Encryption hole plugged, says Big Blue
IBM has updated the security chip embedded in the motherboard of its PCs, eliminating a potential flaw in the system.
The latest implementation of IBM’s Embedded Security Subsystem (ESS), which conforms to the TCPA (Trusted Computing Platform Alliance) specification, removes a security risk present in the previous version.
The security chip, integrated into the motherboard, is basically like having a smartcard embedded in your PC. This provides, among other things, a secure area to store encryption keys, used to mathematically scramble data so it can only be decoded by an authorised party. As the keys are stored within the chip, and not on the hard drive, they can’t be stolen and exploited by unauthorised users.
When it comes to decryption, the computer simply feeds data in one end and it pops out the other unscrambled. As the chip is effectively only providing yes/no answers the keys remain secure.
However, with the previous implementation, keys were initially created in software running on the PC and then moved to the secure chip. This leaves the key-generation step itself outside the chip's protection. According to Antonio Maña from the Gisum Research Group, it would be better if the keys were generated by the chip to "guarantee that everything encrypted by a smartcard key has been produced under the control of the card software".
Maña explains, "Most attacks on a system like this will be based on the weakest part, which is the controlling software. The main issue is not how to avoid the private area being compromised but how to guarantee that the chip does what the user wants.
"Unless you have trusted software running on that PC you cannot guarantee that this secure system is doing what you want. To solve this you need to authenticate everything (hardware and software) from the start."
With the new system, available in IBM's ThinkPad T30 notebook, key creation is now executed inside the chip, improving security. IBM is also looking to license its ESS client software to third parties, providing enhanced security to a wider market.