New Trusted HW Standard For Windows 8 To Support Chinese Crypto 87
An anonymous reader writes "A new version of the Trusted Platform Module, called TPM2 or TPM 2.0 by Microsoft, has apparently been designed specifically for the release of Windows 8 this week. The details of this new standard have been kept secret. But a major update to the original TPM standard, which came out 10 years ago, seems to have been very quietly released on the Trusted Computing web site (FAQ) earlier this month. Following in the footsteps of the original, this version is quite a challenging read (security through incomprehensibility?). But this new version also seems to support some controversial crypto algorithms that were made public by the 'State Encryption Management Bureau' of China for the first time about 2 years ago. This is roughly the time that Microsoft seems to have begun working in earnest on TPM2, Windows 8, and probably even Surface. But that's probably just a coincidence. This crypto is controversial because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China."
secret standards? (Score:3)
Re:secret standards? (Score:5, Insightful)
Good crypto is born secret, even in the US (Score:5, Funny)
If it has publicly released, its usefulness is questionable.
Re: (Score:1)
has been...
Re: (Score:3, Interesting)
The algorithm is intentionally obscure to waste processing time as to make brute forcing it impractical.
The private key (the input to the algorithm) is obscure. The algorithm is typically public. The most widely used ones (like AES) are quite public.
You don't know what you're talking about.
Re: (Score:2)
The algorithm is typically public. The most widely used ones (like AES) are quite public.
Perhaps he was harking back to the days of DES, with it's obscure NSA-recommended S-boxes that no-one really understood.
They worked very well... somehow. We think.
Re: (Score:2)
How about NSA's Type I ciphers? They are classified TOP SECRET. Would you say they are "weak" or "badly designed?" Do you think NSA keeps them secret because they believe in security through obscurity?
Surely they keep them secret because they don't want other people/countries using them.
Or do they provide a closed implementation for everyone to use?
Re: (Score:3)
How about NSA's Type I ciphers? They are classified TOP SECRET. Would you say they are "weak" or "badly designed?" Do you think NSA keeps them secret because they believe in security through obscurity?
Surely they keep them secret because they don't want other people/countries using them. Or do they provide a closed implementation for everyone to use?
They keep them secret because (a) they don't want to reveal their design principles to others and (b) because then instead of attackers being able to immediately start with attacking the algorithm they first have to spend quite a bit of effort just finding out what the algorithm is before they can start attacking it (look at all the crap crypto used in things like RFID transponders that took ages to break because the details weren't readily available). NSA also has special algorithms designed for high-risk
Re: (Score:2)
Also, hiding your tec
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
Also, STO allows you to more easily em
Security through obscurity flawed saying (Score:1)
My 16 digit CC number along with 4 digit expiry and the 3 digit number on the back are quite secure if I keep them safe and obscure
Re: (Score:2)
Whenever I hear people say "security through obscurity is no security at all" like some mantra first I laugh and then I remind them that passwords are an instant counter argument; the passwords, "password" or "12345678" are not obscure and thus suck. The password "g*&Gug®¥øç¥" on the other-hand rocks (Other than being really hard to remember or type)
Well if you are going to ignore the accepted and industry standard meaning of terms you can laugh at anything. Saying that passwords are "security through obscurity" is like saying "booting windows is a bad idea because you might break them". See Kerckhoffs's principle [wikipedia.org]: "Stated simply, the security of a cryptosystem should depend solely on the secrecy of the key and the private randomizer.[Another way of putting it is that a method of secretly coding and transmitting information should be secure even if ev
Re: (Score:2)
Re: (Score:2)
And lastly good luck breaking into my safe if I don't tell you where it is or what the combo is.
No problem. Just have a 3-year-old [slashdot.org] open it.
It's actually the opposite (Score:4, Insightful)
AES, used by NSA after beeing deemed sufficient for classified information: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security [wikipedia.org]
The NSA/CIA may have quite a few (a lot of) bright minds, but they certainly can't compete with the best worldwide cryptographers.
