IBM bakes security into processors

Researchers at IBM have come up with a way to hardwire encryption technology into a microprocessor, promising a more secure way to store data.

IBM plans to announce availability of the new technology, dubbed Secure Blue, on Monday. The Armonk, N.Y.-based company envisions its idea and technology will be used in digital media players, electronic organizers, cell phones, computers and devices used by the government and the medical and financial industries.

With Secure Blue, data is encrypted and decrypted as it runs through a processor, according to IBM. It is maintained encrypted in the device memory, or RAM. One of the few times data would not be scrambled is when it is actually displayed.

"There is a lot of concern about leakage of data," Charles Palmer, manager security and privacy at IBM, said in an interview. "If you have an architecture where that information is always encrypted, you go a long way to protect your data."

Secure Blue requires a few circuits to be added to a microprocessor, taking up a small percentage of the overall silicon real estate, according to IBM. The encryption and decryption happens on-the-fly, without any processor overhead, the company said.

The hardwired security technology can be used for multiple purposes, not all of which necessarily serve the device owner. It can protect data when a person's computer or device is lost, stolen or hacked, for example. But content owners can also use it for enforcement of copyright, called digital rights management (DRM), which critics have called a scourge to user freedom.

"This is a technology that can solve a lot of problems," Palmer said. "It can be used for DRM, it can be used for systems management, and it can be used for protecting my information on the BlackBerry." The future will decide how it will be used. IBM on Monday is only announcing availability of the technology, Palmer noted.

The idea of hardware-based security is not new. Millions of laptops already contain a chip called a Trusted Platform Module, or TPM, which offers protected storage of encryption keys, passwords and digital certificates. The idea of the TPM is also coming to servers and mobile phones.

"The TPM is a step in the right direction," Palmer said. "But it is not a bulk encryption device, and it would probably melt if you try to use it for an encrypted anywhere capability."

IBM has built a prototype of Secure Blue using its own PowerPC processor technology. However, the system will work with any processor design, including those from Intel and Advanced Micro Devices that are used in PCs. An IBM representative said the company has not had discussions with Intel or AMD on including Secure Blue in their processors.

[jatos]

Whos been nicking ideas?

Isn't a similar principle used in the XBOX 360?

[bugmenot]

Only way of getting DRM on Linux

It can't be don in software as the software and the system must remain open. Hardware decoders are the only way of getting DRM on Linux. The interface to the decoder would have to be open, and there'd have to be mechanisms for moving keys as you change platform.

[sauce214]

Hardware Upgrades

What happens if you want to upgrade your hardware in the future or if you have a hardware failure. Will all your data that is encrypted on the hd not be accessible with a different cpu?

[requiem--2008]

That's what backups are for...

...you do have backups, don't you?

(Seriously, if your hard disk crashes and starts
plowing furrows into the platters, you'll have
the same problem.)

[requiem--2008]

So what does this protect against?

I can see it working to stop someone reading
data off the RAM chips if they got them out of
the machine and into cold storage fast enough,
but I can get very close to level of protection
through software alone.

What I wonder is, does this do anything to
protect against malicious software? I suspect
not, but the article does not say.