RE: Free Rootkit with Every New Intel Machine

2007-07-02 Thread Ian Farquhar (ifarquha)
Dave Korn wrote:
 Ian Farquhar wrote:
 Maybe I am showing my eternal optimist side here, but to me, this is 
 how TPM's should be used, as opposed to the way their backers 
 originally wanted them used.  A removable module whose connection to a 
 device I establish (and can de-establish, assuming the presence of a 
 tamper-respondent barrier such as a sensor-enabled computer case to 
 legitimize that activity) is a very useful thing to me, as it 
 facilitates all sorts of useful applications.  [...]

 If you can remove it, what's to stop you plugging it into another machine and
 copying all your DRM-encumbered material to that machine?

 It's supposed to identify the machine, not the user.  Sounds to me like what
 you want is a personally identifying cert that you could carry around on a usb
 key...

Nothing, but you missed my point.  I'm not interested in the DRM functionality,
or user-removability.  My point was to look beyond that original remit.

Specifically, a module which supports authenticated physical removal (with a
programmed tamper response) *is* useful, especially for server applications. (*)
Smartcards and secure USB devices might be useful for other applications, but
not the one I was describing, because they lack a tamper response.

Note I'm also saying programmable tamper response.  Although I like the idea
of wiping keys on tamper response, it's not necessarily the ideal response.  A
better possibility (in certain circumstances) is the device entering a lockdown
mode with selected and modelled reduced functionality.  Examples of such
circumstances are where the tamper might be triggerable maliciously, thus
facilitating a DoS attack against the service.

Ian.

(*) And isn't it interesting how so many desktop systems are now starting to
run application mixes which really look like servers?

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: Free Rootkit with Every New Intel Machine

2007-06-30 Thread David G. Koontz
http://www.nvlabs.in/?q=node/32

Vipin Kumar of NVLabs had announced a break of TPM and a demonstration of a
break into BitLocker (presumably using the TPM), to be presented at Black Hat
2007.  The presentation has been pulled.

The significance to the exchanges on cryptography under this subject stems
from the abstract of the announcement.  It references a paper on
implementing Trusted Computing:

https://www.trustedcomputinggroup.org/news/Industry_Data/Implementing_Trusted_Computing_RK.pdf

from which Kumar interpolates the graph shown in figure 4 to make the
claim that through the end of 2007 there will be 150 million TPM devices
shipped.  The paragraph preceding figure 4 makes a claim of 20 million
TPM devices shipped in 2005.  The paper is produced by Endpoint
Technologies Associates, Inc., and doesn't give references for how the
numbers were promulgated.  The graph shows the number of TPM devices
shipped per year exceeding 250 million by 2010.

The point being that's a lot of tchotchkes, even if the claimed numbers are
inflated in a fashion reminiscent of how fast the internet was growing
before the internet bubble burst.

Even conservatively there are tens of millions of these devices sold,
although we have no indication how many were actually used for Trusted
Computing purposes.



Re: Free Rootkit with Every New Intel Machine

2007-06-30 Thread David G. Koontz
Looking for TPM enterprise adoption.

The current version of TPM was adopted in March of 2006, which should
have limited TPM uptake.

There's an article in Network World
http://www.networkworld.com/allstar/2006/092506-chip-security-papa-gino.html

from September 2006 talking about a restaurant chain being a pioneer in
the use of TPM, apparently a poster boy for Dell.

There's also

http://www.fcw.com/article95422-07-26-06-Web

July 26, 2006, talking about the Army mandating TPM in all their small
computers (PCs), a relatively large enterprise customer.

A 10-Q filed by Wave Systems in May provides provenance for the numbers
quoted in NVLabs' abstract on their TPM breaker:

http://sec.edgar-online.com/2007/05/10/0001104659-07-038339/Section9.asp

   Adoption of TPMs and Trusted Computing technology is also growing -
   according to industry analyst, IDC, shipments of TPMs are expected to
   grow from under 25 million units in 2005 to over 250 million units in
   2010. More information is available from the IT Compliance Institute.

(looking at the IT Compliance Institute doesn't seem to help)

The IDC is the quoted source for TPM adoption, figuring prominently on
the trustedcomputinggroup.org web site and articles derived from publicity.

There's an Executive Summary from IDC:

https://www.trustedcomputinggroup.org/news/Industry_Data/IDC_448_Web.pdf

Predicting 75 percent TPM penetration for worldwide desktop PCs in
2009, 85 percent for mobile computing, and 80 percent for servers.
The only other data point is for 2005, showing a couple of percent for
desktop PCs, three percent for servers, and 37 percent for mobile PCs.

There's a claim that BitLocker in Vista provided the tipping point for
TPM uptake in:

http://www.investors.com/editorial/IBDArticles.asp?artsec=17&issue=20070306

The IDC reference is Worldwide PC Interface and Technologies 2007-2010
Forecast, February 2007, Doc #205155, a Market Analysis

http://idc.com/getdoc.jsp?containerId=205155

At $4500, a bit steep for curiosity's sake.

TPM is the focus of a chapter or section on Security, as seen in the
table of contents.

The Papa Gino's Restaurants example for Network World is indeed a Dell
real world example, one of several mentioned:

https://www.trustedcomputinggroup.org/news/Industry_Data/Endpoint_Technologies_Associates_TCG_report_Jan_29_2007.pdf

The real world examples include a Japanese pharmaceutical company with
20,000 seats

Papa Gino's Pizzas

A US auto rental agency of indeterminate size using HP's security solution.

Three projects underway in Japan, security initiatives funded by the
Japanese Ministry of Economy, Trade and Industry, for:

  Sendai Wellness Consortium  (sounds like an HMO)
  IBM's Tokyo Research Laboratory
  Nagoya University Medical Center

The size of these aren't known, but should qualify as respectably sized
enterprises.

This paper is again from Endpoint Technologies, and is intended to allay
naysayers of Trusted Computing adoption rates:

Some market watchers may feel that the entire Trusted Computing
movement, championed by the Trusted Computing Group (TCG) with its
Trusted Platform Module (TPM) and related security technologies, is just
a straw man and that it will be years before large numbers of companies
and even individuals adopt TPM based secure computing. For example, IDC
cites, in Trusted Platform Module: Adoption Dynamics, August 30, 2006,
a complex system dynamics model that shows that only the PC hardware
OEMs and the smallest security vendors are fully engaged with the TPM,
and that Microsoft and the major security players remain at best tepid
in their support. Particularly, the authors cite a lack of user pull in
TPM deployment. They conclude that, although many TPM modules will ship
on client systems over the next few years, most will remain inactive.


[There's also anecdotal evidence IDC hasn't always had their cheery
outlook for TPM uptake.]

There are other developments mentioned in the paper:

   The NSA uses TPM for encrypted disk drives

   The US Army is mentioned herein requiring TPM on PCs

   The Federal Deposit Insurance Corporation has recommended that their
   member banks adopt TPM.

Also, Microsoft appears to have actually jumped on the TPM bandwagon,
supplying impetus over the tipping point:

http://www.pc.ibm.com/us/pdf/idc_compliance_whitepaper.pdf
February 2005, Validation of Hardware Security in PC Clients, sponsored
by IBM and Microsoft

TPM is pretty much required for PC biometric authentication (fingerprints)

There are a few more poster children marched out:

  A large international pharmaceutical company (perhaps different from
  above)

  A Large Apparel Manufacturer, mentions Sarbanes-Oxley, and
  fingerprint access.


We're being underwhelmed with hard numbers and numerous examples of
enterprise adoption.

Re: Free Rootkit with Every New Intel Machine

2007-06-27 Thread Jacob Appelbaum
Jon Callas wrote:
 
 On Jun 25, 2007, at 7:23 PM, Matt Johnston wrote:
 
 On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote:
  Apple (mis)uses TPM to unsuccessfully prevent OS X from running on
  non-Apple Hardware.  All Apple on Intel machines have TPM, that's what 6
  percent of new PCs?

 To nit pick, the TPM is only present in some Apple Intel
 machines and isn't used in any of them. See
 http://osxbook.com/book/bonus/chapter10/tpm/

 Their OS decryption key is just stored in normal firmware,
 unprotected AIUI.

Are you discussing how they handle their encrypted swap, encrypted disk
(via FileVault) or their encrypted sleep image? I was unaware that Apple
had implemented full root file system encryption.

 
 They've apparently stopped shipping TPMs. There isn't one on my MacBook
 Pro from last November, and it is missing on my wife's new Santa Rosa
 machine.
 
 If you want to see if a machine has one, then the command:
 
 sudo ioreg -w 0 | grep -i tpm
 
 should give something meaningful. Mine reports the existence of
 ApplePCISlotPM, but that's not the same thing.
 

A positive match looks like this:

| +-o ApplePCISlotPM  <class ApplePCISlotPM, !registered, !matched,
active, busy 0, retain count 8>
| +-o TPM  <class IOACPIPlatformDevice, registered, matched, active,
busy 0, retain count 6>

Regards,
Jacob Appelbaum



Re: Free Rootkit with Every New Intel Machine (aka TPM, AMT)

2007-06-27 Thread Jeff Hodges
I'd also scrawled:
 my understanding from a person active in the NEA working group [1] (IETF) 
 is that TPMs these days come along for free because they're included on-die
 in at least one of said chips.


[EMAIL PROTECTED] said:
 Check again.  A few months ago I was chatting with someone who works for a
 large US computer hardware distributor and he located one single motherboard
 (an Intel one, based on an old, possibly discontinued chipset) in their
 entire inventory that contained a TPM (they also had all the ex-IBM/Lenovo
 laptops, and a handful of HP laptops, that were reported as having TPMs).  He
 also said that there were a handful of others (e.g. a few Dell laptops, which
 they don't carry) with TPMs.

My bad.  I'd neglected to add "on enterprise-class systems" after "come along
for free" (a qualification he did indeed express).  WRT Dell notebooks,
that'd be the Latitude models.

In fact, with a little searching, I found the Dell pages below [2] that
indicate TPM is installed on Dell's D-series enterprise class notebooks.


[EMAIL PROTECTED] said:
 One of the driving forces for TPM adoption going forward will be enterprise
 remote or distributed management.

Of course. And that's the driving force behind the IETF NEA (Network Endpoint 
Assessment) working group AFAIK [1].


=JeffH
--

[1] http://www.ietf.org/html.charters/nea-charter.html


[2]
http://www.dell.com/content/topics/global.aspx/solutions/en/latitude_highlight?c=us&l=en&s=gen

...
Trusted Platform Module (TPM 1.1)
The TPM, or Trusted Platform Module ships standard on D410, D610 & D810. TPM
is a security hardware device on the system board that will hold computer 
generated keys for encryption. It is a hardware-based solution that can help 
avoid attacks by hackers looking to capture passwords and encryption keys to 
sensitive data.
...

http://www.dell.com/content/learnmore/learnmore.aspx?c=us&cs=RC968571&l=en&s=hea&~id=smartcard&~line=notebooks&~mode=popup&~series=latit&~tab=recommendations


What is TPM?

The TPM, or Trusted Platform Module, is a security hardware device on the
system board that will hold computer generated keys for encryption. It is a
hardware based solution that can help avoid attacks by hackers looking to
capture passwords and encryption keys to sensitive data.

When deploying advanced security features like TPM in your environment, the 
archive and recovery of keys protected by the TPM is critical to avoiding the 
risk of data loss or inaccessibility in the event of a system failure.

The security features provided by the TPM are internally supported by the 
following cryptographic capabilities of each TPM: hashing, random number 
generation, asymmetric key generation, and asymmetric encryption/decryption. 
Each individual TPM on each individual computer system has a unique signature 
initialized during the silicon manufacturing process that further enhances its 
trust/security effectiveness. Each individual TPM must have an Owner before it 
is useful as a security device.

TPM Applications

TPM is useful for any customer that is interested in providing an additional
layer of security to the computer system. The TPM, when bundled with an
optional security software package, can provide overall system security, file
protection capabilities and protect against email /privacy concerns. TPM helps
provide security that can be stronger than that contained in the system BIOS,
operating system, or any non-TPM application.

Which Dell systems support TPM? 

The TPM 1.2 security hardware device comes standard on the following
Latitude(TM) notebook systems: Latitude D420, D620, D820, OptiPlex(TM) desktop
systems: Optiplex 745, 740 and Dell Precision(TM) Mobile Workstations M65, M90.
Dell recommends the use of Microsoft® Windows® XP Professional operating
system with TPM which includes advanced security, mobility and networking
features. TPM is currently not supported by Dell on Red Hat® Linux® operating
systems. Customers who deploy TPM should also purchase Wave Systems Embassy
Trust Suite from Dell Software & Peripherals to enable full TPM features
including key archival and migration.


---
end


Re: Free Rootkit with Every New Intel Machine

2007-06-27 Thread Hal Finney
Peter Gutmann writes:
 BitLocker just uses the TPM as a glorified USB key (sealing a key in a TPM is
 functionally equivalent to encrypting it on a USB key).  Since BitLocker isn't
 tied to a TPM in any way (I'm sure Microsoft's managers could see which way
 the wind was blowing when they designed it), it's not going to be TPM's killer
 app.

Actually BitLocker can use the TPM's measured boot capability for
additional security.  This requires a TPM-aware BIOS, which hashes
the disk's Master Boot Record into the TPM Platform Configuration
Registers before executing it, as well as measuring other system software
components.

The disk encryption key is sealed to the TPM PCR values and the chip
won't release it if the boot sequence is different.  This means that
if you want to attack by, for example, booting from a Linux Live CD or
an external USB drive, the chip won't release the encryption key even if
you guess the PIN right.

(Some) details at the BitLocker Drive Encryption Technical Overview page:
http://technet2.microsoft.com/WindowsVista/en/library/ba1a3800-ce29-4f09-89ef-65bce923cdb51033.mspx?mfr=true

Hal Finney



Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Peter Gutmann
[EMAIL PROTECTED] (Hal Finney) writes:

The idea of putting a TPM on a smart card or other removable device is even
more questionable from this perspective.

It's not just questionable, it's a really, really bad idea.  TPMs are
fundamentally just severely feature-crippled smart cards.  That is, they're
optimised for doing DRM/secure boot/whatever-you-want-to-call-it, but in
practice not much good for doing anything else (even if there are paper and
Powerpoint-slide claims to the contrary).  So you have something with all the
drawbacks of a smart card (external widget that needs to be bought at extra
cost and plugged in) and none of the advantages.

Possibly with Vista's BitLocker disk encryption we will see more use of TPMs.

BitLocker just uses the TPM as a glorified USB key (sealing a key in a TPM is
functionally equivalent to encrypting it on a USB key).  Since BitLocker isn't
tied to a TPM in any way (I'm sure Microsoft's managers could see which way
the wind was blowing when they designed it), it's not going to be TPM's killer
app.

Peter.



Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
Peter Gutmann wrote:
 David G. Koontz [EMAIL PROTECTED] writes:
 
 There are third party TPM modules, which could allow some degree of
 standardization:
 
 As I said in my previous message, just because they exist doesn't mean they'll
 do anything if you plug them into a MB with the necessary header (assuming you
 have a MB with the header, and it's physically compatible, and electrically
 compatible, and the BIOS is compatible, and ...).
 
 Which MBs have you plugged one of these TPMs into and had it work?

I don't have the luxury of buying tchotchkes to prove a point.  (Ya,
I have no use for this stuff either).  In view of Peter's insistence it
was worth looking harder.

I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
header for the IEI TPM pluggable. After an extensive investigation I
found no direct evidence you can actually do as Peter states and roll
your own building a TPM enabled system. That includes downloading the
BIOS and trying to search it.  Found evidence of a TPM driver, no hard
proof though.  Why the emphasis on doing this as an end user anyway?
Heck you should have seen how hard it was to get DVDs to work with
Windows98 on an Intel D815 motherboard as an end user.  It took the same
level of investigation, and I still got lucky.  The information
necessary is available to OEMs, not generally end users.  Looking across
various vendors motherboards you see statements in the specifications
stating TPM v1.2 support which I'd be inclined to think means BIOS
support.

I looked for mention of the IEI motherboards, and found distributors, no
mention of anyone actually using them other than for industrial use.
The Fujitsu-Siemens motherboards with TPM were similarly for industrial
use.  The idea of system integrity makes sense for say industrial
robotics.  Wonder if someone thought of using ECC memory?

I found a Foxconn motherboard with the same 20 pin connector.  Didn't
find it on their G33 motherboard (Bearlake).  There was no mention of
TPM support in any documentation for the G33 board.  I downloaded the
BIOS for the board with the connector, de-lharc'd it and searched for
strings indicating TPM support.  Didn't find any references at all.  It
appears to be an older Phoenix BIOS.   Same story for Peter - no proof
you could actually use it, worse still, nothing in the BIOS.

I found a Supermicro C2SBA motherboard (another G33 Bearlake) that you
can buy today.  TPM enabled, there's a jumper described in the manual to
enable TPM, which allows the BIOS page for it to show up.  Sounds like
solid support.  The manual only has the topside layout.  The jumper is
near the system front edge, and the closest silicon is the ICH9
Southbridge.  Note that the LPC bus is on the Southbridge anyway and
would interconnect to a TPM chip (as well as BIOS FLASH/ROM).  There's a
candidate chip near the front panel stuff not too close to the BIOS chip;
I couldn't find a high enough resolution photo to read the label.  There
is no through hole connector footprint for an external TPM module visible.

If I wanted to buy a TPM motherboard today, I could, a brand new one,
too.  The manual has pictures of the TPM pages in the BIOS console.  The
BIOS should work.  Around $164 in the U.S., real pretty too with all the
copper cooling on it.

There's also indication of whitebox integrators using the Intel
motherboards with TPM in-built.  No indications of volume, which is
probably the real question.


 
 TPM may well end up being present ubiquitously.
 
 Smart cards may well end up being present ubiquitously.
 Hardware RNGs may well end up being present ubiquitously.
 NIC-based crypto may well end up being present ubiquitously.
 Biometric readers may well end up being present ubiquitously.
 Home taping is killing mus... oops, wrong list.
 
 Been there, done that, got the tchotchkes to prove it.

 
 I've seen zero evidence that TPMs are going to be anything other than a repeat
 of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
 failed hardware silver bullets that crop up every few years.  Wait a  year or
 two and there'll be some other magic gadget along to fix all our problems.

I found a FIPS 140-2 compliance statement from Phoenix dated July 2006,
that mentions all your silver bullets except the biometric readers and
encrypting NIC.

http://csrc.nist.gov/cryptval/140-1/140sp/140sp709.pdf

Someone doesn't think they are all relegated to tchotchkes, just yet.  I
was surprised to hear Intel's random number chip is still marketed, must
still be used in Type 1 COMSEC stuff.

There is indication that TPM is tied to fingerprint scanners on laptops,
they could be a passing fad.  It'd be nice to see someone demonstrating
spoofing one.

Found something else that supports Peter's point of view.  Found a web
page claiming that Intel's vPRO doesn't require a TPM chip.  It isn't
clear how closely aligned vPRO is to DMTF.  As far as TPM and DMTF, most
of the hits relating to the two can be traced 

RE: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Hal Finney
Ian Farquhar writes:
 [Hal Finney wrote:]
  It seems odd for the TPM of all devices to be put on a pluggable module as 
  shown here.  The whole point of the chip is to be bound tightly to the 
  motherboard and to observe the boot and initial program load sequence.

 Maybe I am showing my eternal optimist side here, but to me, this
 is how TPM's should be used, as opposed to the way their backers
 originally wanted them used.  A removable module whose connection to
 a device I establish (and can de-establish, assuming the presence of
 a tamper-respondent barrier such as a sensor-enabled computer case to
 legitimize that activity) is a very useful thing to me, as it facilitates
 all sorts of useful applications.  The utility of the original intent
 has already been widely criticised, so I won't repeat that here.  :)

Would that basically be the same as a removable smart card or
crypto token?  Those do exist and I agree that they have many useful
applications.  However their purpose is somewhat different from the TPM,
which is more specialized.


 It also shows those interesting economics at work.  The added utility of
 the TPM module (from the PoV of the user) was marginal at best despite
 all claims, yet it facilitated functionality which was contrary to
 most user's interests.  The content industry tried to claim that the
 TPM module would facilitate the availability of compelling content -
 which they tried to sell as it's user utility - but like most of their
 claims it was a smoke and mirrors trick.

At this point we are reduced to speaking hypothetically.  The TPM has
not provided either much benefit or much harm so far.  It has not (AFAIK)
been used to protect any content, for good or evil.  It has instead only
been used as a sort of glorified, non-removable smart card, which indeed
does not provide much utility.


 Consequently, the razor-edged economics of the motherboard and desktop
 industry has comprehensively rejected TPM except in certain specialized
 marketplaces where higher profit margins are available (eg. Servers,
 corporate desktops).  The chipset manufacturers have also failed to add
 this functionality to their offerings to date.

 Now Vista has added Bitlocker, which arguably adds a user valuable feature
 for which a TPM module is needed (yes, you can run it without TPM, but
 it's painful).  I wonder if we'll start to see more TPM connectors
 appearing, or even full TPM modules on motherboards and cores on south
 bridge dies?

I think the focus is likely still to be on laptop systems where the
benefits of an encrypted file system are especially high.  However if
Bitlocker comes down to the lower level Vistas then we may see TPMs
start to appear on lower end laptops.


 Personally, I'd like to see a TPM implemented as a tamper-respondent
 (ie. Self-powered) module mounted on the motherboard in a socket which
 allows removal detection.  That way you get the flexibility of moving
 the module, with the safety of a programmed response to an unauthorized
 removal.

Interesting idea, although it's not clear what you would do with it.
The TPM architecture is enormously complex but it is entirely focused
on binding a TPM to a platform.  Breaking that rule would invalidate so
much of the TPM design that you might do better starting with a new chip
with its own functions and purpose.

Hal Finney



RE: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Dave Korn
On 26 June 2007 00:51, Ian Farquhar (ifarquha) wrote:

 It seems odd for the TPM of all devices to be put on a pluggable module as
 shown here.  The whole point of the chip is to be bound tightly to the
 motherboard and to observe the boot and initial program load sequence.
 
 Maybe I am showing my eternal optimist side here, but to me, this is how
 TPM's should be used, as opposed to the way their backers originally wanted
 them used.  A removable module whose connection to a device I establish
 (and can de-establish, assuming the presence of a tamper-respondent barrier
 such as a sensor-enabled computer case to legitimize that activity) is a
 very useful thing to me, as it facilitates all sorts of useful
 applications.  The utility of the original intent has already been widely
 criticised, so I won't repeat that here.  :)   

  If you can remove it, what's to stop you plugging it into another machine
and copying all your DRM-encumbered material to that machine?

  It's supposed to identify the machine, not the user.  Sounds to me like what
you want is a personally identifying cert that you could carry around on a usb
key...


cheers,
  DaveK
-- 
Can't think of a witty .sigline today



Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread David G. Koontz
David G. Koontz wrote:

 
 I picked on one motherboard, a Gigabyte GA-P3-DQ6 which has the 20 pin
 header for the IEI TPM pluggable. After an extensive investigation I
 found no direct evidence you can actually do as Peter states and roll
 your own building a TPM enabled system. That includes downloading the
 BIOS and trying to search it.  Found evidence of a TPM driver, no hard
 proof though.  Why the emphasis on doing this as an end user anyway?
 Heck you should have seen how hard it was to get DVDs to work with
 Windows98 on an Intel D815 motherboard as an end user.  If took the same
 level of investigation, and I still got lucky.  The information
 necessary is available to OEMs, not generally end users.  Looking across
 various vendors motherboards you see statements in the specifications
 stating TPM v1.2 support which I'd be inclined to think means BIOS
 support.

I found another Gigabyte board GA-N680SLI-DQ6 with TPM, available from
Ascent here in New Zealand.  I looked at the BIOS for it.  It was close
to brand new and mentioned it would take loadable drivers and didn't
have reference to TPM.  This lends credence to the requirement for OEM
access to enable TPM.  The TPM driver wasn't available on the download
page for the board.  This board has the IEI 20 pin connector on it.

The IEI page provides no links to documentation.  The page shows various
software management interfaces that are specific to TPM chip vendors, so
I looked them up.  There are three modules based on Infineon, Atmel
and Sinosun TPM chips.

Looking at the Infineon TPM v1.2 page we see the complete information
isn't publicly available.  There is no indication of how to do PC-BIOS
integration, no in depth datasheet/manual, etc.  It's probably not
possible to implement under Windows without a partnership.

I checked the Atmel site and the public information there was sparse.

The Sinosun site has some basic information on management software.
These would require you to be in a partnership, although I found an
advertisement for the Sinosun TPM software management tools ($26.99 US)
http://www.orbitmicro.com/global/20pinsinosuntpmmoduleswmanagementtool-p-4385.html
Orbit Micro is a system integrator and IEI distributor and probably can
provide a white box solution.

You're still at the mercy of the Motherboard/PC vendor for BIOS support.

The Supermicro motherboard with integrated TPM has a BIOS that is TPM
aware..  It probably uses an ST19WP18-TPM-C from Standard Microsystems
(Found by searching their FAQ, another board with TPM).

There is some information on software development environment:
http://www.st.com/stonline/products/families/smartcard/sc_support.htm

This compares the three TPM chip versions:
http://www.st.com/stonline/stappl/productcatalog/app?path=/comp/stcom/PcStComOnLineQuery.showresult&querytype=type=product$$view=table&querycriteria=RNP139=1120.0
and prompted examination of their pdf files, the sections at the
back on software.

The drivers are actually in ROM on the ST chips, with a flag system for
the host BIOS, allowing the same BIOS to work with or without TPM.  This
may explain some of the lack of visibility in some BIOS images.  The
Windows drivers are embedded, too.  The -TPM-C version used by the
Supermicro motherboard talks about the use of Embassy Security Center
suite from Wave Systems.  There is a right to use license transferred
with the chip: http://www.st.com/stonline/press/news/year2004/p1499m.htm
also mentioned: http://www.tonymcfadden.net/tpmvendors_arc.html#software
The last link gives insight into the Atmel software, too.

The IEI pluggable TPM module web page shows software interfaces from
three different vendors for the three different chips it uses.  The
Winbond chip is shown being administered by Wave's ESC.  No indication
of licensing terms.

For open source/linux aficionados there's jtpmtools:

http://trustedjava.sourceforge.net/  (probably ripe for a tcl wrapper)

And information on the Open Trusted Computing web site:
http://www.opentc.net

(http://www.wavesys.com/products/TPM_Matrix.html  describes the
currently available TPM products from various system vendors.)



Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Alexander Klimov
On Mon, 25 Jun 2007, Hal Finney wrote:
 The idea of putting a TPM on a smart card or other removable device is
 even more questionable from this perspective.  A TPM which communicates
 via an easily accessible and tamperable bus is almost useless for the
 security concepts behind the Trusted Computing Group architecture.

Even if a TPM is soldered to the motherboard it does not mean
that unsoldering is an esoteric art. There is a difference
between what media hypes about TPM and what TCG technical
documents say [1]:

   It is not expected that a TPM will be able to defeat
   sophisticated physical attacks.

 The exception might be if there were additional hardware to encrypt
 the bus, but that is not part of the standard spec.

Encrypted bus requires encryption cores on both ends and key
distribution resistant to MitM attacks. I suspect that if your
system already has so many crypto blocks in it, it would be
cheaper to implement TPM inside.

 So this would allow a removable TPM but it has to be logically bound
 to the motherboard via cryptography, presumably something like an
 encrypted bus.

To logically bind the TPM to the motherboard it is enough for the BIOS
`loader' that hashes the rest of the BIOS to include the unique ID of the
motherboard in the hash.


[1] https://www.trustedcomputinggroup.org/groups/tpm/TPM_1_2_Changes_final.pdf


-- 
Regards,
ASK

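Klimov's suggestion above, that the BIOS loader fold a unique board ID into the measurement it extends into the TPM, can be shown with a small simulation; it also illustrates the EK-to-TPM-to-platform binding quoted from the TPM Design Principles in Hal Finney's message further down this page. This is an added example, not code from the thread, from TCG or from any TPM vendor. The board IDs, BIOS image, disk key and per-chip secret are all constructed; SHA-1 is used because TPM 1.2 PCRs are SHA-1 based, and the HMAC-keystream seal/unseal is only a stand-in for a real TPM's key hierarchy.

```python
import hashlib
import hmac

PCR_INITIAL = bytes(20)  # a TPM 1.2 PCR is 20 zero bytes after reset

# Constructed sample values (not real serials, firmware or keys)
BIOS_BODY = b"constructed BIOS image, everything after the loader"
BOARD_A = b"MB-SERIAL-0001"
BOARD_B = b"MB-SERIAL-0002"
DISK_KEY = bytes(range(32))  # stands in for a disk-encryption key


def pcr_extend(pcr, measurement):
    """TPM_Extend for a SHA-1 PCR: new = SHA-1(old || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_bios(board_id, bios_body):
    """The loader's single measurement.  Klimov's proposal is that the board
    ID goes into the hashed data; pass b"" as board_id to model a loader that
    measures only the BIOS body."""
    return pcr_extend(PCR_INITIAL, board_id + bios_body)


class SimulatedTPM:
    """Toy seal/unseal keyed on a per-chip secret and a PCR value.  A real TPM
    encrypts under keys that never leave the chip; the HMAC keystream here is
    a constructed stand-in so the example runs on its own."""

    def __init__(self, chip_secret):
        self._chip_secret = chip_secret

    def _keystream(self, pcr, length):
        out = b""
        counter = 0
        while len(out) < length:
            out += hmac.new(self._chip_secret, pcr + bytes([counter]),
                            hashlib.sha256).digest()
            counter += 1
        return out[:length]

    def seal(self, pcr, secret):
        """Record the PCR the secret is bound to and encrypt the secret."""
        ks = self._keystream(pcr, len(secret))
        return pcr, bytes(a ^ b for a, b in zip(secret, ks))

    def unseal(self, blob, current_pcr):
        """Release the secret only if the current PCR matches the sealed one."""
        expected_pcr, ciphertext = blob
        if not hmac.compare_digest(expected_pcr, current_pcr):
            return None  # PCR mismatch: the chip refuses to release the secret
        ks = self._keystream(current_pcr, len(ciphertext))
        return bytes(a ^ b for a, b in zip(ciphertext, ks))


def seal_on_board(tpm, board_id, bind_to_board=True):
    """Boot on board_id and seal DISK_KEY to the resulting PCR."""
    pcr = measure_bios(board_id if bind_to_board else b"", BIOS_BODY)
    return tpm.seal(pcr, DISK_KEY)


def unseal_on_board(tpm, blob, board_id, bind_to_board=True):
    """Boot on board_id (same BIOS body) and try to unseal the blob."""
    pcr = measure_bios(board_id if bind_to_board else b"", BIOS_BODY)
    return tpm.unseal(blob, pcr)


if __name__ == "__main__":
    tpm = SimulatedTPM(b"constructed per-chip secret")
    blob = seal_on_board(tpm, BOARD_A)
    print("same board unseals:", unseal_on_board(tpm, blob, BOARD_A) == DISK_KEY)
    print("TPM moved to board B:", unseal_on_board(tpm, blob, BOARD_B))
```

With `bind_to_board=False` the same TPM unseals on either board, which is exactly the gap a removable module opens; with the board ID in the measurement, moving the chip changes the PCR and the unseal is refused. A modified BIOS body changes the PCR either way, since that is what measured boot already provides.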


Re: Free Rootkit with Every New Intel Machine

2007-06-26 Thread Jon Callas


On Jun 25, 2007, at 7:23 PM, Matt Johnston wrote:


On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote:

  Apple (mis)uses
TPM to unsuccessfully prevent OS X from running on non-Apple  
Hardware.
All Apple on Intel machines have TPM, that's what 6 percent of new  
PCs?


To nit pick, the TPM is only present in some Apple Intel
machines and isn't used in any of them. See
http://osxbook.com/book/bonus/chapter10/tpm/

Their OS decryption key is just stored in normal firmware,
unprotected AIUI.


They've apparently stopped shipping TPMs. There isn't one on my  
MacBook Pro from last November, and it is missing on my wife's new  
Santa Rosa machine.


If you want to see if a machine has one, then the command:

sudo ioreg -w 0 | grep -i tpm

should give something meaningful. Mine reports the existence of  
ApplePCISlotPM, but that's not the same thing.


Jon



Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread David G. Koontz
Peter Gutmann wrote:
 Ian Farquhar (ifarquha) [EMAIL PROTECTED] writes:
 
 For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which features security
 enhancement by TPM.  More common (ASUS, Foxconn) was the TPM Connector,
 which seemed to be a hedged bet, by replacing the cost of the TPM chip with
 the cost of a socket.
 
 Those are actually misleading, since there's no certainty that you'll be able
 to find anything that'll actually plug into them.  That is, not only are the
 TPM whatever-they-are-that-goes-there's almost impossible to find, but if you
 do find one there's no guarantee that it'll actually work when plugged into
 the header. In practice this is just a way of adding the TPM keyword to your
 marketing without having to actually do anything except include a dummy header
 on the MB.

There are third party TPM modules, which could allow some degree of
standardization:

http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201news_cate=Newsnews_sub_cate=Product

The IEI TPM module is used in their own motherboards and some VIA
motherboards.  They actively market the pluggable modules.  Thinkpads
appear to use a different connector:
https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
30 pins instead of 20 pins.  The Low Pin Count bus, an ISA bus
replacement, is specified as the TPM interface, and isn't defined for
connector use, so a connector pin out isn't standardized.

http://www.intel.com/design/chipsets/industry/25128901.pdf  (the spec)

 
 (For people who don't work with the innards of PCs much, most motherboards
 have assorted unused headers, sites for non-installed ICs, and so on, as a
 standard part of the MB.  The TPM header is just another one).
 
 Peter.
 

In addition to pluggable modules, TPM can also be an assembly bill of
materials option, where you have a chip and a few passive components
not stuffed for non-enterprise PCs or notebooks.  The advantage of a
pluggable module would be to allow late binding build configurations
when you can't adequately forecast demands.

Even the low costs of TPM hardware, patent licenses, BIOS licenses,
etc., are probably enough to prevent blanket inclusion in personal
computers not intended for enterprise use today.  TPM can also be built
into chip sets like Intel's Bearlake, which removes the hardware cost.
TPM may well end up being present ubiquitously.

One of the driving forces for TPM adoption going forward will be
enterprise remote or distributed management. http://www.dmtf.org/home
Doing distributed management with TPM allows some degree of security
that would otherwise be missing. Distributed management is the purpose
of Intel's vPro and iAMT initiatives.  Note that the distributed
management push is relatively recent, going mainline in the last year or
so and may signal an upcoming acceleration in TPM adoption.  Also of
note is that the membership list for the Distributed Management Task
Force contains most of the big name PC sellers.

Distributed management can be OS agnostic; the driving need is the
ability to handle large volumes of software updates and security
patches. While some OS's require large volumes of security patches,
others are evolving fast enough to require automated updates. We're
pretty much guaranteed to see enterprise adoption across all platforms.

Linux supports TPM devices directly, as will Solaris.  Apple (mis)uses
TPM to unsuccessfully prevent OS X from running on non-Apple Hardware.
All Apple on Intel machines have TPM, that's what 6 percent of new PCs?
There is a virtual TPM in Xen, IBM would tell you that you can't
operate a trusted computer without a security server for providing
virtual TPM storage.  They're willing to sell you one and Microsoft
doesn't want you to operate Vista virtually without a trustworthy
Trusted Platform Module.

It may be inappropriate to build a system with absolute trust in TPM to
protect intellectual property.  There are other architectures that can
do better, say a blade server running a virtual copy of an OS.  The
element providing greater security is removing the potentially malicious
end-user from physical access, and not allowing access beyond the
virtual machine.  Thin clients and web applications come to mind for
protecting corporate secrets, too.  TPM is predicated on the notion that
the corporate universe is comprised of fully capable computers.  The
idea for Trusted Computing comes mainly from hardware vendors, so the
bias isn't surprising.

No one likes the idea of TPM on their personal machines, it's really
driven by enterprise needs, although you could imagine a market for a
service intended to keep your personal Windows PC updated.  There can be
useful side effects to having TPM on personal computers.  TPM could
provide secure storage for keys to software or hardware encrypted disk
drives, the alternative might imply uncovering the equivalent of master
keys over questionable channels during boot up. Secure Disks with
hardware 

Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Peter Gutmann
David G. Koontz [EMAIL PROTECTED] writes:

There are third party TPM modules, which could allow some degree of
standardization:

As I said in my previous message, just because they exist doesn't mean they'll
do anything if you plug them into a MB with the necessary header (assuming you
have a MB with the header, and it's physically compatible, and electrically
compatible, and the BIOS is compatible, and ...).

Which MBs have you plugged one of these TPMs into and had it work?

TPM may well end up being present ubiquitously.

Smart cards may well end up being present ubiquitously.
Hardware RNGs may well end up being present ubiquitously.
NIC-based crypto may well end up being present ubiquitously.
Biometric readers may well end up being present ubiquitously.
Home taping is killing mus... oops, wrong list.

Been there, done that, got the tchotchkes to prove it.

I've seen zero evidence that TPMs are going to be anything other than a repeat
of hardware RNGs, NIC-based crypto, biometric readers, and the pile of other
failed hardware silver bullets that crop up every few years.  Wait a year or
two and there'll be some other magic gadget along to fix all our problems.

Peter.



RE: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Leichter, Jerry
| ...Apple is one vendor who I gather does include a TPM chip on their
| systems, I gather, but that wasn't useful for me.
Apple included TPM chips on their first round of Intel-based Macs.
Back in 2005, there were all sorts of stories floating around the net
about how Apple would use TPM to prevent OS X running on non-Apple
hardware.

In fact:

- Some Apple models contain a TPM module (the Infineon TPM1.2);
some (second generation) don't;

- No current Apple model contains an EFI (boot) driver for the
module;

- No current version of OS X contains a driver to access the
module for any purpose;

- Hence:  OS X doesn't rely on TPM to block execution on non-
Apple hardware.  In fact, there is an active hacker's
community that gets OS X to run on hackintosh's -
an announcement of OS X on a Sony Vaio made the
rounds just a couple of days ago.  Apparently the
only real difficulty is writing appropriate boot
and other low-level drivers.

Amit Singh, the author of the definitive reference on OS X internals,
has written and distributed an OS X driver for the TPM on those
machines that have it.  For all kinds of details, see his page at:

http://www.osxbook.com/book/bonus/chapter10/tpm/

-- Jerry



Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Hal Finney
David G. Koontz writes:
 There are third party TPM modules, which could allow some degree of
 standardization:

 http://www.ieiworld.com/en/news_content.asp?id=erbium/projectOBJ00244201news_cate=Newsnews_sub_cate=Product

 The IEI TPM module is used in their own motherboards and some VIA
 motherboards.  They actively market the pluggable modules.  Thinkpads
 appear to use a different connector:
 https://www.cosic.esat.kuleuven.be/publications/article-591.pdf
 30 pins instead of 20 pins.

It seems odd for the TPM of all devices to be put on a pluggable module
as shown here.  The whole point of the chip is to be bound tightly
to the motherboard and to observe the boot and initial program load
sequence.  Any steps to decouple the TPM and facilitate separating it
from a motherboard will only make attacks on its security model easier
and make the chip less useful for its stated purpose.

The idea of putting a TPM on a smart card or other removable device is
even more questionable from this perspective.  A TPM which communicates
via an easily accessible and tamperable bus is almost useless for the
security concepts behind the Trusted Computing Group architecture.  (The
exception might be if there were additional hardware to encrypt the bus,
but that is not part of the standard spec.)

The other direction that has been mentioned, putting the TPM onto the CPU
die, would make more sense for security, but I don't know of any chips
that actually do that.  However with the future trend towards increased
CPU parallelism and addition of extra cores for additional functionality,
it would seem to be a natural extension, if TPMs catch on.

I tried hunting through the TCG specs to see if they say anything about
this, but it's a maze.  Eventually there is supposed to be a Platform
Conformance Credential which certifies that a particular platform (e.g.
motherboard + associated chips) satisfies some criteria and has gone
through a certification process.  But I couldn't find anything specific
about what security features a trusted platform is supposed to have.

The TPM Design Principles doc says:

https://www.trustedcomputinggroup.org/specs/TPM/Main_Part1_Rev94.zip

 11.2   RTR to Platform Binding

 Start of informative comment

 When performing validation of the EK and the platform the challenger
 wishes to have knowledge of the binding of RTR to platform. The RTR
 is bound to a TPM hence if the platform can show the binding of TPM
 to platform the challenger can reasonably believe the RTR and platform
 binding.  The TPM cannot provide all of the information necessary for
 the challenger to trust in the binding. That information comes from the
 manufacturing process and occurs outside the control of the TPM.

 End of informative comment

 1. The EK is transitively bound to the Platform via the TPM as follows:
 a. An EK is bound to one and only one TPM (i.e., there is a one to one
 correspondence between an Endorsement Key and a TPM.)
 b. A TPM is bound to one and only one Platform. (i.e., there is a one
 to one correspondence between a TPM and a Platform.)
 c. Therefore, an EK is bound to a Platform. (i.e., there is a one to
 one correspondence between an Endorsement Key and a Platform.)

Here, the RTR is the Root of Trust for Reporting, aka the on-chip
Endorsement Key (EK) which the TPM uses to sign platform and software
configuration info as part of its Remote Attestation capability.
This text would seem to argue against a removable TPM.

Here's a quote from one of the PC-related specs:

https://www.trustedcomputinggroup.org/specs/PCClient/TCG_PCClientImplementationforBIOS_1-20_1-00.pdf

 1.2.12.1.2   Binding Methods
 Start of informative comment

 The method of binding the TPM to the motherboard is an architectural and
 design decision made by the respective manufacturer and is not specified
 here. There are two types of binding: physical and logical. Physical
 binding relies on hardware techniques while logical binding relies on
 cryptographic techniques. The nature and strength of each method is
 defined by the TPM's or the Platform's Protection Profile.

 Example:

 The TPM is a physical chip soldered to the Host Platform. Here the
 Endorsement Key is physically bound to the TPM (it's inside it) and the
 TPM is physically bound to the Host Platform by the solder. The required
 strength of each binding is determined by the Protection Profile.

 End of informative comment

So this would allow a removable TPM but it has to be logically bound
to the motherboard via cryptography, presumably something like an
encrypted bus.

As Peter Gutmann noted, most TPM systems are relatively expensive business
laptops where the chip is sold as a security chip, although in practice
it doesn't do much.  Possibly with Vista's BitLocker disk encryption we
will see more use of TPMs.  I saw the other day that Microsoft was about
to make BitLocker available to home users (it's only in the high-end
Vistas now) but changed their mind at the 

RE: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Ian Farquhar \(ifarquha\)
 It seems odd for the TPM of all devices to be put on a pluggable module as 
 shown here.  The whole point of the chip is to be bound tightly to the 
 motherboard and to observe the boot and initial program load sequence.

Maybe I am showing my eternal optimist side here, but to me, this is how TPM's 
should be used, as opposed to the way their
backers originally wanted them used.  A removable module whose connection to a 
device I establish (and can de-establish,
assuming the presence of a tamper-respondent barrier such as a sensor-enabled 
computer case to legitimize that activity) is a
very useful thing to me, as it facilitates all sorts of useful applications.  
The utility of the original intent has already
been widely criticised, so I won't repeat that here.  :)

It also shows those interesting economics at work.  The added utility of the 
TPM module (from the PoV of the user) was marginal
at best despite all claims, yet it facilitated functionality which was contrary 
to most users' interests.  The content industry
tried to claim that the TPM module would facilitate the availability of 
compelling content - which they tried to sell as its
user utility - but like most of their claims it was a smoke and mirrors trick.

Consequently, the razor-edged economics of the motherboard and desktop industry 
has comprehensively rejected TPM except in
certain specialized marketplaces where higher profit margins are available (eg. 
Servers, corporate desktops).  The chipset
manufacturers have also failed to add this functionality to their offerings to 
date.

Now Vista has added Bitlocker, which arguably adds a user valuable feature for 
which a TPM module is needed (yes, you can run it
without TPM, but it's painful).  I wonder if we'll start to see more TPM 
connectors appearing, or even full TPM modules on
motherboards and cores on south bridge dies?

Personally, I'd like to see a TPM implemented as a tamper-respondent (ie. 
Self-powered) module mounted on the motherboard in a
socket which allows removal detection.  That way you get the flexibility of 
moving the module, with the safety of a programmed
response to an unauthorized removal.

Ian.



Re: Free Rootkit with Every New Intel Machine

2007-06-25 Thread Matt Johnston
On Mon, Jun 25, 2007 at 04:42:56PM +1200, David G. Koontz wrote:
   Apple (mis)uses
 TPM to unsuccessfully prevent OS X from running on non-Apple Hardware.
 All Apple on Intel machines have TPM, that's what 6 percent of new PCs?

To nit pick, the TPM is only present in some Apple Intel
machines and isn't used in any of them. See
http://osxbook.com/book/bonus/chapter10/tpm/

Their OS decryption key is just stored in normal firmware,
unprotected AIUI.

Matt



RE: Free Rootkit with Every New Intel Machine

2007-06-24 Thread Ian Farquhar \(ifarquha\)
I agree with Peter here.  I also tried to procure a motherboard with a TPM chip 
- to play with Bitlocker mostly - and came to
the same conclusion.

I did find a few MBs, mostly from Intel, and a couple of other vendors.  All of 
these were corporate-style MB's, as opposed to
the gamer/enthusiast style I needed.

For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which features security 
enhancement by TPM.  More common (ASUS, Foxconn) was
the TPM Connector, which seemed to be a hedged bet, by replacing the cost of 
the TPM chip with the cost of a socket.

I also went looking for a TPM on some other delivery mechanism (USB stick?  PCI 
card?  Anything...) but didn't turn anything up
I was actually able to purchase at the time (but maybe not now - see the 
BCM5751 below).

There's a slightly out of date matrix of products here:

http://www.tonymcfadden.net/tpmvendors_arc.html

I too have heard rumors of TPM functionality being included in either North or 
South Bridges, but I haven't seen that happen yet
(aside from Intel, few vendors release detailed chipset datasheets anyway).  
Winbond do have a Trusted IO series of chips
which are basically LPC controllers plus the TPM chip (all now not recommended 
for new designs), and Transmeta did embed the
TPM in the TM5800.  Apparently Broadcom also did embed a TPM on their BCM5751 
and BCM5751M ethernet controllers.

Interestingly, you will find the BCM5751 on several high end motherboards, but 
the presence of TPM functionality isn't often
mentioned.  Riii :)

Apple is one vendor who I gather does include a TPM chip on their systems, I 
gather, but that wasn't useful for me.

Ian.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Peter Gutmann
Sent: Saturday, 23 June 2007 10:49 PM
To: [EMAIL PROTECTED]
Cc: cryptography@metzdowd.com
Subject: Re: Free Rootkit with Every New Intel Machine

[EMAIL PROTECTED] writes:

my understanding from a person active in the NEA working group (IETF) 
is that TPMs these days come along for free because they're included 
on-die in at least one of said chips.

Check again.  A few months ago I was chatting with someone who works for a 
large US computer hardware distributor and he located
one single motherboard (an Intel one, based on an old, possibly discontinued 
chipset) in their entire inventory that contained a
TPM (they also had all the ex-IBM/Lenovo laptops, and a handful of HP laptops, 
that were reported as having TPMs).  He also said
that there were a handful of others (e.g. a few Dell laptops, which they don't
carry) with TPMs.

I've seen all sorts of *claims* of TPM support, but try going out and buying a 
PC with one (aside from IBM/Lenovo and the
handful of others) - you have to look really, *really* hard to find anything, 
and if you do decide you specifically want a
TPM-enabled MB or laptop you're severely restricting your options (unless it's 
a Lenovo).

Unless something truly miraculous happens, TPMs are destined to end their lives 
as optional theft-discouragement gadgets for
laptops (assuming they're running Windows XP, or possibly Vista if you can find 
the drivers).  They've certainly failed to make
any impression on the desktop market.

Peter.



RE: Free Rootkit with Every New Intel Machine

2007-06-24 Thread Peter Gutmann
Ian Farquhar (ifarquha) [EMAIL PROTECTED] writes:

For example: the Gigabyte GA-965QM-DS2 (rev 2.0) which features security
enhancement by TPM.  More common (ASUS, Foxconn) was the TPM Connector,
which seemed to be a hedged bet, by replacing the cost of the TPM chip with
the cost of a socket.

Those are actually misleading, since there's no certainty that you'll be able
to find anything that'll actually plug into them.  That is, not only are the
TPM whatever-they-are-that-goes-there's almost impossible to find, but if you
do find one there's no guarantee that it'll actually work when plugged into
the header. In practice this is just a way of adding the TPM keyword to your
marketing without having to actually do anything except include a dummy header
on the MB.

(For people who don't work with the innards of PCs much, most motherboards
have assorted unused headers, sites for non-installed ICs, and so on, as a
standard part of the MB.  The TPM header is just another one).

Peter.



Re: Free Rootkit with Every New Intel Machine

2007-06-23 Thread Peter Gutmann
[EMAIL PROTECTED] writes:

my understanding from a person active in the NEA working group (IETF) is that
TPMs these days come along for free because they're included on-die in at
least one of said chips.

Check again.  A few months ago I was chatting with someone who works for a
large US computer hardware distributor and he located one single motherboard
(an Intel one, based on an old, possibly discontinued chipset) in their entire
inventory that contained a TPM (they also had all the ex-IBM/Lenovo laptops,
and a handful of HP laptops, that were reported as having TPMs).  He also said
that there were a handful of others (e.g. a few Dell laptops, which they don't
carry) with TPMs.

I've seen all sorts of *claims* of TPM support, but try going out and buying a
PC with one (aside from IBM/Lenovo and the handful of others) - you have to
look really, *really* hard to find anything, and if you do decide you
specifically want a TPM-enabled MB or laptop you're severely restricting your
options (unless it's a Lenovo).

Unless something truly miraculous happens, TPMs are destined to end their
lives as optional theft-discouragement gadgets for laptops (assuming they're
running Windows XP, or possibly Vista if you can find the drivers).  They've
certainly failed to make any impression on the desktop market.

Peter.



Re: Free Rootkit with Every New Intel Machine

2007-06-23 Thread Ivan Krstić
Peter Gutmann wrote:
 I've seen all sorts of *claims* of TPM support, but try going out and buying a
 PC with one

Of the 25 business laptop models that HP offers on its site right now,
only 5 don't have a TPM installed.

-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



Re: Free Rootkit with Every New Intel Machine

2007-06-22 Thread Jeff . Hodges

[EMAIL PROTECTED] said:
 With TPMs it's a bit different, they're absent from the hardware by default

in case you're referring to the TCPA (trusted computing platform alliance) 
TPM..

my understanding from a person active in the NEA working group (IETF) is that 
TPMs these days come along for free because they're included on-die in at 
least one of said chips. I don't recall whether he said it was the network 
interface (NIC) and/or one of the others. So anyway, he said 
...enterprise-class systems (eg Dell Latitudes) mostly all already contain, 
TPMs and various network gear manufacturers have boxes that speak to them 
already, and NEA is just trying to standardize the protocols...

I've noticed my latitude systems do in fact have a bios option for 
enabling/disabling their TPMs. (mine are disabled)

the way in that IT depts ensure that vic...er...employees don't turn 'em off 
(as I understand it) is they set the BIOS admin password on their assets 
(computers) before they give them out.

=JeffH




Re: Free Rootkit with Every New Intel Machine

2007-06-21 Thread Stephan Neuhaus

Peter Gutmann wrote:

-- Snip --


This is very scary.  I bet that our Minister of the Interior would love 
it, though, since he has been pushing a scheme for stealth examination 
of suspects' computers (called Federal Trojan).  Technology like this 
would be a large first step towards making this possible.



[...]
- Built in web interface on every machine (port 16994)


Apart from all the other things that are wrong with this scheme,

* you can't trust the output of netstat anymore;
* in other words, what you see with netstat may not be the same as what 
someone else sees with nmap; and
* if the web interface has a vulnerability, you have an unshutdownable 
vulnerable service running on your machine.


Fun,

Stephan

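Stephan's second point, that netstat and nmap can disagree once something below the OS owns a port, is a check that can be scripted. This is an added example, not from the thread or from either tool: it parses constructed sample output in the shape of `netstat -tln` and `nmap` and lists ports that are open from the network but absent from the host's own socket table. The addresses, the scan host and the listed services are made up; 16994 is the AMT web-interface port named in the message.

```python
import re

# Constructed sample output, shaped like `netstat -tln` on a Linux host.
NETSTAT_SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
"""

# Constructed sample output, shaped like an nmap TCP scan of the same host
# run from another machine (192.0.2.10 is a documentation address).
NMAP_SAMPLE = """\
Starting Nmap 4.20 ( http://insecure.org ) at 2007-06-21 10:00 CEST
Interesting ports on 192.0.2.10:
PORT      STATE SERVICE
22/tcp    open  ssh
80/tcp    open  http
16994/tcp open  unknown
"""


def local_listeners(netstat_text):
    """Return {port: bind_address} for TCP sockets the host reports in LISTEN."""
    ports = {}
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and parts[0].startswith("tcp") and parts[-1] == "LISTEN":
            addr, port = parts[3].rsplit(":", 1)
            ports[int(port)] = addr
    return ports


def scanned_open_ports(nmap_text):
    """Return the set of TCP ports nmap reported as open."""
    return {int(m.group(1))
            for m in re.finditer(r"^(\d+)/tcp\s+open\b", nmap_text, re.M)}


def hidden_listeners(netstat_text, nmap_text):
    """Ports reachable from the network that the host's own socket table does
    not show.  Anything here is either a firewall/NAT artefact or, as in the
    AMT case, a service answering below the operating system."""
    visible = set(local_listeners(netstat_text))
    return sorted(scanned_open_ports(nmap_text) - visible)


if __name__ == "__main__":
    print("local listeners:", local_listeners(NETSTAT_SAMPLE))
    print("open from outside:", sorted(scanned_open_ports(NMAP_SAMPLE)))
    print("not visible locally:", hidden_listeners(NETSTAT_SAMPLE, NMAP_SAMPLE))
```

The comparison only works when the scan is run from a second machine against the suspect host; a scan of localhost goes through the same kernel stack that netstat reads and would show the same blind spot.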


Re: Free Rootkit with Every New Intel Machine

2007-06-21 Thread Ivan Krstić
Peter Gutmann wrote:
 [...] a register article saying Intel released its new platform Centrino Pro
 which includes Intel Active Management 2.5. An article with some more info is
 here:

It appears Active Management is a setting that can be disabled normally
from the BIOS, like with TPMs today:

http://support.intel.com/support/motherboards/desktop/sb/cs-020837.htm

I couldn't find a conclusive statement one way or the other, but I
expect it'll also be turned off by default for consumer machines. That
still leaves a slew of open questions, but makes it less initially
alarming, I'd say.

-- 
Ivan Krstić [EMAIL PROTECTED] | GPG: 0x147C722D



wrt Network Endpoint Assessment (was: Re: Free Rootkit with Every New Intel Machine)

2007-06-21 Thread Jeff . Hodges

of potential related interest is..

Network Endpoint Assessment (NEA): Overview and Requirements 
http://www.ietf.org/internet-drafts/draft-ietf-nea-requirements-02.txt

note term remediate/remediation.

relevant snippage below. see also..

http://www.ietf.org/html.charters/nea-charter.html


=JeffH

snip/

1. Introduction 

Today, most network providers can leverage existing standards-
based technologies to restrict access to their network based 
upon criteria such as the requesting system's user or host-based 
identity, source IP address or physical access point.  However 
these approaches still leave the network resident systems 
vulnerable to malware-based attack, when an authorized but 
infected system is admitted and the malware is able to spread 
throughout the internal network. 
 
As a result, network operators need a proactive mechanism to 
assess the state of systems joining or present on the network to 
determine their status relative to network compliance policies.  
For example, if a system is determined to be out of compliance 
because it is lacking proper defensive mechanisms such as 
firewalls, anti-virus software or the absence of critical 
security patches, there needs to be a way to safely repair 
(remediate) the system so that it can be subsequently trusted to 
join and operate on the network.  The NEA technology strives to 
provide a mechanism to report the configuration of an endpoint 
for evaluation against network compliance policy.  Such a 
mechanism could offer a useful tool for the network operators'
arsenal but should be recognized as not being a complete 
endpoint compliance solution in and of itself.  
 
NEA typically involves the use of special client software 
running on the requesting system that observes and reports on 
the configuration of the system to the network infrastructure.  
The infrastructure has corresponding validation software that is 
capable of comparing the system configuration information with 
network compliance policy and providing the result to 
appropriate authorization entities that make decisions about 
network and application access.  Some systems may be incapable 
of running the NEA client software (e.g. printer) or be 
unwilling to share information about its configuration.  In 
these cases the network infrastructure might decide to disallow 
or limit access to the network. 
 
In many cases, the admission decision is provisioned to the 
enforcement mechanisms on the network and/or system requesting 
access.  The decision might allow for no access, limited or 
quarantined access (possibly to allow for remediation), or full 
access to the network.  While the NEA Working Group recognizes 
there is a link between an assessment and the enforcement of the 
assessment decision, the mechanisms and protocols for 
enforcement are not in scope for this specification. 
 
Architectures, similar to NEA, have existed in the industry for 
some time and are present in shipping products, but do not offer 
interoperability.  Some examples of such architectures include: 
Trusted Computing Group's Trusted Network Connect [TNC], 
Microsoft's Network Access Protection [NAP], Cisco's Network 
Admission Control [CNAC]).  These technologies assess the 
software or hardware configuration of endpoint devices for the 
purposes of monitoring or enforcing compliance to an 
organization's policy.  These architectures are not 
interoperable because they are implemented using primarily non-
standards based technologies. 
 
The NEA working group is working on defining standard protocols 
so as to enable interoperability between devices from different 
vendors allowing network owners to deploy truly heterogeneous 
solutions. This document describes the requirements for NEA 
candidate technologies and protocols.  
 
snip/

 4. Problem Statement 
 
NEA technology may be used for several purposes.  One use is to 
facilitate endpoint compliance checking against an 
organization's security policy when an endpoint connects to the 
network.  Organizations often require endpoints to run an IT-
specified OS configuration and have certain security 
applications enabled, e.g. anti-virus software, host intrusion 
detection/prevention systems, personal firewalls, and patch 
management software.  An endpoint that is not compliant with IT 
policy may be vulnerable to a number of known threats that might 
exist on the network. 
 
Without NEA technology, ensuring compliance of endpoints to 
corporate policy is a time-consuming and difficult task.  Not 
all endpoints are managed by a corporation's IT organization, 
e.g. lab assets and guest machines.  Even for assets that are 

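The admission decision and compliance check described in the draft text above, as an added example that is not part of the draft or of any post in this thread: a toy posture assessment that turns an endpoint's reported attributes into one of the three outcomes the draft names (full access, limited or quarantined access for remediation, no access) and lists what the endpoint must fix. The attribute names, the policy thresholds and the endpoint reports are constructed; capping unmanaged endpoints (lab and guest machines) at quarantined access is an assumption added here, on the grounds that a self-reported posture from a machine IT does not manage cannot be trusted on its own.

```python
"""Toy NEA-style posture assessment (added illustration, not draft text).

Attribute names, policy values and endpoint reports are constructed.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    FULL = "full access"
    QUARANTINE = "quarantined access (remediation network)"
    DENY = "no access"


@dataclass
class Posture:
    """What a posture collector on the endpoint would report."""
    os_version: tuple            # e.g. (10, 0, 19045)
    antivirus_running: bool
    av_signature_age_days: int
    host_firewall_on: bool
    patch_level: int             # YYYYMM of the newest installed patch set
    managed: bool                # enrolled with the IT organization?


@dataclass
class Policy:
    min_os_version: tuple
    min_patch_level: int
    max_av_signature_age_days: int
    require_firewall: bool = True


@dataclass
class Assessment:
    decision: Decision
    failures: list = field(default_factory=list)   # remediation items


def assess(p: Posture, pol: Policy) -> Assessment:
    """Map one posture report to an admission decision.

    "hard" failures mean the host must not reach the production network at
    all; "soft" failures can be fixed from a quarantine network (patch and
    signature servers reachable, nothing else).
    """
    hard, soft = [], []
    if p.os_version < pol.min_os_version:
        hard.append("unsupported OS version")
    if not p.antivirus_running:
        hard.append("anti-virus not running")
    if pol.require_firewall and not p.host_firewall_on:
        hard.append("host firewall disabled")
    if p.patch_level < pol.min_patch_level:
        soft.append(f"patch level {p.patch_level} < required {pol.min_patch_level}")
    if p.av_signature_age_days > pol.max_av_signature_age_days:
        soft.append(f"AV signatures {p.av_signature_age_days} days old")

    if hard:
        return Assessment(Decision.DENY, hard + soft)
    if soft:
        return Assessment(Decision.QUARANTINE, soft)
    if not p.managed:
        # Assumption added here: the report is self-asserted by the endpoint,
        # so an unmanaged machine that claims compliance still only gets
        # the restricted network.
        return Assessment(Decision.QUARANTINE,
                          ["unmanaged endpoint: self-reported posture not trusted for full access"])
    return Assessment(Decision.FULL, [])


POLICY = Policy(min_os_version=(10, 0), min_patch_level=202306,
                max_av_signature_age_days=7)

# Constructed sample reports, one per endpoint.
ENDPOINTS = {
    "wks-01":  Posture((10, 0, 19045), True, 1,   True,  202306, True),
    "lab-07":  Posture((10, 0, 19045), True, 30,  True,  202303, True),
    "guest-a": Posture((10, 0, 22621), True, 0,   True,  202306, False),
    "old-box": Posture((6, 1, 7601),   False, 400, False, 201901, True),
}


def decide_all(endpoints=ENDPOINTS, policy=POLICY):
    """Return {name: Decision} for every endpoint in the sample set."""
    return {name: assess(p, policy).decision for name, p in endpoints.items()}


if __name__ == "__main__":
    for name, p in ENDPOINTS.items():
        a = assess(p, POLICY)
        print(f"{name:8s} -> {a.decision.value}; remediation: {a.failures}")
```

The split into hard and soft failures is what drives the three-way outcome: the enforcement point (switch, VPN concentrator, firewall) only ever sees the decision, which is the separation of assessment from enforcement that the draft text describes.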
Re: Free Rootkit with Every New Intel Machine

2007-06-21 Thread Peter Gutmann
Ivan Krstić [EMAIL PROTECTED] writes:

It appears Active Management is a setting that can be disabled normally from
the BIOS, like with TPMs today:

http://support.intel.com/support/motherboards/desktop/sb/cs-020837.htm

With TPMs it's a bit different, they're absent from the hardware by default
:-).

Peter.



Re: Free Rootkit with Every New Intel Machine

2007-06-11 Thread James A. Donald

Initially I did not believe it, thought it must be hype or hoax.

Nope, it is a rootkit in hardware.

http://www.intel.com/business/vpro/index.htm

: : Isolate security tasks—in a separate
: : environment that is hidden to the user
: :
: : [...]
: :
: : Perform hardware and software inventory on
: : PCs—even if they don't have management
: : applications installed or they are powered
: : down, which increases reporting accuracy for
: : licensing, maintenance contracts, and audits.
: :
: : Deploy software patches to PCs more
: : efficiently—even if they are powered down or
: : their OS is inoperable, without disrupting or
: : slowing down the user's workflow.

(The last paragraph means without the user knowing, and even if the 
user is doing his best to stop you)




Free Rootkit with Every New Intel Machine

2007-06-09 Thread Peter Gutmann
(Forwarded with permission from a NZ security mailing list, some portions
 anonymised)

-- Snip --

[...] a register article saying Intel released its new platform Centrino Pro
which includes Intel Active Management 2.5. An article with some more info is
here:

http://www.newsfactor.com/news/Intel-Debuts-Fourth-Gen-Centrino-Tech/story.xhtml?story_id=0210025GSEV9

It got me interested, so I started taking a look around. Intel has some good
info here:

http://softwarecommunity.intel.com/articles/eng/1032.htm

And for all of you in the Web 2.0 generation with short attention spans for
reading the doc, here is video that explains it all, I found myself getting
more and more concerned the further it went:

http://softwarecommunity.intel.com/videos/home.aspx?fn=1066

Essentially, all new Intel machines (and a number of current Intel servers)
come with free hardware rootkit functionality, which is operational and
accessible when the machine is powered off, and in the case of laptops, even
when they are unplugged and powered off.

There is the mention of code signing, TLS and PKI magic to allay your security
concerns however...

There are a few new things with this that go beyond generic remote IP KVM:

- NIC based TCP/IP filters configurable remotely
- Handy magic bypass for TCP/IP filters [1]
- Remote BIOS updates over the network
- Remote IDE redirection, as in boot off CDROM over the network
- Persistent storage even if you change hard disks
- It doesn't appear to have a method for disabling it (well, I can't find
  anything about it, seems crazy if there isn't)
- Built-in, on chip. I can understand a decent size company wanting IP-KVM.
  But I don't want my personal laptop with IP-KVM.
- Authentication can be done on Kerberos. We're talking AD.
- Built in web interface on every machine (port 16994)
- handy well documented SDK for building whatever you need to interact with
  this
- ...

This is clearly an awesome management tool. Being able to update your
antivirus while your machine is disconnected from the network is helpful.
Being able to id all your assets even though they are powered off is great. My
concerns are around doomsday scenarios like the below:

Worm is released that gets a domain admin account, worm sets up floppy booting
across the network, floppy is boot-and-nuke [2]. Worm reboots every server in
the company and securely wipes them with single pass. Worm then updates bios
on every machine to broken state, enables TCP/IP filters to prevent the NIC
from being used to talk to the OS ever again, then disables the AMT.

Note, this is OS agnostic, will take out your OSX, Windows and Linux boxen.
The hardware would probably be rendered useless, barring opening up the box
and flipping some jumpers or replacing something. A smart user noticing the
reboot and noticing the disk was being wiped (assuming you didn't change dban
to say now making your computer faster by optimizing the cache flux
capacitor) would have to unplug power and network to stop it, which is harder
if you're a laptop user with wireless.

/end is nigh rant

While parts of this are possible now, it's just not nearly as powerful or
ubiquitous.

[1] TCP-over-Serial-over-LAN 
http://softwarecommunity.intel.com/articles/eng/1222.htm
[2] http://dban.sourceforge.net/

-- Snip --
