New Trusted HW Standard For Windows 8 To Support Chinese Crypto

An anonymous reader writes "A new version of the Trusted Platform Module, called TPM2 or TPM 2.0 by Microsoft, has apparently been designed specifically for the release of Windows 8 this week. The details of this new standard have been kept secret. But a major update to the original TPM standard, which came out 10 years ago, seems to have been very quietly released on the Trusted Computing web site (FAQ) earlier this month. Following in the footsteps of the original, this version is quite a challenging read (security through incomprehensibility?). But this new version also seems to support some controversial crypto algorithms that were made public by the 'State Encryption Management Bureau' of China for the first time about 2 years ago. This is roughly the time that Microsoft seems to have begun working in earnest on TPM2, Windows 8, and probably even Surface. But that's probably just a coincidence. This crypto is controversial because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China."

secret standards?

[parodyca]

How does that work

Re:secret standards?

[CanHasDIY]

The same way secret interpretations of law work, I suppose.

Re:secret standards?

Because it's a boring topic about a boring company that makes a boring OS run on boring hardware.

It's also all Slashdot will be posting for the foreseeable future, which makes this a boring website.

Good crypto is born secret, even in the US

[fustakrakich]

If it has publicly released, its usefulness is questionable.

Re:Good crypto is born secret, even in the US

[fustakrakich]

has been...

Re:Good crypto is born secret, even in the US

Is this a joke? You're effectively advocating Security through Obscurity, which is a laughable concept.

Most real encryption techniques are based on something that's in theory publicly knowable but mathematically difficult (as in, hard enough to compute given $$$ processing power that you won't be able to do it in your lifetime). Algorithms that don't fit the bill (because processing technology has gotten better or because they're flawed) are replaced over time by algorithms and key sizes that again fit the bill. The most widely used and secure encryption techniques require no secrecy (except, of course, that you keep your private key secret).

Re:Good crypto is born secret, even in the US

[Synerg1y]

No it's not, AES is public (among like 100 others), short of using a stupid password, good luck decrypting that one.

Re:Good crypto is born secret, even in the US

[PPH]

The keys are secret, the algorithm isn't.

This probably has more to do with signed crypto modules than some secret method of encryption. The Chinese probably want to build and sign their own rather than 'trust' something compiled in the EU/USA. Big deal. We'd do the same.

Re:Good crypto is born secret, even in the US

That's a good way to get the crypto nerds riled up ;)

Re:Good crypto is born secret, even in the US

Oh boy

Re:Good crypto is born secret, even in the US

How about NSA's Type I ciphers? They are classified TOP SECRET. Would you say they are "weak" or "badly designed?" Do you think NSA keeps them secret because they believe in security through obscurity?

Re:Good crypto is born secret, even in the US

The algorithm is intentionally obscure to waste processing time as to make brute forcing it impractical.

The private key (the input to the algorithm) is obscure. The algorithm is typically public. The most widely used ones (like AES) are quite public.

You don't know what you're talking about.

Re:Good crypto is born secret, even in the US

Woosh.

Take your head out of your ass and you might catch on to what someone else is actually saying. Condescending douche.

Re:Good crypto is born secret, even in the US

[RCL]

Actually, why is Security Through Obscurity laughable? Don't underestimate people's psychology. If we don't know how the thing works, we usually have better opinion about its guts than they actually deserve ;) (yeah, this also works in favor of proprietary software). Moreover, if you used publicly available algorithm Foo, but disguised it so it's not obvious that it was Foo, that provides you with an additional layer of protection in case some basic flaw in Foo's design is discovered.

Also, hiding your technology costs your enemy more effort (money, time, etc) to just evaluate whether it's worth attacking you.

There were some studies on how well people solve math tasks and it was found important for people to know that the task given was at all solvable in the first place; without that a priori knowledge a lot of people gave up after the first few hours. So why provide the people (and thus, the enemy) with unnecessary knowledge?

Re:Good crypto is born secret, even in the US

[aiht]

How about NSA's Type I ciphers? They are classified TOP SECRET. Would you say they are "weak" or "badly designed?" Do you think NSA keeps them secret because they believe in security through obscurity?

Surely they keep them secret because they don't want other people/countries using them.
Or do they provide a closed implementation for everyone to use?

Re:Good crypto is born secret, even in the US

[davydagger]

could also be to ensure someone doesn't install an OS which bypasses
http://opennet.net/chinas-green-dam-the-implications-government-control-encroaching-home-pc

So you'd have the choice of a few domesticly vetted and modified Operating Systems.

microsoft my guess seems up to the task of supporitng chineese censorship at every turn in exchange for being able to do business unmolested, as they have been. I could only speculate they see censorship as a good thing, and further might be able to work it in their advantage in the future.

Re:Good crypto is born secret, even in the US

[Lincolnshire+Poacher]

The algorithm is typically public. The most widely used ones (like AES) are quite public.

Perhaps he was harking back to the days of DES, with it's obscure NSA-recommended S-boxes that no-one really understood.

They worked very well... somehow. We think.

Re:Good crypto is born secret, even in the US

[arglebargle_xiv]

How about NSA's Type I ciphers? They are classified TOP SECRET. Would you say they are "weak" or "badly designed?" Do you think NSA keeps them secret because they believe in security through obscurity?

