more TCPA stuff (Re: "trust me" pseudonyms in TCPA)

Adam Back adam at cypherspace.org
Mon Aug 5 14:26:28 PDT 2002


On Mon, Aug 05, 2002 at 07:42:45AM -0700, Mike Rosing wrote:
> On Mon, 5 Aug 2002, Adam Back wrote:
> > The corresponding public key is certified by the secure hardware
> > manufacturer, I think.
> 
> Are all the keys certified?  Are any copied outright?

Note there is one key that is endorsed, so per machine there is one
key, singular.

On the other interpretation of your question: do we trust that the
manufacturer didn't take a copy of the key while certifying it?

Good question.

The scenario is analogous to the pre-generated private key on a smart
card.  Do you trust what the hardware vendor did with it?  Did they
generate the private key off chip and keep a copy?  Did they
generate the private key on chip but export it at the time of
certifying the public key?

Except in this case the smart card is attached to your motherboard,
mediates control of the platform and is called the "TPM" Trusted
Platform Module.

While there are approaches to having third party audits of the
process, publishing the source code, etc; it's still typically not a
very transparent affair as it's in tamper resistant hardware, plus
vulnerable to plausibly deniable snafus, and undetectable backdooring
even if it is generated on TPM.

> But I'm confused, so keep at it and maybe I'll figure something out!

Effectively I think the best succinct description of the platform's
motivation and function is that:

"TCPA/Palladium is an extensible, general purpose programmable dongle
soldered to your mother board with centralised points belonging to
Microsoft/IBM/Intel/".

It seems to me there is both strong possibility for it becoming a
focus for future government attempts at policy malware and legislated
technology implementation, and a focus for RIAA/MPAA/WIPO policies imposing
further expansionist and monopoly propping legislation and legislated
technology implementation to enforce the worst excesses of DMCA.


The technology components are very interesting.  The implications of
what can be done with sealing, secure boot-strapping and remote
attestation are a departure from what people were thinking was
possible with general purpose computing.  As anonymous points out it
makes possible all kinds of applications and changes the nature of
what can be cryptographically assured.

With current non-TCPA platforms the limit of what can be
cryptographically assured is for example what can be encrypted with
password, or other cryptographic mechanism.

Cryptographic assurance is also known as "data separation" -- the
concept that the cryptography is able to completely cover the
application's policy restrictions without leaving "trusted" software
components necessary to enforce policies too complex to implement with
encryption / data separation.

With TCPA you can build general purpose policy code which does not
exhibit cryptographic assurance, and yet due to the TCPA platform
assures similar levels of security assurance.  That's a huge change in
world view in the domain of security applications.

In slightly more detail, you can either build applications rooted in
the remote attestation, sealing and secure boot-strapping functions I
described in an earlier post.  Or you can add your own custom policy
and even applications inside a hardware assured code compartment which
the user can not access or tamper with.

One aspect of the implications is the implementation and security
possibilities it lends to DRM applications.  Personally I don't find
this aspect a good thing because I think current copyright law has
reached a state of being a net negative for society and freedom, and
that it's time to rescind them and start-over.


I think we should try to analyse, as William Arbaugh suggested in [7], what
is desirable, what is safe to implement, and ways to change the
platform to remove the negative aspects.


From my current understanding, the worst problem is the centralised
control of this platform.  If it were completely open, and possible to
fix its potential dangers, it would bring about a new framework of
secured computing and could be a net positive.  In its current form
with centralised control and other problems it could be a big net
negative.

Adam

[7] "The TCPA; What's wrong; What's right and what to do about",
William Arbaugh, 20 Jul 2002
http://www.cs.umd.edu/~waa/TCPA/TCPA-goodnbad.html




