Service Desk 0300 300 2212

Trusted Computing - Ready for Use?

Trusted Computing, based on cryptographic hardware on PC motherboards, has been available for a number of years, however a panel session at the ISSE 2009 conference considered whether it may now be ready to improve the security of enterprise computing. Trusted Platform Modules (TPMs) - a "smartcard on the motherboard" - are now present in between 60% and 80% of enterprise PCs, a level at which it becomes possible to manage systems on the assumption that they will have a TPM.

The basic functions of the TPM, to provide secure storage and perform secure cryptographic calculations, can be used in many different ways and could potentially address the root causes of many security incidents: viruses and other malware, weak authentication and unencrypted data. However software and protocols that can use TPMs have been slow to develop. Microsoft's Bitlocker allows the integrity of the system to be checked against the TPM at each stage of the boot process thus making it much harder to install malware or interfere with disk encryption. However businesses have been slow to adopt the Vista operating system, which introduced Bitlocker, so this may have to wait for the release of Windows 7. A TPM can also authenticate a device to the network and vouch for its integrity, allowing guest or insecure machines to be quarantined at the network level, but this relies on IEEE 802.1X technology, which has also taken a long time to achieve widespread adoption. Device authentication can also be used as a preliminary to user authentication to allow devices such as VPN servers to protect themselves against attacks from unknown machines.

However there remain significant issues in deploying TPMs on an enterprise scale. Although most PCs contain them, they are disabled by default and require physical access to enable them, which may be impossible for an organisation with several thousand PCs. TPMs also have the ability to make user errors much worse, for example forgetting a password or replacing a machine that contained a vital private key, either of which could leave information permanently inaccessible. Central management of systems to support users through key and password recovery is essential otherwise the technology is likely to be judged impossible to use.

TPMs are also appearing in servers, routers, printers and other devices, though applications for these are even less developed. However a promising sign is the use by Windows XP SP1 of a TPM as a source of entropy for random number generators, thus improving the ability of virtual machines on the same platform to provide encryption independent of each other.

Andrew Cormack - ISSE conference in Scheveningen, Netherlands, 6-8 October 2009 (http://www.isse.eu.com/)

 

 

 

 

Privacy Policy | Web Admin
JANET(UK), Lumen House, Library Avenue
Harwell Oxford, Didcot, Oxfordshire
OX11 0SG

 

"));