Surely they keep them secret because they don't want other people/countries using them. Or do they provide a closed implementation for everyone to use?

They keep them secret because (a) they don't want to reveal their design principles to others and (b) because then instead of attackers being able to immediately start with attacking the algorithm they first have to spend quite a bit of effort just finding out what the algorithm is before they can start attacking it (look at all the crap crypto used in things like RFID transponders that took ages to break because the details weren't readily available). NSA also has special algorithms designed for high-risk situations where there's a chance the design details will be compromised, if one's needed then something not related to anything else in use will be pulled off the shelf and used. Skipjack was an example of a high-risk algorithm, and it did indeed end up being revealed, and it doesn't tell us anything about other NSA designs.

Re:Good crypto is born secret, even in the US

[Gr8Apes]

I'm surprised you've not been skewered, perhaps it's because there's truth in what you say, but your assumptions are way way off. "Normal people" would behave as you say. Governments and hackers operate on an entirely different level and with different motivations, so making something obscure does not deter them at all. And lastly, wrapping some public function Foo and obscuring it provides you with exactly 0 layers of protection should a flaw with Foo be found. For one example, look at all the vectors associated with the Windows WMF rendering engine, which compromised entire suites of software you weren't even aware of using that "feature", and produced what seemed years of vulnerability reports as more and more products were added to the list as additional vulnerabilities were found.

Re:Good crypto is born secret, even in the US

[RCL]

Ok, you are saying that being obscure changes nothing for governments, but may deter normal people... so the net result is still a plus?

Re:Good crypto is born secret, even in the US

[Gr8Apes]

Nope - because "Normal People" wouldn't be especially interested in the possibility to begin with. Heck, normal people didn't even nick their 3.5 floppies to get double the space, instead buying "approved" 1.44 HD floppies. You think normal people are going to be attempting to crack anything?

Re:Good crypto is born secret, even in the US

[RCL]

Still, even putting aside possible deterrent effect on wannabe hackers and script kiddies who, in my opinion, come from "normal people" (but I don't want to argue about this minor point), I don't see how "security through obscurity" is a "laughable concept" as OP asserted. Provided that you aren't developing underlying tech from scratch but consulting/employing experts in the field, a "smoke screen" around your tech is going to strengthen your security, not weaken it.

Also, STO allows you to more easily employ steganography where applicable.

China china china.

Your entire computer was made in china, what makes you think you are safe even if your crypto wasn't?

Re:China china china.

Yes.

Backdooring the chipsets will work ONCE if you're not lucky. Data still needs to get back to the person doing the listening, and that part is easily detectable. Once it's detected, it's blown. Limits repeat customers. Killswitches are the only strategically wide, general purpose and useful application. There are very niche circumstances, like telecom switching networks (because obviously you have MANY possible covert external datapaths), that are more a risk to hardware backdooring.

Re:China china china.

Which is exactly what the government is concerned about with Huwaei. They claim they have witnessed the devices sending data back to China via covert channels. However, the details on how they found his out are classified (likely so they don't have to reveal NSA techniques or capabilities).

It's actually the opposite

[e065c8515d206cb0e190]

AES, used by NSA after beeing deemed sufficient for classified information: http://en.wikipedia.org/wiki/Advanced_Encryption_Standard#Security

The NSA/CIA may have quite a few (a lot of) bright minds, but they certainly can't compete with the best worldwide cryptographers.

But don't let the facts get in the way of your conspiracy theories.

Re:It's actually the opposite

From that page:
 
The design and strength of all key lengths of the AES algorithm (i.e., 128, 192 and 256) are sufficient to protect classified information up to the SECRET level. TOP SECRET information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect national security systems and/or information must be reviewed and certified by NSA prior to their acquisition and use.

Re:It's actually the opposite

The NSA also has many classified algorithms

Re:It's actually the opposite

Which only means that people with SECRET or TOP SECRET clearance will not have the clearance to know if AES is breakable. People above these clearance levels may very well use other forms on encryption that the NSA cannot break, and may very well know AES is breakable by the NSA. It also means that NSA believes the common folk cannot break AES and decrypt SECRET or TOP SECRET information.
 
Just the devils advocate. I personally do not believe NSA can break AES. But the usage of AES for a particular clearance level proves nothing.

Re:It's actually the opposite

Those aren't facts, those are unsubstantiated assertions---probably because they're hard or impossible to quantify.

We don't know whether the NSA as an organization has a larger or smarter brain than the public research community. What we do know is that NIST and the NSA have become increasingly dependent on public submissions for their public standards. And from government leaks, there's no reason to believe that the NSA possess any surprising capability beyond the imagination of the research community.

The general consensus seems to be that many of the brightest minds in the public research community are at least as competent as the geniuses the NSA keeps in-house. What the NSA does have in its favor is money and strategic focus. Which means it's prudent to assume that many theoretical attacks known by researchers are actually in use by the NSA.

Re:It's actually the opposite

[fustakrakich]

I'm more inclined to believe that a one time pad is used for the juicy stuff. Now, if you wish to go around believing anything the NSA says publicly, knock yourself out, but considering their very nature, I don't..

