On Mon, Feb 17, 2003 at 05:54:48PM -0800, Shaun Savage wrote:
> I have acquired a TCPA enabled PC and am working to get an Open source
> program that checks the abilities of the TCPA PC. I was hoping for a
> hardware crypto accelerator, but it is slow and does not do much except
> protect the keys.

IBM has generously released GPL-licensed software to control the TCPA chips on their T30 laptops, and potentially other TCPA chips on IBM hardware.

http://www.research.ibm.com/gsal/tcpa/

It is _not_ designed as a generic hardware crypto accelerator. You can find a list of reasonably cheap hardware accelerators at

http://www.openbsd.org/crypto.html

The OpenSSL website may document other choices in the "engine" section of their software.

If you'd like to spend a little more money on crypto accelerators, IBM sells a module in use in ATM machines, the 4758; Sun has a similar offering. Both are PCI devices with microcontrollers and dedicated memory and are designed with well-funded attacks in mind. (IBM's 4758 is the only device to be certified at FIPS-140 level 4 (one of three devices, a second also being an IBM device), though one of Ross Anderson's grad students found some flaws in its API a few months ago.)

3Com also has a dedicated crypto NIC with embedded firewall built in, produced in collaboration with Secure Computing. GPL drivers are available for them, as well. (3c99x, I think, is the model name.) It won't do SSL acceleration, though. Just VPN-like things.

> Should TCPA hardware be on the PCs and what right do/should users have
> in regard to TCPA hardware?

My .sig, randomly chosen, is rather applicable. :) (In fact, Crispin said it in relation to TCPA, but I think it applies rather nicely to other fields as well. :)

Personally, I look forward to getting a TCPA-enabled machine. I want a secure bootstrap process that will load a kernel I trust, which will load applications I trust. I think TCPA can provide that, but I could be wrong about its capabilities in providing secure boot procedures.

On the other hand, I don't care a whit for Disney's movies, and I don't run Word, so my opinion may be biased. I won't lose anything either way. Other people might. Check out Ross Anderson's TCPA FAQ.

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

-- 
"Security for who?" -- Crispin Cowan
This archive was generated by hypermail 2b30 : Tue Feb 18 2003 - 00:29:01 PST