Security spec gets an upgrade, broader backing

The Trusted Computing Group has passed a milestone in its efforts to improve computer security.

November 21, 2003


SAN MATEO, Calif. - The Trusted Computing Group passed a milestone in its efforts to improve computer security on Nov. 5, announcing a key update of its specification. The update comes as the TCG adds Sun Microsystems Inc. to its membership and forms a new working group to bring its technology to PDAs.

At the RSA Conference in Amsterdam, the TCG announced it has completed version 1.2 of its trusted platform module (TPM) spec. TPMs are relatively simple chips, currently made by Atmel, Infineon and National, with microcontrollers and solid state storage that can perform hashing algorithms and store encrypted keys for a PC or other systems.

The TPM 1.2 spec includes a handful of new features to enable the chips to generate multiple keys for various applications and services in a manner that allows the system user to remain anonymous. The updated chips should be available in the second half of 2004.

IBM expects it will have shipped as many as 8 million systems, mainly Thinkpad notebooks, using 1.1 version TPMs by the end of this year. To date, Hewlett-Packard has announced a single model desktop with the 1.1 TPM. Both companies said they see value in moving to the new chips.

The chips form a hardware cornerstone for Microsoft Corp.'s Next-Generation Secure Computing Base (NGSCB), which will be built into the next generation of Windows, dubbed Longhorn and expected in 2005. Longhorn will add to the TPM hardware a secure execution mode and secure I/O on a desktop PC, as well as secure processes on an application-by-application level.

"There's a variety of platform opportunities for enabling stronger systems security and attestation" with the new spec, said Jim Ward, president of TCG and senior technical staff member for security strategy at IBM Corp. "I would expect to see some platforms exploit the 1.2 TPM features," before the advent of Longhorn, he added.

Separately, the TCG has formed a handheld working group to take the security architecture to PDAs. Sony Corp., which makes Palm OS-based handhelds, chairs the group.

TCG already has separate teams working on issues related to cellphones, servers and desktops. The cellphone and PDA working groups have no specific milestone targets yet, but those may emerge after the next TCG meeting in Orlando the week of Nov. 17.

In October, Sun joined the TCG, which to date has been primarily focused on implementations in a Windows environment. Indeed, Microsoft helped lead the work on the 1.2 version TPM to match up with its Longhorn plans.

"The TCG represents the first standards group to take up systems integrity and a secure boot process, and we believe they have done a lot of good work so far," said Tom Tahan, director of security technology at Sun. "We don't have any products [using TPMs] yet, but we are studying the technology and determining what we want to do with it," he added.

"There is a direct application of this technology possible for many platforms that could enhance with a hardware capability security that Java provides in software," Tahan said.

The group is reaching out to other operating systems, especially Linux, to extend its reach more broadly into the server world. Members from Hewlett-Packard's HP-UX team are already participating in the TCG effort.

"We are looking for widespread adoption of this technology to extend trusted computing to all platforms going forward," said Mark Schiller, HP's director of security strategy.

Atmel, one of the first companies to offer TPM chips, recently announced it has shipped 4 million devices to date.