But don't let the facts get in the way of your conspiracy theories.
Re: (Score:1)
Which only means that people with SECRET or TOP SECRET clearance will not have the clearance to know if AES is breakable. People above these clearance levels may very well use other forms on encryption that the NSA cannot break, and may very well know AES is breakable by the NSA. It also means that NSA believes the common folk cannot break AES and decrypt SECRET or TOP SECRET information.
Just the devils advocate. I personally do not believe NSA can break AES. But the usage of AES for a particular cl
Re: (Score:3)
may very well know AES is breakable by the NSA
To encrypt top secret documents with algorithms known to be breakable is negligent. If its breakable by the NSA by brute force, NSA doesn't have the worlds fastest computers, so they are not the only ones capable. If its a flaw in the algorithm, its a public algorithm, so the NSA are not the only ones analysing it.
Re:It's actually the opposite (Score:5, Funny)
NSA doesn't have the worlds fastest computers
[citation classified]
Re: (Score:2)
There's obvious proof that the NSA doesn't have the fastest computers on earth -- they aren't a Wall Street trading firm.
Nobody on EARTH spends more staggering amounts of cash on endless tiny incremental upgrades to ensure that their computers are always the fastest computers on earth. They develop their own FPGA-accelerated algorithm accelerators that are hand-tuned to execute their algorithms faster than even the fastest general-purpose computer hardware.
The NSA? They buy Wall Street's cast-offs, and have
Re: (Score:2)
they aren't a Wall Street trading firm.
Would you know if they were?
They develop their own FPGA-accelerated algorithm accelerators that are hand-tuned to execute their algorithms faster than even the fastest general-purpose computer hardware.
So what you're saying is, for those specific purposes, they may have the fastest computers on Earth? ;)
Re: (Score:1)
Perhaps you are unaware that NSA gave us SHA-1, SHA-256 and DSA. The reason NIST holds public competitions is so that the tin-foil hatters wont get in an uproar about NSA creating a "backdoored' standard. It also helps satisfy foreign entities who wouldn't feel comfortable with America controlling and creating such a standard. The fact that anyone from any nation can submit ciphers helps ease this suspicion.
I would agree that the "backdoored" standard is a real threat. Just look at things like chipsets from China with backdoors built in. Kind of reminds me of the TPM initiative. I'm sure there are plenty more.
Re: (Score:1)
I'm more inclined to believe that a one time pad is used for the juicy stuff. Now, if you wish to go around believing anything the NSA says publicly, knock yourself out, but considering their very nature, I don't..
Re: (Score:1)
Why would you ... say that?
Many of the world's best cryptographers work or worked for the NSA or GCHQ.
They invented and have provided proof that they had algorithms 20 years before the civilian world didn't, including PKI.
Now -- just because they once were years ahead does not mean they presently are, but part of the deal with classified systems is there's no way we could ever know until years later if the best /public/ worldwide cryptographers are ahead or behind.
Now, what we do know... is that historicall
Re: (Score:2, Insightful)
Wrong. NSA has been doing crypto decades before the academic world got interested in it. They have a huge head start. For instance, they knew about differential cryptanalysis in the 70's, while the academic world didn't discover it until the early 90's. They knew about public key crypto several years before Diffie independently discovered it. These are only two examples, there are many more.
Second, the number of PhD mathematicians they have specializing in crypto is greater than the rest of the world's
Re: (Score:2)
No it's not, AES is public (among like 100 others), short of using a stupid password, good luck decrypting that one.
Re: (Score:2)
The keys are secret, the algorithm isn't.
This probably has more to do with signed crypto modules than some secret method of encryption. The Chinese probably want to build and sign their own rather than 'trust' something compiled in the EU/USA. Big deal. We'd do the same.
