Is Intel’s New CPU Identification for Data Security Only a Marketing Gag?
Straight after I read about Intel’s new plans to ensure higher data security over the Internet for e-commerce by implementing a identification number into their upcoming CPUs starting with Pentium III, I felt forced to consult Kim Schmitz, CEO of Data Protect GmbH, a business particularly focussed on data security. Data Protect is currently building up the introduction of their very own authentication procedure, known under the name ‘Dapromas‘. Kim Schmitz and his team has a known expertise in this matter, he as well as the majority of his employees are former hackers. When I told him about Intel’s new plan, he had nothing more than a gentle laugh left over for it. Authenticating yourself with your computer system is a highly dangerous procedure. It may not be known to most of you, but the weakest systems against hacker attacks are systems of end users that are connected to the Internet. Servers are often protected more or less professionally, systems of Internet surfers are wide open to any attack however, and in the most cases the user would never even notice it. The hacker could access any e-commerce business directly from the platform of an end user, obviously using the CPU identification of the system of this user. Thus the so-called ‘trusted, connected PC’ is light years from safe or secure, as a matter of fact it opens hackers a completely new dimension.
This leads to the conclusion that Intel came up with this new idea for no other reason than for marketing. Doesn’t it sound nice that you can make your system a ‘trusted, connected PC’ by simply dropping a Pentium III CPU into it? Wouldn’t AMD’s, IDT’s or TransMeta’s CPUs without this beautiful identification gimmick look as if they are ‘insecure CPUs’? Data security takes a lot more than a half-baked solution as the identification number of future Intel CPUs, the world’s hackers are more powerful than most people realize and their power increases every day whilst more and more computer get connected. If we want to avoid that hackers abuse our information, then we should not jump on Intel’s new bandwagon, we should give them a strong signal of disparagement instead.
Kim Schmitz did me the favor and wrote up a little piece about Intel’s new idea for me, although it’s his 25th birthday today.
Comment from a Data Security Expert
Will Intel’s New CPU Serial Number Boost e-commerce Security? The electronic commerce industry is currently evaluating the unique identification number provided by new Intel CPUs as a means of securely validating the identity of a user wishing to perform a transaction via the Internet. Let’s have a closer look at the level of security that can actually be attained with such a feature. The serial number is tied to the processor chip. To uniquely identify an individual, there would have to be a fixed one-to-one user-processor relationship. While this may be true (at least to a certain extent) for computers used at home, it would be useless in environments where people share computers. Of course, the identification would change with every processor upgrade, change hands legitimately by the computer (or the CPU chip) being sold or given away, and SMP environments would feature multiple unique serial numbers. Additionally, ID-less CPUs will be around for a long time, and even on chips that have it, it can be disabled through software. Therefore, it is unlikely that software will ever rely solely on the CPU serial number to identify a user. Now that we have established that the CPU serial number is fairly useless for verifying the identity of humans, let’s see if it can at least identify a machine securely enough to use it as a base for client-server trust relationship. The serial number is available in the clear to software running on the CPU. Cryptographic challenge-response schemes will have to be implemented in software, and thus suffer from the same vulnerabilities as any other means of storing a cryptographic key in a CPU-readable way: Someone breaking into a CPU-ID protected server can trivially steal its identity and impersonate it on any machine by copying and modifying the server-side software to use the desired ID, or, if this turns out to be too difficult, running it in a virtual machine that emulates the relevant instruction appropriately. This also jeopardizes the usefulness of the ID as a base for copy-protection schemes. Of course, a cryptographically secure implementation would use the serial number as the key to a sufficiently strong hard-wired crypto-algorithm. Unfortunately, chip real estate and export restrictions as well as the unresolveable key management problem rule this out immediately. It looks like Intel’s latest innovation is little more than a marketing gimmick. The only real-world value that it might possibly have is a hardware-based, OS-independent way of creating profiles of and track unsuspecting users. Kim Schmitz, CEO Data Protect GmbH |
Michael Van Loon send me this interesting comment:
Every computer that has an Ethernet card in it already has a unique ID which can be used to identify that computer when it interacts with other computers on the Internet. It is not currently transmitted in every message, but easily could be. Furthermore, unlike Intel’s proposal, there is currently no way to turn it off (though you certainly could configure software to not pass it to a remote host, as long as you were using TCP/IP). What’s more, I’m sure that at least some encryption algorithms may use that Ethernet ID to seed their random number generator, though this is mere speculation on my part. [..] I am a senior software developer at an EDI/EC software tools company. This is where my experience comes from. |
So what is the deal with this CPU ID-number? It is certainly not any new invention and I doubt that Intel is completely unaware of the huge security flaws that come along with it. Could it be that Intel wants to achieve something completely different with it? Wouldn’t it be cool if Intel could check which CPU each and every Internet-user has got? They would know where it came from, where it was bought and who is using it right now. This could be an invaluable information for Intel and we are even paying for it. I guess I will never leave my CPU ID-no. enabled, God knows what Intel really wants to do with it.