TPM Hardware Offers Easier Security

Opinion: Current implementations are lacking, but hardware-based Trusted Platform Modules offer users a more secure future.

The good news is that in less than five years—if we survive that long—we may be able to take PC security for granted. That isnt to say all the worlds data and networks will be completely locked down, just that we wont have to worry nearly so much as we do today.

There will still be bad guys, of course, but they will have to work much harder and the reward for their criminal efforts may not be as great as it is today. A high level of security will be built into the systems and devices we use.

A key development—which most users will see when they purchase a new PC with Windows Vista on it—is the Trusted Platform Module, a chip that promises to dramatically improve hardware and network security.

If the module proves trustworthy, and there is every reason to believe it will, analysts expect it to become a standard component of PCs and other devices beginning, well, now.

/zimages/2/28571.gifRead more here about why analysts think hardware-based Trusted Platform Modules are the wave of the future.

The TPM, which can be included in processor chip sets or built on as a discrete device, stores encryption keys in whats been called an electronic, hardware-based lockbox. The reason this matters is because cryptographic information stored in software can never be completely secure.

Back in 2000, nCipher, a company located in Cambridge, England, proved that software-based security could be cracked by looking for random numbers stored in main memory. Using the algorithm developed by nCipher, an intruder could take control of a PC with only software security and collect its private keys.

With a TPM chip installed, cryptographic operations are handled in hardware, which offers a greater degree of protection. Is this perfect protection? What do you think? But TPM has been in development since 1999, when IBM pioneered the technique, and has wide industry support.

TPM-equipped computers are already available from IBM, HP, Lenovo, and Dell. Gateway, Fujitsu-Siemens, and Toshiba have announced plans to join the TPM party as well.

Current implementations are not common, however, at least in part due to poor user interfaces, the type only a corporate security boss could love (and users despise).

Microsoft has built TPM support into Windows Vista and Intel is expected to implement the TPM standard in its chip sets.

All this should come together on many users desktops when new Vista-compliant hardware is installed in 2006 and beyond. Vista, of course, includes a number of other security features, independent of TPM.

/zimages/2/28571.gifClick here to read about Seagates hardware-encrypted notebook hard drive.

By the time Vista ships in mid-to-late 2006, TPM proponents expect that the user interface issues will be solved and TPM will become a standard way to implement hardware security, used for authenticating hardware on a network or maintaining the keys for hard drives and other encrypted resources.

What TPM wont do, however, is authenticate the user sitting at the keyboard. For that, I am expecting biometrics, especially fingerprints, to prevail. With a fingerprint reader, users could "prove" their identities to the computer for log-on. TPM would then authenticate the computer onto the network and provide access to encrypted key chains and hard drives.

With the proper software, this could be made transparent to users. Fingerprint authentication would actually be simpler than what users do today: remember or write down passwords.

With TPM, it would be easy for users to create different passwords for every service or site that requested one, all accessible with a single fingerprint and automatically dispensed as required.

Each of these passwords could be strong and individual. This would prevent criminals from discovering the single, often weak, password that opens all a users accounts.

Analyst firm IDC predicts that TPM adoption for both business and consumer PC hardware will ramp up to near ubiquity by 2010. TPM technology is also being developed for other platforms, including servers and wireless devices, and, if successful on desktops, might find wide adoption on these platforms as well.

So thats the good news. The bad news, of course, is that we have to get from today to five years from now. But since TPM can be expected to ramp up starting fairly soon, perhaps the road ahead will be less bumpy—and more secure—than the one weve traveled so far.

/zimages/2/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.