Re: Cryptogram: Palladium Only for DRM

2002-09-19 Thread David Wagner

Peter N. Biddle wrote:
>[...] You can still extract everything in Pd via a HW attack. [...]
>
>How is this BORE resistant? The Pd security model is BORE resistant for a
>unique secret protected by a unique key on a given machine. Your hack on
>your machine won't let you learn the secrets on my machine; to me that's
>BORE resistant.  [...]

Yes, but...

For me, BORE (Break Once Run Everywhere) depends on the application.
You can't analyze Palladium in isolation, without looking at the app,
too.  It doesn't make sense to say "Palladium isn't susceptible to BORE
attacks", if the applications themselves are subject to BORE attacks.

For example, if a record company builds an app that stores an MP3 of
the latest Britney Spears song in a Palladium vault, then this app
will be susceptible to BORE attacks.  Extracting that MP3 from any one
machine suffices to spread it around the world.  It won't comfort the
record company much to note that the attacker didn't learn the Palladium
crypto keys living on other machines; the damage has already been done.
Palladium doesn't make DRM resistant to BORE attacks.  It can't.

In short, there are some applications that Palladium can't make
BORE-resistant.  Some apps (e.g., DRM) are simply fundamentally fragile.

Maybe a more interesting question is: For which apps does Palladium
provide resistance against BORE attacks that is not available by other
means?

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]



Sun donates elliptic curve code to OpenSSL?

2002-09-19 Thread Perry E. Metzger


According to this:

http://www.sun.com/smi/Press/sunflash/2002-09/sunflash.20020919.8.html

Sun is donating some elliptic curve code to the OpenSSL project. Does
anyone know details that they would care to share on the nature of the
donation?

-- 
Perry E. Metzger    [EMAIL PROTECTED]




Re: Cryptogram: Palladium Only for DRM

2002-09-19 Thread Peter N. Biddle

Hi Nomen

I am sending to crypto only as I am not on any of the other aliases you sent
to. Feel free to fwd.

How about "hacked" instead of "broken"? Broken implies that a machine
doesn't work; hacked implies it has been changed somehow but that it still
works. Let's say that a hacked Pd machine is a machine whose root keys have
been discovered through any means outside of the security model for that
machine. So a machine designed to give up its keys or to take keys in from
an outside source isn't hacked. A machine whose security model includes
protecting the keys from everything, but whose keys have become known, is a
hacked machine. I can certainly imagine situations where Pd will be on a
hacked machine and won't know it.

Once the machine has been hacked, a user (or process, or piece of SW, or
whatever) can unlock all secrets which use the local keys as root keys. So
the symmetric keys used to protect a given piece of data would be
compromised, and all data which uses the same symmetric key can now be
unlocked. Rather than having to hand someone data, you could hand them keys
(presuming they have the data already). The "less global" a secret, the less
vulnerable it is to key hand-offs, but if more than one existence of
something is protected by the same key, that key represents an easily
distributed attack.

Even in cases where a given piece of data is secured with a unique key or
keys, once you have hacked those keys (or more likely the root keys used to
gen those keys) you can decrypt the data itself.  If all data in the world
only existed in Pd virtual vaults and was encrypted using different unique
keys, the data itself is still its own secret. You can still extract
everything in Pd via a HW attack. Now rather than hand off the keys, you
hand off the data.

How is this BORE resistant? The Pd security model is BORE resistant for a
unique secret protected by a unique key on a given machine. Your hack on
your machine won't let you learn the secrets on my machine; to me that's
BORE resistant. Any use of Pd to protect global secrets reduces the BORE
resistance for the information protected by those secrets.

Only the Pd nexus (sorry, new name for the nub, er I mean TOR, er I mean
secure kernel, ...) knows each application's secrets, and it protects those
secrets from everything else absolutely. The nexus won't analyze data and
decide if it should or shouldn't be there; no Pd DRL's. (A DRM scheme on top
of Pd could enforce DRL's for content within its own vault, of course, but
it can't cross the vault boundary to try to enforce a DRL in someone else's
vault.) The goal is to protect data for whomever is asking for protection,
and to keep that data secure for that application. (I must note that we are
basing our design on existing US law. Should the law change and require
different behaviors, or should other countries require different behaviors,
we will need to find a way to comply.)

Palladium systems won't seek out and destroy anything, either locally or
remotely. Additionally the nexus has no understanding of what "legitimate" or
"illicit" means, so Pd really couldn't do this if it wanted to (it doesn't).
Data will be protected by Pd (in memory; on disk). Only applications with
the right hash (or those named by the original hashee) can access any given
piece of data.

P

- Original Message -
From: "Nomen Nescio" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>;
<[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
Sent: Wednesday, September 18, 2002 5:10 PM
Subject: Re: Cryptogram: Palladium Only for DRM


> Peter Biddle writes:
> > Pd is designed to fail well - failures in SW design shouldn't result in
> > compromised secrets, and compromised secrets shouldn't result in a BORE
> > attack.
>
> Could you say something about the sense in which Palladium achieves
> BORE ("break once run everywhere") resistance?  It seems that although
> Palladium is supposed to be able to provide content security (among
> other things), a broken Palladium implementation would allow extracting
> the content from the "virtual vault" where it is kept sealed.  In that
> case the now-decrypted content can indeed run everywhere.
>
> This seems to present an inconsistency between the claimed strength of the
> system and the description of its security behavior.  This discrepancy
> may be why Palladium critics like Ross Anderson charge that Microsoft
> intends to implement "document revocation lists" which would let Palladium
> systems seek out and destroy illicitly shared documents and even programs.
>
> Some have claimed that Microsoft is talking out of both sides of its
> mouth, promising the content industry that it will be protected against
> BORE attacks, while assuring the security/privacy community that the
> system is limited in its capabilities.  If you could clear up this
> discrepancy that would be helpful.  Thanks...
>
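Peter's per-machine, per-application sealing and David Wagner's point that it cannot protect a secret that is identical on every machine, modelled as an added example (not Palladium code and not code posted by anyone in this thread). The key derivation and the encrypt-then-MAC sealing are a toy stdlib construction, and every root key, application hash and "song" is constructed.

```python
"""Toy model of per-machine sealed storage and the BORE argument above."""
import hashlib
import hmac
import os


def derive_vault_key(machine_root_key: bytes, app_hash: bytes) -> bytes:
    """Vault key for one application (identified by its code hash) on one
    machine. The root key never leaves the machine; an app only ever sees
    data unsealed for its own hash. Hypothetical KDF, not Palladium's."""
    return hmac.new(machine_root_key, b"vault|" + app_hash, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode; a toy stream cipher for the demo only."""
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(machine_root_key: bytes, app_hash: bytes, data: bytes) -> bytes:
    """Encrypt-then-MAC under the derived vault key: nonce || ct || tag."""
    key = derive_vault_key(machine_root_key, app_hash)
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(machine_root_key: bytes, app_hash: bytes, blob: bytes):
    """Returns the data, or None when the root key or app hash is wrong."""
    key = derive_vault_key(machine_root_key, app_hash)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


def bore_demo() -> dict:
    """Two machines with unique root keys both hold the same 'global' song."""
    root_a, root_b = os.urandom(32), os.urandom(32)      # constructed root keys
    player = hashlib.sha256(b"player v1").digest()       # constructed app hash
    other_app = hashlib.sha256(b"some other app").digest()
    song = b"constructed stand-in for a protected MP3"  # same on every machine
    blob_a = seal(root_a, player, song)
    blob_b = seal(root_b, player, song)
    leaked_root_a = root_a   # a hardware attack on machine A recovers its root key
    return {
        # Per-app isolation: a different hash on the same machine unseals nothing.
        "other_app_blocked": unseal(root_a, other_app, blob_a) is None,
        # Per-machine isolation: A's root key tells the attacker nothing about B's vault.
        "machine_b_vault_safe": unseal(leaked_root_a, player, blob_b) is None,
        # But the content was the same everywhere, so one break exposes it globally.
        "global_secret_exposed": unseal(leaked_root_a, player, blob_a) == song,
    }
```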

--

Re: Fwd: Physics News Update 605 - liquid crystal random number generator

2002-09-19 Thread Bram Cohen

Charles McElwain wrote:

> >James Gleeson, a physicist at Kent State
> >University (330-672-9592, [EMAIL PROTECTED]) has come up with a
> >cheap, fast solution.  He shoots laser light into a sample of liquid
> >crystals.  But because the sample is subject to a turbulent flow, causing
> >haphazard fluctuations in the orientation of the liquid crystals, the
> >digitized transmitted light coming from the sample represents a stream of
> >random numbers.

There's no way a laser's going to be cheaper than a Johnson noise
generator.

Really, the random number generation has been solved - use a Johnson noise
generator for the random bits, and (notwithstanding /dev/random's
suboptimal behavior) put them through a cryptographic device which will
spew out indefinite amounts of random numbers once it's gotten
sufficiently seeded.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
-- John Maynard Keynes





Fwd: Physics News Update 605 - liquid crystal random number generator

2002-09-19 Thread Charles McElwain

>Date: Wed, 18 Sep 2002 14:27:56 -0400
>From: [EMAIL PROTECTED]
>Subject: Physics News Update 605
>
>PHYSICS NEWS UPDATE
>The American Institute of Physics Bulletin of Physics News
>Number 605  September 18, 2002   by Phillip F. Schewe, Ben Stein, and James
>Riordon
>
>[...]
>FAST, CHEAP RANDOM NUMBERS.   The keys needed to encrypt credit card
>transactions and other crucial information floating in cyberspace often rely
>on an infusion of random numbers.  Generating true random numbers is
>actually harder than it seems since the generation process generally follows
>some deterministic algorithm, permitting the possible reappearance of
>unwanted predictability.  James Gleeson, a physicist at Kent State
>University (330-672-9592, [EMAIL PROTECTED]) has come up with a
>cheap, fast solution.  He shoots laser light into a sample of liquid
>crystals.  But because the sample is subject to a turbulent flow, causing
>haphazard fluctuations in the orientation of the liquid crystals, the
>digitized transmitted light coming from the sample represents a stream of
>random numbers.   Gleeson believes that because his device depends on
>standard liquid-crystal-display technology, his compact device can be used
>for many processes requiring random-number generation.  (Applied Physics
>Letters, 9 September 2002.)
>
>***
>PHYSICS NEWS UPDATE is a digest of physics news items arising
>from physics meetings, physics journals, newspapers and
>magazines, and other news sources.  It is provided free of charge
>as a way of broadly disseminating information about physics and
>physicists. For that reason, you are free to post it, if you like,
>where others can read it, providing only that you credit AIP.
>Physics News Update appears approximately once a week.





Re: Cryptogram: Palladium Only for DRM

2002-09-19 Thread José Azevedo

People just keep piling up reasons to justify the SW suicide this is taking.

Perry is very right when he explains that a company that paid for a certain
number of licenses has the right to deal with them in a manner that they
could be used for the purpose they were bought for. If a company spends a few
thousand dollars on hardware and software, it has every right to use that
software in a way that reaches its purpose in the quantity that it was
licensed to. However, it is condemnable that a company can make use of 100
when they licensed 10, a model in which many companies still incur.
But if someone tells me I have to pay an extra server license because I need
to install that SW in a brand new system, in preparation to replace the
older one in a 24x7 environment, I can tell you that is not going to happen.
And do you know why? Because there are ALTERNATIVES!
That's why the market is such a beautiful place. When some product becomes too
screwy with itself, someone puts out another, different, and sometimes the
difference is the key to success, not just the improvement. Sometimes it
just needs to be a little different.

In a world where there are plenty of alternatives, I don't give a damn for
M$ and their bull, just because the time I have to license every step I make
on a computer is the time I go for the alternatives. And my friends, we know
that there are alternatives. And if M$ is great it is because we make it
great, and we can make it smaller again, and we can even create another SW
monster; we have the power to.
M$ is not even the best solution around, it's probably the one that most
people know about. That can also change.

Licensing of SW is dying because someone can make people believe HW and SW
are the same thing, but they aren't and that is a fact. HW is supposed to
last and SW is supposed to work. So, a 1 on 1 licensing is something that
will never be applicable in a real world with real problems.
Well, unless a messiah comes that can break every stupid crack M$ has on
their products, then the world would be perfect. But there it is, this isn't
a perfect world after all.

By the way, God bless that cardio readers aren't M$, or else we would be paying for
every heartbeat when we are in the hospital.

Good work everybody,
JFA







Gary Shapiro: P2P File Sharing is Legal and Moral

2002-09-19 Thread Seth Johnson


(This essay hits many very effective points.  One of the key
things that needs to be borne in mind, however, is the fact
that technological proposals currently on the table are
implementations of the notion, foreign to American society
and jurisprudence, of creators' "moral rights" -- a term
basically saying that creators dictate how information may
be used.  This essay nevertheless clearly represents a very
significant step forward in the discourse.  Forwarded from
POLITECH.  -- Seth)


-------- Original Message --------
Date: Wed, 18 Sep 2002 22:35:19 -0700
From: Declan McCullagh <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]

Some background:
http://www.ce.org/press_room/press_release_detail.asp?id=10027
http://www.ce.org/press_room/speech.doc
http://news.com.com/2100-1023-958324.html?tag=cd_mh

File photo:
http://www.mccullagh.org/image/d30-25/gary-shapiro.html

-Declan

---

Speech by Gary Shapiro, President and CEO of the Consumer
Electronics Association.

The Campaign to Have Copyright Interests Trump Technology
and Consumer Rights

We are at a critical juncture in history when the inevitable
growth of technology is conflicting with the rising power
and strength of copyright owners. How we resolve this
tension between copyright and technology will define our
future ability to communicate, create and share
information, education and entertainment.

Today I would like to share with you my views on this
situation and the questions we must confront as we wind
through this confusing, but historic maze.

There is no doubt that this era’s rapid shift to digital and
other technology is changing the rules of the game.
Reproduction, transmission and storage technology all are
progressing exponentially, resulting in an unprecedented
power to copy, send and save all forms of media.
Reproduction technology has become incredibly cheap and
reliable. Transmission technology, including satellite,
cable, broadcast, wired or wireless, and often connecting
through the Internet, has linked everyone at ever
increasing speeds and competitive pricing. Storage
technologies also quickly have expanded in capacity as
total storage media costs have plummeted.

With each new technology, the fears of the music and motion
picture industries have grown. With television and the VCR,
it was going to be the end of movies. With CDs and
cassettes, it was the supposed harm from real-time
transfers and one-at-a-time copies. Today’s technologies
make these perceived threats seem naïve and harmless. With
high-speed connectivity and the Internet, it’s not buying a
CD and making a copy for a friend; it’s downloading from a
stranger or making available thousands of copies with the
touch of a keystroke.

The growth of reproduction, storage and transmission
technology has terrified copyright owners. The RIAA claims
that 3.6 billion songs are downloaded each month. The RIAA
also estimates that $4.5 billion has been lost by the music
industry due to pirating. And the motion picture industry
also sees the writing on the wall. Fox Group CEO and News
Corp. President Peter Chernin in an August 21 keynote
speech at an Aspen conference claimed that Spiderman and
the latest Star Wars movie were downloaded four million
times following the weekend after their release.

Based on these and similar threats the content community has
gone on a scorched earth campaign - attacking and burning
several new recording and peer-to-peer technologies. They
have used the Congress, media and courts to challenge the
legality of technology and morality and legality of
recording. In the same Aspen speech, Chernin attacked
computers as untrustworthy and the Internet as primarily
used for pornography and downloading.

I believe that hardware and software companies have a mutual
interest in working together, so that they can sell more
products. For years, consumer electronics companies have
been working with both the recording and motion picture
industries on developing technological measures that meet
the needs of both industries. For instance, the DVD
standard includes anti-copying protection. It also includes
an anti-fast forward technology designed to ensure
copyright warnings are shown, but instead is being used to
require consumers to sit through movie previews. CE
companies also have provided digital interfaces that allow
consumers to share content among their own devices while
restricting unauthorized redistribution to the Internet. By
protecting content at the source, content providers can be
assured their intellectual property rights are respected,
while consumers can enjoy unimpeded personal use. However,
source protection should not be used to mislead consumers
to purchase CDs that can only be played on certain CD
players.

Indeed, despite the cooperative efforts, the copyright
community has declared war on technology and is using
lawsuits, legislatures and clever public relations to
restrict the ability to sell and use