Palladiated Handheld Security Spec

R.A. Hettinga rah at shipwright.com
Thu Oct 28 16:57:42 EDT 2004


<http://www.eweek.com/print_article/0,1761,a=138221,00.asp>

EWeek




'Palladium' Echoes in New Handheld Security Spec


October 27, 2004
 By   Mark Hachman


 Intel, IBM and NTT DoCoMo have released a specification to create a
"trusted mobile platform," which appears to take the foundation of
Microsoft's own trust initiative, "Palladium," into the mobile space.

 The three companies placed the Trusted Mobile Platform specification on
the Internet for public review. An executive at Santa Clara, Calif.-based
Intel said the company hopes to have TMP products on the market by 2005,
although the timing will be heavily dependent on OEM participation.

The problem is that, as of now, the TMP group does not include a
participating handset OEM, an operating-system manufacturer, a
radio-component manufacturer, an application provider or a manufacturer of
the trusted platform module (TPM) components that will be used to secure
the platform.

 The lack of these elements led one analyst to state that the triumvirate
will need many more players to achieve the critical mass it will need to
move forward. But things move quickly in the mobile space, other analysts
said, and even an aggressive 2005 launch date might not be out of reach.

 The goal is to provide a means of "trust" inside a mobile platform,
similar to the "Palladium" initiative Microsoft Corp. began floating in
2002 and later referred to as the Next Generation Secure Computing Base.


NGSCB is supposed to be a feature of Longhorn, Microsoft's next-generation
OS. In May, Microsoft said it would tweak the Palladium architecture to
make it simpler for developers to produce compatible applications.

 Like Palladium, the TMP initiative is designed to secure mobile commerce
and protect the system from viruses and/or worms designed to modify the
internal code.

 Intel's contributions are as a chip provider, while DoCoMo contributed the
"key usage scenarios" that guided the research into creating the
specification, said Jeff Krisa, director of marketing for Intel's cellular
handheld group.

 Intel has already placed some elements of the TMP within its "Bulverde"
wireless applications processor, known as the PXA27X family, Krisa said.

 "The level of digital rights management will be implemented on the
software level within the middleware, and will procedurally determine what
you can pass forward and save on the handset as well," Krisa said, adding
that it will be managed by IBM's WebSphere team.

 IBM contributed software "expertise," June Namioka, a spokeswoman for
IBM's Asia-Pacific headquarters in Tokyo, said in an interview. Intel's
Krisa said work focused on some of the higher-end software protocols used
by the technology.

 One analyst called IBM's involvement significant. "Enterprise wireless
apps are more of a concern for the average IT manager than for the average
consumer," said Julie Ask, a wireless analyst with Jupitermedia Corp.'s
JupiterResearch division. "The risk isn't so much in bringing down my
phone, it's hacking into my system or making sure the workers on the
factory floor can't talk to one another, which could be disastrous."

 However, the initiative currently lacks the support of a number of other
key vendors. For his part, Krisa said the 2005 launch date is "highly
dependent on other members, middleware ecosystem and OS vendors." A
representative from Symbian, a U.K.-based provider of embedded OSes, did
not return a call for comment.

 Although both the hardware and software specifications were released
Wednesday, the software document indicates that it was authored June 23.

 Analyst reaction was mixed. "Without having details, I see this '05 thing
as questionable," said Neil Strother, senior analyst with In-Stat/MDR in
Phoenix. "Even if they move quickly, I'm skeptical."

 If you want to build trust in the trust model, "you have to get the
banking guys on board," he said.

 Cliff Raskind, director of wireless enterprise strategies at Boston-based
Strategy Analytics, said his first impression was that the triumvirate
didn't have the clout that a trio of Microsoft, Intel and Cisco Systems
Inc. might have in trying to establish standards for the Wi-Fi space.
Wireless, by contrast, encompasses too many players. "You need buy-in
across the board," he said.

On the other hand, the life cycle for phones has shrunk to between six and
eight months, forcing handset makers and carriers alike to implement new
technology quickly or risk losing market share, analysts said. In a recent
executive study, JupiterResearch found that 30 percent of the respondents
cited poor device security as their chief barriers to adopting new wireless
devices. Thirty-one percent cited poor network security.

 "Things do move quickly in the mobile space, and Intel is very serious in
growing its communications business and putting in the marketing dollars to
do so," JupiterResearch's Ask said.


"When you announce with a carrier, that's good," Ask added. "I'm not sure
if it's going to turn into a North American thing, though, versus a
Japanese one." Asian carriers are usually on the leading edge of OS and
technology advances, she said. Other analysts pointed out that NTT DoCoMo
is a major player only in the GSM space, and a European and American
carrier would need to sign on.

 None of the analysts reached for comment said they had been briefed on the
TMP technology, which they found unusual.

 The TMP initiative creates a "boundary of trust" around some of the
central components within the handheld system. The system initially boots
from a trusted OS stored on a secure ROM, and through the applications
processor that's checked against the Trusted Platform Module, or TPM. Data
stored on removable devices such as flash cards must be securely encrypted,
and the specification also lists the SIM card, used to identify the phone
to the carrier, as a trusted device that can authenticate the user.

 Intel's Krisa said the Trusted Computing Group, which oversees the TPM
specifications, will have to come up with a derivative designed for mobile
handsets to minimize the platform's power consumption.


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

---------------------------------------------------------------------
The Cryptography Mailing List