Industry Leader in Trusted Systems and Services

Trusted Computing Security for the Digital World

Copyright© 2004 Trusted Computing Group - Other names and brands are properties of their respective owners.

TCG Mission

Develop and promote open, vendor-neutral, industry standard specifications for trusted computing building blocks and software interfaces across multiple platforms

TCG Organization

Board of Directors: Jim Ward, IBM, President and Chairman; Geoffrey Strongin, AMD; Mark Schiller, HP; David Riss; Steve Heil; Tom Tahan, Sun; Nicholas Szeto, Sony; Bob Thibadeau, Seagate; Thomas Hardjono, VeriSign

Committees, work groups and their chairs or contracted resources:
• Marketing Workgroup: Nancy Sumrall, Intel
• Technical Committee: Graeme Proudler, HP
• Best Practices: Jeff Austin, Intel
• Advisory Council: invited participants
• Administration: VTM, Inc.
• Public Relations: Anne Price, PR Works
• TPM Work Group: David Grawrock, Intel
• Conformance WG: Manny Novoa, HP
• TSS Work Group: David Challener, IBM
• PC Client WG: Monty Wiseman, Intel
• Mobile Phone WG: Panu Markkanen, Nokia
• Infrastructure WG: T. Hardjono, VeriSign / N. Smith, Intel
• Trusted Network Connect (sub work group)
• Peripherals WG: Jim Wendorf, Philips
• Server Specific WG: Larry McMahan, HP
• User Auth WG: Laszlo Elteto, SafeNet
• Storage Systems: Robert Thibadeau, Seagate
• Events
• Marketing Support: VTM, Inc.

Position key: GREEN box, elected officers; BLUE box, chairs appointed by the Board; RED box, chairs nominated by the WG and appointed by the Board; BLACK box, resources contracted by TCG

Trusted Computing Definition

• Trusted Computing: hardware and software behave as designed

The Evolution of the Digital Infrastructure

Diagram: a timeline in which each stage builds on the previous one, from Processing (PC) and Connectivity (Internet) to Access (WWW), then Web Services, Identity, and Trust/Security.

Today’s Deployments Often Leave Clients Relatively Unprotected

Server and network protections shown:
• Highly regulated SW/HW configuration
• Controlled physical access (24x7)
• Encryption (IPSec, SSL) and encrypted data
• VPN
• Firewalls and layered firewalls
• Intrusion detection SW
• Anti-virus
• Network segmentation
• 24x7 and real-time monitoring
• Auditing & analysis
• 802.1x (Radius)
• Multi-factor user authentication
• Domain controllers
• Configuration monitors
• Patch, configuration & policy control

Client protections shown:
• Password tools
• Anti-virus
• Configuration monitors
• Policy management
• Intrusion detection SW

Mismatch between security measures and the financial value of data created & stored on clients

The Security Opportunity

• Clients lightly protected relative to servers & network
• High value data created & stored on clients
• Financial incentive & readily available means to attack clients
• Attacks outpacing today’s protection models
• Ubiquitous connectivity
• Sophisticated attack tools readily available

A hardened client can reduce the risk of serious financial loss and compromised data

Trusted Computing – Bottom to Top

Layer stack, top to bottom: User Services, Applications, System Services, Operating System, BIOS Firmware, PC Hardware, Trusted Hardware

• Security at any layer can be defeated by accessing the next lower layer
• Trusted Computing requires security hardware as the foundation for platform security
• Plus security enablement features in each layer

Security Solutions: Client Security

Diagram: chains of trusted (T) and untrusted (UT) devices
• Untrusted devices or components cause the result to become untrusted
• Trusted devices can communicate securely over untrusted networks

The Hardware-based security enhancement: the TPM

• Enhances many aspects of platform security
  – Specified by Trusted Computing Group (TCG)
• Major functions today:
  – Protected non-volatile storage of platform secrets (e.g. encryption/signature keys, etc.)
  – Special purpose protected processing (e.g. key generation, digital signatures, etc.)
  – Spoof-resistant platform authentication capability

TPM PC Market Projection (Source: IDC)

Worldwide PCs, in millions:

Year  Total PCs shipped  TPM-enabled PCs shipped
2003  152                4
2004  170                35
2005  187                60
2006  202                115
2007  217                175

Trusted Computing Applications

Diagram of application areas: Secure VPNs & Strong Authentication; Peer-Peer Applications; Data Protection; Trusted Software Components; E-Commerce Transactions; Privacy Protection; Trusted Hardware; Distributed Trust Infrastructure; Platform Security; Key Management; Access Control; Digital Signatures

Model 7: Authentication and Web Services

Chart of authentication methods plotted by security against web services value, from lowest to highest: Previous Session (Cookies); Password; Password w/SSL; Software PKI + Password; Smart Card + Password; Token + Password; Time-Sync + Password; Biometrics + Smart Card + Password; Trusted Platform Module (TPM)

Types of TPM hardened Applications Available from 3rd parties

• File/Folder Encryption: keys protected by TPM. E.g. Wave*, Softex*, IBM*, HP*, Infineon*, Information Security Corp.*
• Client-based Single Logon: username/password auto-fill. The user only has to remember one password; the TPM application lets the user register other passwords and automatically fills them in when the password dialog is presented. E.g. Softex*, Wave*, IBM*, Cognizance*
• Protected Information Repository: uses the TPM wrapping/sealing capability to protect sensitive information like credit cards, account numbers, or even biometric templates. Some with auto form-filling capabilities. E.g. Wave*, IBM*, Softex*
• E-mail Integration: encryption and signature schemes supporting MS-CAPI or PKCS#11. E.g. Outlook*, Netscape*, Information Security Corp.*
• Digital Signature: digital signature application to e-mail, Adobe’s PDF files, e-purchasing, etc. E.g. Microsoft*, Adobe*, Wave, Netscape*
• Enterprise Logon: platform authentication using TPM. E.g. Cognizance*, Wave Trust Server*
• Remote Access: remote access credentials are protected by the TPM. Can be used for VPN, wireless 802.1x and similar authentications. E.g. SecurID*, Checkpoint VPN-1 SecureClient*
• Hardened PKI: protect & manage Certificate Authority issued credentials using TPM. E.g. VeriSign PTA*, Checkpoint*, RSA*

Summary

• The Trusted Computing Group has defined an open security hardware specification
• Trusted computing is a core building block for next generation web services
• Secure hardware is a requirement and available today
• Trusted computing products from multiple vendors are currently shipping

Backup Slides

Problem: Who are you?

TCG Membership

• 78 Total Members as of August 12, 2004 (7 Promoter, 57 Contributor, 14 Adopter)

Promoters: AMD; Hewlett-Packard; IBM; Intel Corporation; Microsoft; Sony Corporation; Sun Microsystems, Inc.

Contributors and Adopters: Agere Systems; Ali Corporation; American Megatrends, Inc.; ARM; ATI Technologies Inc.; Atmel; AuthenTec, Inc.; Broadcom Corporation; Comodo; Dell, Inc.; Electronics Corporation; Endforce, Inc.; Enterasys Networks; Extreme Networks; Foundry Networks; Foundstone, Inc.; Fujitsu Siemens Computers; Funk Software, Inc.; Gateway; Gemplus; Giesecke & Devrient; Hitachi, Ltd.; Industrial Technology Research Inst.; Infineon; InfoExpress, Inc.; iPass; Juniper Networks; Legend Limited Group; Lexmark International; M-Systems Flash Disk Pioneers; Meetinghouse Data Communications; Motorola Inc.; National Semiconductor; nCipher; Network Associates; Nokia; NTRU Cryptosystems, Inc.; OSA Technologies; Philips; Phoenix; Renesas Technology Corp.; RSA Security, Inc.; SafeNet, Inc.; Samsung Electronics Co.; SCM Microsystems, Inc.; Seagate Technology Limited; Shang Hai Wellhope Information; Silicon Integrated Systems Corp.; Silicon Storage Technology, Inc.; Softex, Inc.; Standard Microsystems Corporation; STMicroelectronics; Sygate Technologies, Inc.; Symantec; Symbian Ltd; Synaptics Inc.; Texas Instruments; Toshiba Corporation; Transmeta Corporation; Trend Micro; Utimaco Safeware AG; VeriSign, Inc.; Vernier Networks; VIA Technologies, Inc.; Vodafone Group Services LTD; Wave Systems; Zone Labs, Inc.

Analyst predictions

IDC estimates that in 2007, more than 80 percent of security products will be hardware-based, instead of current software-based tools like anti-virus and firewall software.

IDC expects worldwide spending on security and business continuity to grow twice as fast as IT spending over the next several years, reaching more than $116 billion by 2007.

Reference: Security and Business Continuity Remain Highest IT Spending Priorities According to IDC Survey, 25 Sep 2003

Reference: Computer safety standard draft on way, by Liu Baijia (China Daily), updated 2004-03-06 08:37

Analyst Predictions – Cont.

For the medium term, the pace of business continues to accelerate and the challenge is to adapt the IT infrastructure to cope with the changes. Group vice president Steve Prentice said that, in the medium term, CIOs should plan to build a real-time infrastructure for IT.

This will involve a new model of IT to allow resources to be shared dynamically according to business needs. But it can have a huge impact on data center budgets and is inevitable for the longer term. Instead of maintaining a chaotic infrastructure with separate components, enterprises should be providing a set of services that enable the execution of business processes according to service level agreements. It will be a service-oriented architecture.

Reference: Three Challenges for CIOs, Gartner, 17 March 2004

Risk Management for Enterprises

• Most current security efforts follow a similar progression
  – Network (intranets, firewalls, VPNs, etc.)
  – Servers (load balancers, HSMs, SSO, web authentication, etc.)
  – Policies & processes (response plans, disaster recovery, etc.)
  – Identity & access (badges, tokens, digital certificates, etc.)
• Client PC protection is either non-existent or vulnerable
  – Mobile workers operate both inside and outside the firewall
  – Mobile devices (laptops) can easily store business critical information insecurely

Enterprise Client Security Outlook

THE NEED
• Client security needs are increasing (more sophisticated viruses, worms, spam, etc.)
• Network security and client software security alone have proven insufficient in protecting data and systems
• The increase in laptops puts corporate data further at risk

THE STATUS
• PCs are available en masse (IBM, HP, Intel motherboard, Fujitsu)
• Businesses are already purchasing (5M+)
• Enterprises have needs today for key management
• Businesses can add value and increase security 1 PC at a time

Trusted Computing

• Trusted Computing is a concept to protect and strengthen the computing platform against software-based attacks

Goals
• Protect business data and communications against current and future software attacks
• Enable broadly-adoptable security technologies with immediate utility to business users and IT
• Provide opportunities for value-added services
• Deploy in a responsible manner that maintains user privacy, choice and control

Advancing Platform Security

Diagram: increasing levels of protection over time
• Software-Only: anti-virus, passwords, VPN, firewall, SSL, etc.
• Smart Card: user authentication, portable hardware key storage
• TPM (today): platform authentication, fixed hardware key storage
• Future Security Technologies (CPU & OS): multi-function, hardware-strengthened security with strengthened OS

Requires security rooted in hardware

Trusted Device Eco-System

• Applications and Services: Content Services, Communications, Identity, Transactions, Access Control
• Devices: PC, Consumer Electronics, Cell Phones, PDA, Peripherals, Embedded Controllers
• Core: Trusted Platform Module
• Security and Trust Services: Device Attestation, Administration, Key Management, Configuration Management

TPM Software Enabling Stack: Microsoft CAPI

1. The application (CAPI enabled, from an ISV) calls CAPI to perform cryptographic functions
2. The CAPI interface (included in the Microsoft OS) looks for available sources of crypto services in the system (hardware & software)
3. The Cryptographic Service Provider (CSP) alerts CAPI to the TPM’s presence & routes appropriate service requests to the TPM
4. The service request is interfaced to the TPM by the TCG Software Stack (TSS) (i.e. device driver), from the TPM vendor
5. The TPM hardware provides the crypto service & returns the result

Trusted Computing – Value!

• Customers will pay for Trusted Systems

Share of respondents definitely or probably interested in adding security technology to a new computer, by added cost:

Added cost  Interested
$25         84%
$50         71%
$75         57%
$100        49%
$200        34%

Source: Privacy and the Internet / Hart Research

Trusted Computing Overview

TCG Technologies

Goals of the TCG Architecture

TCG defines mechanisms that
• Protect user keys (digital identification) and files (data)
• Protect secrets (passwords)
• Enable a protected computing environment

While…
• Ensuring the user’s control
• Protecting user’s privacy

Design Goal: Delivering robust security with user control and privacy

TCG Policy Positions

Privacy Effect of TCG Specifications: TCG is committed to ensuring that TCG specifications provide for an increased capability to secure personally identifiable information

Open Platform Development Model: TCG is committed to preserving the open development model that enables any party to develop hardware, software or systems based on TCG Specifications. Further, TCG is committed to preserving the freedom of choice that consumers enjoy with respect to hardware, software and platforms

TCG Policy Positions (continued)

Platform Owner and User Control: TCG is committed to ensuring owners and users of computing platforms remain in full control of their computing platform, and to require platform owners to opt-in to enable TCG features

Backwards Compatibility: TCG commits to make reasonable efforts to ensure backward compatibility in future specifications for currently approved specifications

TCG System Benefits

• Benefits for today’s applications
  – Hardware protection for keys used by data (files) and communications (email, network traffic)
  – Hardware protection for Personally Identifiable Information (Digital IDs)
  – Hardware protection for passwords stored on disk
  – Lowest cost hardware security solution: no token to distribute or lose, no peripheral to buy or plug in, no limit to number of keys, files or IDs
• Benefits for new applications
  – Safer remote access through a combination of machine and user authentication
  – Enhanced data confidentiality through confirmation of platform integrity prior to decryption
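The sealing capability named in the Protected Information Repository row earlier and behind the "confirmation of platform integrity prior to decryption" benefit above, as an added Go example that is not the deck's or TCG's own code: a toy TPM with one PCR that each boot stage extends, a Seal that binds data to the current PCR value, and an Unseal that refuses when the platform measures differently. The TPM type, the SHA-256 extend formula and the HMAC/AES-GCM key derivation are assumptions of this example, not TCG-specified mechanisms.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// TPM is a minimal stand-in for the chip: one platform configuration register (PCR)
// with the boot chain's running measurement, plus a storage root secret that never leaves it.
type TPM struct {
	storageRoot []byte
	pcr         [sha256.Size]byte
}

// Extend folds a measured component into the PCR, pcr = H(pcr || H(component)); the
// register can only be extended, so its value commits to every component and their order.
func (t *TPM) Extend(component []byte) {
	digest := sha256.Sum256(component)
	t.pcr = sha256.Sum256(append(t.pcr[:], digest[:]...))
}

// Sealed is the blob returned to the platform; the PCR it is bound to is public.
type Sealed struct {
	PCR        [sha256.Size]byte
	Nonce      []byte
	Ciphertext []byte
}

// aead derives the state-bound key HMAC(root, "seal:" || pcr) and wraps it in
// AES-256-GCM; the key exists only inside the TPM and only for this PCR value.
func (t *TPM) aead(pcr [sha256.Size]byte) cipher.AEAD {
	mac := hmac.New(sha256.New, t.storageRoot)
	mac.Write([]byte("seal:"))
	mac.Write(pcr[:])
	block, _ := aes.NewCipher(mac.Sum(nil)) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)          // AES block size: cannot fail
	return gcm
}

// Seal encrypts plaintext under a key bound to the current PCR value.
func (t *TPM) Seal(plaintext []byte) (Sealed, error) {
	gcm := t.aead(t.pcr)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Sealed{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, t.pcr[:])
	return Sealed{PCR: t.pcr, Nonce: nonce, Ciphertext: ct}, nil
}

// Unseal is the "confirm platform integrity before decrypting" step: it refuses unless
// the current PCR equals the sealing-time PCR (skipping the check would only fail in GCM).
func (t *TPM) Unseal(s Sealed) ([]byte, error) {
	if t.pcr != s.PCR {
		return nil, errors.New("platform state differs from sealing state")
	}
	return t.aead(t.pcr).Open(nil, s.Nonce, s.Ciphertext, s.PCR[:])
}

// boot clears the register, as a power cycle does, then measures each stage.
func boot(t *TPM, stages ...[]byte) {
	t.pcr = [sha256.Size]byte{}
	for _, s := range stages {
		t.Extend(s)
	}
}

// Scenario seals a secret on a known-good boot and reports whether it unseals after an
// identical boot, and the error after a boot with a modified loader (constructed images).
func Scenario() (sameBootOK bool, modifiedBootErr error) {
	tpm := &TPM{storageRoot: []byte("constructed-demo-storage-root-32")}
	bios, loader, kernel := []byte("bios v1"), []byte("loader v1"), []byte("os v1")
	boot(tpm, bios, loader, kernel)
	blob, err := tpm.Seal([]byte("disk encryption key"))
	if err != nil {
		return false, err
	}
	boot(tpm, bios, loader, kernel) // identical boot: same PCR, unseal succeeds
	pt, err := tpm.Unseal(blob)
	sameBootOK = err == nil && string(pt) == "disk encryption key"
	boot(tpm, bios, []byte("loader v1 (tampered)"), kernel) // PCR now differs
	_, modifiedBootErr = tpm.Unseal(blob)
	return sameBootOK, modifiedBootErr
}
```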

*Other names and brands may be claimed as the property of others

TPM Overview

• TPM = Trusted Platform Module
  – a hardware device that is attached to a platform
  – Contains Encryption Engine and Protected Storage
• Single, permanent Public / Private key-pair called the Endorsement Key Pair
  – The TPM cannot be moved between platforms
• Works for Mobile, Desktop and Server Platforms

TCG Applications

Managing the Trusted Platform

Problem: Security requires the platform owner/user to set policies, determine how to apply security, and manage the overall operations.

Solution: Platform OEMs and ISVs provide simple-to-use management software to make it easy for users to turn on the TPM, apply policies, and manage their trusted platforms

Managing the Trusted Platform - Example

Managing the Trusted Platform - Biometrics

Model 1: Know your clients, know your users

Problem: In a corporate network that is open to business partners, how can I be sure that the people connected to the network are people I can trust?

Solution:
• Use clients equipped with TPMs to store and protect certificates used for VPN access (Check Point VPN-1)
• Provide valid users with Smart cards for token-based authentication to the client/network/servers (GemPlus readers and cards, IBM TPM-equipped clients, any certificate-enabled server application)

Model 2: Secure remote network access

Problem: Sales and traveling executives require secure access to sensitive information resources from insecure locations

Solution:
• All traveling clients are equipped with 3Com Embedded Firewall (EFW) NICs
• 3Com EFW NIC binds to client TPM
• Company exterior gateway only accepts network connections from known 3Com EFW NICs
• Client TPM requires valid Smart card to authenticate the user
• Result: Only known users can authenticate to company clients. Only known clients can authenticate and connect to the company gateway. The connection is a hardware-based VPN with firewall built in.

Model 3: Document Security

Problem: Sensitive files must be protected, but still shared

Solution:
• Document management using TPMs is integrated into Windows and MS Office applications
• TPM creates and stores encryption keys
• Document vaults can be shared, even across internet connections

Screenshots: Vault view, right-click menu, and MS Office icons & menu

Model 4: Trusted archival of electronic documents

Problem: Electronic documents must be stored on a long term basis.
– The documents include legal status information about citizens.
– It must be possible to demonstrate that the documents have not been altered since the time of archival.

Solution:
• Documents archived from a TPM-enabled PC
• Documents in Acrobat PDF format
• Document is signed by archivist at time of archival
  – Acrobat requires archivist authentication to the TPM for each signature
  – Signature requires archivist’s fingerprint and Smart card to authorize

Model 5: Building access / default PC protection

Problem: Separate security access issues:
• Provide a token-based physical access mechanism that can also be used for network authentication
• Provide full hard drive encryption that is transparent to the user, always operational and provides hardware-based security of the encryption keys

Solution:
• GemPlus Smart cards for physical and logical access
• TPM-enabled clients using Utimaco’s Safe Guard Easy full hard drive encryption software, featuring support for the TPM as a key storage / platform binding tool.

Model 6: Client/Server Mutual Authentication

Problem: Highly sensitive, high-value e-Business application that requires
– assurance of who the transacting user is and
– assurance that the server software has not been changed in any way by any one

Solution:
• Server runs SE modified to use a TPM for attestation of secure boot and integrity of software configuration
• User PC is TPM-equipped
  – TPM requires strong authentication of the user, including a Smart card
  – User transaction will interrogate the server, requiring a status of “unchanged” before it will allow the transaction to proceed

Demonstration of this application performed by IBM Research at Fall ’03 IDF

Model 7: Strong Authentication and Federated Identity

Problem: Federated identity systems need strong, multifactor authentication for high value web services
– Strength of initial user authentication into networks of federated identity determines the level of trust and non-repudiation for web services
– Authentication contexts are defined and communicated by Liberty Alliance, Web Services – Federation, and SAML protocols

Solution:
• TPM attestation credentials combined with user PIN/passwords are authenticated through a TCG Trusted Third Party server to provide access to Identity Provider servers and are then passed to Federation Gateway servers.
• Initial strong authentication of user identity is communicated within ‘trust circles’ to other federated identity partners as the basis for determining strength of authentication.

Model 7: Strong Authentication and Federated Identity (diagram)

Diagram: the User Device w/TPM logs on with credentials and PIN/PW; a TCG Attestation Server and an Identity Provider establish the Authentication Context (TCG Strong Authentication); a Federation Gateway conveys it to Service Providers using the Liberty Alliance, WS-Federation and SAML protocols.

Model 8: Key Management of Trusted Platforms

Problem: Secure backup, recovery, and migration of keys held in trusted hardware platforms
– Management of the ‘secrets’ held in trusted platform hardware requires security-based tools to protect the secrets during life-cycle management and systems management tasks

Solution: Key Transfer Manager, Wave Systems
– KTM Client: Allows users to locally back up and recover specified TPM keys to any local storage including disk, USB key, or smartcard
– KTM Server: Enterprise server to securely communicate with TPMs in order to back up, recover, and migrate keys to existing or new TPM platforms

Model 9: Consumer Authentication for Secure Internet Shopping Transactions

Problem: Authentication of user identity by merchant and bank for Internet shopping transactions
– Current authentication using ID with password has a high rate of fraud for Internet transactions
– Need to transfer transaction liability from merchant to consumer’s bank

Solution: Caisse d’Epargne French Banking Example
• User is issued certified credentials and keys from the bank.
• Credentials and keys are held in the TPM in the user device
• At checkout, the merchant requests authentication of the user from the bank utilizing the 3-D Secure protocol (VISA / Mastercard).
• Bank determines user identity based on TPM-based credentials and a TCG Trusted Third Party server.
• Bank verifies user identity back to the merchant for the transaction

Model 9: Caisse d’Epargne Demonstration, Cartes, 2003: ID TRONIC (3D-Secure) with TPM

Participants: CE web merchant; CE back office; WAVE Attestation Credential Manager; end user already registered with a TPM, a CE key and a CE certified credential

1. Article selection
2. Payment phase
3. Redirection to the CE back office
4. ID Tronic identification process: challenge sent to the user
5. The user uses his CE secret key to sign the challenge
6. CE back office verifies the signature and verifies that TPM hardware keys are used
7. CE back office informs the web merchant of the success
8. CE back office informs the user of the success

Model 10: Strong Authentication and eSIGN Digital Signatures

Problem: Web Services utilizing eSIGN compliant digital signatures need strong user authentication and non-repudiation
– Legally valid digital signatures are enhanced with non-repudiation of the user identity
– Digital signatures applied from trusted platforms minimize fraud risks

Solution:
• User and platform credentials are authenticated using TPM digital signatures based on the digital certificate held in the TPM
• Optionally, TPM-based time services for time stamping can be provided.
• Currently implemented in eSIGN Transaction Management Suite

Model 11: TPM Hardware Authentication to Standard Microsoft VPNs

Problem: Only allow VPN access from trusted platforms
– Digital certificates used for VPN access are stored in software
– Adding hardware-level authentication needs to be done with minimal changes to the existing VPN server systems

Solution:
• PCs with TPMs store VPN credentials in hardware storage
• A TCG Trusted Third Party server generates Attestation Identity Keys, which are used to authenticate that VPN requests are coming from trusted platforms
• Microsoft’s Active Directory, VPN, and Certificate Servers can easily add support for authentication using digital certificates and AIKs from trusted platforms to control VPN access

Case 11: TPM Platforms in a Microsoft VPN

Participants: user PC w/ TPM; MS VPN Server; MS Active Directory; TCG Attestation Credential Manager; MS Digital Certificate Server

1. User request for VPN access
2. Valid request?
3. Needs certificate
4. Request AIK key
5. Request certificate using AIK credential
6. AIK checked for validity
7. Directory updated with AIK/Cert
8. User VPN session established
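The challenge-response pattern shared by Model 9 (bank back office, 3-D Secure) and Model 11 (AIK credentials for VPN access), as an added Go example that is not part of the original deck or of any TCG, Wave or Microsoft product: a trusted third party certifies a key held in the user's TPM; the relying party issues a fresh challenge, the TPM signs it, and the relying party accepts only a signature by a certified key over a challenge it issued and has not yet consumed. The Credential layout, the RelyingParty type, the service binding prefix and the use of Ed25519 in place of the TPM's RSA keys are assumptions of this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Credential is the trusted third party's (the bank in Model 9, the TCG Trusted
// Third Party server in Model 11) signature over the public half of a key that
// was generated inside the user's TPM. The layout is hypothetical, not a TCG
// structure, and Ed25519 stands in for the RSA keys a TPM of that era holds.
type Credential struct {
	SubjectPub ed25519.PublicKey
	IssuerSig  []byte // issuer's signature over SubjectPub
}

// Issue is the registration step: the third party certifies the TPM key. In the
// real flow it would first check the TPM's endorsement; that is out of scope.
func Issue(issuer ed25519.PrivateKey, tpmPub ed25519.PublicKey) Credential {
	return Credential{SubjectPub: tpmPub, IssuerSig: ed25519.Sign(issuer, tpmPub)}
}

// bind ties a challenge to the service that issued it, so a response produced
// for one service cannot be presented to another.
func bind(service string, challenge []byte) []byte {
	return append([]byte("tcg-demo:"+service+":"), challenge...)
}

// RelyingParty is the bank back office (Model 9) or the VPN gateway (Model 11).
type RelyingParty struct {
	Service   string
	TrustedTP ed25519.PublicKey
	pending   map[string]bool // challenges issued and not yet answered
}

// Challenge issues a fresh 32-byte nonce and records it as outstanding.
func (r *RelyingParty) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	r.pending[string(c)] = true
	return c, nil
}

// Verify accepts a response only if the credential chains to the trusted third
// party, the challenge is outstanding (issued here, not yet consumed), and the
// signature over the bound message verifies under the certified key.
func (r *RelyingParty) Verify(cred Credential, challenge, sig []byte) error {
	if len(cred.SubjectPub) != ed25519.PublicKeySize ||
		!ed25519.Verify(r.TrustedTP, cred.SubjectPub, cred.IssuerSig) {
		return errors.New("credential not issued by the trusted third party")
	}
	if !r.pending[string(challenge)] {
		return errors.New("challenge unknown or already answered (replay)")
	}
	if !ed25519.Verify(cred.SubjectPub, bind(r.Service, challenge), sig) {
		return errors.New("signature does not verify under the certified key")
	}
	delete(r.pending, string(challenge)) // each challenge is answered once
	return nil
}

// Scenarios returns the outcome of the honest exchange, of a key certified by
// an untrusted issuer, and of a replay of the honest response. The private keys
// below model keys that never leave the TPM; only Sign is ever called on them.
func Scenarios() (honest, uncertified, replay error) {
	tpPub, tpPriv, _ := ed25519.GenerateKey(rand.Reader)
	bank := &RelyingParty{Service: "checkout", TrustedTP: tpPub, pending: map[string]bool{}}

	userPub, userTPM, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(tpPriv, userPub)
	c1, _ := bank.Challenge()
	sig1 := ed25519.Sign(userTPM, bind(bank.Service, c1))
	honest = bank.Verify(cred, c1, sig1)

	_, rogueIssuer, _ := ed25519.GenerateKey(rand.Reader) // not the trusted TP
	roguePub, rogueTPM, _ := ed25519.GenerateKey(rand.Reader)
	fake := Issue(rogueIssuer, roguePub)
	c2, _ := bank.Challenge()
	sig2 := ed25519.Sign(rogueTPM, bind(bank.Service, c2))
	uncertified = bank.Verify(fake, c2, sig2)

	replay = bank.Verify(cred, c1, sig1) // c1 was consumed by the honest run
	return honest, uncertified, replay
}
```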
