Technology Review - Published By MIT

The Encrypted Chip

What will IBM's new hardware-based security technology be used for?

By Kate Greene

Wednesday, April 19, 2006


IBM recently announced an effort to enmesh data security in the chips found in cell phones, PDAs, and other portable devices. More than half of all unprotected data can be found on these gadgets, says the company, and encryption that relies on software is not as secure as encryption built into hardware.

Some experts believe that IBM's new technology could be useful in certain instances, such as when a PDA containing sensitive, proprietary information goes missing. But the technology also raises the hackles of those who fear it might one day be used by companies -- in the entertainment industry, in particular -- to further restrict people's uses of copyrighted material. Content providers, the argument goes, could use such a chip to lock movies, music, or television shows to a gadget or computer, keeping them from being distributed.

This new IBM technology, called SecureBlue, is meant to address some of the limitations of software security, especially in portable electronics, says Guerney Hunt, senior manager for distributed infrastructures, IBM Research. "This kind of encryption technique was developed because it's increasingly possible for these devices to fall into the wrong hands," he says. "Software cryptography has to be turned on and turned off, and it can be defeated by software attacks." But if the security and tamper protection is incorporated into the chip, he says, sensitive information cannot be removed without destroying the chip.

SecureBlue is a set of chip circuitry that uses a common type of encryption called Advanced Encryption Standard. When data enters a chip with SecureBlue technology, it encounters an extra processing step that encrypts the data as it travels throughout the chip and onto other device components such as the hard drive. Hardware encryption does not replace security software, but rather helps to protect data that might otherwise slip past the radar of security software.

For instance, when programs run, they copy small amounts of information to a hard drive, where it may be unintentionally stored, explains Burt Kaliski, vice president of research at RSA Security, a Bedford, MA-based digital security company. As this happens, encryption software might not account for all the data that is stored on the hard drive of a device. This is "one of the vulnerabilities of a computer system," says Kaliski. But if the data is encrypted from the start, he says, that vulnerability is addressed and all of the data is securely in the hardware of the device. Kaliski adds that going after unencrypted remnants of data stored on hard drives is a "very sophisticated attack" that would be difficult to carry out.

But some industry observers aren't so impressed. David Wagner, professor of computer science at the University of California, Berkeley, says that encrypting the chip doesn't address the majority of cybercrime. "Encryption isn't the main problem we face today in the security field," he says; instead, most threats come from viruses, worms, and online identity theft. "There are certainly some applications that can benefit from hardware acceleration of cryptography," says Wagner, but most computer users "don't need this fancy stuff. Existing technology is adequate for many purposes."

Comments

  • Security chain on devices
    Security for security's sake is fine. And I think chip-based encryption works well in this environment. If, however, you want DRM, this may be trickier, as at some point the device needs to output to a human. This is essentially a decryption at which point it could be copied. Unless Hollywood are willing to implant decryption chips in our brains there will always be a point at which copyright can be copywronged.
    Guest (Brett)
    04/19/2006
    Posts:1
    • Virus differentiation
      I often have to turn off my anti-virus software to get certain programs to work correctly.  What happens when I can't turn it off?  "Oops... sorry.  We blocked the proper operation of a piece of software whose originators lacked the funding to develop with our chip."  How will this affect the open source community?
      Guest (Jonathan)
      04/19/2006
      Posts:1
  • Distribution Control App OK
    If my devices are associated to each other by their security chip, and the license for software usage is defined, then there is nothing wrong with using this chip to control content distribution.  Some limits on the results of detecting inappropriate distribution are needed.  You can notify me that this copy is illegal and stop the file, but you can't report it or disable my system in any way by allocating any resource beyond the notification to user and file script interrupt.
    Guest (Roger)
    04/20/2006
    Posts:1
  • For secure data today, use BlackDog Linux
    There are also inexpensive, secure data, fit-in-your-pocket devices like BlackDog which use thumbprint authentication already.
    Guest (Richard Karpinskl)
    04/30/2006
    Posts:1

MIT Massachusetts Institute of Technology © 2010 Technology Review. All Rights Reserved.