TPM and Positive ID

There’s an article at MSNBC about how Trusted Computing Platform (TCP) chips, already installed in many computers, could be used to provide “positive ID” on the Internet and end anonymity. I find articles dealing with Internet identity in the mainstream media usually scare me—and this one is no exception.

What scares me is the willingness people have to sweep aside technical hurdles, privacy concerns, and practicality in wide-eyed optimism about how technology will eventually solve all our identity problems.

With a TPM onboard, each time your computer starts, you prove your identity to the machine using something as simple as a PIN number or, preferably, a more secure system such as a fingerprint reader. Then if your bank has TPM software, when you log into their Web site, the bank’s site also “reads” the TPM chip in your computer to determine that it’s really you. Thus, even if someone steals your username and password, they won’t be able to get into your account unless they also use your computer and log in with your fingerprint. (In fact, with TPM, your bank wouldn’t even need to ask for your username and password — it would know you simply by the identification on your machine.)

The same would go for online merchants — once you’d registered yourself and your computer with an Amazon or an e-Bay, they’d simply look for the TPM on your machine to confirm it’s you at the other end. (Of course you could always “fool” the system by starting your computer with your unique PIN or fingerprint and then letting another person use it, but that’s a choice similar to giving someone else your credit card.)

Another plus for the TPM is that your computer will be able to make sure that it’s really a legitimate e-commerce site you’re connected to, and not some phishing-style fraud. There would still, of course, be ways that you could access your bank or e-commerce accounts from other computers when you were traveling, but the connection wouldn’t be as secure as using your own computer. Plans are already underway to put TPMs into smartphones and other portable devices as well.
From Let’s see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:51:22 GMT-0700 (MST)
MasterCard paypass advertisement

The first question that comes to mind is why I would want to use a 30 lb desktop as a security fob. Wouldn’t it make more sense to just use security fobs if that’s the problem we’re trying to solve? Oh, I remember why: people don’t like them.

Ironically, as I read the article, an ad for MasterCard’s paypass token-based payment system was shown to me (see right). So while the industry is trying to sneak heavyweight DRM into our living rooms under the guise of “making us safer,” MasterCard is giving us RFID-based payment solutions with, as far as I can tell, single-factor authentication (if you have it, you can use it). I believe people will almost always opt for convenience over security and privacy. This is an example of that.

The article gives a nod to fears that TPM could be used in draconian ways, but then blithely states:

And should a media or software company come up with overly Draconian restrictions on how its movies or music or programs can be used, consumers will go elsewhere. (Or worse: Sony overstepped with the DRM on its music CDs recently and is now the target of a dozen or so lawsuits, including ones filed by California and New York.)
From Let’s see some ID, please - The Practical Futurist - MSNBC.com
Referenced Thu Dec 15 2005 09:56:08 GMT-0700 (MST)

I’m not sure it’s that easy. With TPM as part of the landscape, there may not be much recourse. TPM is like the Sony rootkit installed in the hardware. When you buy it and the OS that activates it, you’ll be implicitly stating that you accept the controls it places on you.

I think we’re in great danger of changing the nature of not only the Internet, but computing itself. With only a few mainstream processor manufacturers, we’re at their mercy. We could easily see a world where only the applications Microsoft or Apple has “approved” would run on your machine. That scares me.

Posted by windley on December 15, 2005 9:45 AM

3 Comments

While hardware-based authentication is useful, I don't think the TPM chip is the way to go.

Their usefulness over software-based solutions lies in the fact that private keys in software can be copied, meaning that you can't be certain that someone else hasn't stolen it. If the key is burned irretrievably into the hardware, you can at least be certain of exclusive possession in all but the most extreme James-Bond-ish scenarios.

That being said, hardware keying has been available for years in USB and smart-card form, and few people have even taken note. The TPM chip provides no greater advantage from a technological standpoint than the existing technology. And the drawbacks that the TPM chip presents are frighteningly extensive.

The only (and I do mean ONLY) advantage to the consumer that the TPM chip can offer is ubiquity (we don't use RSA chips to authenticate with the bank because we don't HAVE RSA chips). And even that is a potential disadvantage because it's more likely to be used improperly.

Discussed at vark.blogspot.com 12/17 entry.
The article is mostly FUD. The technology might or might not catch on, but it would need a strong selling point, some kind of killer app to offset the disadvantages.
On the other hand, it's good news for the severed-finger industry.