IBM Puts Security In the Chip

Claims tighter security with new encryption chip

(Boston) -- In an effort to boost the level of data security on portable computers, cell phones and other gadgets, IBM Corp. is unveiling a method for injecting encryption capabilities into the heart of the machines' circuitry.

There are multiple ways to achieve encryption, the mathematical art of encoding data to protect it from spying eyes. Specialized software can do the trick, as can hard-wired chips inside computers.

But IBM researchers contend that unless the encryption function is performed by a computer's central processing unit, a supremely savvy hacker can tap into the pathway between the machine's brain and the separate encryption engine.

To guard against that, IBM announced that it has developed "SecureBlue" -- a set of encryption circuitry that can be integrated into any processor, regardless of its manufacturer.

"This thing is trying to be one of the most paranoid devices on the planet," said Charles Palmer, IBM's head security researcher.

IBM is not the first to seek to integrate encryption into a computer's central processing functions. Intel Corp.'s upcoming "LaGrande" technology essentially does that, though it requires interaction with a separate chip, known as a trusted platform module.

The IBM researchers say they have developed a way to skip that step.

Richard Doherty, an analyst with the Envisioneering Group, said SecureBlue's design appears flexible enough to bring strong encryption to such new settings as cell phones and music players.

That could mean enhanced security not only for users who keep sensitive data on portable devices, but also for content owners who can use encryption to lock down copyrighted material and prevent it from being freely disseminated.

However, IBM's encryption engine is not simply a module that can be plugged into existing chips. SecureBlue needs to be woven into a processor from scratch, mixed in with other transistors somewhat "like hamburger," in the description of Bernie Meyerson, chief technologist for IBM's systems group.

That means SecureBlue, at least for the time being, likely will end up only in devices made by companies that hire IBM's custom engineering unit. That group's projects include chips for medical and defense systems and video game consoles made by Microsoft Corp., Nintendo Co. and Sony Corp.

IBM researchers said SecureBlue already has made its way into one customer's devices. But they said that company had demanded anonymity.

Considering that software vendors such as PGP Corp. already offer software-based encryption for portable devices such as BlackBerries, IBM might have to convince skeptics that SecureBlue significantly raises the bar for security.

Bruce Schneier, founder of Counterpane Internet Security Inc., said more fully integrating encryption and processing would likely improve a machine's performance. But he said it was "just stupid" to claim that hackers would otherwise target the transmission between a computer processor and a separate encryption engine.

Far more likely, he said, is for someone to try to steal data when it was unencrypted -- such as when it appeared in plain text on a computer screen.

"Security is a chain and it's as strong as its weakest link," he said. "They're talking about taking a very strong link and making it a little bit stronger, at best. Maybe."


comments powered by Disqus

Subscribe on YouTube