At 3:53 PM -0500 on 8/15/02, Bruce Schneier wrote:

Palladium and the TCPA

There's been more written about Microsoft's Palladium security initiative than about anything else in computer security in a very long time. My URL list of comments, analysis, and opinions goes on for quite a while. Which is interesting, because we really don't know anything about the details of what it is or how it works. Much of this is based on reading between the lines in the various news reports, conversations I've had with Microsoft people (none of them under NDA), and conversations with people who've had conversations. But since I don't know anything for sure, all of this could be wrong.

Palladium (like chemists, Microsoft calls it "Pd" for short) is Microsoft's implementation of the TCPA spec, sort of. ("Sort of" depends on who you ask. Some say it's related. Some say they do similar things, but are unrelated. Some say that Pd is, in fact, Microsoft's attempt to preempt the TCPA spec.) TCPA is the Trusted Computing Platform Alliance, an organization with just under 200 corporate members (an impressive list, actually) trying to build a trusted computer. The TCPA 1.1 spec has been published, and you can obtain the 1.2 spec under NDA. Pd doesn't follow the spec exactly, but it's along those lines, sort of.

Pd has been in development for a long time, since at least 1997. The best technical description is the summary of a meeting with Microsoft engineers by Seth Schoen of the EFF (URL below). I'm not going to discuss the details, because systems with an initial version of Pd aren't going to ship until 2004 -- at least -- andthe details are all likely to change.

Basically, Pd is Microsoft's attempt to build a trusted computer, much as I discussed the concept in "Secrets and Lies" (pages 127-130); read it for background). The idea is that different users on the system have limitations on their abilities, and are walled off from each other. This is impossible to achieve using only software; and Pd is a combination hardware/software system. In fact, Pd affects the CPU, the chip set on the motherboard, the input devices (keyboard, mouse, etc.), and the video output devices (graphics processor, etc.). Additionally, a new chip is required: a tamper-resistant secure processor.

Microsoft readily acknowledges that Pd will not be secure against hardware attacks. They spend some effort making the secure processor annoying to pry secrets out of, but not a whole lot of effort. They assume that the tamper-resistance will be defeated. It is their intention to design the system so that hardware attacks do not result in class breaks: that breaking one machine doesn't help you break any others.

Pd provides protection against two broad classes of attacks. Automatic software attacks (viruses, Trojans, network-mounted exploits) are contained because an exploited flaw in one part of the system can't affect the rest of the system. And local software-based attacks (e.g., using debuggers to pry things open) are protected because of the separation between parts of the system.

There are security features that tie programs and data to CPU and to user, and encrypt them for privacy. This is probably necessary to make Pd work, but has a side-effect that I'm sure Microsoft is thrilled with. Like books and furniture and clothing, the person who currently buys new software can resell it when he's done with it. People have a right to do this -- it's called the "First Sale Doctrine" in the United States -- but the software industry has long claimed that software is not sold, but licensed, and cannot be transferred. When someone sells a Pd-equipped computer, he is likely to clear his keys so that his identity can't be used or files can't be read. This will also serve to erase all the software he purchased. The end result might be that people won't be able to resell software, even if they wanted to.

Pd is inexorably tied up with Digital Rights Management. Your computer will have several partitions, each of which will be able to read and write its own data. There's nothing in Pd that prevents someone else (MPAA, Disney, Microsoft, your boss) from setting up a partition on your computer and putting stuff there that you can't get at. Microsoft has repeatedly said that they are not going to mandate DRM, or try to control DRM systems, but clearly Pd was designed with DRM in mind.

There seem to be good privacy controls, over and above what I would have expected. And Microsoft has claimed that they will make the core code public, so that it can be reviewed and evaluated. It's about time they realized that lots of people are willing to do their security work for free.

It's hard to sort out the antitrust implications of Pd. Lots of people have written about it. Will Microsoft jigger Pd to prevent Linux from running? They don't dare. Will it take standard Internet protocols and replace them with Microsoft-proprietary protocols? I don't think so. Will you need a Pd-enabled device -- the system is meant for both general-purpose computers and specialized media devices -- in order to view copyrighted content? More likely. Will Microsoft enforce its Pd patents as strongly as it can? Almost certainly.

Lots of information about Pd will emanate from Redmond over the next few years, some of it true and some of it not. Things will change, and then change again. The final system may not look anything like what we've seen to date. This is normal, and to be expected, but when you continue to read about Pd, be sure to keep several things in mind.

1. A "trusted" computer does not mean a computer that is trustworthy. The DoD's definition of a trusted system is one that can break your security policy; i.e., a system that you are forced to trust because you have no choice. Pd will have trusted features; the jury is still out as to whether or not they are trustworthy.

2. When you think about a secure computer, the first question you should ask is: "Secure for whom?" Microsoft has said that Pd allows the computer-owner to prevent others from putting their own secure areas on the computer. But really, what is the likelihood of that really happening? The NSA will be able to buy Pd-enabled computers and secure them from all outside influence. I doubt that you or I could, and still enjoy the richness of the Internet. Microsoft really doesn't care about what you think; they care about what the RIAA and the MPAA think. Microsoft can't afford to have the media companies not make their content available on Microsoft platforms, and they will do what they can to accommodate them. There's often a large gulf between what you can get in theory -- which is what Microsoft is stressing in their Pd discussions -- and what you will be able to have in practice. This is where the primary danger lies.

3. Like everything else Microsoft produces, Pd will have security holes large enough to drive a truck through. Lots of them. And the ones that are in hardware will be much harder to fix. Be sure to separate the Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0.

4. Pay attention to the antitrust angle. I guarantee you that Microsoft believes Pd is a way to extend its market share, not to increase competition.

There's a lot of good stuff in Pd, and a lot I like about it. There's also a lot I don't like, and am scared of. My fear is that Pd will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet. To the extent that Pd facilitates that reality, it's bad for society. I don't mind companies selling, renting, or licensing things to me, but the loss of the power, reach, and flexibility of the computer is too great a price to pay.

<http://www.theregus.com/content/4/25378.html> <http://www.msnbc.com/news/770511.asp?cp1=1> <http://news.com.com/2100-1001-938973.html?tag=cd_mh> <http://www.eweek.com/article2/0,3959,267488,00.asp> <http://www.internetweek.com/story/INW20020626S0007> <http://www.osopinion.com/perl/story/18379.html> <http://www.infoworld.com/articles/hn/xml/02/06/25/020625hnpalladium.xml> <http://www.newscientist.com/news/news.jsp?id=ns99992449> <http://www.washingtonpost.com/wp-dyn/articles/A51780-2002Jun26.html> <http://www.theregus.com/content/4/25630.html> <http://www.internetweek.com/story/INW20020626S0007>

Seth Schoen's meeting summary: <http://vitanuova.loyalty.org/2002-07-03.html>

Opinions: <http://www.nytimes.com/2002/07/04/business/04SCEN.html> <http://online.securityfocus.com/columnists/96> <http://zdnet.com.com/2102-1107-942699.html> <http://online.securityfocus.com/columnists/93> <http://zdnet.com.com/2102-1107-939817.html> <http://www.theregister.co.uk/content/4/25843.html> <http://www.pbs.org/cringely/pulpit/pulpit20020627.html>

Ross Anderson on TCPA and Palladium: <http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html> <http://www.theregus.com/content/4/25415.html>

TCPA Web site: <http://www.trustedcomputing.org/tcpaasp4/index.asp>

-- ----------------- R. A. Hettinga <mailto: rah@ibuc.com> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'