The quest for the holy grail

Trusted or trustworthy computing has long been a goal of both industry and government, but attaining it remains elusive.Part of the problem is the difficulty in defining the concept. When computer systems exchange information, you need to make sure the inputs and outputs are valid and unaltered. But how do you gauge ? or trust ? such assertions?"You can ask 10 people, and you'll get 10 different answers," said Bud Wilson, information technology director at the government solutions unit of TechTeam Global Inc.Most people in industry interpret "trustworthy computing" to mean secure computing, Wilson said, but that is too broad to be a good definition. Microsoft Corp. has a trustworthy-computing initiative, which refers to a reliable, repeatable software development process.To the standards organization Trusted Computing Group, trusted computing refers to security controls based on its specifications built into hardware platforms. The standards body has given us the Trusted Platform Module chip for storing cryptographic keys, passwords and digital certificates, which is becoming common in laptop and desktop PCs.Then there is the trusted system according to the National Information Assurance Partnership, which refers to platforms that have been evaluated under the Common Criteria at Evaluation Assurance Level 4 or above for role-based access control, controlled access and labeled security protection profiles. So far, evaluated systems include Sun Microsystems Inc.'s Trusted Solaris Operating System Version 8, Red Hat Enterprise Linux Version 5 and the XTS-400 Secure Trusted Operating Program from BAE Systems Information Technology."I'm not sure there is a generally accepted definition," said Ron Ross, senior computer scientist at the National Institute of Standards and Technology.Ross is struggling to write a definition of trustworthy systems for the upcoming Special Publication 800-39, "Managing Enterprise Risk," which is part of a series of NIST publications on computer security. It is expected to be available this month.The focus of trustworthy computing in government is on enabling cross-domain data sharing so people can access data on networks handling differing levels of security classification from a single computer. This would help eliminate the need for multiple computers on a single desk and simplify data sharing within and among agencies. DOD and the intelligence community are working on a platform to enable this type of sharing with an eye toward the holy grail of trusted computing. "We're going to converge at some point between the DOD and the civilian agencies," Ross said.The Trusted Computing Group's Trusted Platform Module is probably the most visible element in enabling cross-domain information sharing. The group ? consisting of industry heavyweights such as Advanced Micro Devices Inc., Hewlett-Packard Co., Intel Corp. and Microsoft ? has developed a specification for building a secure microcontroller for laptops, desktop PCs or server motherboards. The controller generates cryptographic keys for signing documents and computer-based transactions. It also provides a description of the computer's hardware, which can be a source of nearly irrefutable identification for that computer.The Defense Department sees the TPM as a primary tool for securing sensitive-but-unclassified information on portable devices. In July, a DOD directive required the encryption of all sensitive data on laptops, personal digital assistants and removable storage devices using Federal Information Processing Standard 140-2 compliant tools. The department requires that all servers, desktop PCs, laptops and PDAs purchased include the TPM chip.Storing the keys and digital certificates for these functions on a dedicated piece of hardware keeps them more secure from external attacks and malicious code, the department said. TPM's hashing function can be used to ensure the integrity not only of documents stored on a computer but also of applications and other pieces of hardware on the computer, said Michael Willett, senior research director at the TCG. He called the TPM a security metric."Hashing is a way to take a cryptographic snapshot," he said. A hashing algorithm creates a unique numerical digest of a document, a piece of software or the code on a computer chip. The original contents cannot be derived from this digest or hash, but any change in the content results in a different hash. Comparing before-and-after hashes can reveal alterations, enabling detection of unauthorized tampering with documents or applications.The TPM also can be used as an interface for security functions being defined in specifications for trusted-storage devices. TCG has released a draft of the specifications for public comment.The TPM focuses on the computing platform, which is only half the equation, Willett said."As a storage guy, to me, that's the sound of one hand clapping," he said. Storage devices are "where data spends most of its useful life," and that is where security belongs. A working group began developing trusted-storage specifications about three years ago and released the 230-page document in June.Although the draft specifications are not expected to be ready until late this year, TCG said they are complete, and storage and application vendors can begin using them to design secure products.Specifications are provided for cryptography, public-key cryptography and digital signatures, hashing, random number generation and secure storage.Willett said the major hard-drive manufacturers who participated in development of the trusted-storage specification plan to incorporate the specifications in their products. The first application announced is full-disk encryption.Another secure-storage application likely to appear soon will be application locking, which will tie disks or other devices such as USB drives to a single computer. Secure-storage devices and their host computers will authenticate on another through a handshake protocol that TPM manages.TCG said an estimated 250 million devices with TPM chips installed have been shipped, and another 50 million are expected this year."There are chips bolted to most laptops, and it is appearing in servers," Willett said. The DOD mandate is expected to be a major catalyst in making the chips ubiquitous, and applications using the chip, such as BitLocker in Microsoft's Windows Vista operating system, are beginning to appear.But there has so far been a paucity of applications using the chip, and awareness of the chip and its functionality is growing slowly."There are a lot of reasons for that," Wilson said. "It's becoming pervasive in the hardware space. The early adopters are the financial sector and the DOD. Beyond that, it's a little bit early."But even with approaching ubiquity, many users and privacy advocates have reservations about the TPM and trusted computing in general. The big question for many users is: "Whom are you trusting?""I'm not a big fan of trusted computing," Wilson said. Its adoption makes sense within closed organizations such as DOD or a bank where close regulation is accepted, but consumers and other nonregulated users are likely to balk at it, he said.Others aren't as leery. "It's a good and helpful effort to increase the level of trust in the general computing environment," said Ed Hammersla, chief operating officer at Trusted Computer Solutions. TPM can help enable cross-domain information sharing, he said.Ross points out that trusted computing ultimately depends on more than technology built into hardware and software. It depends on a trusted relationship among the parties sharing information and between the users and their systems. This requires some way for each to judge the other's trustworthiness. This, in turn, requires the ability to demonstrate a level of compliance with a set of security requirements: a matter of technology and policy.Developers need to give more attention to software development and system-engineering processes, Ross said. Full trust can best be achieved when the applications and operating systems running on trusted-hardware platforms have been built from the ground up to standards of trustworthiness rather than merely evaluated for compliance with a set of specifications at the end of the process."We have focused an awful lot on the evaluation side, and we haven't spent enough time on the development process for good software," Ross said. "You cannot evaluate your way to good software."