It won't happen here (was Re: TCPA/Palladium -- likely future implications)

[Marcel Popescu]

From: AARG! Anonymous [EMAIL PROTECTED]

 Think about it: this one innocuous little box holding the TPME key could
 ultimately be the root of trust for the entire world.  IMO we should
 spare no expense in guarding it and making sure it is used properly.
 With enough different interest groups keeping watch, we should be able
 to keep it from being used for anything other than its defined purpose.

Now I know the general opinion of AARG, and I can't say I much disagree. But
I want to comment on something else here, which I find to be a common trait
with US citizens: it can't happen here. The Chinese gov't can do anything
they like, because any citizen who would try to keep watch would find
himself shot. What basic law of the universe says that this can't happen in
the US? What exactly will prevent them, 10 years from now, to say
compelling state interests require that we get to do whatever we want with
the little box? You already have an official gov't against 1st ammendment
policy, from what I've read.

Mark

TCPA/Palladium -- likely future implications (Re: dangers of TCPA/palladium)

[Adam Back]

On Thu, Aug 08, 2002 at 09:15:33PM -0700, Seth David Schoen wrote:
 Back in the Clipper days [...] how do we know that this
 tamper-resistant chip produced by Mykotronix even implements the
 Clipper spec correctly?.

The picture is related but has some extra wrinkles with the
TCPA/Palladium attestable donglization of CPUs.

- It is always the case that targetted people can have hardware
attacks perpetrated against them.  (Keyboard sniffers placed during
court authorised break-in as FBI has used in mob case of PGP using
Mafiosa [1]).

- In the clipper case people didn't need to worry much if the clipper
chip had malicious deviations from spec, because Clipper had an openly
stated explicit purpose to implement a government backdoor -- there's
no need for NSA to backdoor the explicit backdoor.

But in the TCPA/Palladium case however the hardware tampering risk you
identify is as you say relevant:

- It's difficult for the user to verify hardware.  

- Also: it wouldn't be that hard to manufacture plausibly deniable
implementation mistakes that could equate to a backdoor -- eg the
random number generators used to generate the TPM/SCP private device
keys.

However, beyond that there is an even softer target for would-be
backdoorers:

- the TCPA/Palladium's hardware manufacturers endoresment CA keys.

these are the keys to the virtual kingdom formed -- the virtual
kingdom by the closed space within which attested applications and
software agents run.


So specifically let's look at the questions arising:

1. What could a hostile entity(*) do with a copy of a selection of
hardware manufacturer endorsement CA private keys?

( (*) where the hostile entity candidates would be for example be
secret service agencies, law enforcement or homeland security
agencies in western countries, RIAA/MPAA in pursuit of their quest to
exercise their desire to jam and DoS peer-to-peer file sharing
networks, the Chinese government, Taiwanese government (they may lots
of equipment right) and so on).

a. Who needs to worry -- who will be targetted?

Who needs to worry about this depends on how overt third-party
ownership of these keys is, and hence the pool of people who would
likely be targetted.  

If it's very covert, it would only be used plausibly deniably and only
for Nat Sec / Homeland Security purposes.  It if becomse overt over
time -- a publicly acknowledged, but supposedly court controlled
affair like Clipper, or even more widely desired by a wide-range of
entities for example: keys made available to RIAA / MPAA so they can
do the hacking they have been pushing for -- well then we all need to
worry.


To analyse the answer to question 1, we first need to think about
question 2:

2. What kinds of TCPA/Palladium integrity depending trusted
applications are likely to be built?

Given the powerful (though balance of control changing) new remotely
attestable security features provided by TCPA/Palladium, all kinds of
remote services become possible, for example (though all to the extent
of hardware tamper-resistance and belief that your attacker doesn't
have access to a hardware endorsement CA private key):

- general Application Service Providers (ASPs) that you don't have to
trust to read your data

- less traceable peer-to-peer applications

- DRM applications that make a general purpose computer secure against
BORA (Break Once Run Anywhere), though of course not secure against
ROCA (Rip Once Copy Everywhere) -- which will surely continue to
happen with ripping shifting to hardware hackers.