Re:It's actually the opposite

Why would you ... say that?

Many of the world's best cryptographers work or worked for the NSA or GCHQ.

They invented and have provided proof that they had algorithms 20 years before the civilian world didn't, including PKI.

Now -- just because they once were years ahead does not mean they presently are, but part of the deal with classified systems is there's no way we could ever know until years later if the best /public/ worldwide cryptographers are ahead or behind.

Now, what we do know... is that historically, the NSA changes to the DES boxes strengthened it against a form of cryptanalytic attack that was later published. Although we cannot confirm it did not weaken it against an alternate form of attack (can't prove a negative and all).

The use of AES being sufficient for classified info really proves very little though -- we do know it's not 'good enough' for the higher forms of classification, although when put into modules it can supposedly be used up to top secret.

Now... really, what makes you think they can't compete with the best worldwide cryptographers when... well... they... hire them?

Re:It's actually the opposite

[viperidaenz]

may very well know AES is breakable by the NSA

To encrypt top secret documents with algorithms known to be breakable is negligent. If its breakable by the NSA by brute force, NSA doesn't have the worlds fastest computers, so they are not the only ones capable. If its a flaw in the algorithm, its a public algorithm, so the NSA are not the only ones analysing it.

Re:It's actually the opposite

The algorithm in itself may be flawless (it might even mathematically prove to be flawless), but no can really say if the s-boxes are flawless. And it is true that the NSA does not have all the fastest computers, if they have the knowledge of the flaws in the AES, it is good enough. You dont really need a fast computer when you can reduce the keyspace using the flaws.

Re:It's actually the opposite

[wonkey_monkey]

NSA doesn't have the worlds fastest computers

[citation classified]

Re:It's actually the opposite

Wrong. NSA has been doing crypto decades before the academic world got interested in it. They have a huge head start. For instance, they knew about differential cryptanalysis in the 70's, while the academic world didn't discover it until the early 90's. They knew about public key crypto several years before Diffie independently discovered it. These are only two examples, there are many more.

Second, the number of PhD mathematicians they have specializing in crypto is greater than the rest of the world's top experts combined. This means they have their own (huge) body of scientific literature on the subject that no one outside of the Agency gets to see. At the same time, they get to see all the public literature. As former NSA cryptologist Brian Snow says, "We get to cheat. We read your journals, but you can't read ours."

As an analogy, imagine that there was a secret agency doing physics in 1900. One of the physicists working for them was Max Planck. This agency discovered the quantum theory and begins unlocking the secrets of the atom. By the 1940's they have the bomb. Now imagine that the public world starts getting interested in physics and discovers quantum theory in the 1930's. It isn't until the 1970's that they get the bomb. This is about the way it is with NSA and crypto -- they have a huge head-start. A lot of the work the academic community has done has been discovered independently (and certainly much later) than NSA.

Third, AES is only approved for classified information in NSA approved systems! This means, the hardware and software implementation has to be vetted by them first (likely to prevent side-channel attacks, of which AES is notoriously susceptible). And AES is not used in any really sensitive systems. For that NSA is going to use their classified Type I ciphers.

Re:It's actually the opposite

I don't think anyone is arguing NSA can break a 128 bit (much less a 256 bit) cipher through brute force. I don't care how many machines they have, even the NSA must obey the laws of thermodynamics.

What is a real possibility, however, is that they have done cryptanalysis against it that allows them a "short-cut" in breaking it (i.e. something that significantly reduces the complexity).

As you say, they are not the only ones analyzing it. That's true. But they *are* the one's with the most expertise in cryptanalysis. They have a decades head-start in this field.

Re:It's actually the opposite

What we do know is that NIST and the NSA have become increasingly dependent on public submissions for their public standards.

So? This says nothing about NSA's ability to create or break ciphers. AES is a public algorithm designed to be used by the public. It is not for secret government information, even though it can be used for that as long as NSA vets the implementation (very important caveat).

You seem to be suggesting that NSA is inept and isn't good enough to create ciphers for public consumption. Perhaps you are unaware that NSA gave us SHA-1, SHA-256 and DSA. The reason NIST holds public competitions is so that the tin-foil hatters wont get in an uproar about NSA creating a "backdoored' standard. It also helps satisfy foreign entities who wouldn't feel comfortable with America controlling and creating such a standard. The fact that anyone from any nation can submit ciphers helps ease this suspicion.

And from government leaks, there's no reason to believe that the NSA possess any surprising capability beyond the imagination of the research community.

Which government leaks are you referring to?

The general consensus seems to be that many of the brightest minds in the public research community are at least as competent as the geniuses the NSA keeps in-house. What the NSA does have in its favor is money and strategic focus. Which means it's prudent to assume that many theoretical attacks known by researchers are actually in use by the NSA.

I agree that the NSA people aren't inherently "smarter" than the rest of us. I would, however, argue they have three important things the academics don't:

1) More people working on a given problem
2) FAR more resources and money
3) More academic literature to draw from (literature the public community doesn't get to read).

