Dell to Add Security Chip to PCs

Michael Gile mgile at mac.com
Fri Feb 4 19:18:29 EST 2005


Dan Kaminsky wrote:
> TCPA eliminates external checks and balances, such as antivirus.  As the 
> user, I'm not trusted to audit operations within a TCPA-established 
> sandbox.  Antivirus is essentially a user system auditing tool, and 
> TCPA-based systems have these big black boxes AV isn't allowed to analyze.

Actually, as the owner of the Trusted Platform Module (TPM), you have 
complete control over the use of your TPM.  This means you can prevent 
applications from using certain functions of the TPM, including creating 
and using keys.  In addition, the TCG specifications may in fact enhance 
the AV experience by allowing AV programs to ensure audit log integrity 
using the Platform Configuration Registers (PCRs, 20-byte registers 
that store chained SHA-1 hashes) in conjunction with a stored 
measurement log.  These PCRs may then be exported in a signed log 
(signed by the TPM endorsement key), ensuring that a rogue application 
has not tampered with the results of the AV scan.

> Imagine a sandbox that parses input code signed to an API-derivable 
> public key.  Imagine an exploit encrypted to that.  Can AV decrypt the 
> payload and prevent execution?  No, of course not.  Only the TCPA 
> sandbox can.  But since AV can't get inside of the TCPA sandbox, 
> whatever content is "protected" in there is quite conspicuously 
> unprotected.

The TCPA (now TCG) does not define a sandbox in which Windows/*nix 
applications execute.  It simply defines the TPM and the software that 
is responsible for ferrying messages back and forth from the TPM in the 
appropriate format (TSS - TCG Software Stack).  You may be confusing the 
work of the TCG with work being done by both Microsoft (NGSCB/Palladium) 
and Intel (LaGrande).  While MS may use the TPM to bootstrap an OS 
capable of executing sandboxed applications, this is not the result of 
work done by the TCG, which is a consortium of many companies (including 
MS, Intel, HP, IBM, Sun, AMD, etc.) with varying goals.

So, in your example above, once the exploit code is decrypted, it is 
*outside* the TPM, and thus subject to all normal system inspection 
software.  So yes, the AV program could in fact prevent execution of an 
exploit encrypted to a key contained within the TPM trust boundary*. 
However, a LaGrande/NGSCB system may be subject to the attack you describe.

*I say boundary because the TPM does not in fact store public/private 
keypairs internally.  Rather it encrypts all keypairs using the Storage 
Root Key (SRK) - a 2048-bit RSA keypair - and then exports the key for 
storage on the local storage device (most commonly the hard disk). 
Another noteworthy aspect of all TPM devices on the market today 
(version 1.1 of the TCG specifications) is that they do NOT perform 
symmetric encryption, only asymmetric encryption and hashing (RSA and 
SHA-1, respectively, as required by the standard).


Regards,
Mike


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
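
Added example, not part of the original post or of any TCG software: the
chained SHA-1 PCR scheme the message describes, replayed against a stored
measurement log to show that an edited, shortened or reordered log no longer
reproduces the PCR value. The log entry format and sample entries are
constructed, and the signature check on the reported PCR is assumed to have
been done elsewhere.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, the PCR width given in the post


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.x extend: new PCR = SHA-1(old PCR || measurement digest)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def replay(log):
    """Recompute the PCR value implied by a stored measurement log.

    Each entry is (description, event_data), a format assumed for this
    example; the measurement that gets extended is SHA-1(event_data).
    """
    pcr = bytes(PCR_SIZE)  # PCRs reset to all zeros
    for _desc, data in log:
        pcr = extend(pcr, hashlib.sha1(data).digest())
    return pcr


def log_matches_pcr(log, reported_pcr: bytes) -> bool:
    """True if the stored log reproduces the PCR value exactly."""
    return hmac.compare_digest(replay(log), reported_pcr)


# Constructed sample log: three AV scan results recorded in order.
SAMPLE_LOG = [
    ("scan", b"/bin/ls clean"),
    ("scan", b"/tmp/dropper.exe INFECTED"),
    ("scan", b"/usr/bin/ssh clean"),
]

# Stand-in for the PCR value reported by the TPM. Verifying the
# signature on that report is out of scope here and assumed done.
REPORTED_PCR = replay(SAMPLE_LOG)

# Three ways a rogue application might alter the stored log.
EDITED = [SAMPLE_LOG[0], ("scan", b"/tmp/dropper.exe clean"), SAMPLE_LOG[2]]
DROPPED = [SAMPLE_LOG[0], SAMPLE_LOG[2]]
REORDERED = [SAMPLE_LOG[1], SAMPLE_LOG[0], SAMPLE_LOG[2]]

if __name__ == "__main__":
    for name, log in [("original", SAMPLE_LOG), ("edited", EDITED),
                      ("dropped", DROPPED), ("reordered", REORDERED)]:
        print(f"{name:9s} matches PCR: {log_matches_pcr(log, REPORTED_PCR)}")
```

Because each extend folds the previous PCR value into the next hash, the
final value depends on every entry and on their order.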


