
D3.9: Study on the Impact of Trusted Computing on Identity and Identity Management

Controversial and Legal aspects of Trusted Computing

Controversial issues

Services and transactions that rely on computing devices are exposed to many kinds of risk, most often because a reliable basis of security is missing. The TCG tries to address this problem. Its proposed solution is not universally welcomed, however: scientists and independent interest groups have expressed concerns.

A large share of the IT market is held by the companies that founded the TCG. The members of the TCG could use Trusted Computing to strengthen their position on the market and to restrict competition. Users of computing devices may also be constrained in the way they can use their devices. The possible uses of the various techniques in the Trusted Computing specifications, and their effects, therefore raise concerns.

Criticisms and concerns were expressed, for instance, by researchers like Ross Anderson [106] and by organisations like the Electronic Frontier Foundation [118] or the Chaos Computer Club in Germany. In particular, the former TCPA engendered mistrust through a lack of openness and a closed-door standardisation process.

In the following we present controversial issues of Trusted Computing and their potential effects on security, privacy, and the customer's position.

Attestation and Sealing 

Remote platform attestation makes it possible to read out the exact state of a computing device over a network and to detect unauthorised changes to its software. For the legitimate user of a remote computer system it is a feature for detecting tampering. But third parties could also use this technique to check all software running on the system in order to certify it. Such a third party obtains sensitive information about the customer's device and can affect privacy by linking the customer's requests, because unique keys like the Endorsement Key are used.

As stated in [115], a remote entity should not learn all software installed on a device but only a minimal set of information. Otherwise serious issues regarding privacy and market dominance arise, and the information could be used to limit the options of the customer's device.

For the attestation of a computing device, a hash value over all running programs is created and checked against a database to verify that the value is correct. According to [115] the hash value can be invalid if an unknown program is running on the device, so that a service provider may deny services.

A zero-knowledge technique for improved privacy was published in TPM specification 1.2. Direct anonymous attestation (DAA) enhances the privacy of the computer owner and provides attestation directly, without involving a third party. It uses unlinkable digital pseudonyms, so that service providers cannot link pseudonyms of the same person or device.

Owner override is a technique proposed by Seth Schoen [118] to combine the possible benefits of Trusted Computing with improved protection of users' privacy. His suggestion is that an attestation need not reflect the actual state of the software environment; instead the owner chooses the picture of the software environment that is reported, which can differ completely from the real one.

This would support freedom of choice in software products, while the owner of the platform is still informed if the software on his computing device has been changed without his knowledge.

A further technique of Trusted Computing is sealing. As mentioned in chapter 3, sealing can be used to bind data to a single platform or application. Sealed data is protected against unauthorised access and distribution.

With the help of attestation and sealing, the TPM could be used, for example, to enforce software licenses and to support Digital Rights Management (DRM).

DRM can be used to limit access to all kinds of documents and could thus also serve as a kind of censorship. It is possible to limit the use of content to a specific platform [118]. The program that created a file could also prevent any other program from reading it. Thus, interoperability could be restricted by the techniques of Trusted Computing [118].
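The two mechanisms discussed in this section, attestation of a hash value over the running programs against a known-good database (with denial of service when an unknown program is present) and sealing of data to a platform state, can be illustrated with a small Python model. This is an added example, not code from the FIDIS deliverable, the TCG specifications or any TPM vendor. The program images, the verifier's database and the TPM secret are constructed stand-ins; the PCR extend operation SHA-1(old PCR || measurement) mirrors the 20-byte registers of TPM 1.2; and the cipher used for sealing is a toy HMAC-based construction for illustration only (a real TPM stores the PCR digest with the sealed blob and compares it, whereas here a changed platform state shows up as a failed integrity tag). The `inventory` returned by the verifier makes the privacy point of [115] concrete: with a reference database, a single hash value tells the remote party exactly which software is installed.

```python
"""Toy model of measured boot, remote attestation and sealing (constructed example)."""
import hashlib
import hmac

# TPM 1.2 platform configuration registers (PCRs) are 20-byte SHA-1 values.
PCR_INIT = b"\x00" * 20


def measure(image: bytes) -> bytes:
    """Measurement of a program image, as a boot loader would compute it."""
    return hashlib.sha1(image).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM 1.2 extend: PCR_new = SHA-1(PCR_old || measurement).
    The register can only be extended, never set, so the final value
    depends on every measurement and on their order."""
    return hashlib.sha1(pcr + measurement).digest()


def boot_and_measure(programs):
    """Measure each (name, image) into one PCR; return (pcr, event_log)."""
    pcr, log = PCR_INIT, []
    for name, image in programs:
        m = measure(image)
        log.append((name, m))
        pcr = pcr_extend(pcr, m)
    return pcr, log


# Constructed sample platform; the bytes stand in for real binaries.
GOOD_PLATFORM = [
    ("bootloader", b"bootloader v1"),
    ("os kernel", b"os kernel 4.0"),
    ("dr-agent", b"dr-agent 2.1"),
]
# The verifier's database of certified software: measurement -> product name.
KNOWN_GOOD = {measure(image): name for name, image in GOOD_PLATFORM}


def verify_attestation(reported_pcr: bytes, event_log, known_good):
    """Verifier side: replay the event log against the reported PCR and look
    every measurement up in the known-good database.
    Returns (decision, inventory); the inventory is the complete software
    list the verifier learns from a single attested hash value."""
    pcr, inventory, unknown = PCR_INIT, [], []
    for name, m in event_log:
        pcr = pcr_extend(pcr, m)
        if m in known_good:
            inventory.append(known_good[m])
        else:
            unknown.append(name)
    if pcr != reported_pcr:
        return "reject: event log does not reproduce reported PCR", inventory
    if unknown:  # unknown program present -> service provider denies service
        return "deny: unknown software " + ", ".join(unknown), inventory
    return "allow", inventory


def _derive(tpm_secret: bytes, pcr: bytes, label: bytes) -> bytes:
    """Key bound to the platform state: depends on the TPM secret and the PCR."""
    return hmac.new(tpm_secret, label + pcr, hashlib.sha256).digest()


def _keystream(key: bytes, n: int) -> bytes:
    """Toy HMAC counter-mode keystream (illustration only, not a real cipher)."""
    blocks = [hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32)]
    return b"".join(blocks)[:n]


def seal(tpm_secret: bytes, pcr: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate plaintext under keys derived from the PCR."""
    enc_key = _derive(tpm_secret, pcr, b"enc")
    mac_key = _derive(tpm_secret, pcr, b"mac")
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, len(plaintext))))
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def unseal(tpm_secret: bytes, pcr: bytes, blob: bytes):
    """Return the plaintext if the current PCR equals the sealing state, else None.
    A real TPM compares the PCR digest stored in the blob; here a different
    platform state yields different keys and therefore a failed tag."""
    ct, tag = blob[:-32], blob[-32:]
    mac_key = _derive(tpm_secret, pcr, b"mac")
    if not hmac.compare_digest(tag, hmac.new(mac_key, ct, hashlib.sha256).digest()):
        return None
    enc_key = _derive(tpm_secret, pcr, b"enc")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, len(ct))))


def demo():
    tpm_secret = b"constructed-tpm-secret"  # stand-in for the TPM's internal key
    good_pcr, good_log = boot_and_measure(GOOD_PLATFORM)
    # The same platform with one additional, uncertified program running.
    other_pcr, other_log = boot_and_measure(
        GOOD_PLATFORM + [("homebrew", b"homebrew player 0.1")])
    blob = seal(tpm_secret, good_pcr, b"personal notes")
    return {
        "good": verify_attestation(good_pcr, good_log, KNOWN_GOOD),
        "unknown": verify_attestation(other_pcr, other_log, KNOWN_GOOD),
        "tampered_log": verify_attestation(good_pcr, good_log[:-1], KNOWN_GOOD),
        "unseal_same_state": unseal(tpm_secret, good_pcr, blob),
        "unseal_other_state": unseal(tpm_secret, other_pcr, blob),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Running `demo()` shows the three outcomes discussed in the text: the certified platform is allowed and the verifier learns its full software inventory; the platform with one uncertified program is denied; and the data sealed to the certified state cannot be unsealed once that state has changed, which is the same mechanism that lets a creating program lock a file away from every other program.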

Harmful software and certification 

Trusted Computing could improve the security of today's computing devices, but the TCG security model does not prevent any kind of software from running. The security model concentrates on software isolation, so that one program cannot interfere with others; it therefore offers only minor protection against insecure or harmful software such as worms or viruses. One way to distinguish insecure from secure software is to sign software after an extensive evaluation and to execute it only if the signature is valid. For this, the certification process has to be open and transparent, and an independent organisation should conduct the evaluation. Otherwise this power could be misused by a single authority deciding whether a piece of software or hardware gets a certificate or not.

A monoculture of operating systems, brought about by software attestation and automatic updates, should be avoided. Otherwise attacks on trusted systems become more profitable, because if an attack on one system succeeds, all other systems can be breached too.

Endorsement key and the TPM  

As mentioned in chapter 4.2.3, the Endorsement Key is a unique key that identifies a single TPM and is the main key for all further operations. The central building block of the security model, the TPM, is hardwired on the motherboard, and all important keys are stored and used inside it. According to [120] this may serve commercial interests rather than increase the security of a customer's computing device. To avoid this, the customer should control all keys and thus decide the purpose of each key; that is, the legitimate computer user should be able to erase the Endorsement Key and replace it with a key of his choice. In specification 1.2 of the TPM the TCG allows the deletion of the Endorsement Key. But this means that all credentials and certificates linked with the old Endorsement Key become invalid, and the TPM-based keys, credentials and certificates have to be renewed, which could be very complex for a normal user.

The linkage of the most important keys to the hardware of a computing device instead of to a concrete user is a further deficiency of the specification [120]. The TPM is designed so that keys are created, used and stored only inside it and are normally never released. That means, for instance, that a software license for a certain computing device could be bound to hardware-integrated keys. Replacing a computing device could then also require purchasing new software licenses, if the keys cannot be transferred to the new device. Binding the keys to a portable device, so that the user can transfer important keys to other computing devices, is a potential solution; smart card systems could provide most of the security benefits in a more flexible way.

Implementation and Backdoors 

A computer owner cannot verify whether the Trusted Computing hardware has been implemented according to the published specifications. This is an important problem of all cryptographic hardware [118]. Implemented backdoors or undocumented features can endanger the whole security concept. The cryptographic hardware has access to important secret information and also has opportunities to leak this information through hidden channels. These channels are difficult to identify, so the security of all involved information is questionable, and third parties could obtain unauthorised access to private information.

It has to be assured that the implementation follows the specification and includes only documented features. Only if the operations of the cryptographic hardware are transparent can the computing device be protected. If an accurate examination of the cryptographic hardware is not possible (because of integration or insufficient documentation), the cryptographic component becomes a black box. Weis, Lucks, and Bogk [120] advise that design and production have to be controlled by trustworthy international institutions.

Implementing truly secure components is not a trivial task. For the available TC components this was analysed in [116]. It was shown that various bootloaders used for Trusted Computing contain bugs and ways to attack the chain of trust. Moreover, the authors show that with very little effort it was possible to reset the TPM without resetting the whole platform. This leads to a Trusted Computing base that reports a platform state which does not reflect the true state of that platform.

There are some endeavours by members of the TCG to integrate the TPM into other hardware components. Combining cryptographic functions with other hardware building blocks like the CPU (see also Intel's LaGrande) or I/O components (see also IBM's Super I/O chipset) complicates evaluation. According to [120] this is not appropriate, because the functions of the cryptographic component are mixed with other functions; it is then not clear which function belongs to which part of the component, and examining and verifying the cryptographic component becomes difficult. The cryptographic component should be implemented separately in order to facilitate security-related verification.

Cryptographic issues 

Cryptographers approve of the TCG's use of well-evaluated and standardised algorithms like RSA and SHA-1. But algorithms like SHA-1 will not fulfil near-future security requirements and should be replaced by stronger ones [120].

The transition of the implemented cryptographic chips from TCG TPM specification 1.1b to 1.2, which introduced many security-related improvements, is a slow process, so the obsolete version was still being integrated long after the new specification had been released. Because the cryptographic component is hardwired, an update of its cryptographic functions is only possible by replacing the hardware component.

Hardware Attacks 

Recent research has shown that it is very easy to attack the Trusted Computing base if the attacker can mount attacks against the hardware. One can argue that this is not a security breach, as the TCG does not claim to protect against hardware attacks. But on the other hand, the possibility of successful hardware attacks has to be taken into account when designing distributed systems based on Trusted Computing, and as history teaches, chances are high that this will not always be the case. A possible scenario is that users are requested to store personal data on a server secured with the help of Trusted Computing. Of course a user can use remote attestation to try to convince himself that the data is protected on the remote system. But as Trusted Computing does not prevent hardware attacks, he can never be sure that the operator of the server (or some other person with physical access to it) will not learn his confidential data.

Open Source Software and Patents 

In order to ensure that only software without security holes runs on trusted devices, all computer programs would have to be evaluated and signed in future. That means an extensive and expensive evaluation of software is necessary before signing it. If an open source program were signed, only that version would carry the signature, and changing its source code would make the signature invalid. This kind of certification process therefore contradicts the GNU General Public License, which allows the modification of source code [120].

For example, part of Microsoft's NGSCB technology is covered by patents, so it is uncertain whether other developers could use this technology. Patents may restrict the development and use of Trusted Computing in the open source sector.

The concept of Trusted Computing is an extensive one, but it should not be relied on alone. People might become less sensitive to privacy and security threats and problems because they believe (assume) that the technology in itself is highly secure and that everything is now safe due to the use of Trusted Computing. If Trusted Computing is not 100% secure (the highly realistic view), measures to prevent privacy breaches, as well as logging and auditing, might fail, e.g. because they are manipulated by an attacker.

But the use of Trusted Computing for enhancing the security and privacy of business processes might eventually force users to adopt Trusted Computing. Along with it they get all the negative aspects of Trusted Computing, such as threats to privacy, e.g. due to the identifying Endorsement Key, or loss of control.

On the one hand, the TCG is still working on the specifications, so security- and privacy-related issues might be improved, and the standardisation process is open to large groups of people. On the other hand, hardwired cryptographic components based on the TPM specifications are already built into notebooks and computer systems, and these cannot be updated.
