Coprocessors move security onto PC motherboards

EE Times


SAN MATEO, Calif. — Responding to industry demand for better built-in security, vendors of PC chips and smart-card ICs are racing to develop security coprocessors that mount on a PC motherboard. Architectural approaches vary, but suppliers agree that this new design socket will start showing up in motherboards as early as the middle of next year.

Integrating a security chip makes it possible "to view the PC as an endpoint for the delivery of goods and services" in the digital economy, said Geoffrey Strongin, platform security architect at Advanced Micro Devices Inc. (Sunnyvale, Calif.). AMD is one of the PC chip makers readying a security device.

The trend is to move "core security and e-commerce functions out to the edge of the Internet, and place them in all endpoint devices including the user's PC," concurred Steven Sprague, president and chief executive officer at Wave Systems Corp. (Lee, Mass.), which fields the Embassy security chip and is working with AMD on a reference design.

Promoters say that while much effort has gone into securing the network and the server-side infrastructure, until very recently the client has been overlooked. Thanks to advances in Secure Socket Layer software technology, the transmission of data across the Internet is more secure than ever before. But "vulnerability often exists at the PC and at the server," said Cees Jan Koomen, chairman of the board at security-chip vendor Pijnenburg Securealink (Vught, Netherlands), which is also developing a coprocessor.

"You need a cryptographic solution in hardware, placed at the server and PC terminal," he said. That way, "critical information, such as a key, is not available except inside the chip, while the hardware can accelerate the transaction speed."

Driving the security-coprocessor groundswell is an emerging specification being put together by the Trusted Computing Platform Alliance (TCPA), an industry group founded by Compaq, Hewlett-Packard, IBM, Intel and Microsoft.

Final spec at hand

The TCPA recently opened version 0.9 of its spec to peer review. The goal is to finalize the spec by the end of October, said Robert Meinschein, a member of the TCPA technical committee and an engineering manager at Intel Corp.'s Desktop Architecture Lab. Meinschein described the TCPA's mission as increasing trust in a PC, while preserving privacy. "We've had to walk a tightrope here," he said, since it's no easy task to build "trust" into an open computing system without sacrificing that very openness.

In the hope of ensuring privacy, the TCPA spec also provides a mechanism within a PC to generate multiple, unique IDs for different uses ranging from e-trade, banking and shopping to games, Meinschein said. Under a TCPA-defined architecture, IDs can remain anonymous and cannot be cross-related, he said.

In a nutshell, the TCPA spec defines operations that must be performed in a PC subsystem — or, typically, a security chip integrated with an isolated computing engine, independent of a CPU.

The subsystem is designed to provide "a root of trust" for the booting of the platform. It can warn about untrusted software before the software is loaded, for example. Further, a local or remote entity can query the subsystem to obtain system-integrity data describing the current state of the platform's main software environment. The entity can then decide whether the platform's behavior enables it to be trusted for the intended purpose.

The subsystem also provides "a protected information store" feature. It can hold and manipulate confidential data, and will allow the release or use of that data only in the presence of a particular combination of access rights and software environment.

The objective of the TCPA is not to replace but to complement existing security measures. These run the gamut from PC specification for smart cards, biometrics, the Internet Protocol Security protocol and Internet Key Exchange to virtual private networks, public key infrastructure, Secure Socket Layer and the Secure Electronic Transaction specification.

Some security experts, however, are skeptical about how useful TCPA will really be.

Weak link?

"It is unlikely that secure hardware will make any difference in computer security, at least on general-purpose PCs," said Bruce Schneier, chief technical officer at Counterpane Internet Security Inc. (San Jose, Calif.) and author of Secrets and Lies: Digital Security in a Networked World. "Think about it for a second. The idea is that the security protocols are in hardware, and therefore a hacker can't tamper with them. But the hardware protocols communicate with the outside world using software, and the hacker can certainly tamper with the software."

Schneier summed up, "It's like someone bolting the front door shut and leaving the backdoor open. It doesn't matter that part of the security code is in hardware. The part in software is the weak link."

TCPA's Meinschein, however, argued that it's critical to understand what the TCPA spec is set up to do. The current spec is only the first step. The ultimate mission, he said, is to "build a chain of trust" throughout hardware, BIOS, system software and OS. The initial TCPA spec takes that chain up to BIOS, but "we hope to extend the trust all the way to the operating system level," he added.

AMD's Strongin called the TCPA spec "a building block, not an end solution. We fully realize that we haven't solved the whole problem. The operating system, for example, needs to be modified to support and match TCPA capability, and the industry has yet to see further development of the infrastructure components and management tools for TCPA."

The TCPA spec does not define either where to implement such a security subsystem within a PC or how to architect a chip. However, Meinschein said, basic function blocks inside such a chip would include a small processing engine to do digital signing; a set of platform configuration registers; a cryptographic SHA-1 hash function; and a random-number generator.

The processing power required for all that is "pretty minimum, very similar to that of a smart card chip," Meinschein said. The biggest difference is that the TCPA-compliant chip "needs to be integrated into a PC platform at a point where it can participate in the early boot process." It also has to offer a set of unique functions defined by the TCPA, such as platform configuration registers.
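The two subsystem features described above, the platform configuration registers that record each boot stage through SHA-1 and the protected store that releases data only under a matching software environment, are simulated in this added example. It is not TCPA or vendor code; the class, method names and the sample boot images are constructed for illustration.

```python
import hashlib
import hmac

# Constructed simulation (added example, not TCPA or vendor code) of a
# security coprocessor's platform configuration register (PCR) and its
# protected information store. Names and boot images are assumed.

PCR_LEN = 20  # SHA-1 digest size in bytes


class SecurityChip:
    """Minimal stand-in for the coprocessor; assumed API, not the spec's."""

    def __init__(self):
        self.pcr = bytes(PCR_LEN)   # register is all zeros at power-on
        self._store = {}            # name -> (pcr_at_seal, data); never exported

    def extend(self, measurement: bytes) -> bytes:
        # PCR := SHA-1(PCR || SHA-1(measurement)): order-dependent and
        # irreversible, so the final value summarizes the whole boot chain
        digest = hashlib.sha1(measurement).digest()
        self.pcr = hashlib.sha1(self.pcr + digest).digest()
        return self.pcr

    def seal(self, name: str, data: bytes) -> None:
        # bind the data to the software environment measured so far
        self._store[name] = (self.pcr, data)

    def unseal(self, name: str):
        # release only if the current environment equals the one at seal time
        expected, data = self._store[name]
        if hmac.compare_digest(expected, self.pcr):
            return data
        return None


def boot(chip: SecurityChip, stages) -> bytes:
    """Measure each stage before control passes to it; return the final PCR."""
    for image in stages:
        chip.extend(image)
    return chip.pcr


# constructed sample boot chains: BIOS, then boot loader, then OS kernel
GOOD_CHAIN = [b"BIOS v1.0", b"bootloader v2", b"kernel 2.4"]
TAMPERED_CHAIN = [b"BIOS v1.0 (patched)", b"bootloader v2", b"kernel 2.4"]


def demo(chain):
    # seal a key under the known-good environment, then reboot with `chain`
    chip = SecurityChip()
    boot(chip, GOOD_CHAIN)
    chip.seal("disk-key", b"secret-key")
    chip.pcr = bytes(PCR_LEN)   # power cycle: register resets, store persists
    boot(chip, chain)
    return chip.unseal("disk-key")
```

A modified BIOS image, or the same images measured in a different order, yields a different register value, so the sealed key stays inside the chip.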

Card makers converge

Along with chip makers from the PC side like AMD and National Semiconductor Corp., the suppliers of ICs for smart cards are also homing in on security coprocessing as a potentially hot new market. Leading vendors such as STMicroelectronics, Infineon Technologies and Schlumberger are looking to spin their smart card chips into TCPA-compliant devices.

Although new to the security chip market, National believes it stands a strong chance against those European manufacturers. Coming from a strong PC background, "We not only have tight links to PC OEMs, but also we have expertise to integrate TCPA functions into embedded controllers inside a PC in the future," said Gadi Erlich, technology and architecture group manager at National's Internet appliance group.

The Santa Clara, Calif., company has licensed an accelerator and a cryptographic library from Wave Systems, "to make sure there will be no security holes in our chip," Erlich said.

National's initial offering is a single-chip solution with a minimum of features, priced below $5, according to Erlich. The chip integrates flash memory and embedded DRAM and will have a Low Pin Count (LPC) bus interface. "We may add a USB-compatible bus interface [later]," he said.

STMicroelectronics, for its part, claims proven security architecture and firmware libraries as its advantage. With a product launch scheduled for the first quarter of 2001, the Paris-based chip maker is planning to "offer a complete road map for migration from 8-bit to 32-bit processors covering minimum to optional [security] requirements" on the PC motherboard, said Peter Uehlecke, director of the company's smart card business unit.

STMicroelectronics also plans to include biometric integration options for technologies such as fingerprint recognition. Its TCPA-compliant security chip will be placed on the LPC bus, with a USB connectivity option under development. The price will range from $3 to $5, depending on volume and memory size, Uehlecke said.

Similarly, AMD is working with Wave Systems to develop a TCPA-compliant reference design for PC motherboards, slated to be released early next year. AMD has independently concluded that Wave Systems' security chip, called Embassy, is best placed between the BIOS ROM and the south bridge as an LPC bridge.

That runs counter to the approach of IBM Corp., the first PC company to introduce secure PCs using a security chip jointly developed with Gemplus and Atmel. IBM has that device interfacing to a System Management (SM) bus.

"The SM bus does not satisfy us because of its limited bandwidth," AMD's Strongin said. Where SM bus bandwidth is measured in kilobytes per second, the LPC bus offers on the order of 1 Mbit/s, he said. Architecturally, AMD preferred this configuration "because we wanted to make sure the root of trust remained in the Embassy chip, and [for] the Embassy device to be active throughout the entire boot-up process, so that it can perform a secure boot."

Both AMD and Wave Systems say they are committed to going beyond the current focus of the TCPA spec. While the TCPA initially takes aim at commercial and enterprise applications, "our goal is to extend it to e-commerce and the consumer PC space," Strongin said.

Indeed, Wave Systems' solution differs from other security chips in its programmability. Besides supporting secure boot, TCPA integrity metrics, strong user authentication and secure BIOS upgrade, Embassy comes with metering applications to support various commerce models for consumer entertainment content. Most smart card chips, by contrast, provide fixed applications. "We offer the only programmable solution capable of supporting a variety of security measures and different digital-rights management schemes," said CEO Sprague.

National's Erlich also endorsed the idea of a programmable solution supporting digital-rights management on a PC, but predicted that it will take a while for the majority of PC OEMs to embrace that model. He expects to see many variations on security chips, as vendors differentiate their products in terms of faster acceleration and more memory.

For its part, Pijnenburg Securealink, with a decade of experience in custom security ICs initially designed for the banking industry in Europe, hopes to use its technology's scalability as an advantage. Pijnenburg's solution provides a true random-number generator in hardware, internal secure storage of keys in flash memory and embedded high-performance cryptographic functions running on its ARM processor core. Koomen observed that some combination of programmability and fixed functions is a good compromise.

"Digital-content encryption and digital-rights management are still areas in development," he said. "This by itself is a good reason to have programmability." He added, "There will be fixed engines as well, since real-time content encryption requires high performance."

Where and when?

The industry divides over how soon PC makers will start putting security chips on their motherboards. Saying "we have an initial model working now and we can have the product next year," Koomen predicted that the first TCPA chips won't appear till 2002, and then only in "higher-end PCs. And I expect the price to be more than $5."

Said National's Erlich, "We are expecting at least 20 percent of PC motherboards to feature a security chip socket on the board in the second quarter of 2001." How fast the socket will be filled with actual silicon is another matter. It depends on how soon PC OEMs embrace the TCPA spec, he said.

Some security-chip vendors also worry that the ultimate success of these devices may be out of the hands of chip and system makers alike, and may rest instead with Microsoft. "For the TCPA to succeed, it's absolutely essential to get the support of operating system vendors. I see Microsoft today still sitting on the fence, at best," said one silicon vendor who spoke on the condition of anonymity.

Reached this past week, Stacey Breyfogle, group program manager of Windows hardware strategy at Microsoft, said, "We are completely behind the TCPA. We are totally committed."

However, she noted that OS support for the TCPA spec would come in stages. "Some of the modifications will be made in Whistler, slated for release in the second half of 2001," Breyfogle said. "Others will come in the follow-on versions."

See related chart