Business PC Security Solutions

Q . What is the Trusted Computing Group (TCG)? How is it related to the Trusted Computing Platform Alliance (TCPA)?
A . The Trusted Computing Group has been formed to continue the Trusted Computing specification work started by TCPA. Key changes to organizational structure, IP licensing policy, and membership base have been instituted to support the organizational charter of open specifications for trusted computing. Initial founding promoters are HP, IBM, Intel, Microsoft, and AMD.

Q . Why did you need to form TCG? What was wrong with the TCPA?
A . The TCG is an evolution of the work started by TCPA. The TCG instituted the following changes to enhance TCPA organizational issues around voting, incorporation, and intellectual property licensing:

• The new organization has a policy promoting licensing under reasonable and non-discriminatory licensing (RND) terms, typical of many industry standards groups. This type of policy typically helps to streamline adoption of industry standards.
• Unlike TCPA, the new, incorporated group provides for logo and marketing programs, democratic organizational management and independent advocacy.

Q . Why is the name being changed from TCPA to TCG?
A . Given the significant changes and benefits to the evolution of the TCPA, the founders wanted to clearly identify the new organization.

Q . How many companies do you anticipate will join?
A . We anticipate broad and diverse participation. TCPA had almost 150 members; we expect these and other members to quickly join.

Q . How does the customer benefit from TCG?
A . Users have more secure local data storage and lower risk of identity theft through hardware encryption of digital secrets (such as keys, certificates, and passwords), and more uniformly and transparently secure systems for transmitting data or handling transactions. Additionally, IT staff can deploy and maintain systems more easily with better security, open standards, and less complexity due to standardized solutions.

Q . What can the TCG realistically do to help improve security and build trusted computing platforms? What kind of timeframe do you propose for product availability, for example?
A . By designing open and available building blocks and common interface stacks as an industry standard, the industry can address a range of security needs and help preserve functional integrity, privacy, and individual rights. Some TCG-enabled HP products began shipping in late second quarter 2003, with new notebooks supporting the standard available October 2003.

Q . What value does a TCG-compliant platform provide the customer?
A . A TCG-compliant platform provides customer benefit in four areas:

1. Platform Authentication
   • Provides attestation which can be used to determine the state of a platform and authenticate an acceptable configuration
   • Verifies that the system seeking access is the expected system
2. Protected Storage
   • Enhanced protection of encryption keys, which can be used to further protect passwords and other sensitive data. Can be used to store other secret data such as passwords and configuration settings.
3. Cryptographic Functions
   • Hardware-based key generation, encryption, decryption, and digital signature operations
   • Applications include secure network logon, digitally signed e-mail, or secure website access
4. Allows Enhanced Policy Enforcement by operating system or application
   • Reduces exposure to viruses spread by email
   • Helps ensure right version of virus protection is running
   • Provides enhanced, flexible control of access rights
   • Manages rogue access points

Q . Some industry watchers have charged that encryption methods incorporated into the TCG building blocks or other security solutions could be used as a form of censorship, giving big organizations and potentially government authorities the ability to track and identify personal electronic information. How does your organization guard against the possibility?
A . TCG specifications are based on user opt-in (user choice) and user control. The specifications specifically have a strong policy to not disclose or provide means of tracking electronic information.

Q . As hardware prices continue to drop, do you believe that users care enough about security to pay slightly more for products incorporating the TCG building blocks?
A . Security is important to all kinds of customers, and we believe users will invest in the changes required. Computer users do not want to continue to rely on security standards set in 1981. One benefit of open standards historically is that as more products become available, prices decrease. The more products that are available, the more options become available to all users. Also, with the focus on protecting data and digital identity, the cost is very low compared to the value.