Re: (Score:2)
http://opennet.net/chinas-green-dam-the-implications-government-control-encroaching-home-pc
So you'd have the choice of a few domesticly vetted and modified Operating Systems.
microsoft my guess seems up to the task of supporitng chineese censorship at every turn in exchange for being able to do business unmolested, as they have been. I could only speculate they see censorship as a good thing, and further might be able to work it in their ad
China china china. (Score:1)
Your entire computer was made in china, what makes you think you are safe even if your crypto wasn't?
..probably just a coincidence.. (Score:1)
No, as there aren't any.
TPM Of Evil (Score:2)
Well guys, I don't know about you, but I have only one question: Is it a separate chip on the motherboard? Because if it is, I'm hosting SMC desoldering classes the day this thing hits the market. Who'd have thought the day would come when we'd have to modchip our own damn computers...
Re: (Score:2)
I'm too lazy to bother. From what I read, TPM 2.0 will work similar to 1.2. Which means on desktop computers, it ships off, unknowned, and disabled. No need to worry/care about it.
Re: (Score:2)
Correction, unowned and disabled.
TPMs do provide some good security for what they are worth. Not perfect, but it helps immensely with laptops, because if done right, a thief has to be able to get in via the OS, as well as have the proper PIN [1], and perhaps even a USB flash drive with a keyfile on it in order to boot.
[1]: Too many wrong guesses, the TPM won't accept any PIN requests for x amount of time, the value doubling each wrong time.
Re:TPM Of Evil (Score:5, Informative)
Well guys, I don't know about you, but I have only one question: Is it a separate chip on the motherboard? Because if it is, I'm hosting SMC desoldering classes the day this thing hits the market. Who'd have thought the day would come when we'd have to modchip our own damn computers...
Depends on the implementation. Some TPMs are not exactly hard to remove [wikimedia.org](that riser card on the LPC headers is sold as an option for that particular motherboard, so they made it easy to add or remove.
Some, like the chip on which that Asus module is based, or a bunch of the Infineon and Atmel ones, are reasonably civilized TSSOPs. Not hard to remove, allegedly packaged to be hard to tamper with at a chip level; but it's your problem if the firmware/BIOS/whatever flips out and refuses to do anything until the TPM is restored(and each one has a unique, and kept secret from you, RSA key burned in, so you have fun cloning/impersonating it to a hostile chipset...)
If, on the other hand, you have a system with something like the Intel GM45 [intel.com] chipset, you'd better have your microscope and ion beam ready because the TPM is on the same silicon as the motherboard chipset.
The TPMs from the likes of Broadcom are somewhere in the middle: They are integrated directly with some of the company's ethernet(and possibly other; I'm only familiar with the ones in some GigE products) chips; and aren't exactly going to be trivial to remove; but your computer will still work if you take a screwdriver to that part, unlike the Intel ones.
Re:TPM Of Evil (Score:4, Informative)
Don't be ridiculous. You don't have to modchip your motherboard. The TPM chip is, and always has been, something that provides services to the CPU on demand. It can't control your computer. The computer you're using now probably has one already and it may be used for such nefarious purposes as making disk encryption more secure.
Trusted computing has a needlessly bad rap because of kneejerk reactions like this one. In fact it's a flexible and general tool that can be used for many purposes. For example, you can use it to do sensitive operations on a computer compromised by malware. Games can use it to kick out cheaters. Things get especially interesting when you throw Bitcoin in the mix. It makes feasible autonomous agents [bitcoin.it], a form of evolutionary AI in which programs maintain their own wallets and rely on trusted computing technologies to protect them from potentially malicious humans who want to steal their money. You can also use it to make sensitive financial platforms like exchanges more secure against hackers. The actual cryptography needed to move money can be done inside the secure world with the root keys being held in the TPM chip. The secure code (PAL) verifies and sanity checks the requested operations. Even if the host machine is completely rooted and starts submitting false orders, it can only submit requests to the secure subsystem, it can't directly steal the money.
