TPMs Make E-Commerce Safer

Opinion: Trusted Platform Modules will put e-commerce transactions on the user's side of the network.

I got interesting responses to my recent column on Trusted Platform Modules, which I see as having a great future in resolving some of our security problems. TPMs, if youve never heard of them, are chips that store cryptographic information needed to unlock hard drives, authenticate network log-ons and perform similar tasks.

/zimages/6/28571.gifClick here to read more about David Courseys column on TPMs.

Heres an e-mail I received from reader Jason Barkeloo, who apparently warned me of the pending rise of TPMs some time ago:

"Dig deep into the recesses of your mind. Do you recall our discussion of TPMs about a year or two ago?

"Hint: The developer board from Intel (x86) that Apple is now using has an Infineon TPM on it. No surprise why Jobs moved so quickly! The Trusted Computing Group (TCG) really has some legs under it now. Watch out! A secured Pixar movie coming to your desktop soon."

Jason says that what excites him about TPMs is their role in electronic transactions because they can turn the transaction into the passing of anonymous certificates, which still make sure the money and the product get to their proper destinations. Hacking such a certificate would not give criminals access to personal information such as credit card numbers.

"I want to do the transaction for the movie on my side of the network, not on the server-side. Server-side is akin to walking into Kmart and handing the clerk your wallet and asking him/her to photocopy and store your information. You wouldnt do that and it is why the current ecommerce structure is broken. With a TPM you can control the transaction from your side of the network and the server (and administrator) has no control over it. This I like. This is client-side control."

The column also mentioned a 2000 study by nCipher that proved software-based security to be inherently insecure, if the hacker is determined enough. Following the columns appearance, the company sent me a current report, this one a 2005 survey of 237 security decision-makers.

The survey found that "25 percent of respondents have already deployed or plan to deploy TPM-enabled desktop and laptop computers within the next two years, demonstrating that enterprises increasingly want to protect keys within dedicated hardware security components."

/zimages/6/28571.gifFor more insights from David Coursey, check out his Weblog.

According to nCipher, while this reflects an impressive adoption rate for a relatively new technology, 28 percent of respondents didnt know what their plans were regarding the new TPM-based security features.

I dont find the lack of knowledge about TPM to be too surprising, but as I said in the column and John Spooner reported in a related story, TPM has begun to generate a great deal of attention and is starting to come onto the radars of almost everyone in data security.

/zimages/6/28571.gifCheck out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at Security Center Editor Larry Seltzers Weblog.