Q . What applications and services benefit from systems conforming to the TCG specification?
A . A TCG-enabled system offers a low-cost standardized means of embedding security functionality in a platform, which means that improved levels of security can become ubiquitous-hence enabling and encouraging the development and use of applications and services that use security. Another benefit is improved control of access to data. Previously such access has depended upon authorization or authentication. Now access can also be linked to the state of the software in the platform. This enables the denial of access to data if rogue software, such as a virus, is introduced into a platform, because such introduction necessarily changes the software state of the platform.
Other traditional features of the subsystem, such as persistent storage and signing, improve many applications and services such as Public Key Infrastructure (PKI) deployments and interactions, Web browsers using SSL, and e-mail use of S-MIME, among others.

Q . Can you give an example of why one of a TCG platform is desirable?
A . Ubiquitous security in platforms encourages the development and use of security services. PKI related security processes, such as digital signature and key exchange, are protected through the secure TCG subsystem. Access to data on the platform could be denied if the software environment in the platform is changed (by a virus, for example). Critical applications and capabilities such as secure e-mail, secure Web access, and local protection of data are protected by an additional security layer when on a TCG platform. Note: It is the operating system and services above the TPM that perform the above-mentioned policy enforcement (such as data denial). The TPM does not police this type of activity. The TPM is a passive device and performs its requested operation only upon proper authorization from user/owner. The TCG does not influence policies around the types of software that are allowed to run.

Q . Is the real "goal" of TCG to design a TPM to act as a DRM or Content Protection device?
A . No. The TCG wants to increase the trust that users and remote entities have in users' platforms. The increase in trust comes from the mechanisms provided by the TPM. One of these mechanisms is a report, or attestation, of the current configuration of the platform. A user or system owner may elect to attest remotely to this configuration. Knowledge and confirmation of the current software running on a system have been a desired feature for security systems for many years; not only for private users, but especially for system administrators who are responsible for infrastructure security and reliability. For instance, this capability could allow a system administrator to know that a user is operating the current version of the virus protection software. The TCG is now attempting to provide that functionality. Application vendors are building applications supporting specific use models. Platform owners determine which OS and applications to run on their platforms. The TCG remains committed to thorough and open reviews with industry and government experts of this technology and its implications for use models. Finally, a user can disable the TPM for any particular boot cycle, regardless of the state (enabled/disabled) that the administrator has specified. If the TPM is disabled, the user may not be able to access certain resources without the TPM, but the end user always has the choice to enable or disable the TPM.

Q . What are TCG, TPM, and HP ProtectTools Embedded Security?
A . TCG refers to the Trusted Computing Group, an industry-wide security standards group. TPM refers to the Trusted Platform Module, a security chip developed from TCG specifications. HP ProtectTools Embedded Security refers to the HP-branded TPM on HP business PCs.

Q . What is the availability of TCG specification be on HP client products?
A . HP ProtectTools Embedded Security is available on the HP Compaq business desktop d530 and HP Compaq business notebook nc6000 and nc8000. Value desktop and notebook families will not be available with a ProtectTools Embedded Security option.

Q . How is the HP ProtectTools Embedded Security and Embedded Security Manager made available to customers?
A . Embedded Security was made available as a CTO option on all new HP Compaq business desktop d530 series computers in the second quarter of 2003 and 3Q03 for select HP Compaq business notebooks. Hardware is configured at the factory upon order. Software is either pre-installed or available from the Web as a download, depending on your specific desktop or notebook model. The TPM plugs into a connector on the system board.

Q . In what scenarios might the Trusted Platform Module (TPM) be used?
A . Several usage scenarios are possible:

• Multiple users on a single system needing to encrypt files and folders for their own access
• The TPM can help protect root keys for decrypting encryption keys and certificates in silicon rather than breakable software and registries and allow users to restrict access to data stored on a shared client device.
• Help ensure network access to trusted clients - the network can authenticate a TPM-enabled device and allow access only to those systems with IT-approved configurations adhering to corporate security policy.
• Need to secure email communication - the network can authenticate the device and help ensure a secure communications pipeline, and in addition, the TPM can work with PKI to authenticate trusted authorship of emails and documents.