Remote attestation is useful any time somebody might want to trade or interact with you but have some assurances around how your computer may behave. DRM was one of the original driving motivations indeed, but even here the way the system works is not "evil" in any sense unless you have a truly warped idea of human relations. The technology lets you prove to some online store that you will follow the rules around using the stuff you're buying - like not simply uploading it to a file sharing network. But if you don't find the terms that store requires acceptable, you just don't shop there: they can't actually force you to run any software or put your computer into any particular state. In other words it lets you prove you are doing what you said you'd do, alternatively, it is designed to make it hard to lie - just a mechanical way to enforce contracts. Unless you're routinely in the habit of defrauding people you enter into contracts with, such a capability should not concern you. And the standards are completely open. You can run such an online store on your own Linux box in your bedroom if you like - there's nothing that tips the playing field in favor of Microsoft or other companies (which is why Bitcoin agents can use it).
Re:TPM Of Evil (Score:4, Interesting)
Trusted computing has a needlessly bad rap because of kneejerk reactions like this one. In fact it's a flexible and general tool that can be used for many purposes.
Because I'm lazy, I'll just copy and paste a comment I made in another thread about TPM
Ever since TPM was created, we're always just a few bits and bytes away from having it leveraged against us, by them.
And by "us" I mean "the computer users."
By "them" I mean "the hardware manufacturers and software/media companies."
Example: The newest motherboards don't *need* the ability to disable trusted boot. Heck, it'd have been easier to not include it!
We're more or less at the mercy of a small number of companies and their design decisions.
Re: (Score:2)
" they can't actually force you to run any software or put your computer into any particular state."
It certainly is a good thing that nobody involved in computers, software, internet services, etc. has any significant market power... Also good that nobody would ever attempt to mechanically enforce a contract that gives them greater rights than contract law allows(this is why, for instance, DRM systems never trample on fair use rights...)
Definitely nothing to worry about.
Re: (Score:2)
Don't be ridiculous. You don't have to modchip your motherboard. The TPM chip is, and always has been, something that provides services to the CPU on demand. It can't control your computer.
It can, however, be used to authenticate the BIOS image and the host OS, and completely refuse to run if the machine isn't running a stock BIOS with a manufacturer-signed OS. It's great for securing industrial controllers, web servers, tablet PCs, smartphones, routers, laptops, notebooks, netbooks, embedded systems, desktops, and home entertainment systems who are obviously owned by people just trying to pirate stuff. But no, it doesn't control your computer. Dell and Microsoft do that.
Controversial crypto... Wait, what? (Score:2)
Does this addition enable deployment of TPM in China? (I'd expect it would, why else add it)
Is it controversial because this specific algorithm has a backdoor, giving Chinese users a false sense of security?
Is
Is it controversial because MS can shut down (Score:2)
Is it controversial because MS can shut down china and make them pay for software.
Re: (Score:2)
I was unclear either. I was thinking it included some Chinese crypto algorithms that were previously secret similar to how Clipper/SKIPJACK were in the 1990s.
If the TPM chip contains additional crypto algorithms, big whoop. They wouldn't be useful for Western stuff, but for Chinese stuff, would be important (since they want their own AES for example.)
That is the only real thing I can think of which the EU would be concerned about.
Re: (Score:2)
I was unclear either. I was thinking it included some Chinese crypto algorithms that were previously secret similar to how Clipper/SKIPJACK were in the 1990s.
If the TPM chip contains additional crypto algorithms, big whoop. They wouldn't be useful for Western stuff, but for Chinese stuff, would be important (since they want their own AES for example.)
That is the only real thing I can think of which the EU would be concerned about.
I'd double encrypt with the NSA and Chinese algorithms. I don't trust China or America but I can probably trust them not cooperating to snoop data.
Chink in the Armor? (Score:1, Flamebait)
Is that what Microsoft is getting?
Re: (Score:2)
I take this categorization of my post as an honor. The fact that Microsoft would deal this way with China indicates China has virtual monopolistic power over the products they allow into China when they choose to do it.
