New group aims to secure PCs, PDAs, cell phones By Rick Merritt, EE Times April 8, 2003 (2:20 p.m. EST) URL: http://www.eetimes.com/story/OEG20030408S0046 SAN MATEO, Calif. Fifteen companies announced Tuesday [April 8] they have formed the Trusted Computing Group, an industry initiative to define and promote a specification for security in PCs, servers, PDAs and cellphones. The group essentially reboots the efforts of the now-disbanded PC-centric Trusted Computing Platform Alliance (TCPA), this time including participation from Nokia and consumer electronics companies such as Sony and Philips. The Trusted Computing Group (TCG) expects to release a specification for PC security before the end of the year. A spec for cell phones, however, could be as much as two years away. Founding members of the TCG are carryovers from the earlier 190-member TCPA effort. They include AMD, Hewlett-Packard, IBM, Intel and Microsoft. Contributing members include Atmel, Infineon, National Semiconductor, Nokia, Philips, Phoenix Technologies, Sony, ST Microelectronics, VeriSign and Wave Systems. The TCPA defined a trusted platform module (TPM), a basic device with encryption and secure memory capabilities to oversee PC security. However the TPM 1.1 chips now shipping from companies such as Atmel, Infineon and National Semiconductor have not been widely adopted to date and do not conform to concepts for a secure PC execution mode recently defined by Microsoft under a program it called Palladium. The TCG is defining a specification for a 1.2 version TPM and a software stack that will work with the Palladium architecture Microsoft developed in collaboration with Intel Corp. and Advanced Micro Devices. Microsoft will detail this approach publicly for the first time at the Windows Hardware Engineering Conference in May. Microsoft's implementation, which it now calls the Next Generation Secure Computing Base (NGSCB), will require new logic in several PC components including processors, chip sets, graphics processors and I/O devices. Indeed, the concept for a secure operating mode is so broad Microsoft will devote an entire track at WinHEC about 18 hours of content to describing it. Microsoft has not said, however, when it will ship software that complies with NGSCB. Industry watchers expect that code will appear late next year or early in 2005 in the next major version of Windows, dubbed Longhorn. The security scheme will work in conjunction with processor functions Intel Corp. calls Le Grande Technology and has embedded in its next-generation Pentium processor dubbed Prescott, expected to ship later this year. AMD will also support the PC security concepts in its processors though it has not indicated when. The TPM 1.2 modules will include a new session encryption interface and secure state counters that prevent replay security attacks, said Stephen Heil, a technical evangelist for security at Microsoft. The TCG has separate working groups defining those modules, a security software stack and particular needs for both servers and PDAs. The TCG is about to launch a working group to define a specification for secure cellphones, an effort that could take 18 to 24 months. Nokia is expected to be a key contributor to that group in addition to other members still being recruited by the TCG. I would expect to see our membership broaden to include many of the players required for that effort, said Geoffrey Strongin, a security specialist at AMD. Jim Ward, chair of TCG and a security specialist with IBM, said the group would like to create other specifications for platforms such as set-top boxes and video game consoles though no active efforts are currently underway. We are looking to develop a broad specification that can be used by a broad set of products, he said. The industry is coming together, said John Hull, director of marketing for advanced PC products at National Semiconductor. We are thoroughly convinced that the future of the PC rests on three legs: networking, security and manageability. You will have to have all three to play in PCs going forward, he added. Hull said he expects TPM module makers will update their products to comply with the new security spec when Prescott processors roll out this fall. Further in the future, the modules could be integrated into existing PC components such as SuperI/O parts that provide legacy support for serial, parallel, keyboard and floppy controllers. IBM is about the only company in production with systems using the [standalone] TPM 1.1 devices as far as I know, said Hull. Ward said IBM has shipped millions of TPM devices in its PC systems. An HP spokesman said the company has not yet shipped systems with the modules which typically cost about $5. We have to increase the rate of adoption. That's why integration with Super I/O makes a lot of sense. We think this will be a checkbox item going forward, Hull added. As a legally incorporated group, the TCG will enforce reasonable and non-discriminatory licensing of any intellectual property in the spec and define a mechanism to certify compliance to it. The group is also expected to take a more pro-active approach than its predecessor to addressing controversial issues about privacy and digital rights raised by the PC security effort. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com