Q . What TCG specification is supported by HP? When can we expect to see products that support it?
A . Existing TCG specifications, including the TCG 1.1 spec, protection profiles, and PC specific specification, is supported on select HP business PCs. TSS (TCG Software Stack) and TPM 1.2 specifications are anticipated as the first new specifications created by TCG in the second half of this year. Products that support the existing TCG specs are available today. Products that use the next anticipated TCG specification, TCG 1.2, in 2004 / 2005, depending on exactly when the specification is finalized, as well as other factors. Future TCG specifications are expected to be backward compatible to TPM 1.1

Q . What comprises HP ProtectTools Embedded Security?
A . Two components - hardware and software.
The software piece is branded HP ProtectTools Embedded Security Manager, and controls basic operation of security chip (such as enabling and ownership), and provides user-friendly file and folder encryption integrated with the OS.
The hardware component is branded HP ProtectTools Embedded Security, and is compliant with the TCG 1.1 standard. The chip is supplied by Infineon Technologies, and each is unique and bound to a particular system. The v1.2 chip specifications are expected to be backward compatible to v1.1.

Q . To which extent are the keys and other protected data in the TPM physically protected? Can a skilled technician in a well-equipped laboratory read them, as on an ordinary Smart Card (electron microscopy, light refraction)?
A . The TPM protection profile requires some physical protection on the TPM. It does not specify the mechanism in which the manufacturer needs to design. The TPM manufacturers are familiar with creating security chips. We anticipate that some TPMs will have stronger physical protections than other mechanisms. The market will determine what is appropriate.

Q . How does HP ProtectTools Embedded Security provide better or more security than security features available on native Microsoft® Window® 2000 and XP operating systems?
A . ProtectTools Embedded Security provides enhanced security as the Embedded Security chip creates a unique Storage Root Key (SRK), stored in silicon with 2048-bit encryption, which is very difficult to compromise. The SRK, in turn, encrypts and decrypts all other encryption keys and digital certificates stored on the Hard Drive. Conversely, through the basic OS security, passwords/keys are stored directly on the hard drive, which can be relatively easily compromised by loading a new OS or removing the drive.

A feature comparison of native Windows 2000 and XP security versus ProtectTools Embedded Security quickly illustrates the added features of the HP solution: Windows 2000/XP native security features -

• File and folder encryption
• Encrypted email
• System login

• Enhanced native Windows 2000 and Windows XP file and folder encryption
• Seamlessly enhances email encryption and authentication built-in to native Communication packages (Outlook, Outlook Express, Lotus Notes, Eudora, PGP)
• Lays a foundation for additional applications to control which machines connect to the corporate network
• Helps reduce hacking and subsequent system attacks, denial of service and network attacks
• Strengthens wireless user authentication and data protection & integrity, limiting spoofing threats
• Use as "embedded" smart card, eliminating more expensive smartcard/token id deployments
• Means to authenticate that system user is communicating with, is the system they believe it to be
• Strong means of verifying transmitted data was received and not compromised
• Enhances other security products such as Smart Cards, fingerprint IDs, etc.

Q . What OS does HP ProtectTools Embedded Security support?
A . Microsoft Windows 2000 and XP.

Q . What are the basic enabling software applications of the Embedded Security Manager?
A . Software includes the following:

• TSS
• MS CAPI support
• BIOS support
• TPM device driver
• PKCS#11 support

Q . What, if any, features are built into HP ProtectTools Embedded Security to help customers manage its functionality?
A . ProtectTools Embedded Security provides robust local management features to this end, which is included as part of the standard ProtectTools Embedded Security Manager delivered with the machine. This local management utility includes:

• Ownership, PIN management, key backup/migration
• Tight integration with Windows security policy infrastructure
• Windows Control Panel applet with system tray, iconic, representation
• Certificate management - view certificates/keys bound to the TPM
• Embedded Security management functions accessible through established manageability protocols (i.e. DMI, SNMP, WEBEM, etc.)

