
Trusted computing

Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by Dududad (talk | contribs) at 08:47, 9 July 2006 (Controversial issues). It may differ significantly from the current revision.

[Figure: Trusted Computing3.png]

Trusted Computing (TC) is a technology promoted and developed by the Trusted Computing Group (TCG). The term comes from the field of trusted systems and has a specific meaning. Technically speaking, "trusted" does not necessarily mean "trustworthy" from the user's point of view. Rather, it means that the system can be trusted to follow its design more fully, and is less likely to perform actions that its designers and other software authors have forbidden.

Trusted computing is not without controversy. Proponents of the technology claim it will make computers more secure, less susceptible to viruses and malware, and therefore more reliable from the end user's perspective. They also claim that trusted computing will allow computers and servers to offer stronger computer security than is available today. Opponents counter that the companies behind trusted computing are not themselves so trustworthy, and that the technology gives system and software designers too much power and control. They also argue that trusted computing could force users to lose anonymity in online interactions and could mandate technologies that are unnecessary. Finally, it is seen as the future form of copyright and copy protection, which matters greatly to companies and other market participants; this too has drawn criticism and raised concerns about excessive censorship.

Many well-known security experts[1][2] have voiced opposition to trusted computing, because they believe it will give computer manufacturers and software authors greater ability to impose restrictions on how users use their own computers. Some are concerned that trusted computing may (or is intended to) act to restrict the free-software market, proprietary software development and, more generally, competition throughout the IT market. Some, such as Richard Stallman, have therefore given it the derogatory name "treacherous computing".[1]

Regardless of how this debate and the final products turn out, companies with major influence in the computing field, such as the chip makers Intel and AMD and system-software developers such as Microsoft, plan to include trusted computing technology in their next generation of products.

The nature of trust

Unlike the everyday definition of "trust", security experts define a trusted system as the part that must be trusted in order for a larger system to be secure. For example, the US Department of Defense defines a trusted system as one that can violate the security policy; in other words, "a system you are forced to trust because you have no choice". The cryptographer Bruce Schneier notes that "a 'trusted' computer does not mean a trustworthy one". Under these definitions, the user of a hard-disk controller must trust that it will honestly write data to the disk under all circumstances; the user of a secure website must trust that it is secure, because the user has no way of verifying this. In security parlance, trust is always a compromise or a weakness; sometimes it is unavoidable, but it is never desirable. By analogy, your best friend cannot share your medical records because he or she does not have them; your doctor, on the other hand, can. Perhaps you trust your doctor and consider him or her a good person; or perhaps your town has only one doctor and you have no choice but to trust him or her.

The main dispute over trusted computing concerns the meaning of "trust". The Trusted Computing Group describes "technical trust" as: "an entity is trusted if it always behaves in the expected manner for the intended purpose". Critics describe a trusted system as one you are "forced to trust", rather than one that is actually trustworthy.

Critics also note that it is not always possible to inspect the hardware on which trusted computing relies, the Trusted Platform Module, which holds the platform's ultimate root of trust. If it is implemented incorrectly, it poses a security threat to the integrity of the whole platform and to the data it protects. The Trusted Computing Group's specifications are open and anyone can review them, but the final commercial products built by vendors are not necessarily subject to such review.

A final concern is that cryptography advances rapidly, and algorithms implemented in hardware, as trusted computing does, may inadvertently become tomorrow's obsolete junk.

Although proponents claim that trusted computing improves security, critics counter that not only is security not improved, but trusted computing may also promote mandatory digital rights management (DRM), harm user privacy and impose other restrictions on users. In contrast to trusted computing, "secure computing" focuses on anonymity. Its advocates claim that the additional security can be obtained by other means, without requiring users to give up superuser control of their computers.

Proponents of trusted computing argue that the privacy concerns have been addressed in the current specifications, possibly in response to criticism of earlier versions. End users have many ways to use their Trusted Platform Module; however, third parties may mandate particular options, eliminating the benefit of that choice.

Core concepts

Trusted computing comprises four core technical concepts, all of which are required in a fully trusted system.

  1. Secure input and output
  2. Memory curtaining / protected execution
  3. Sealed storage
  4. Remote attestation

Secure input and output (I/O)

Secure input and output (I/O) refers to a protected path between the computer user and the software they believe they are interacting with. On current computer systems, malware has many ways to intercept data passing between the user and a software process, for example keyloggers and screen scrapers. Secure I/O takes the form of a channel protected and verified by hardware and software, using checksums to verify that the software performing the I/O has not been tampered with. Malware that injects itself into the channel would be detected.

Although secure I/O protects against software-based attacks, it does not necessarily protect against hardware-based attacks, such as a device physically inserted between the user's keyboard and the computer.

Memory curtaining

Memory curtaining extends current memory-protection techniques to provide full isolation of sensitive areas of memory, such as those holding cryptographic keys. Even the operating system cannot access curtained memory, so the information in it remains secure even if an intruder has gained control of the OS.

Sealed storage

Sealed storage protects private data by encrypting it with a key derived from the software and hardware configuration in use. This means the data can only be read when the system has the same combination of software and hardware. For example, a user keeps a diary on his computer and does not want other programs or computers to read it. Today, a virus could search for the diary, read it and send it to others; the Sircam virus did something similar. Even if the diary is password-protected, the virus could run a dictionary attack, or it could modify the user's diary software so that the software leaks the contents when the user opens the diary. With sealed storage, the diary is securely encrypted and only the unmodified diary software on that computer can open it.
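The following added example (not part of the original article, and not TCG or TPM code) models the sealed-storage idea above: a boot chain is folded into a TPM-style PCR value, a key is derived from that value, and unsealing fails once any measured component changes. The root secret, the boot chains and the HMAC-based keystream are constructed stand-ins for what a real chip and cipher would provide.

```python
import hashlib
import hmac
import os

# Hypothetical chip-resident root secret, constructed for this example only.
ROOT_SECRET = b"example-tpm-root-secret"

def pcr_extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    """Fold a boot chain (firmware, bootloader, OS, app) into one PCR value."""
    pcr = bytes(32)  # a PCR starts at all zeros on reset
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def _keystream(key, nonce, length):
    """Simplified stand-in for a real cipher: HMAC-SHA256 in counter mode."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal(data, pcr):
    """Bind data to the measured configuration: the key is derived from the PCR."""
    key = hmac.new(ROOT_SECRET, pcr, hashlib.sha256).digest()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag

def unseal(blob, pcr):
    """Return the plaintext only if the PCR (the running software) is unchanged."""
    key = hmac.new(ROOT_SECRET, pcr, hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # different software stack, or a tampered blob
    return bytes(a ^ b for a, b in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))

# Constructed boot chains; the second one runs a modified diary program.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"os-kernel-v1", b"diary-app-v1"]
BAD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"os-kernel-v1", b"diary-app-patched"]

if __name__ == "__main__":
    blob = seal(b"dear diary", measure_boot(GOOD_CHAIN))
    print(unseal(blob, measure_boot(GOOD_CHAIN)))  # b'dear diary'
    print(unseal(blob, measure_boot(BAD_CHAIN)))   # None
```

Because the key never exists outside the measured configuration, a patched diary program (or a virus that modified it) gets nothing but an integrity failure, which is exactly the lock-in that the criticism sections below describe.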

Remote attestation

Remote attestation allows the user or others to detect changes to the user's computer. This avoids sending private information or important commands to an insecure or compromised computer. In the remote-attestation mechanism, the hardware generates a certificate stating what software is currently running. The user can send this certificate to a remote party to show that his computer has not been tampered with.

Remote attestation is usually combined with public-key encryption so that the information sent can only be read by the program that requested the attestation, and not by an eavesdropper.

Using the diary example again, the user's diary software can send the diary to other machines, but only to those that can prove they are running a secure copy of the diary software. Combined with the other technologies, remote attestation provides a more secure path for the diary: secure I/O protects it while it is typed on the keyboard and displayed on the screen, memory curtaining protects it while the diary software is running, sealed storage protects it when it is stored on the hard disk, and remote attestation protects it from unauthorized software when it is used on other computers.
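The challenge/response exchange described above, as an added example that is not part of the original article or of any TCG specification: the verifier issues a fresh nonce, the client's "chip" binds its current PCR value to that nonce, and the verifier accepts only a quote that is authentic, unreplayed and for a software stack on its allowlist. The attestation key is a constructed symmetric stand-in; a real TPM would sign with an asymmetric Attestation Identity Key.

```python
import hashlib
import hmac
import os
# Hypothetical attestation key, constructed for this example (a real TPM signs with
# an asymmetric Attestation Identity Key and the verifier holds only its public half).
ATTESTATION_KEY = b"example-aik-secret"

def pcr_extend(pcr, measurement):
    """TPM-style extend: new PCR = SHA-256(old PCR || SHA-256(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measure_boot(components):
    pcr = bytes(32)  # a PCR starts at all zeros on reset
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr

def prover_quote(pcr, nonce):
    # Client side: the chip binds its current PCR to the verifier's nonce.
    mac = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
    return (pcr, nonce, mac)

class Verifier:
    def __init__(self, known_good_pcrs):
        self.known_good = set(known_good_pcrs)
        self.outstanding = set()  # nonces issued but not yet answered

    def challenge(self):
        nonce = os.urandom(16)  # fresh per request, so an old quote cannot be replayed
        self.outstanding.add(nonce)
        return nonce

    def verify(self, quote):
        pcr, nonce, mac = quote
        if nonce not in self.outstanding:
            return False  # replayed or unsolicited quote
        self.outstanding.discard(nonce)  # single use
        expected = hmac.new(ATTESTATION_KEY, pcr + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False  # not produced by hardware we trust
        return pcr in self.known_good  # only an approved software stack passes

# Constructed boot chains; the second one runs a modified diary program.
GOOD_CHAIN = [b"firmware-v1", b"os-kernel-v1", b"diary-app-v1"]
BAD_CHAIN = [b"firmware-v1", b"os-kernel-v1", b"diary-app-modified"]

def run_exchange(chain, replay=False):
    # One challenge/response round; returns whether the verifier accepts the quote.
    verifier = Verifier([measure_boot(GOOD_CHAIN)])
    nonce = verifier.challenge()
    quote = prover_quote(measure_boot(chain), nonce)
    if replay:
        verifier.verify(quote)  # the first use consumes the nonce...
    return verifier.verify(quote)  # ...so the replayed copy is rejected
```

Note that the modified client is rejected even though its quote is perfectly authentic: attestation reports what is running, and it is the verifier's allowlist that turns that report into a policy decision.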

Controversial issues

Opponents of trusted computing point out that the security mechanisms which protect a computer from viruses and attackers will equally restrict the actions of its owner. They argue that this enables anti-competitive behaviour, which could harm the people who buy trusted computers.

One concern of the Cambridge cryptographer Ross Anderson is that "TC can support remote censorship [...] In general, digital objects created on TC-enabled systems remain under the control of their creators, rather than of the person who controls the computer on which they happen to be stored [...] So someone who writes a paper that a court decides is defamatory can be compelled to censor it, and if the author refuses, the company that wrote the word-processing software could be ordered to delete the paper. Given such possibilities, we can expect TC to be used to suppress everything from pornography to criticism of political leaders."

He goes on to say:

"[...] software vendors can make it much harder for you to switch to their competitors' products. At a simple level, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor."
"[...] The most important benefit for Microsoft is that TC will dramatically increase the cost of switching away from Microsoft products (such as Office) to rival products (such as OpenOffice). For example, a law firm that wants to change from Office to OpenOffice right now merely has to install the software, train the staff and convert their existing files. In five years' time, once they have received TC-protected documents from thousands of different clients, they would have to get permission (in the form of signed digital certificates) from each of those clients in order to migrate their files to a new platform. The law firm won't in practice want to do this, so they will be much more tightly locked in, which will enable Microsoft to raise its prices dramatically."

Anderson concludes: "The fundamental issue is that whoever gains control of the TC infrastructure will acquire a huge amount of power. Having this single point of control is like making everyone use the same bank, or the same accountant, or the same lawyer. There are many ways in which this power could be abused."

Users cannot change software

In the diary example, sealed storage protects the diary from malicious programs like viruses, but it doesn't distinguish between those and useful programs, like ones that might be used to convert the diary to a new format, or provide new methods for searching within the diary. A user who wanted to switch to a competing diary program might find that it would be impossible for that new program to read the old diary, as the information would be "locked in" to the old program. It could also make it impossible for the user to read or modify his or her diary except as specifically permitted by the diary software. If he or she were using diary software with no edit or delete option then it could be impossible to change or delete previous entries.

Remote attestation could cause other problems. Currently web sites can be visited using a number of web browsers, though certain websites may be formatted (intentionally or not) such that some browsers cannot decipher their code. Some browsers have found a way to get around that problem by emulating other browsers. For example, when Microsoft's MSN website briefly refused to serve pages to non-Microsoft browsers, users could access those sites by instructing their browsers to emulate a Microsoft browser. Remote attestation could make this kind of emulation irrelevant, as sites like MSN could demand a certificate stating the user was actually running an Internet Explorer browser.

Users cannot control the information they receive

One of the early motivations behind trusted computing was a desire by media and software corporations for stricter Digital Rights Management (DRM): technology to prevent users from freely sharing and using potentially copyrighted or private files without explicit permission. Microsoft has announced a DRM technology that it says will make use of trusted computing.

Trusted computing can be used for DRM. An example could be downloading a music file from a band: the band's record company could come up with rules for how the band's music can be used. For example, they might want the user to play the file only three times a day without paying additional money. Also, they could use remote attestation to only send their music to a music player that enforces their rules: sealed storage would prevent the user from opening the file with another player that did not enforce the restrictions. Memory curtaining would prevent the user from making an unrestricted copy of the file while it's playing, and secure output would prevent capturing what is sent to the sound system.

Once digital recordings are converted to analog signals, the (possibly degraded) signals could be recorded by conventional means, such as by connecting an audio recorder to the card instead of speakers, or by recording the speaker sounds with a microphone. Even trusted computing cannot defeat the analog hole.

Without remote attestation, this problem would not exist. The user could simply download the song with a player that did not enforce the DRM restrictions, or one that lets him convert the song to a normal "unrestricted" format such as MP3.

Users cannot control their data

One commonly stated criticism of Trusted Computing is that sealed storage could prevent users from moving sealed files to a new computer. This limitation might exist either through poor software design or through deliberate limitations placed by content creators. The migration section of the TPM specification requires that it be impossible to move certain kinds of files except to a computer with the identical make and model of security chip. If an old model of chip is no longer produced, it becomes impossible to move the data to a new machine at all; the data is forced to die along with the old computer.

Moreover, critics are concerned that TPM is technically capable of forcing spyware onto users, with e.g. music files only enabled on machines that attest to informing an artist or record company every time the song is played. In a similar vein, a news magazine could require that to download their news articles, a user's machine would need to attest to using a specific reader. The mandated reader software could then be programmed not to allow viewing of original news stories to which changes had been made on the magazine's website. Such "newest version" enforcement would allow the magazine to "rewrite history" by changing or deleting articles. Even if a user saved the original article on his or her computer, the software might refuse to view it once a change had been announced.

Loss of anonymity on the Internet

Because a TC-equipped computer is able to uniquely attest to its own identity, it will be possible for vendors and others who possess the ability to use the attestation feature to zero in on the identity of the user of TC-enabled software with a high degree of certainty.

Such a capability is contingent on the reasonable chance that the user at some time provides user-identifying information, whether voluntarily or indirectly. One common way that information can be obtained and linked is when a user registers a computer just after purchase. Another common way is when a user provides identifying information to the website of an affiliate of the vendor.

While proponents of TC point out that online purchases and credit transactions could potentially be more secure as a result of the remote attestation capability, this may cause the computer user to lose expectations of anonymity when using the Internet.

Critics point out that this could have a chilling effect on political free speech, the ability of journalists to use anonymous sources, whistleblowing, political blogging and other areas where the public needs protection from retaliation through anonymity.

In response to privacy concerns, researchers developed direct anonymous attestation which allows a client to perform attestation while limiting the amount of identifying information that is provided to the verifier.

Proposed owner override

All these problems come up because trusted computing protects programs against everything, even the owner. A simple solution is to let the owner of the computer override these protections. This is called owner override, and it is only currently outlined as a suggested fix.

Activating owner override would allow the computer to use the secure I/O path to make sure the owner is physically present, to then bypass restrictions. Such an override would allow remote attestation to a user's specification, e.g., to create certificates that say Internet Explorer is running, even if a different browser is used. Instead of preventing software change, remote attestation would indicate when the software has been changed without owner permission.

Some Trusted Computing Group members have viewed owner override as a potential danger to the TC program.[citation needed] Owner override, they believe, defeats the trust in other computers since remote attestation is not enforced centrally. Owner override offers the security and enforcement benefits to a machine owner, but does not prevent another owner from waiving rules or restrictions on her own computer. Under this scenario, once data is sent to someone else's computer, whether it be a diary, a DRM music file, or a joint project, that other person controls what security, if any, their computer will enforce on their copy of those data.

One of the fundamental premises behind trusted computing is that the owner cannot be trusted.[3] It is assumed that the user will—through negligence or willful intent—attempt to compromise their own system. For example, an IT administrator could not ensure that notebook computers are running a specified operating system.

Doubts about practicality

It has also been compellingly argued that many of the assumptions which underlie TC are impractical "in the real world," to the extent that many users will find it pragmatically necessary to employ Owner Overrides on a regular basis, or simply decline to use the features altogether ... even if this puts them at odds with software vendors who may wish to insist upon its use.[citation needed]

Any hardware component, including the TC hardware itself, has the potential to fail, or be upgraded and replaced. A user might rightfully conclude that the mere possibility of being irrevocably cut-off from access to his or her own information, or to years' worth of expensive work-products, with no opportunity for recovery of that information, is unacceptable. Legal restrictions on the use and dissemination of information, or mandating its reliable storage for a period of time that may extend to many years in the future, may also, it has been argued, preclude the practical application of TC technology in many of the ways now contemplated. The concept of basing ownership or usage restrictions upon the verifiable identity "of a particular piece of computing hardware" may be perceived by the consumer as inadequately answering the question, "what do I do when it breaks?"

Support

  • Apple computers with Intel processors use a TPM module as a copy protection for their operating system, OS X.
  • Since 2004, most major manufacturers have shipped systems (usually laptops) that have included Trusted Platform Modules, with associated BIOS support.[4] In accordance with the TCG specifications, the user must enable the Trusted Platform Module before it can be used.
  • The Linux kernel has included trusted computing support since version 2.6.13, and there are several projects to implement trusted computing for Linux. In January 2005, members of Gentoo Linux's "crypto herd" announced their intention of providing support for TC - in particular support for the Trusted Platform Module.[5] There is also a TCG-compliant software stack for Linux named TrouSerS, released under an open source license.
  • Some limited form of trusted computing can be implemented on current versions of Microsoft Windows with third-party software.
  • The Enterprise and Ultimate editions of Windows Vista will make use of a Trusted Platform Module, if one is present in the system, to facilitate BitLocker Drive Encryption.[6]

References

  1. ZDNet
  2. Schneier
  3. Schoen, Seth. "Trusted Computing: Examples of Abuse of Remote Attestation: Part 4. Computer Owner as Adversary?" (PDF). Trusted Computing: Promise and Risk. 2003. Retrieved 2006-03-13.
  4. Tony McFadden. "TPM Matrix". March 26, 2006. Retrieved 2006-05-05.
  5. "Trusted Gentoo". Gentoo Weekly Newsletter. January 31, 2005. Retrieved 2006-05-05.
  6. "Windows Vista Beta 2 BitLocker Drive Encryption Step-by-Step Guide". Microsoft TechNet.

External links