Dell to Add Security Chip to PCs
Michael Gile
mgile at mac.com
Fri Feb 4 19:18:29 EST 2005

Dan Kaminsky wrote:
> TCPA eliminates external checks and balances, such as antivirus. As the
> user, I'm not trusted to audit operations within a TCPA-established
> sandbox. Antivirus is essentially a user system auditing tool, and
> TCPA-based systems have these big black boxes AV isn't allowed to analyze.

Actually, as the owner of the Trusted Platform Module (TPM), you have
complete control over the use of your TPM. This means you can prevent
applications from using certain functions of the TPM, including creating
and using keys. In addition, the TCG specifications may in fact enhance
the AV experience by allowing AV programs to ensure audit log integrity
using the Platform Configuration Registers (PCRs, 20-byte registers
that store chained SHA-1 hashes) in conjunction with a stored
measurement log. These PCRs may then be exported in a signed log
(signed by the TPM endorsement key), ensuring that a rogue application
has not tampered with the results of the AV scan.

> Imagine a sandbox that parses input code signed to an API-derivable
> public key. Imagine an exploit encrypted to that. Can AV decrypt the
> payload and prevent execution? No, of course not. Only the TCPA
> sandbox can. But since AV can't get inside of the TCPA sandbox,
> whatever content is "protected" in there is quite conspicuously
> unprotected.

The TCPA (now TCG) does not define a sandbox in which Windows/*nix
applications execute. It simply defines the TPM and the software that
is responsible for ferrying messages back and forth from the TPM in the
appropriate format (TSS - TCG Software Stack). You may be confusing the
work of the TCG with work being done by both Microsoft (NGSCB/Palladium)
and Intel (LaGrande). While MS may use the TPM to bootstrap an OS
capable of executing sandboxed applications, this is not the result of
work done by the TCG, which is a consortium of many companies (including
MS, Intel, HP, IBM, Sun, AMD, etc.) with varying goals.

So, in your example above, once the exploit code is decrypted, it is
*outside* the TPM, and thus subject to all normal system inspection
software. So yes, the AV program could in fact prevent execution of an
exploit encrypted to a key contained within the TPM trust boundary*.
However, a LaGrande/NGSCB system may be subject to the attack you describe.

*I say boundary because the TPM does not in fact store public/private
keypairs internally. Rather it encrypts all keypairs using the Storage
Root Key (SRK) - a 2048-bit RSA keypair - and then exports the key for
storage on the local storage device (most commonly the hard disk).

Another noteworthy aspect of all TPM devices on the market today
(version 1.1 of the TCG specifications) is that they do NOT perform
symmetric encryption, only asymmetric encryption and hashing (RSA and
SHA-1, respectively, as required by the standard).

Regards,
Mike
---------------------------------------------------------------------
The Cryptography Mailing List
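
The audit-log check described in the message above (a 20-byte PCR holding chained SHA-1 hashes, verified against a stored measurement log), as an added example that is not part of the original post. The log records, the names `replay` and `log_matches_pcr`, and the use of a locally computed value in place of a PCR read from a TPM are all assumptions; verifying the signature on the exported PCR value is outside this sketch.

```python
import hashlib
import hmac

PCR_SIZE = 20  # SHA-1 digest length, matching the 20-byte PCRs in the message


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Chained update: new PCR = SHA-1(old PCR || measurement digest)."""
    if len(pcr) != PCR_SIZE or len(measurement) != PCR_SIZE:
        raise ValueError("PCR and measurement must both be 20 bytes")
    return hashlib.sha1(pcr + measurement).digest()


def replay(log: list[bytes]) -> bytes:
    """Recompute the PCR value a stored log implies, from the all-zero reset value."""
    pcr = bytes(PCR_SIZE)
    for entry in log:
        pcr = extend(pcr, hashlib.sha1(entry).digest())
    return pcr


def log_matches_pcr(log: list[bytes], reported_pcr: bytes) -> bool:
    """True only if the log holds exactly the records extended, in the same order."""
    return hmac.compare_digest(replay(log), reported_pcr)


# Constructed sample: AV audit records, each extended into the PCR as it is written.
AUDIT_LOG = [
    b"2005-02-04T19:00:01 scan start",
    b"2005-02-04T19:03:12 C:\\tmp\\a.exe INFECTED",
    b"2005-02-04T19:05:40 scan end, 1 threat",
]
REPORTED_PCR = replay(AUDIT_LOG)  # assumption: stands in for the value read from the TPM

# Changes a rogue application might make to the stored log after the scan.
EDITED = [AUDIT_LOG[0], b"2005-02-04T19:03:12 C:\\tmp\\a.exe clean", AUDIT_LOG[2]]
DROPPED = [AUDIT_LOG[0], AUDIT_LOG[2]]
REORDERED = [AUDIT_LOG[1], AUDIT_LOG[0], AUDIT_LOG[2]]

if __name__ == "__main__":
    for name, log in [("original", AUDIT_LOG), ("edited", EDITED),
                      ("dropped", DROPPED), ("reordered", REORDERED)]:
        print(f"{name:9} matches PCR: {log_matches_pcr(log, REPORTED_PCR)}")
```

Because each extend hashes the previous register value, rewriting, removing or reordering any record changes the replayed result, so the stored log can live on ordinary disk while only the 20-byte PCR needs protection.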