Q . What value does TCPA add to existing Public Key Infrastructure (PKI)?
A . While there are existing technologies to allow hardware protection of a private key (e.g., Smart Cards), these keys are not associated with the platform. If a key is to be used by the platform itself to provide attestation and protect secrets and identities, it needs hardware protection such as provided by the TPM. Protection provided by software alone does not offer the same private key protection as provided by a platform with a TPM, with trusted platforms requiring certificates signed by a Certificate Authority (CA) at several levels. A system administrator for example can identify the platforms that are connected or trying to access his network.

Q . Does the ProtectTools Embedded Security Manager complement or overlap Smart Card security solutions?
A . Both, depending on customers' security needs and policies. For some customers with current or future Smart Card deployments, the Embedded Security Manager provides an additional, complementary authentication factor - the Smart Card providing user authentication and the Embedded Security Manager providing device authentication. However, some customers may choose to use the Embedded Security Chip, and the secure storage feature it provides, to take the place of Smart Card functions.

Q . What is attestation?
A . Attestation is a core feature of Trusted Computing in which a platform communicates (or attests to) its state of operation. An example of attestation would be a system that measures a platforms current anti-virus definition file and stores that measurement on the TPM. When the platform wishes to prove what virus definition file is in use, the platform would attest to measurement of the AV def file by performing a digital signature of the measurement and sending the signed message to the entity requiring information regarding the AV def file.

Q . Why does a unique identifier have to be on the platform?
A . It is not possible to provide attestation without some form of identity associated with that attestation. The unique identifier provides this identity and is the basis for attestation.
However, because of our concern for privacy, the TCG has specified TCG technology in such a way that this unique identifier is never directly used - only indirectly, and aliased through the use of certificates issued by the owner's selected Trusted Third Party (TTP). The unique identifier is designed for use only to create a certificate request for an aliased ID from the TTP. The owner of the platform has control over the exposure and use of both the unique identifier and all aliased IDs held by the TPM.
There are two ways the owner controls this, as provided for in the TPM specification: The first is through the use of authentication. All uses of the TPM and the aliased ID's associated with it require authentication, which the owner controls. Second, the owner may disable the use of the TPM through the use of commands, physical "switches," or both. Remote enabling without the owner's permission is protected against by a requirement of physical presence (which means you have to be at the PC yourself) to "gate" these commands.

Q . What kinds of protections are in place to protect my personal information?
A . Any personally identifiable information (PII) contained within the aliased ID is entered at the discretion of the platform user. It may contain as little or as much PII as allowed or required by the application the user chooses to use. A platform user may disable the TPM at any time for a particular login session. This helps enforce the user's right to privacy.

Q . Can any of this be used to track my personal information on the Web?
A . At the heart of TCG privacy technology is the use of multiple aliased IDs. This increases the difficulty of someone conducting traffic analysis used to "track" network usage and subvert privacy.

Q . Are the unique keys in a TPM generated, and the public keys recorded by a Trusted Third Party (TTP), at the time of manufacture? If not, could a piece of software generate a key pair, pretend to be a TPM, and have the public key certified?
A . The unique key in the TPM, known as the endorsement key (EK), is generated during manufacturing. To validate that the EK comes from a valid TPM the manufacturer creates an endorsement credential that states that the EK in question comes from a valid TPM. So while anyone could create a SW EK and claim it comes from a valid TPM they would not have a valid endorsement credential to accompany that claim. This implies that those who rely on an EK validate that it comes from a valid TPM.

Q . Does ProtectTools Embedded Security enhance third-party security solutions?
A . Yes, other security solutions are able to take advantage of the ProtectTools Embedded Security through the use of industry-standard interfaces such as Microsoft CAPI and PKCS11. ProtectTools Embedded Security has also been certified under the RSA Secured Partner program - embedded security provides enhanced security when using the RSA SecurID software token for multi-factor authentication.

Q . What happens if the PC is re-imaged?
A . Effectively all keys/secrets stored through the TPM are lost and the user needs to recover those keys. HP ProtectTools Embedded Security Manager provides a recovery mechanism for restoring keys on the same platform (re-imaged).