They also have more focus, as you mentioned. This is important because academics have so many other responsibilities (teaching classes, going to conferences, etc.) NSA cryptologists have none of that to worry with -- they can literally sit around Ft. Meade until they solve a problem. Academics usually don't have such a luxury. I see people like Adi Shamir publishing papers on all sorts of varied and unrelated topics. People like him, though brilliant, aren't very focused. I would imagine at NSA, you work on a problem until you solve it. You probably don't waste time publishing papers on Bitcoin (as Shamir did recently).

Re:It's actually the opposite

[Miamicanes]

There's obvious proof that the NSA doesn't have the fastest computers on earth -- they aren't a Wall Street trading firm.

Nobody on EARTH spends more staggering amounts of cash on endless tiny incremental upgrades to ensure that their computers are always the fastest computers on earth. They develop their own FPGA-accelerated algorithm accelerators that are hand-tuned to execute their algorithms faster than even the fastest general-purpose computer hardware.

The NSA? They buy Wall Street's cast-offs, and have the SECOND-fastest computers on Earth.

Re:It's actually the opposite

[wonkey_monkey]

they aren't a Wall Street trading firm.

Would you know if they were?

They develop their own FPGA-accelerated algorithm accelerators that are hand-tuned to execute their algorithms faster than even the fastest general-purpose computer hardware.

So what you're saying is, for those specific purposes, they may have the fastest computers on Earth? ;)

Re:It's actually the opposite

[Gr8Apes]

Perhaps you are unaware that NSA gave us SHA-1, SHA-256 and DSA. The reason NIST holds public competitions is so that the tin-foil hatters wont get in an uproar about NSA creating a "backdoored' standard. It also helps satisfy foreign entities who wouldn't feel comfortable with America controlling and creating such a standard. The fact that anyone from any nation can submit ciphers helps ease this suspicion.

I would agree that the "backdoored" standard is a real threat. Just look at things like chipsets from China with backdoors built in. Kind of reminds me of the TPM initiative. I'm sure there are plenty more.

Re:It's actually the opposite

Surprisingly, one time pads are rarely used. Atmospheric noise used to be the gold standard, now you use a laser and a single photon counter. Still a pain in the neck. If it's THAT important, you send a carrier. Usually a person with a) a blue piece of paper, b) a special passport and/or c) heavily armed buddies to physically transport the message. Since I wasn't a State Department type, I only did a) and c). Both worked quite nicely.

Actually, I do believe the overwhelming majority of NSA stuff that isn't politicized. When politics is involved, even the NSA gets twitchy. Otherwise, they're notoriously honest whenever they decide to be open. It's only when they're not saying anything that you need to be suspicious.

Re:It's actually the opposite

OTP's are rarely used because they suck. Who cares if they are unbreakable if key management and distribution is such a PITA. For one, you have to have truly random keys (very hard to generate in any large quantity). You cannot use keys twice (see VENONA project) and the key has to be as long as the message (which means huge keys that have to be stored somewhere insecurely). Finally, you have to distribute the keys somehow, which means face-to-face or by trusted courier. A real pain.

There was an article published recently about a now retired CIA spook who's job it was to break into foreign embassies and steal their OTP's. He was a master safe cracker -- the best the government had at the time. So, he would sneak into the embassy at night (with help from CIA moles on the inside), crack the safe, take out the pads, photograph them, and put them back. The embassies were none the wiser and continued using the compromised pads. The only reason this guy is talking now is because he had a falling out with the CIA and was pushed out. (It's a highly interesting read).

What he did illustrates the problem with OTPs - the pads themselves are highly vulnerable to theft or compromise. And even worse, once they are compromised there is no way to know that they were.

..probably just a coincidence..

[nurb432]

No, as there aren't any.

Re:..probably just a coincidence..

Yep!

TPM Of Evil

[girlintraining]

Well guys, I don't know about you, but I have only one question: Is it a separate chip on the motherboard? Because if it is, I'm hosting SMC desoldering classes the day this thing hits the market. Who'd have thought the day would come when we'd have to modchip our own damn computers...

Re:TPM Of Evil

Who'd have thought the day would come when we'd have to modchip our own damn computers...

Microsoft.

Well, okay, that's not really accurate. In their version of things, roving squads of Redmond Thought Police would quickly come by to "humanely" quell any attempts at modchipping their property, removing the question of whether or not you have to and replacing it with whether you're allowed to without swift and severe punishment.

Re:TPM Of Evil

[mlts]

I'm too lazy to bother. From what I read, TPM 2.0 will work similar to 1.2. Which means on desktop computers, it ships off, unknowned, and disabled. No need to worry/care about it.

Re:TPM Of Evil

[mlts]

Correction, unowned and disabled.

TPMs do provide some good security for what they are worth. Not perfect, but it helps immensely with laptops, because if done right, a thief has to be able to get in via the OS, as well as have the proper PIN [1], and perhaps even a USB flash drive with a keyfile on it in order to boot.

[1]: Too many wrong guesses, the TPM won't accept any PIN requests for x amount of time, the value doubling each wrong time.

Re:TPM Of Evil

[fuzzyfuzzyfungus]

Well guys, I don't know about you, but I have only one question: Is it a separate chip on the motherboard? Because if it is, I'm hosting SMC desoldering classes the day this thing hits the market. Who'd have thought the day would come when we'd have to modchip our own damn computers...

