Trusted chip assures endpoint integrity

By Thomas Hardjono and Ned Smith, Network World
December 13, 2004 12:10 AM ET
This vendor-written tech primer has been edited by Network World to eliminate product promotion, but readers should note it will likely favor the submitter's approach.
Today, network connection requests by clients typically are granted or denied based on a client's ability to prove some or all of its credentials, including passwords, machine certificates and user certificates. But this approach to security ignores the possibility that the client platform itself contains malicious code such as viruses, Trojans or other malware that can spread through the client's network once the connection is granted.

One solution is trusted hardware, which is based on chips that can be programmed with digital keys, passwords and certificates that are tamper-proof. Embedding trusted hardware into computing systems provides a reliable, secure way to determine endpoint integrity of clients, and protect networks against internal and external attack. Invalidated or unauthorized systems cannot connect.

The Trusted Computing Group (TCG) was formed last year to develop specifications to be used as building blocks for trusted computing and trusted hardware. The vendor association has 90 members and includes any company that wants to join. TCG's Trusted Platform Module (TPM) is a specification for a hardware chip that stores digital keys, certificates and passwords.

As the foundation for trusted hardware, TPM provides a strong measure of client and server integrity that must be satisfied before another platform is allowed to connect to the network. The tamper-resistant chip holds keys and certificates associated with the chip and the computing platform on which it resides. Verifiers therefore can decide when it is safe to open the network to a connecting platform.

Trusted platforms implement integrity measurement and integrity reporting using measurement code and platform configuration registers within the TPM hardware.

A trusted platform contains integrity measurement engines and/or agents that collect integrity-related data and store the results in the TPM hardware's platform configuration registers. Integrity measurement engines are verified by other integrity engines as part of the platform's boot-up and operational processes, with a resulting chain of established trust emanating from the TPM chip. The TCG believes the TPM-based approach to integrity measurement and reporting distinguishes its solution from other network connection proposals the IP networking industry is considering because it provides an unassailable barrier.

An IT administrator can program a TPM chip in each client to enforce security policies. After a user platform is booted up, it performs integrity measurements and requests connection to an authentication server. The authentication server forwards the request to the integrity server that verifies the client's integrity. If the client is found to be in the correct configuration with the appropriate BIOS, operating system, patches, anti-virus programs and other elements, the client is granted access to the network.
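The measurement and verification flow described above, as an added illustration that is not code from the article or from the TCG: a boot chain extends each stage's hash into a platform configuration register (PCR) using the TPM 1.2 extend rule, new = SHA-1(old || SHA-1(image)), and an integrity server grants access only when the reported PCR matches the value the administrator's approved configuration produces. The component images, the "golden" policy and the single-PCR layout are constructed assumptions; a real platform spreads stages across several PCRs and the TPM signs the reported values, which this simulation omits.

```python
import hashlib

PCR_RESET = b"\x00" * 20  # a TPM 1.2 PCR is 20 bytes and is zeroed at platform reset


def extend(pcr: bytes, image: bytes) -> bytes:
    """PCR extend: the old value is folded into the new one, so software can only
    append measurements to a PCR; it cannot write an arbitrary value into it."""
    return hashlib.sha1(pcr + hashlib.sha1(image).digest()).digest()


def measure_chain(images):
    """Boot chain: each stage measures the next stage's image into the PCR before
    handing over control. Returns the final PCR value and the measurement log."""
    pcr, log = PCR_RESET, []
    for name, image in images:
        pcr = extend(pcr, image)
        log.append((name, hashlib.sha1(image).hexdigest()))
    return pcr, log


# Constructed stand-ins for the images the administrator has approved
# (BIOS, boot loader, patched OS kernel, anti-virus engine), in boot order.
GOLDEN_IMAGES = [
    ("bios", b"bios-1.2"),
    ("bootloader", b"loader-3.0"),
    ("os-kernel", b"kernel-5.0-patch-11"),
    ("antivirus", b"av-engine-2004-12"),
]
GOLDEN_PCR, _ = measure_chain(GOLDEN_IMAGES)


def integrity_server_decision(reported_pcr: bytes, expected_pcr: bytes = GOLDEN_PCR) -> str:
    """Integrity-server policy: grant only if the reported PCR equals the value the
    approved chain produces. A wrong patch level, an extra or missing stage, or a
    reordered boot all yield a different PCR, so they are denied."""
    return "grant" if reported_pcr == expected_pcr else "deny"


def client_connect(images) -> str:
    """Client side: boot, measure, then report the PCR to the integrity server."""
    pcr, _ = measure_chain(images)
    return integrity_server_decision(pcr)


if __name__ == "__main__":
    print(client_connect(GOLDEN_IMAGES))  # grant
    unpatched = [(n, b"kernel-5.0-patch-9" if n == "os-kernel" else i) for n, i in GOLDEN_IMAGES]
    print(client_connect(unpatched))  # deny
```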

The TCG also has developed an API called the TCG Software Stack. The association's Trusted Network Connect (TNC) subgroup is hammering out standards for network device and platform authentication based on core security technologies. Through trusted network connection protocols, platforms can be authenticated before being given full network access. A strong hardware-protected root of trust is needed to ensure that malware and improperly configured software cannot report an erroneous integrity status. The TNC specification is scheduled to be released in the first half of next year.
