
Trusted Computing Technologies

Trusted computing, a concept introduced by the Trusted Computing Group (TCG), is intended to address the security problems a computer system faces when it is connected to a network or is stolen. With trusted computing the computer consistently behaves in specific ways, and those behaviors are enforced by hardware and software. This enforcement is achieved by loading the hardware with a unique ID and a unique master key, and by denying even the owner of the computer knowledge of and control over that master key.

Trusted computing encompasses five key technology concepts, all of which are required for a fully trusted system.

1. Endorsement key: a 2,048-bit RSA public and private key pair, which is created randomly on the chip at manufacture time and cannot be changed.

2. Secure input and output: refers to a protected path between the computer user and the software with which they believe they are interacting.

3. Memory curtaining / protected execution: extends common memory protection techniques to provide full isolation of sensitive areas of memory.

4. Sealed storage: protects private information by binding it to platform configuration information, including the software and hardware being used.

5. Remote attestation: allows changes to the user's computer to be detected by authorized parties.

The possible applications of the trusted computing technologies are:

  • Protecting hard-drive data: Windows Vista Ultimate and Enterprise use a Trusted Platform Module to facilitate BitLocker Drive Encryption. The Trusted Platform Module securely bootstraps and releases the decryption keys for volume-level hard drive encryption. This is done via the Trusted Platform Module's Platform Configuration Registers (PCRs).
  • Digital rights management: Trusted computing allows companies to build a digital rights management system that would be very hard, though not impossible, to circumvent. Take downloading a music file as an example. Remote attestation could be used so that the music file would refuse to play except on a specific music player that enforces the record company's rules, and sealed storage would prevent the user from opening the file with another player or on another computer.
  • Identity theft protection: Take online banking as an example. Remote attestation could be used when the user connects to the bank's server, so that the page would only be served if the server could produce the correct certificates. The user can then send his encrypted account number and PIN with some assurance that the information is private to him and the bank.
  • Preventing cheating in online games: Some players modify their copy of a game to gain unfair advantages; remote attestation, secure I/O and memory curtaining could be used to verify that all players connected to a server are running an unmodified copy of the software.
  • Protection from viruses and spyware: Digital signatures on software would allow users to identify applications modified by third parties that could have added spyware to them. For example, a website offers a modified version of a popular instant messenger that contains spyware as a drive-by download. The operating system could notice the lack of a valid signature on such a version and inform the user that the program has been modified.
  • Protection of biometric authentication data: Biometric devices used for authentication could use trusted computing technologies (memory curtaining, secure I/O) to assure the user that no spyware installed on his or her PC is able to steal sensitive biometric data. The theft of this data could be extremely harmful to the user: a user can change a password once he or she knows it is no longer secure, but a user cannot change the data generated by a biometric device.
  • Verification of remote computation for grid computing: Trusted computing could be used to guarantee that participants in a grid computing system are returning the results of the computations they claim to have run, rather than forging them. This would allow large-scale simulations (say, a climate simulation) to be run without the expensive redundant computations otherwise needed to guarantee that malicious hosts are not steering the results toward the conclusion they want.
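Sealed storage and remote attestation (concepts 4 and 5 above), and the way BitLocker uses the Platform Configuration Registers, rest on one mechanism: each boot stage is hashed into a PCR, a secret is bound to the resulting PCR values, and a keyed quote over those values lets a remote party check them against the values it expects. The Python model below is an added example, not code from this article or from any TPM vendor. It uses HMAC secrets as stand-ins for the chip's RSA key pairs and a SHA-256 counter-mode keystream in place of the TPM's cipher; the boot-stage measurements, key material and PCR selection are all constructed for the illustration.

```python
import hashlib
import hmac
import secrets

HASH = hashlib.sha256
PCR_BYTES = HASH().digest_size  # 32 bytes per register


def keystream(key: bytes, n: int) -> bytes:
    """Toy counter-mode keystream from SHA-256; stands in for the TPM's symmetric cipher."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += HASH(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Constructed model of the TPM behaviours the article lists: PCR extend,
    sealed storage bound to PCR values, and a quote over PCRs for attestation.
    HMAC secrets stand in for the chip's RSA keys (an assumption of this model)."""

    def __init__(self, num_pcrs: int = 8):
        self.pcrs = [bytes(PCR_BYTES)] * num_pcrs        # all registers start at zero
        self._storage_key = secrets.token_bytes(32)      # never leaves the chip
        self._attestation_key = secrets.token_bytes(32)  # stand-in for the signing key
        # A real verifier holds the public half; with HMAC it has to share the key.
        self.verifier_key = self._attestation_key

    def reset_pcrs(self) -> None:
        """Power cycle: PCRs return to zero, while sealed blobs and chip keys survive."""
        self.pcrs = [bytes(PCR_BYTES)] * len(self.pcrs)

    def extend(self, index: int, measurement: bytes) -> None:
        """PCR[i] = H(PCR[i] || H(measurement)): the only way a register changes,
        so both the content and the order of every boot stage are captured."""
        self.pcrs[index] = HASH(self.pcrs[index] + HASH(measurement).digest()).digest()

    def _policy(self, indices) -> bytes:
        """Digest of the selected PCRs: the platform configuration a blob is bound to."""
        return HASH(b"".join(bytes([i]) + self.pcrs[i] for i in indices)).digest()

    def seal(self, secret: bytes, indices) -> dict:
        """Encrypt `secret` under a key derived from the storage key and the current PCRs."""
        key = hmac.new(self._storage_key, self._policy(indices), HASH).digest()
        ct = xor(secret, keystream(key, len(secret)))
        tag = hmac.new(key, ct, HASH).digest()
        return {"indices": list(indices), "ct": ct, "tag": tag}

    def unseal(self, blob: dict):
        """Return the secret only if the PCRs now equal those at seal time, else None."""
        key = hmac.new(self._storage_key, self._policy(blob["indices"]), HASH).digest()
        if not hmac.compare_digest(hmac.new(key, blob["ct"], HASH).digest(), blob["tag"]):
            return None  # platform configuration changed: refuse to release the secret
        return xor(blob["ct"], keystream(key, len(blob["ct"])))

    def quote(self, nonce: bytes, indices) -> bytes:
        """Attestation: keyed digest over the verifier's nonce and the selected PCRs."""
        msg = nonce + b"".join(self.pcrs[i] for i in indices)
        return hmac.new(self._attestation_key, msg, HASH).digest()


def verify_quote(verifier_key: bytes, nonce: bytes, expected_pcrs, quote: bytes) -> bool:
    """Remote party recomputes the quote from the PCR values it expects ("golden" values)."""
    expected = hmac.new(verifier_key, nonce + b"".join(expected_pcrs), HASH).digest()
    return hmac.compare_digest(expected, quote)


# Constructed boot chain: one measurement per stage, extended into PCR 0, 1, 2.
BOOT_CHAIN = [b"firmware v1.0", b"bootloader v2.3", b"kernel 5.15"]
TAMPERED_CHAIN = [b"firmware v1.0", b"bootloader v2.3 (patched)", b"kernel 5.15"]
PCRS = [0, 1, 2]


def boot(tpm: ToyTPM, chain) -> None:
    for index, stage in enumerate(chain):
        tpm.extend(index, stage)


def demo() -> dict:
    disk_key = b"volume-key-constructed"  # what BitLocker would keep sealed to the PCRs
    tpm = ToyTPM()
    boot(tpm, BOOT_CHAIN)
    blob = tpm.seal(disk_key, PCRS)       # bind the key to this exact boot state
    golden = [tpm.pcrs[i] for i in PCRS]  # verifier records the known-good values
    nonce = secrets.token_bytes(16)
    results = {
        "unseal_clean": tpm.unseal(blob),
        "quote_clean": verify_quote(tpm.verifier_key, nonce, golden, tpm.quote(nonce, PCRS)),
    }
    tpm.reset_pcrs()                      # reboot the same chip with a modified bootloader
    boot(tpm, TAMPERED_CHAIN)
    nonce = secrets.token_bytes(16)
    results["unseal_tampered"] = tpm.unseal(blob)
    results["quote_tampered"] = verify_quote(tpm.verifier_key, nonce, golden, tpm.quote(nonce, PCRS))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running `demo()` shows both halves of the mechanism: the volume key unseals after a clean boot and the quote verifies, while after a reboot with a patched bootloader the same blob returns `None` and the verifier's check fails, because PCR 1 now holds a different hash chain. In a real TPM the quote is an RSA signature made with an attestation key that is itself certified through the endorsement key, which is why the verifier does not need to share any secret with the chip as this HMAC stand-in does.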

While trusted computing technologies are gradually being adopted by many technology vendors, such as Microsoft in its Vista platform and Intel in its chip designs (the Trusted Platform Module), there are still many criticisms pointing to areas that need improvement.