Trusted Computing Introduction and Resources
Computers play a major role in our daily lives, both personally and professionally. We sign up for antivirus protection, we visit websites deemed "safe," and we do our best to generate unique and strong passwords for all our online tools and applications. But that's not always enough to keep us safe.
In discussing the topic of internet and computer security, we'd be remiss to leave out the subject of trusted computing. While it's not something commonly addressed, it's increasingly becoming a standard that software vendors and hardware manufacturers are encouraged to follow. Chances are good that the device you're reading this on right now runs on a trusted computing base.
Keep reading for a brief rundown on what trusted computing is, what it does for your computer's security, and the potential risks associated with it.
Understanding Trusted Computing
In early 2016, Steve Hanna of Infineon was asked about the origins of trusted computing and the Trusted Computing Group. He said, "The level of sophistication of attacks is always growing, and we needed to provide the best security possible and do it through a standardized mechanism."
The Trusted Computing Group (or TCG) is a group of software vendors and hardware manufacturers working together to establish and define computer security specifications. In so doing, it is their goal to create an industry standard for "trusted computing" that any software or hardware provider can use when building their platforms.
The basic guiding principle behind trusted computing is that we need to make computing platforms more secure at the hardware and software level. If everything is hidden behind encryption built into a computer's hardware, it should be a lot more difficult for hackers to obtain access to sensitive and private information.
Microsoft, working in conjunction with the TCG, has established four means for properly devising a trusted computing platform:
- Memory Curtaining: this feature keeps programs from reading from or writing to any other program's memory.
- Secure I/O (input/output): this feature prevents screen-grabbers and other spyware from seeing what is on a computer screen.
- Sealed Storage: this feature provides a more secure means for storing encryption keys and passwords other than right on your desktop (alongside the documents and programs they're meant to protect).
- Remote Attestation: this feature detects and notifies users of any unwarranted or unlawful changes to their software or hardware.
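Sealed storage and remote attestation from the list above, as an added toy model in Python (not code from this article or from the TCG). It assumes a software stand-in for the security chip: `ToyChip`, `measure`, `attest` and the sample boot chains are hypothetical, the cipher is a toy, and a real chip would also sign the measurement it reports.

```python
import hashlib, hmac, os

def extend(register: bytes, component: bytes) -> bytes:
    # new = H(old || H(component)): order-sensitive and cannot be rolled back
    return hashlib.sha256(register + hashlib.sha256(component).digest()).digest()

def measure(boot_chain) -> bytes:
    register = bytes(32)  # all zeros at reset
    for component in boot_chain:
        register = extend(register, component)
    return register

class ToyChip:
    """Software stand-in for the security chip (assumption, not a real TPM API)."""
    def __init__(self):
        self._secret = os.urandom(32)  # unique per machine, never exported
        self.register = bytes(32)

    def boot(self, boot_chain):
        self.register = measure(boot_chain)

    def _key(self, label: bytes) -> bytes:
        # Derived from this chip's secret AND the current measurement
        return hmac.new(self._secret, label + self.register, hashlib.sha256).digest()

    def seal(self, data: bytes) -> bytes:
        if len(data) > 32:
            raise ValueError("toy cipher handles at most 32 bytes")
        nonce = os.urandom(16)
        pad = hmac.new(self._key(b"enc"), nonce, hashlib.sha256).digest()
        ct = bytes(a ^ b for a, b in zip(data, pad))
        tag = hmac.new(self._key(b"mac"), nonce + ct, hashlib.sha256).digest()
        return nonce + tag + ct

    def unseal(self, blob: bytes):
        nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
        want = hmac.new(self._key(b"mac"), nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, want):
            return None  # different machine, or software changed since sealing
        pad = hmac.new(self._key(b"enc"), nonce, hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(ct, pad))

def attest(reported: bytes, known_good_chain) -> bool:
    # Verifier side: compare the reported measurement with a reference value
    return hmac.compare_digest(reported, measure(known_good_chain))

# Constructed sample boot chains
GOOD = [b"firmware v1", b"bootloader v1", b"kernel v1"]
TAMPERED = [b"firmware v1", b"bootloader v1 + implant", b"kernel v1"]
```

A secret sealed after booting `GOOD` cannot be unsealed after booting `TAMPERED`, nor by a second `ToyChip` that booted the same software, which is the machine-bound data loss concern raised later in the article.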
It's important to note two things about the TCG's trusted computing model.
The first is that this four-pronged approach does create an inherently more secure environment within computer hardware and software. But just because it has the ability to prevent security breaches at the root platform, that does not mean it's 100% effective. Users of trusted computing systems will still need to remain vigilant and to maintain other security measures.
The second point is perhaps a more controversial one to mention, but it's worth discussing: there is growing opposition to trusted computing — and for good reason.
Reasons to Feel Dubious About Trusted Computing
Those who support trusted computing will tell you that the system is meant to protect the end users, to make it easier for them to keep their computers safe. Those who don't support it will tell you that, while trusted computing was built with good intentions, it has become something more insidious.
These are just some of the potential issues commonly associated with trusted computing:
- Trust: for users to agree to use a trusted computer, they need to trust the software or hardware developer and their means of encrypting it. But if a security breach occurs at the third party's site or if the third party introduces an error within their own systems, who will protect the user from any trickle-down effects?
- Lack of standards control: even though the TCG has established a set of standards that they ask trusted computing vendors to follow, those standards are not enforced or monitored.
- Owner override: as it stands now, computer users and owners cannot override the safety protocols built into their machines. Because of this, users have no way of overriding restrictions or making edits to otherwise safe software or hardware.
- Loss of data: there is a possibility that if a user loses access to their machine or the computer breaks down without warning, they will lose access to all their data, since ownership is tied to the machine and not to the user.
- Incompatible software: if a user switches to a new "trusted" device that deems one of the user's programs of choice as unsafe, they may lose access to all their old data from the incompatible software.
- Market effect: software and hardware developers will have a leg-up on the competition if they can dictate which software or hardware can be accessed on their trusted devices. This not only harms the competition, but also makes it difficult for users to pick and choose the programs they use.
- No anonymity: part of the idea behind trusted computing is that each machine will have a unique identifier. Because of this, there is concern that other people (like online vendors) can use attestation to narrow down the identity of the end user.
- Freedom of speech violations: there are some who believe that the four components to trusted computing will prevent people from using copyrighted material under the privileges of Fair Use. There are others who think that, due to the lack of anonymity in trusted computing systems, journalists and others trying to invoke the right of free speech may no longer be able to do so safely.
Ultimately, the main problem with trusted computing is the fact that users are losing control. With trusted computing, third-party software and hardware manufacturers can rewrite the rules and define the who, what, and why of using a computer.
Trusted Computing Resources
Unfortunately, there isn't a lot of information available about trusted computing outside of what the Trusted Computing Group has put out. And because so much about trusted computing depends on the readers' own tech savviness, it can be difficult to truly understand the risks and benefits if you're not in the business of IT.
If you want a good place to begin your education on trusted computing, we suggest you check out these resources:
- Trusted Computing Group: there's a lot of information available on this website about trusted computing and the TCG.
- "Where Trust Begins" Infographic (PDF): this infographic, created and released by the TCG, does a good job in explaining why we need more security for our computers.
- Trusted Computing: this Wikipedia page translates a highly technical concept into more relatable terms for the end user.
- Trusted Computing: Promise and Risk: for anyone involved in IT, the Electronic Frontier Foundation has a solid write-up on the pros and cons of trusted computing.
Is Trusted Computing Trustworthy?
Trusted computer, trusted PC, trusted platform. Whatever you want to call it, the built-in hardware and software technology to make your devices more trustworthy is already here. While the underlying technology may not be the easiest to understand, it's still your responsibility as a user to know what trusted computing is as well as how it may affect (positively and negatively) your personal and professional computing experience.
Further Reading and Resources
We have more guides, tutorials, and infographics related to using the internet safely:
- Is the Password Dead?: this infographic looks at the future where we no longer need passwords.
- 8 Ways to Create (And Remember!) Secure Passwords: creating great passwords that you can remember isn't as hard as you might think.
- 8 Worst Security Breaches: even the pros get hacked. Find out about the eight biggest security breaches on the internet.
How to Create the Perfect Password
Confused about how to create a great password? Check out our infographic, How to Create the Perfect Password.