Is Intel's New CPU Identification for Data Security Only a Marketing Gag?

Comment From A Data Security Expert

Will Intel's New CPU Serial Number Boost e-commerce Security?

The electronic commerce industry is currently evaluating the unique identification number provided by new Intel CPUs as a means of securely validating the identity of a user wishing to perform a transaction via the Internet. Let's have a closer look at the level of security that can actually be attained with such a feature.

User identification

The serial number is tied to the processor chip. To uniquely identify an individual, there would have to be a fixed one-to-one user-processor relationship. While this may be true (at least to a certain extent) for computers used at home, it would be useless in environments where people share computers. Of course, the identification would change with every processor upgrade, change hands legitimately by the computer (or the CPU chip) being sold or given away, and SMP environments would feature multiple unique serial numbers. Additionally, ID-less CPUs will be around for a long time, and even on chips that have it, it can be disabled through software. Therefore, it is unlikely that software will ever rely solely on the CPU serial number to identify a user.

Machine identification

Now that we have established that the CPU serial number is fairly useless for verifying the identity of humans, let's see if it can at least identify a machine securely enough to use it as a base for a client-server trust relationship.

The serial number is available in the clear to software running on the CPU. Cryptographic challenge-response schemes will have to be implemented in software, and thus suffer from the same vulnerabilities as any other means of storing a cryptographic key in a CPU-readable way: someone breaking into a CPU-ID protected server can trivially steal its identity and impersonate it on any machine by copying and modifying the server-side software to use the desired ID, or, if this turns out to be too difficult, running it in a virtual machine that emulates the relevant instruction appropriately. This also jeopardizes the usefulness of the ID as a base for copy-protection schemes.

Of course, a cryptographically secure implementation would use the serial number as the key to a sufficiently strong hard-wired crypto-algorithm. Unfortunately, chip real estate and export restrictions as well as the unresolvable key management problem rule this out immediately.

Conclusion

It looks like Intel's latest innovation is little more than a marketing gimmick. The only real-world value that it might possibly have is a hardware-based, OS-independent way of creating profiles of and tracking unsuspecting users.

Kim Schmitz, CEO Data Protect GmbH
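The point Schmitz makes about software challenge-response built on the serial number, modelled as an added Python example (not code from the article or from Data Protect): the serial is a fictional, constructed value, HMAC-SHA256 stands in for whatever software algorithm a vendor might pick, and the server's verifier is shown to be unable to tell the genuine machine from any party that has merely read the serial, so the ID can at most identify, never authenticate.

```python
import hashlib
import hmac
import secrets

# Constructed sample: a fictional 96-bit processor serial rendered as hex.
# Placeholder only, not a real serial number.
GENUINE_SERIAL = "0000067200a1b2c3d4e5f607"


class SerialKeyedClient:
    """A machine whose only 'secret' is its CPU serial, which any software
    running on it (or an emulator of the CPUID instruction) can read."""

    def __init__(self, serial_hex):
        self.serial_hex = serial_hex

    def read_serial(self):
        # Models the cleartext availability of the ID to software.
        return self.serial_hex

    def respond(self, challenge):
        key = bytes.fromhex(self.serial_hex)
        return hmac.new(key, challenge, hashlib.sha256).hexdigest()


class Server:
    """Server that registered a machine by its serial and challenges it."""

    def __init__(self, registered_serial_hex):
        self.key = bytes.fromhex(registered_serial_hex)

    def new_challenge(self):
        return secrets.token_bytes(16)

    def verify(self, challenge, response):
        expected = hmac.new(self.key, challenge, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, response)


def run_exchange(server, client):
    """One challenge-response round; True if the server accepts the client."""
    challenge = server.new_challenge()
    return server.verify(challenge, client.respond(challenge))


def serial_is_identification_only(server, genuine):
    """Returns True when a second party holding nothing but the read-out
    serial is accepted exactly like the genuine machine: the verifier has
    no way to distinguish them, so the serial is an identifier, not a
    credential, and should be logged, not trusted."""
    copy = SerialKeyedClient(genuine.read_serial())
    return run_exchange(server, genuine) and run_exchange(server, copy)
```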

Michael Van Loon sent me this interesting comment:

Every computer that has an Ethernet card in it already has a unique ID which can be used to identify that computer when it interacts with other computers on the Internet. It is not currently transmitted in every message, but easily could be. Furthermore, unlike Intel's proposal, there is currently no way to turn it off (though you certainly could configure software to not pass it to a remote host, as long as you were using TCP/IP).

What's more, I'm sure that at least some encryption algorithms may use that Ethernet ID to seed their random number generator, though this is mere speculation on my part.

[..]

I am a senior software developer at an EDI/EC software tools company. This is where my experience comes from.

So what is the deal with this CPU ID number? It is certainly not a new invention, and I doubt that Intel is completely unaware of the huge security flaws that come along with it. Could it be that Intel wants to achieve something completely different with it? Wouldn't it be cool if Intel could check which CPU each and every Internet user has got? They would know where it came from, where it was bought and who is using it right now. This could be invaluable information for Intel, and we are even paying for it. I guess I will never leave my CPU ID number enabled; God knows what Intel really wants to do with it.