The MITRE Digest

How Do You Manage Trust on a Computer Network?


August 2004

[Illustration: a trusted network path between a police station and a home]

How can you ensure that an employee accessing corporate information from home is using a trusted network path? Should remote access be given for e-mail, but not for financial systems? Should a contractor's PC be part of a trusted path to proprietary data?

For most large organizations, managing trust on networks across the entire enterprise is a complicated challenge. MITRE is addressing this problem by combining cryptographic protocols with a trust management framework. "We're investigating how an inexpensive cryptographic computer chip can deal with these issues and help enforce security policies on a network," says Joshua Guttman, a senior principal scientist in MITRE's Center for Integrated Intelligence Systems.

Guttman and his associates have been collaborating with Hewlett-Packard, which has developed a variety of engineering prototype computers that contain a trusted platform module (TPM), a cryptographic chip with three functions: machine identification, recording of the platform's security state, and cryptographic services. (See sidebar.) The TPM is designed to provide a root of trust in hardware: a small component, separate from the operating system, whose statements about the machine a remote party on the network can rely on even when the software above it may have been compromised. The specification for the chip was originally defined by the Trusted Computing Platform Alliance (TCPA), which included Hewlett-Packard, IBM, Intel, Microsoft, and about 190 other companies. The TCPA was reorganized in early 2003 into the Trusted Computing Group, an industry standards body.

Cryptographic Protocols and Trust Management

[Illustration: trust management]

"One of the big problems in information security is graduated trust, or different levels of trust depending on who needs access to what information," notes Guttman. "We want to represent those trust relations in flexible ways and use cryptographic mechanisms that are well integrated with operating systems and protocols."

F. Javier Thayer, a MITRE lead scientist working with Guttman, concurs. "MITRE has been doing its own sponsored research in computer security for more than 30 years," says Thayer. "At the same time we've been doing innovative and fundamental work in cryptographic protocols. Combining our expertise in these two areas with the TPM chip gave us a way of getting these areas to interact with each other. We can now provide a trust management process that is sensitive to relationships that have different levels of trust."

Many of the new laptops produced by IBM now have trusted platform modules in them. Guttman expects that before long other manufacturers will also add them. "Other vendors, including Hewlett-Packard, are moving the TPM into their standard product lines," he says.


Three Functions of the Trusted Platform Module

The Trusted Platform Module (TPM) evolved out of an industry-wide initiative to provide an inexpensive security framework. The TPM chip has three functions. The first is a set of identities for the computer it is installed in: a permanent key that never leaves the chip, from which further identity keys can be derived, so that a remote party knows which physical computer it is interacting with rather than merely which software claims to be running on it.

The second function records the machine's software configuration, its security properties, and how it was booted up most recently. As each component loads during boot, a hash of it is folded into a register inside the chip; because each step hashes the new measurement together with the previous register value, the final value summarizes which components were loaded and in what order, and it cannot be rewritten to hide a component that was loaded. This is important when an outside laptop is plugged into your corporate network and you want to know whether it is safe for the machine to interact with the corporate infrastructure.

The third function is cryptographic support, which allows the chip to produce digital signatures for certain messages, in particular its report of the recorded boot state, so that a remote party can check that the report came from that chip and has not been altered. The cryptography also protects small amounts of data, typically cryptographic keys that you might use for a variety of purposes, so that they are available only to software the chip has recorded as the expected configuration.

Commercial Benefits

Who will first use trust management? In the short term, government agencies will benefit from it, as will organizations that do business with them. Over time, commercial companies will adopt trust management. They'll benefit from establishing electronic trust between different organizations, which is important for ongoing business relations. "Companies need to implement trust in an electronic context that is faithful to their real-world trust relations," says Guttman. "In terms of volume, I suspect that may turn out to be a very big payoff area, especially as the TPM hardware becomes widely available within a few years."

When using a TPM-based computer system, a typical scenario involving cross-organizational access might go like this: You regularly order supplies from certain vendors and you want to let them look into your inventory system so they can see what you're going to need and when you're going to need it. Yet, you want to be sure that when the vendors look at your inventory of their goods, they're not also looking at other sections of your business that could give them an unfair advantage.

"You can now put in control mechanisms so your vendors look at only what you want them to see," says Guttman.

Another scenario is when a visitor brings a laptop into your company and plugs it into your corporate network. You may want to know how the laptop was booted up most recently and if it's safe to interact with the rest of your infrastructure, or if you need to quarantine it and update it so that it will be safe to use.
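The sidebar's second and third functions and the visiting-laptop scenario above describe one mechanism: a hash-chained register records the boot sequence, the chip signs that register value together with a fresh challenge, and the network gatekeeper compares the signed value against an approved configuration before deciding to admit or quarantine. The following is an added illustration of that exchange, not MITRE, Hewlett-Packard or TCG code. It follows the TPM design for the register extend operation and the nonce-bound quote, but uses a keyed hash (HMAC) as a stand-in for the TPM's asymmetric identity-key signature so the example runs offline; the component names, keys and the use of SHA-256 (real TPM 1.2 registers use SHA-1) are assumptions made for the demo.

```python
"""Toy measured boot plus remote attestation, modelled on the TPM functions
described in the sidebar. Added illustration only, not MITRE, HP or TCG code:
the hash-chained register, nonce-bound quote and gatekeeper policy follow the
TPM design, but the keyed hash (HMAC) used as the "signature" is a stand-in
for the TPM's asymmetric identity-key signature so the demo is self-contained.
All component names and keys below are constructed for the example."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256  # TPM 1.2 registers use SHA-1; SHA-256 is an assumption here


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """Register extend: new = H(old || H(measurement)). One-way and order-sensitive."""
    return DIGEST(pcr + DIGEST(measurement).digest()).digest()


def measured_boot(components) -> bytes:
    """Start from a zeroed register and extend once per component loaded at boot."""
    pcr = bytes(DIGEST().digest_size)
    for component in components:
        pcr = extend(pcr, component)
    return pcr


class Platform:
    """The visiting laptop: holds an identity key and answers attestation challenges."""

    def __init__(self, identity_key: bytes, components):
        self.identity_key = identity_key
        self.pcr = measured_boot(components)

    def quote(self, nonce: bytes) -> dict:
        # The quote binds the register value to the verifier's fresh nonce.
        sig = hmac.new(self.identity_key, nonce + self.pcr, DIGEST).digest()
        return {"nonce": nonce, "pcr": self.pcr, "sig": sig}


class Gatekeeper:
    """Corporate network edge: knows each platform's identity key and the approved boot state."""

    def __init__(self, known_platforms: dict, approved_pcr: bytes):
        self.known = known_platforms
        self.approved_pcr = approved_pcr

    def challenge(self) -> bytes:
        return os.urandom(16)  # fresh per request, so an old quote cannot be replayed

    def decide(self, platform_id: str, nonce: bytes, q: dict) -> str:
        key = self.known.get(platform_id)
        if key is None:
            return "reject: unknown platform"
        if q["nonce"] != nonce:
            return "reject: stale quote"
        expected = hmac.new(key, q["nonce"] + q["pcr"], DIGEST).digest()
        if not hmac.compare_digest(expected, q["sig"]):
            return "reject: bad signature"
        if q["pcr"] != self.approved_pcr:
            return "quarantine: unapproved boot state"
        return "admit"


def run_demo() -> dict:
    """Exercise the gatekeeper against the cases the article describes."""
    approved = [b"bios-1.0", b"bootloader-2.1", b"kernel-5.4", b"corp-agent-3.0"]
    outdated = [b"bios-1.0", b"bootloader-2.1", b"kernel-5.4", b"corp-agent-2.9"]
    reordered = [b"bootloader-2.1", b"bios-1.0", b"kernel-5.4", b"corp-agent-3.0"]
    key = os.urandom(32)
    gate = Gatekeeper({"laptop-A": key}, approved_pcr=measured_boot(approved))
    results = {}

    good = Platform(key, approved)
    nonce = gate.challenge()
    results["approved"] = gate.decide("laptop-A", nonce, good.quote(nonce))

    nonce = gate.challenge()
    results["outdated"] = gate.decide("laptop-A", nonce, Platform(key, outdated).quote(nonce))

    nonce = gate.challenge()
    results["reordered"] = gate.decide("laptop-A", nonce, Platform(key, reordered).quote(nonce))

    # Replay: an old, valid quote offered against a new challenge.
    old_quote = good.quote(gate.challenge())
    results["replay"] = gate.decide("laptop-A", gate.challenge(), old_quote)

    # Forgery: a machine without the identity key claims the approved state.
    nonce = gate.challenge()
    forged = {"nonce": nonce, "pcr": gate.approved_pcr, "sig": bytes(32)}
    results["forged"] = gate.decide("laptop-A", nonce, forged)

    nonce = gate.challenge()
    results["stranger"] = gate.decide("laptop-Z", nonce, good.quote(nonce))
    return results


if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:10s} -> {verdict}")
```

The outdated and reordered boots produce a register value the gatekeeper has never approved, so they land in quarantine rather than being rejected outright, which is the "update it so that it will be safe to use" path in the scenario. The replay, forgery and unknown-platform cases fail the freshness, signature and identity checks respectively, and those checks are what make the register value worth trusting in the first place: a plain software report of "I booted cleanly" would pass none of them.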

As computer manufacturers continue to pump out machines with Trusted Platform Modules in them, MITRE is contributing systematic ways of using them effectively. "In the coming years we're likely to see the hardware used not just for local goals such as protecting encrypted data on a disk, but also to build distributed systems with better levels of trust," says Guttman. "The same mechanism and techniques can be used by the government to facilitate trusted computing among its different agencies and suppliers."

—by David Van Cleave


Page last updated: January 27, 2005