Depends on the implementation. Some TPMs are not exactly hard to remove(that riser card on the LPC headers is sold as an option for that particular motherboard, so they made it easy to add or remove.

Some, like the chip on which that Asus module is based, or a bunch of the Infineon and Atmel ones, are reasonably civilized TSSOPs. Not hard to remove, allegedly packaged to be hard to tamper with at a chip level; but it's your problem if the firmware/BIOS/whatever flips out and refuses to do anything until the TPM is restored(and each one has a unique, and kept secret from you, RSA key burned in, so you have fun cloning/impersonating it to a hostile chipset...)

If, on the other hand, you have a system with something like the Intel GM45 chipset, you'd better have your microscope and ion beam ready because the TPM is on the same silicon as the motherboard chipset.

The TPMs from the likes of Broadcom are somewhere in the middle: They are integrated directly with some of the company's ethernet(and possibly other; I'm only familiar with the ones in some GigE products) chips; and aren't exactly going to be trivial to remove; but your computer will still work if you take a screwdriver to that part, unlike the Intel ones.

Re:TPM Of Evil

[IamTheRealMike]

Don't be ridiculous. You don't have to modchip your motherboard. The TPM chip is, and always has been, something that provides services to the CPU on demand. It can't control your computer. The computer you're using now probably has one already and it may be used for such nefarious purposes as making disk encryption more secure.

Trusted computing has a needlessly bad rap because of kneejerk reactions like this one. In fact it's a flexible and general tool that can be used for many purposes. For example, you can use it to do sensitive operations on a computer compromised by malware. Games can use it to kick out cheaters. Things get especially interesting when you throw Bitcoin in the mix. It makes feasible autonomous agents, a form of evolutionary AI in which programs maintain their own wallets and rely on trusted computing technologies to protect them from potentially malicious humans who want to steal their money. You can also use it to make sensitive financial platforms like exchanges more secure against hackers. The actual cryptography needed to move money can be done inside the secure world with the root keys being held in the TPM chip. The secure code (PAL) verifies and sanity checks the requested operations. Even if the host machine is completely rooted and starts submitting false orders, it can only submit requests to the secure subsystem, it can't directly steal the money.

Remote attestation is useful any time somebody might want to trade or interact with you but have some assurances around how your computer may behave. DRM was one of the original driving motivations indeed, but even here the way the system works is not "evil" in any sense unless you have a truly warped idea of human relations. The technology lets you prove to some online store that you will follow the rules around using the stuff you're buying - like not simply uploading it to a file sharing network. But if you don't find the terms that store requires acceptable, you just don't shop there: they can't actually force you to run any software or put your computer into any particular state. In other words it lets you prove you are doing what you said you'd do, alternatively, it is designed to make it hard to lie - just a mechanical way to enforce contracts. Unless you're routinely in the habit of defrauding people you enter into contracts with, such a capability should not concern you. And the standards are completely open. You can run such an online store on your own Linux box in your bedroom if you like - there's nothing that tips the playing field in favor of Microsoft or other companies (which is why Bitcoin agents can use it).

Re:TPM Of Evil

[TubeSteak]

Trusted computing has a needlessly bad rap because of kneejerk reactions like this one. In fact it's a flexible and general tool that can be used for many purposes.

Because I'm lazy, I'll just copy and paste a comment I made in another thread about TPM

Ever since TPM was created, we're always just a few bits and bytes away from having it leveraged against us, by them.
And by "us" I mean "the computer users."
By "them" I mean "the hardware manufacturers and software/media companies."

Example: The newest motherboards don't *need* the ability to disable trusted boot. Heck, it'd have been easier to not include it!
We're more or less at the mercy of a small number of companies and their design decisions.

Re:TPM Of Evil

Don't be ridiculous.

Not ridiculous at all.

You don't have to modchip your motherboard. The TPM chip is, and always has been,

And always will be?

something that provides services to the CPU on demand. It can't control your computer.

The whole point of it is to allow somebody who is not the owner of the computer to take and keep control.

The computer you're using now probably has one already

Disabled and inaccessible in most cases. M$ has been working hard however to make sure it is not optional however. As usual dishonest players are boiling the frog. The entire purpose of TPM is to allow M$ to control their customers and arbitrarily manipulate them with no checks and balances. The free market and unethical companies in action.

and it may be used for such nefarious purposes as making disk encryption more secure.

Irrelevant distraction. The primary purpose is to allow vendors, one in particular, to control their customers sufficiently well so that they can do everything from planned obsolescence to blocking competition to blocking first sale doctrine to market segmentation to removing content to blocking people they and they alone arbitrarily decide is not in their interest.

Trusted computing has a needlessly bad rap because of kneejerk reactions like this one.

It's not in the slightest kneejerk, it is appropriate reaction to marketing spam that completely ignores the massive downsides.

In fact it's a flexible and general tool that can be used for many purposes.

That's part of the problem. It's all or nothing. If the given privilege could be restricted to what the the key owner publicly claims is the privilege they want/need so that the owner can make an informed judgment about whether to allow it then it might be okay but that's not the case at all.

Remote attestation is useful any time somebody might want to trade or interact with you but have some assurances around how your computer may behave.

"Your" computer? The fact that you don't control it means that you don't own it. Your entire post ignores that central point. TPM does not give limited, appropriate privileges. It gives total privileges.

