RE: A talk on Intellectual Property and National Defense
On Tue, 2003-02-04 at 12:36, Trei, Peter wrote:
> Dave:
>
> Adam is correct - I was responding to him.
>
> 'secure remote attestation that the boot
> sequence was followed'
>
> seems to imply that a net connection back
> to Hollywood would be required to boot.

That's simply not true. TCPA and Palladium are dangerous [1], but they're not that stupid [2].

Here's a brief outline of the TCPA trusted boot and attestation process. Some details have been left out because I forgot them. If you see a cryptographic or protocol flaw with this system, don't assume it's a flaw in TCPA -- read the spec first:

PCR, I think, stands for Platform Configuration Register. They are initially in some known state, and the only way to update them is: new value = SHA1 (old value || input).

1. First boot stage is measured, result goes to PCR0. BIOS runs first boot stage.
2. First boot stage measures second boot stage, result goes to PCR1. First boot stage runs second boot stage.
3. Repeat until OS is loaded.

So, no net connection is required for trusted boot. A net connection *is* required for remote attestation (but see below) -- because a net connection is required for remote *anything*!

Remote attestation works like this:

1. Remote computer requests platform state, sends nonce (to show that the authentication is online)
2. TPM signs (nonce || PCRs || various certs) with some identity key. TPM's public key is signed by a CA which vouches for the state of the platform when the identity key was created, and the various certs certify that various pieces of the base platform (i.e. the hardware and low-level software bits) will behave as expected.
3. Local machine sends this to remote computer (if desired).

The remote computer can then "seal" information to this platform. The idea of sealing is that data is encrypted with a symmetric key, and this symmetric key, along with a list of PCR values is encrypted with a public key. The private key to that public key is stored within (or, more likely, encrypted by a key, which is encrypted by a key, ...) the tamper-resistant TPM. The TPM will refuse to decrypt the symmetric key unless the PCRs stored with it match the current PCRs.

So, if you attest that your platform is in a certain state, you're sent data sealed to that platform. If you then change your platform configuration, you'll not be able to read the sealed data.

So, while you will need to be online to download these new music, movies, or software, you won't need to be online to play them later.

[1] It's beyond the scope of this message to discuss the potential evils of TCPA, Palladium, etc, to fair use, individual rights, societal openness, Free Software, competition in the software market, etc. But the risk is great.

[2] I'm always tempted to underestimate the intelligence of those I disagree with, and I suspect others are as well. Often, when I discuss the political problems with TCPA, I'm told that people will always simply crack the system. This comes in part from experience with pure software systems, which of course can't actually work, and in part from wishful thinking. Ultimately, it seems to be a species of the same fallacy discussed in Lessig's book, _Code and Other Laws of Cyberspace_. It's true that, for instance, instrumented RAM will probably make it easy to get content out of the first generation of TCPA systems. But the next generation will stick some measurement of the RAM into a PCR. That will be cracked too, but the cost of a break will keep going up (just as the cost of modchips has increased between psx and ps2 or xbox). And the legal risks to modchip makers have also increased -- recently, several makers of modchips have been shut down.

--
-Dave Turner Stalk Me: 617 441 0668

"On matters of style, swim with the current, on matters of principle, stand like a rock." -Thomas Jefferson

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
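The measured boot and sealing steps outlined in the message above, as an added Python sketch that is not part of the original thread and not TCPA code. `ToyTPM`, `measured_boot`, `demo`, the all-zero initial PCR value and the HMAC/XOR key wrap (standing in for the TPM's public-key encryption) are assumptions made for illustration.

```python
import hashlib, hmac, os

PCR_INIT = b"\x00" * 20  # assumption: the known initial PCR state is all zeros

def extend(old, measurement):
    # Update rule from the message: new value = SHA1(old value || input)
    return hashlib.sha1(old + measurement).digest()

def measured_boot(stages):
    # Each stage is hashed before it runs; stage i's result goes to PCR i.
    return [extend(PCR_INIT, hashlib.sha1(s).digest()) for s in stages]

class ToyTPM:
    """Hypothetical model, not a TCPA interface; HMAC stands in for public-key ops."""
    def __init__(self, stages):
        self._root = os.urandom(32)  # secret that never leaves the "TPM"
        self.boot(stages)

    def boot(self, stages):
        self.pcrs = measured_boot(stages)  # PCRs start over on every boot

    def _pad(self, salt, pcrs):
        # Keystream bound to the PCR list, so editing the list yields garbage.
        return hmac.new(self._root, salt + b"".join(pcrs), hashlib.sha256).digest()

    def seal(self, sym_key, required_pcrs):
        if len(sym_key) != 32:
            raise ValueError("this sketch wraps 32-byte keys only")
        salt = os.urandom(16)
        pad = self._pad(salt, required_pcrs)
        return salt, list(required_pcrs), bytes(a ^ b for a, b in zip(sym_key, pad))

    def unseal(self, blob):
        salt, required, wrapped = blob
        if required != self.pcrs:  # the refusal described in the message
            raise PermissionError("current PCRs do not match the sealed PCRs")
        return bytes(a ^ b for a, b in zip(wrapped, self._pad(salt, required)))

def demo():
    good = [b"boot block v1", b"loader v1", b"kernel v1"]  # constructed stages
    tpm, key = ToyTPM(good), os.urandom(32)
    blob = tpm.seal(key, tpm.pcrs)   # sealed to the attested state
    tpm.boot(good)                   # later reboot, no network involved
    same_state = tpm.unseal(blob) == key
    tpm.boot([good[0], b"patched loader", good[2]])
    try:
        tpm.unseal(blob)
    except PermissionError:
        return same_state, True      # changed configuration is refused
    return same_state, False
```

`demo()` returns a pair: whether the key was recovered after an offline reboot into the same configuration, and whether unsealing was refused after the second boot stage changed.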
DRM with remote attestation (Re: A talk on Intellectual Property and National Defense)
No that's not the way it would work.

There would be a secure remote attestation certified by the endorsement key which is signed by the hw manufacturer and never leaves the device. Bound to this attestation would be a key exchange which results in the device negotiating a shared key with the music server. The music server keys would be sealed with keys derived from your current software state (OS, BIOS etc).

Then you can boot any way you like, online or offline, just if you ever boot without the right state the TPM can't recompute the sealing keys and so you can't access data sealed under that state.

Adam
--
(Personal comments only)

On Tue, Feb 04, 2003 at 12:36:25PM -0500, Trei, Peter wrote:
> 'secure remote attestation that the boot
> sequence was followed'
>
> seems to imply that a net connection back
> to Hollywood would be required to boot.
>
> 'All your computer are belong to us'.
>
> Peter Trei
RE: A talk on Intellectual Property and National Defense
Dave:

Adam is correct - I was responding to him.

'secure remote attestation that the boot sequence was followed'

seems to imply that a net connection back to Hollywood would be required to boot.

'All your computer are belong to us'.

Peter Trei

> --
> From: Adam Shostack[SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, February 04, 2003 11:42 AM
> To: Dave Farber
> Cc: Trei, Peter; [EMAIL PROTECTED]
> Subject: Re: A talk on Intellectual Property and National Defense
>
> Dave,
>
> I think Peter was responding to me, not you.
>
> And no, I'm not proposing that this be done, but I suspect that the
> RIAA and MPAA will go as far as saying no off-net viewing of
> controlled media. Recall that they already supported the DIVX system
> which required a phone line to work. From their perspective, it's
> their content, and they're going to squeeze as much from it as they
> can.
>
> Adam
>
> On Tue, Feb 04, 2003 at 11:37:20AM -0500, Dave Farber wrote:
> | Sorry that is not what I said. Where did you get that from the above?
> |
> | On 2/4/03 11:28 AM, "Trei, Peter" <[EMAIL PROTECTED]> wrote:
> |
> | >> Adam Shostack[SMTP:[EMAIL PROTECTED]] writes:
> | >>
> | >> I believe that DRM systems will require not just an authorized boot
> | >> sequence, but a secure remote attestation that that boot sequence was
> | >> followed, and a secure attestation as to the versions of the software
> | >> on your system. So, while a secure system is needed for AT/DRM, it's
> | >> not enough.
> | >>
> | > Let me get this straight - in order to make the RIAA and MPAA richer,
> | > we're going to ban off-net computer use? If you're not near a WiFi
> | > hotspot you won't be able to boot your laptop?
> | >
> | > Peter Trei
> | >
>
> --
> "It is seldom that liberty of any kind is lost all at once."
> -Hume
Re: A talk on Intellectual Property and National Defense
Dave,

I think Peter was responding to me, not you.

And no, I'm not proposing that this be done, but I suspect that the RIAA and MPAA will go as far as saying no off-net viewing of controlled media. Recall that they already supported the DIVX system which required a phone line to work. From their perspective, it's their content, and they're going to squeeze as much from it as they can.

Adam

On Tue, Feb 04, 2003 at 11:37:20AM -0500, Dave Farber wrote:
| Sorry that is not what I said. Where did you get that from the above?
|
| On 2/4/03 11:28 AM, "Trei, Peter" <[EMAIL PROTECTED]> wrote:
|
| >> Adam Shostack[SMTP:[EMAIL PROTECTED]] writes:
| >>
| >> I believe that DRM systems will require not just an authorized boot
| >> sequence, but a secure remote attestation that that boot sequence was
| >> followed, and a secure attestation as to the versions of the software
| >> on your system. So, while a secure system is needed for AT/DRM, it's
| >> not enough.
| >>
| > Let me get this straight - in order to make the RIAA and MPAA richer,
| > we're going to ban off-net computer use? If you're not near a WiFi
| > hotspot you won't be able to boot your laptop?
| >
| > Peter Trei
| >

--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Re: A talk on Intellectual Property and National Defense
Sorry that is not what I said. Where did you get that from the above?

On 2/4/03 11:28 AM, "Trei, Peter" <[EMAIL PROTECTED]> wrote:

>> Adam Shostack[SMTP:[EMAIL PROTECTED]] writes:
>>
>> I believe that DRM systems will require not just an authorized boot
>> sequence, but a secure remote attestation that that boot sequence was
>> followed, and a secure attestation as to the versions of the software
>> on your system. So, while a secure system is needed for AT/DRM, it's
>> not enough.
>>
> Let me get this straight - in order to make the RIAA and MPAA richer,
> we're going to ban off-net computer use? If you're not near a WiFi
> hotspot you won't be able to boot your laptop?
>
> Peter Trei
RE: A talk on Intellectual Property and National Defense
> Adam Shostack[SMTP:[EMAIL PROTECTED]] writes:
>
> I believe that DRM systems will require not just an authorized boot
> sequence, but a secure remote attestation that that boot sequence was
> followed, and a secure attestation as to the versions of the software
> on your system. So, while a secure system is needed for AT/DRM, it's
> not enough.
>

Let me get this straight - in order to make the RIAA and MPAA richer, we're going to ban off-net computer use? If you're not near a WiFi hotspot you won't be able to boot your laptop?

Peter Trei
Re: A talk on Intellectual Property and National Defense
I believe that DRM systems will require not just an authorized boot sequence, but a secure remote attestation that that boot sequence was followed, and a secure attestation as to the versions of the software on your system. So, while a secure system is needed for AT/DRM, it's not enough.

To expand a little:

By authorized boot sequence, I mean that I can say only software signed by one of these keys may load. Without that, I, or an attacker, can load arbitrary software.

By secure remote attestation I mean that the reference monitor has a key, which can't be exported, which can sign attestations as to what software keys are allowed to load sw on my system. Without this, the copyright controller can't decide if they can rely on your system to act as their agent.

Without software versioning attestation, I can just keep my vulnerable copy of the OS around, root it, and run the software of my choice on it.

These are not requirements for me to control my own system, but they are needed to prevent me from tinkering.

Adam

On Tue, Feb 04, 2003 at 09:29:34AM -0500, Dave Farber wrote:
|
| I sent this to my IP list. One of the major points I made here is that
| secure systems (and I am not calling Palladium a secure system) can host DRM
| software. So one can have secure systems in which case it will take either
| law or strong market pressure to not have DRM else we can not have secure
| systems in which case DRM will most likely be broken endlessly.
|
| Comments?
|
| Dave
|
| Ps please excuse the inability to hear the questions from the floor, I
| recorded it with a small digital recorder on the podium.
|
| From: Dave Farber <[EMAIL PROTECTED]>
| Subject: [IP] Streaming REAL Audio now available of my HCSS speech with
|   introduction by John Seely Brown
| To: ip <[EMAIL PROTECTED]>
| Date: Wed, 29 Jan 2003 03:27:06 -0500
| Reply-To: [EMAIL PROTECTED]
|
| There is a Real audio version of my Distinguished Lecture
| given at the Hawaii International Conference on System Sciences
| this Jan in Kona, Hawaii.
|
| The introduction was given by John Seely Brown
| (great intro). The title is Intellectual Property and National Security.
|
| http://www.vortex.com/rmf/djf-hicss-2003.ram
|
| PowerPoint available on request.
|
| Enjoy,
|
| Dave
|

--
"It is seldom that liberty of any kind is lost all at once."
-Hume