘sharp contrast to the language more usually used in the specification of new computer systemsor protocols’.16

Those that have defended the conceptof controlled computing assert, some-times correctly, that opponents tend topass judgment on the concept unfairly.If controlled computing were to be thesubject of proper control before itcreeps in to general use (it has alreadybegun the march), then the first criti-cism that must be put right is the con-fusing use of language. The documentsproduced by the Trusted ComputingGroup demonstrate how the Englishlanguage has been shredded and re-assembled into insignificance. Meaningis rendered meaningless by ambiguity.For instance, the language used in thedocuments permit a variety of meaningsto be imputed to the word ‘ownership’that causes clear confusion. To obfus-cate the concept in this way is not help-ful. If controlled computing is success-ful, it will not be because of the clarityof the concept and its design features asexpressed in some of the documentsmade publicly available.

Legal ActionThe potential for legal action is

immense. Failing to educate ownerseffectively about the attributes of con-trolled computing devices adequately orat all, will inevitably lead to litigation.The entire edifice is predicated on publickey infrastructure, and unravelling liabil-ity will be like entering a maze. In manyrespects, ‘trusted’ computing will proba-bly cause as many problems as it will failto solve.

About the author

Stephen Mason took his first degree after9 years in bomb disposal, and was a prac-ticing barrister at St Pauls Chambers,Leeds. He is a member of the IT Panel ofthe Bar, General Editor of eSignatureLaw Journal and author of ElectronicSignatures in Law (Butterworths, 2003).Stephen specialises in e-risks, includingsecurity, retention of electronic documents,evidential admissibility, electronic signa-tures, cryptography, authentication, interception and e-mail and internet usepolicies.

“The potential

for legal action

is immense”14 See Bill Arbaugh ‘Improving theTCPA Specification’ IEEE Computer,August 2002 77 – 79 for more detail.Privacy concerns have also been raisedby the Federal government of Germany,the German Insurance IndustryAssociation and Article 29 DataProtection Working Group of theEuropean Union: ‘Working Documenton Trusted Computing Platforms andin particular on the work done by theTrusted Computing Group (TGCgroup)’ 23 January 2004 11816/03/EN WP 86. See also the author’s comments in relation to the complexproblems surrounding the contractualand non-contractual liability ofCertification Authorities in Stephen Mason Electronic Signatures in Law (LexisNexis Butterworths,2003).

15 The paper by Ross Anderson‘Cryptography and Competition Policy– Issues with ‘Trusted Computing’’ dis-cusses some issues that governmentsought to consider.

16 Catherine Flick ‘The Controversyover Trusted Computing’ paragraph 3.2.