Remote attestation is useful any time somebody might want to trade or interact with you but have some assurances around how your computer may behave.

Actually, remote attestation is useful when somebody wants to arbitrarily control what you do on your hardware. Since there's no check and balances that means an arbitrarily high level of control. Breaking ownership and the free market

DRM was one of the original driving motivations indeed,

It is the only driving motivation. Everything else is either a smokescreen or a bonus.

but even here the way the system works is not "evil" in any sense

It is a tool designed specifically by non-owners to control your computer and do things that may or may not be in your interest with no way for any owner to determine which. It is evil.

unless you have a truly warped idea of human relations.

It's people like you that are warped. Unethical companies are slobbering over getting this level of control over their customers/victims. You fail to acknowledge that DRM is totally one sided with an extremely strong commercial incentive for it to be misused in ways that far exceed the law and common sense.

there's nothing that tips the playing field in favor of Microsoft or other companies

M$ already has extreme market power. DRM locks it in. Being able to run the same DRM in your bedroom is irrelevant.

When I was young and foolish I used to write commercial DRM software. I've grown up now and don't. I've seen DRM from both sides and it is quite clear that DRM does far more harm than good. If the legal system worked DRM would've been banned until at a minimum a comprehensive legal structure was in pla

Re:TPM Of Evil

[fuzzyfuzzyfungus]

" they can't actually force you to run any software or put your computer into any particular state."

It certainly is a good thing that nobody involved in computers, software, internet services, etc. has any significant market power... Also good that nobody would ever attempt to mechanically enforce a contract that gives them greater rights than contract law allows(this is why, for instance, DRM systems never trample on fair use rights...)

Definitely nothing to worry about.

Re:TPM Of Evil

[plover]

Don't be ridiculous. You don't have to modchip your motherboard. The TPM chip is, and always has been, something that provides services to the CPU on demand. It can't control your computer.

It can, however, be used to authenticate the BIOS image and the host OS, and completely refuse to run if the machine isn't running a stock BIOS with a manufacturer-signed OS. It's great for securing industrial controllers, web servers, tablet PCs, smartphones, routers, laptops, notebooks, netbooks, embedded systems, desktops, and home entertainment systems who are obviously owned by people just trying to pirate stuff. But no, it doesn't control your computer. Dell and Microsoft do that.

Re:TPM Of Evil

Wrong. TPM 2.0 platform hierarchy ships enabled and you cannot disable it. Only the platform manufacturer can choose to do so.

Controversial crypto... Wait, what?

[JaredOfEuropa]

This Chinese crypto is controversial "because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China". That doesn't explain much. As I understand it, TPM cannot be deployed in China because of restrictions on crypto in that country.
Does this addition enable deployment of TPM in China? (I'd expect it would, why else add it)
Is it controversial because this specific algorithm has a backdoor, giving Chinese users a false sense of security?
Is it controversial because this algorithm has a backdoor, giving the Chinese government a way to subvert TPM in any device?

In short, I have trouble understanding what the hubbub is about.

Re:Controversial crypto... Wait, what?

Following in the footsteps of other Slashdot summaries, this summary is quite a challenging read.

Re:Controversial crypto... Wait, what?

[mlts]

I was unclear either. I was thinking it included some Chinese crypto algorithms that were previously secret similar to how Clipper/SKIPJACK were in the 1990s.

If the TPM chip contains additional crypto algorithms, big whoop. They wouldn't be useful for Western stuff, but for Chinese stuff, would be important (since they want their own AES for example.)

That is the only real thing I can think of which the EU would be concerned about.

Re:Controversial crypto... Wait, what?

"...the [Chinese] Encryption Regulations are extremely broad. They restrict the development, production, sale, use, and even repair of commercial encryption products. Moreover, the Encryption Regulations severely limit the sale of foreign-made commercial encryption products in China. Specifically, the Encryption Regulations mandate that only SCA [China's State Cryptography Administration] authorized entities are allowed to sell SCA-approved encryption products in China. Both the importation and exportation of commercial encryption products and equipment containing commercial encryption technologies must be approved by the SCA. Foreign organizations, non-Chinese foreign nationals in China, including short term visitors, are required to obtain a licence from the SCA before using any encryption product in China. Diplomatic organizations are specifically exempted."
http://www.kslaw.com/imageserver/KSPublic/library/publication/2011articles/11-11WorldECRCloutierCohen.pdf

Re:Controversial crypto... Wait, what?

TPM is a sinister attempt by the powers that be to track unsuspecting citizens.
They want to know where you are, and what you're doing.
It's the big eye on the wall, and the big finger up your ass.

Re:Controversial crypto... Wait, what?

[Chrisq]

I was unclear either. I was thinking it included some Chinese crypto algorithms that were previously secret similar to how Clipper/SKIPJACK were in the 1990s.

If the TPM chip contains additional crypto algorithms, big whoop. They wouldn't be useful for Western stuff, but for Chinese stuff, would be important (since they want their own AES for example.)

That is the only real thing I can think of which the EU would be concerned about.

I'd double encrypt with the NSA and Chinese algorithms. I don't trust China or America but I can probably trust them not cooperating to snoop data.