I personally do not think the Chinese can be trusted and would not believe they would play fair. For god's sake, there are people in their country who make fake baby formula and medicine which have killed people. There is no way I can trust them.
The most interesting part (Score:3, Interesting)
From the FAQ: "TPM 2.0 is intended to be usable for a very broad range of platforms from embedded systems to mobile devices to PCs to servers." In other words, TCG is not dead but actively pushing TPMs to new platforms.
A use case: in case of theft, the permanent storage of your device can be protected against reading the flash memory (of course, assuming your device is locked in the first place) in the same fashion as Bitlocker works on PCs. The secret key with which your corporate data is encrypted can be stored in the TPM bound to a password and/or PCRs. (Assuming, of course, that the TPM itself is not hacked using physical attacks (DPA, etc.). But at least, it raises the bar for the average thief.)
The TPM has non-DRM uses (Score:3)
If you ignore all the weird DRM-ish uses (which are basically unsupported for now anyway [1]), the TPM makes a nice cryptographic token. Unfortunately, TPM v1.1 hard-coded the OAEP label to "TPM", which made it incompatible with everything. TPM v2.0 fixes this -- the label is now user-specified. That means that you can use it for modern hardware crypto (sadly, using SHA-1, which should be phased out).
[1] For meaningful DRM, you need an endorsed TPM, which most vendors don't provide. See http://www.privacyca.com/ekcred.html [privacyca.com]
Re: (Score:2)
I think that page is wrong, most TPMs do have EKs. Infineons certainly do and IIRC they're the most popular model. However this does not change your point that the DRM use case was never really functional and work on it seems to have been largely abandoned, perhaps due to the staggering complexity involved.
Making DRM work for things like movies was probably always going to be a non-starter on platforms as heterogenous as the PC. To make it work there'd have needed to be not only unbelievably tight synchroni
Trusted Computer (Score:1)
How can you trust a computer when it can't be examined what the code is actually doing? How can you trust a computer when Microsoft are involved?
Won't be buying a PC with that "trusted" junk on it.
Why does Slashdot hate China? (Score:2)
Over the least few months there has been a relentless barrage of negative stories about China. Many commentators seem to assume that any technology China has is stolen, all Chinese products are cheap crap and contain government backdoors, and all Chinese people are somehow brainwashed by the government.
China is a big place. There is a huge diversity of people. They have some really strong R&D, lots of good scientists doing cutting edge work. They make some damn good products, for example world class hif
Re: (Score:2)
It's a hive of cynics. Are the negative stories about China really all that different from negative stories about the US?
This is a TCG/TPM-Lib thing. Not a MSFT thing. (Score:4, Informative)
The headline is slighly misleading. It's not MSFT's spec, it's the Trusted Computing Group (TCG) and their TPM spec.
One of the goals of the new TPM spec was to allow a better way to replace some algorithms because the original TPM spec entangle SHA1 hash in such a way (with the PCR extension mechanism) that it was difficult to replace that hash algorithm when weakness was discovered that algorithm and people wanted to replace it. Once you change the design and open that up you should probably include the usual suspects.
Some interesting additional algorithms added to the support library were SM3_256 [ietf.org] and SM4 (the hash and symmetric key algorithms mandated for use in chinese DRM), WHIRLPOOL512 [wikipedia.org] (hash function from NESSIE). In addition of the normal RSA public key stuff, they've also added ECC, ECDSA, ECDH, ECDAA, ECSCHNORR (a smattering of ellipitic curve based standards) to the mix in order to help gain acceptance in those markets that want/need shorter key lengths that are available to EC-derived algorithms that presumably have similar security to their RSA counterparts with longer keys.
Interestingly, although they include the SHA2 family of hash functions as an SHA1 upgrade, the newly minted SHA3 was strangely absent. Also, I don't think they have included SM2 [ietf.org] (the chinese ECC signature technique), but that's probably just an oversight. I expect both of these omissions to be remedied with the next release.
These oppressive govs have high level crypto. (Score:1)