- general purpose unreadable sandboxes to run general purpose
CPU-for-rent computing farms for hire, where the sender knows you
can't read his code, you can't read his input data, or his output
data, or tamper with the computation.

- file-sharing while robustly hiding knowledge and traceability of
content even to the node serving it -- previously research question,
now easy coding problem with efficient

- anonymous remailers where you have more assurance that a given node
is not logging and analysing the traffic being mixed by it


But of course all of these distributed applications, positive and
negative (depending on your view point), are limited in their
assurance of their non-cryptographically assured aspects:

- to the tamper resistance of the device

- to the extent of the users confidence that an entity hostile to them
doesn't have the endorsement CA's private key for the respective
remote servers implementing the network application they are relying
on


and a follow-on question to question 2:

3. Will any software companies still aim for cryptographic assurance?

(cryptographic assurance means you don't need to trust someone not to
reverse engineer the application -- ie you can't read the data because
it is encrypted with a key derived from a password that is only stored
in the users head).

The extended platform allows you to build new classes of applications
which aren't currently buildable to cryptographic levels of 

Re: TCPA/Palladium -- likely future implications

[James A. Donald]

--
On 9 Aug 2002 at 17:15, AARG! Anonymous wrote:
 to understand it you need a true picture of TCPA rather than the 
 false one which so many cypherpunks have been promoting.

As TCPA is currently vaporware, projections of what it will be, 
and how it will be used are judgments, and are not capable of 
being true or false, though they can be plausible or implausible.

Even with the best will in the world, and I do not think the 
people behind this have the best will in the world, there is an 
inherent conflict between tamper resistance and general purpose 
programmability.  To prevent me from getting at the bits as they 
are sent to my sound card or my video card, the entire computer, 
not just the dongle, has to be somewhat tamper resistant, which is 
going to make the entire computer somewhat less general purpose 
and programmable, thus less useful.

The people behind TCPA might want to do something more evil than 
you say they want to do, if they want to do what you say they want 
to do they might be prevented by law enforcement which wants 
something considerably more far reaching and evil, and if they
want to do it, and law enforcement refrains from reaching out and 
taking hold of their work, they still may be unable to do it for 
technical reasons. 

--digsig
 James A. Donald
 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG
 D7ZUyyAS+7CybaH0GT3tHg1AkzcF/LVYQwXbtqgP
 2HBjGwLqIOW1MEoFDnzCH6heRfW1MNGv1jXMIvtwb

Re: TCPA/Palladium -- likely future implications

[Mike Rosing]

On Fri, 9 Aug 2002, AARG! Anonymous wrote:

 : Allow computers separated on the internet to cooperate and share data
 : and computations such that no one can get access to the data outside
 : the limitations and rules imposed by the applications.

 It seems to me that my definition is far more useful and appropriate in
 really understanding what TCPA/Palladium are all about.  Adam, what do
 you think?

Just because you can string words together and form a definition doesn't
make it realizable.  Once data is in the clear it can be copied, and no
rules can change that.  Either the data is available to the user, and
they can copy it - or the data is not available to the user, and there's
nothing they can do when their machine does somebody elses calculations.

 I have a couple of suggestions.  One early application for TCPA is in
 closed corporate networks.  In that case the company usually buys all
 the computers and prepares them before giving them to the employees.
 At that time, the company could read out the TPM public key and sign
 it with the corporate key.  Then they could use that cert rather than
 the TPME cert.  This would protect the company's sensitive data against
 eavesdroppers who manage to virtualize their hardware.

And guess what?  I can buy that today!  I don't need either TCPA or
Palladium.  So why do we need TCPA?

 Think about it: this one innocuous little box holding the TPME key could
 ultimately be the root of trust for the entire world.  IMO we should
 spare no expense in guarding it and making sure it is used properly.
 With enough different interest groups keeping watch, we should be able
 to keep it from being used for anything other than its defined purpose.

Man, I want the stuff you are smoking!  One attack point is the root of
trust for the whole world!!???!!!  Take another hit dude, and make sure
you see lots of colors too.

Patience, persistence, truth,
Dr. mike