Is it controversial because MS can shut down

[Joe_Dragon]

Is it controversial because MS can shut down china and make them pay for software.

Chink in the Armor?

[BoRegardless]

Is that what Microsoft is getting?

Re:Chink in the Armor?

[BoRegardless]

I take this categorization of my post as an honor. The fact that Microsoft would deal this way with China indicates China has virtual monopolistic power over the products they allow into China when they choose to do it.

I personally do not think the Chinese can be trusted and would not believe they would play fair. For god's sake, there are people in their country who make fake baby formula and medicine which have killed people. There is no way I can trust them.

The most interesting part

[Citral]

From the FAQ: "TPM 2.0 is intended to be usable for a very broad range of platforms from embedded systems to mobile devices to PCs to servers." In other words, TCG is not dead but actively pushing TPMs to new platforms.

A use case: in case of theft, the permanent storage of your device can be protected against reading the flash memory (of course, assuming your device is locked in the first place) in the same fashion as Bitlocker works on PCs. The secret key with which your corporate data is encrypted can be stored in the TPM bound to a password and/or PCRs. (Assuming, of course, that the TPM itself is not hacked using physical attacks (DPA, etc.). But at least, it raises the bar for the average thief.)

The TPM has non-DRM uses

[johndoe42]

If you ignore all the weird DRM-ish uses (which are basically unsupported for now anyway [1]), the TPM makes a nice cryptographic token. Unfortunately, TPM v1.1 hard-coded the OAEP label to "TPM", which made it incompatible with everything. TPM v2.0 fixes this -- the label is now user-specified. That means that you can use it for modern hardware crypto (sadly, using SHA-1, which should be phased out).

[1] For meaningful DRM, you need an endorsed TPM, which most vendors don't provide. See http://www.privacyca.com/ekcred.html

Re:The TPM has non-DRM uses

[IamTheRealMike]

I think that page is wrong, most TPMs do have EKs. Infineons certainly do and IIRC they're the most popular model. However this does not change your point that the DRM use case was never really functional and work on it seems to have been largely abandoned, perhaps due to the staggering complexity involved.

Making DRM work for things like movies was probably always going to be a non-starter on platforms as heterogenous as the PC. To make it work there'd have needed to be not only unbelievably tight synchronization between what are effectively two different operating systems running in parallel (using hardware virtualization) but also trusted paths through to the video and sound chips, that is, you have to be able to encrypt video/audio data to the hardware without the drivers or OS controlling access being able to actually read that data. Then if you want to close the analogue hole the hardware has to enforce that you play audio via some kind of Cinavia like watermarking engine. It's just an incredibly difficult engineering problem and in the end Microsoft (who was driving most of that use case) lost interest and focused on the Xbox 360 instead, which implements basically the same thing but without the need to support lots of random hardware and software combinations, or work with standards bodies. It works a lot better as a result.

Trusted Computer

[Wowsers]

How can you trust a computer when it can't be examined what the code is actually doing? How can you trust a computer when Microsoft are involved?

Won't be buying a PC with that "trusted" junk on it.

Re:Trusted Computer

Oh, so you're only going to be purchasing Open Hardware from now on? Because pretty much every PC made in the last 5 years has had a TPM chip.

Though I think you just don't understand what it is, honestly. There's a lot of FUD going around both ways about this.

Re:Trusted Computer

How can you trust a computer when it can't be examined what the code is actually doing? How can you trust a computer when Microsoft are involved?

Won't be buying a PC with that "trusted" junk on it.

That's kind of like saying "I'm not staying in that hotel because they put a safe in each closet."

Railing against trusted boot is like saying "I'm not staying in that hotel because they have ways of keeping unregistered guests out of the rooms."

BTW, the trust is about identity. When you see someone familiar, you know what to expect from them. When you see someone who is not familiar, not so much. Same with this "trusted junk". All it does is identify when the software is familiar. It doesn't say that it can be trusted, you have to decide. But it is kind of handy when it says: "You know, there's some software that you have not previously approved from an unknown source that is getting ready to run on your computer. Is this what you want?"

Why does Slashdot hate China?

[AmiMoJo]

Over the least few months there has been a relentless barrage of negative stories about China. Many commentators seem to assume that any technology China has is stolen, all Chinese products are cheap crap and contain government backdoors, and all Chinese people are somehow brainwashed by the government.

China is a big place. There is a huge diversity of people. They have some really strong R&D, lots of good scientists doing cutting edge work. They make some damn good products, for example world class hifi gear.

This crypto standard is open, peer reviewed and seems reasonably solid. Obviously, like all encryption, it will be under continuous scrutiny. As for back doors, considering the US record on attacking other country's IT infrastructure the Chinese are the ones who should be worried.

Re:Why does Slashdot hate China?

[poity]

It's a hive of cynics. Are the negative stories about China really all that different from negative stories about the US?

Re:Why does Slashdot hate China?

Americans... Everywhere

always have to have someone to hate, they already have multiple generations that don't know what peace is.
stumbling from one confrontation to another like a raging teenager.

Re:Why does Slashdot hate China?

Obviously written by a European.

This is a TCG/TPM-Lib thing. Not a MSFT thing.

