IBM Puts Security In the Chip
Claims tighter security with new encryption chip
(Boston) -- In an effort to boost the level of data security on
portable computers, cell phones and other gadgets, IBM Corp. is unveiling
a method for injecting encryption capabilities into the heart of the machines'
circuitry.
There are multiple ways to achieve encryption, the mathematical art of
encoding data to protect it from spying eyes. Specialized software can
do the trick, as can hard-wired chips inside computers.
But IBM researchers contend that unless the encryption function is performed
by a computer's central processing unit, a supremely savvy hacker can
tap into the pathway between the machine's brain and the separate encryption
engine.
To guard against that, IBM announced that it has developed "SecureBlue"
-- a set of encryption circuitry that can be integrated into any processor,
regardless of its manufacturer.
"This thing is trying to be one of the most paranoid devices on
the planet," said Charles Palmer, IBM's head security researcher.
IBM is not the first to seek to integrate encryption into a computer's
central processing functions. Intel Corp.'s upcoming "LaGrande"
technology essentially does that, though it requires interaction with
a separate chip, known as a trusted platform module.
The IBM researchers say they have developed a way to skip that step.
Richard Doherty, an analyst with the Envisioneering Group, said SecureBlue's
design appears flexible enough to bring strong encryption to such new
settings as cell phones and music players.
That could mean enhanced security not only for users who keep sensitive
data on portable devices, but also for content owners who can use encryption
to lock down copyrighted material and prevent it from being freely disseminated.
However, IBM's encryption engine is not simply a module that can be plugged
into existing chips. SecureBlue needs to be woven into a processor from
scratch, mixed in with other transistors somewhat "like hamburger,"
in the description of Bernie Meyerson, chief technologist for IBM's systems
group.
That means SecureBlue, at least for the time being, likely will end up
only in devices made by companies that hire IBM's custom engineering unit.
That group's projects include chips for medical and defense systems and
video game consoles made by Microsoft Corp., Nintendo Co. and Sony Corp.
IBM researchers said SecureBlue already has made its way into one customer's
devices. But they said that company had demanded anonymity.
Considering that software vendors such as PGP Corp. already offer software-based
encryption for portable devices such as BlackBerries, IBM might have to
convince skeptics that SecureBlue significantly raises the bar for security.
Bruce Schneier, founder of Counterpane Internet Security Inc., said more
fully integrating encryption and processing would likely improve a machine's
performance. But he said it was "just stupid" to claim that
hackers would otherwise target the transmission between a computer processor
and a separate encryption engine.
Far more likely, he said, is for someone to try to steal data when it
was unencrypted -- such as when it appeared in plain text on a computer
screen.
"Security is a chain and it's as strong as its weakest link,"
he said. "They're talking about taking a very strong link and making
it a little bit stronger, at best. Maybe."