[slew]

The headline is slighly misleading. It's not MSFT's spec, it's the Trusted Computing Group (TCG) and their TPM spec.

One of the goals of the new TPM spec was to allow a better way to replace some algorithms because the original TPM spec entangle SHA1 hash in such a way (with the PCR extension mechanism) that it was difficult to replace that hash algorithm when weakness was discovered that algorithm and people wanted to replace it. Once you change the design and open that up you should probably include the usual suspects.

Some interesting additional algorithms added to the support library were SM3_256 and SM4 (the hash and symmetric key algorithms mandated for use in chinese DRM), WHIRLPOOL512 (hash function from NESSIE). In addition of the normal RSA public key stuff, they've also added ECC, ECDSA, ECDH, ECDAA, ECSCHNORR (a smattering of ellipitic curve based standards) to the mix in order to help gain acceptance in those markets that want/need shorter key lengths that are available to EC-derived algorithms that presumably have similar security to their RSA counterparts with longer keys.

Interestingly, although they include the SHA2 family of hash functions as an SHA1 upgrade, the newly minted SHA3 was strangely absent. Also, I don't think they have included SM2 (the chinese ECC signature technique), but that's probably just an oversight. I expect both of these omissions to be remedied with the next release.

These oppressive govs have high level crypto.

[__aasehi2499]

So why can't the people of these countries have high level crypto too, so that these oppressive govs can't oppress them any more by reading their electronic communications and stored documents???

Security through obscurity flawed saying

[EmperorOfCanada]

Whenever I hear people say "security through obscurity is no security at all" like some mantra first I laugh and then I remind them that passwords are an instant counter argument; the passwords, "password" or "12345678" are not obscure and thus suck. The password "g*&Gug®¥øç¥" on the other-hand rocks (Other than being really hard to remember or type)

My 16 digit CC number along with 4 digit expiry and the 3 digit number on the back are quite secure if I keep them safe and obscure but become very insecure if I hand them out willy-nilly.

And lastly good luck breaking into my safe if I don't tell you where it is or what the combo is.

The only flaw is when you completely depend upon the obscurity. If my safe is made from tinfoil then when you find it you will crack it pretty quickly. But obscurity is often a significant part of security. Again let's have a race. You try to crack my safe made from tinfoil that I hid and I'll try to crack your top of the line safe that you deliver to my welding/grinding shop. Obviously the best safe would be both tough and hidden.

So the line should be security and obscurity.

Re:Security through obscurity flawed saying

[Chrisq]

Whenever I hear people say "security through obscurity is no security at all" like some mantra first I laugh and then I remind them that passwords are an instant counter argument; the passwords, "password" or "12345678" are not obscure and thus suck. The password "g*&Gug®¥øç¥" on the other-hand rocks (Other than being really hard to remember or type)

Well if you are going to ignore the accepted and industry standard meaning of terms you can laugh at anything. Saying that passwords are "security through obscurity" is like saying "booting windows is a bad idea because you might break them". See Kerckhoffs's principle: "Stated simply, the security of a cryptosystem should depend solely on the secrecy of the key and the private randomizer.[Another way of putting it is that a method of secretly coding and transmitting information should be secure even if everyone knows how it works. "

Re:Security through obscurity flawed saying

[WhiteDragon]

And lastly good luck breaking into my safe if I don't tell you where it is or what the combo is.

No problem. Just have a 3-year-old open it.

Re:Security through obscurity flawed saying

[EmperorOfCanada]

Ah but that is exactly what groups like the NSA do. They use algorithms that nobody knows. I suspect, and would bet, that they have crack teams working on cracking known algorithms in order of popularity. The mere fact that their system is unknown or obscure gives it extra security. If they crack any of the better know algorithms I doubt they will go Eureka!, quick, publish our crack in CS101 magazine. But good luck cracking theirs the one that you don't even know exists. It might have some big holes but they are obscured.

If you look at the history of hacks they usually depend on bad security implementation of well known systems. So an SQL injection attack works best if your database is using a well known SQL. The same vulnerability of the poor cleaning of input doesn't work as well if you use an obscure database, say adabas. The hacker would have to first identify the odd database and then cobble together the injection. The same with OSs. Windows his generally hacked first due to its very commonality. Mac is probably next, then linux, and then BSD. In reverse order of obscurity. Thus if I needed a super secure system I check out BSD first just for that reason alone. Plus it seems that BSD has attracted the most paranoid types.

Clearly.. who's in who's pocket and where?

This crypto is controversial because of serious EU concerns with domestic restrictions on the implementation, use, and importation of cryptography in China.

NSS

Crypto Agility

TPM 2.0 was designed so that new algoirthms could easily be added when needed. "When needed" means both when an old one gets broken and when it is necessary to satisfy the laws of a country in which the TPM is sold. If a manufacturer needs GOST to sell in Russia, they can petition the TCG to give the GOST algorithms identifiers, add some low level support funcitons (encrypt/decrypt a blot, hash, etc.) and their TPM suppors GOST. They don't have to rototill the whole spec as was necessary with TPM 1.2.

The Slashdot Title's department name...

made me laugh hard enough that I spit my coffee onto my monitor. Thanks.

Re:Don't know about "hate" but... apk

Unreal apk. You post verifiable facts and they down mod you.