Schneier on Palladium and the TCPA (was Re: CRYPTO-GRAM, August 15, 2002)

Thu Aug 15 15:40:43 PDT 2002

At 3:53 PM -0500 on 8/15/02, Bruce Schneier wrote:


>              Palladium and the TCPA
>
>
>
> There's been more written about Microsoft's Palladium security initiative
> than about anything else in computer security in a very long time.  My URL
> list of comments, analysis, and opinions goes on for quite a while.  Which
> is interesting, because we really don't know anything about the details of
> what it is or how it works.  Much of this is based on reading between the
> lines in the various news reports, conversations I've had with Microsoft
> people (none of them under NDA), and conversations with people who've had
> conversations.  But since I don't know anything for sure, all of this could
> be wrong.
>
> Palladium (like chemists, Microsoft calls it "Pd" for short) is Microsoft's
> implementation of the TCPA spec, sort of.  ("Sort of" depends on who you
> ask.  Some say it's related.  Some say they do similar things, but are
> unrelated.  Some say that Pd is, in fact, Microsoft's attempt to preempt
> the TCPA spec.)  TCPA is the Trusted Computing Platform Alliance, an
> organization with just under 200 corporate members (an impressive list,
> actually) trying to build a trusted computer.  The TCPA 1.1 spec has been
> published, and you can obtain the 1.2 spec under NDA.  Pd doesn't follow
> the spec exactly, but it's along those lines, sort of.
>
> Pd has been in development for a long time, since at least 1997.  The best
> technical description is the summary of a meeting with Microsoft engineers
> by Seth Schoen of the EFF (URL below).  I'm not going to discuss the
> details, because systems with an initial version of Pd aren't going to ship
> until 2004 -- at least -- andthe details are all likely to change.
>
> Basically, Pd is Microsoft's attempt to build a trusted computer, much as I
> discussed the concept in "Secrets and Lies" (pages 127-130); read it for
> background).  The idea is that different users on the system have
> limitations on their abilities, and are walled off from each other.  This
> is impossible to achieve using only software; and Pd is a combination
> hardware/software system.  In fact, Pd affects the CPU, the chip set on the
> motherboard, the input devices (keyboard, mouse, etc.), and the video
> output devices (graphics processor, etc.).  Additionally, a new chip is
> required: a tamper-resistant secure processor.
>
> Microsoft readily acknowledges that Pd will not be secure against hardware
> attacks.  They spend some effort making the secure processor annoying to
> pry secrets out of, but not a whole lot of effort.  They assume that the
> tamper-resistance will be defeated.  It is their intention to design the
> system so that hardware attacks do not result in class breaks: that
> breaking one machine doesn't help you break any others.
>
> Pd provides protection against two broad classes of attacks.  Automatic
> software attacks (viruses, Trojans, network-mounted exploits) are contained
> because an exploited flaw in one part of the system can't affect the rest
> of the system.  And local software-based attacks (e.g., using debuggers to
> pry things open) are protected because of the separation between parts of
> the system.
>
> There are security features that tie programs and data to CPU and to user,
> and encrypt them for privacy.  This is probably necessary to make Pd work,
> but has a side-effect that I'm sure Microsoft is thrilled with.  Like books
> and furniture and clothing, the person who currently buys new software can
> resell it when he's done with it.  People have a right to do this -- it's
> called the "First Sale Doctrine" in the United States -- but the software
> industry has long claimed that software is not sold, but licensed, and
> cannot be transferred.  When someone sells a Pd-equipped computer, he is
> likely to clear his keys so that his identity can't be used or files can't
> be read.  This will also serve to erase all the software he purchased.  The
> end result might be that people won't be able to resell software, even if
> they wanted to.
>
> Pd is inexorably tied up with Digital Rights Management.  Your computer
> will have several partitions, each of which will be able to read and write
> its own data.  There's nothing in Pd that prevents someone else (MPAA,
> Disney, Microsoft, your boss) from setting up a partition on your computer
> and putting stuff there that you can't get at.  Microsoft has repeatedly
> said that they are not going to mandate DRM, or try to control DRM systems,
> but clearly Pd was designed with DRM in mind.
>
> There seem to be good privacy controls, over and above what I would have
> expected.  And Microsoft has claimed that they will make the core code
> public, so that it can be reviewed and evaluated.  It's about time they
> realized that lots of people are willing to do their security work for free.
>
> It's hard to sort out the antitrust implications of Pd.  Lots of people
> have written about it.  Will Microsoft jigger Pd to prevent Linux from
> running?  They don't dare.  Will it take standard Internet protocols and
> replace them with Microsoft-proprietary protocols?  I don't think so.  Will
> you need a Pd-enabled device -- the system is meant for both
> general-purpose computers and specialized media devices -- in order to view
> copyrighted content?  More likely.  Will Microsoft enforce its Pd patents
> as strongly as it can?  Almost certainly.
>
> Lots of information about Pd will emanate from Redmond over the next few
> years, some of it true and some of it not.  Things will change, and then
> change again.  The final system may not look anything like what we've seen
> to date.  This is normal, and to be expected, but when you continue to read
> about Pd, be sure to keep several things in mind.
>
> 1.  A "trusted" computer does not mean a computer that is trustworthy.  The
> DoD's definition of a trusted system is one that can break your security
> policy; i.e., a system that you are forced to trust because you have no
> choice.  Pd will have trusted features; the jury is still out as to whether
> or not they are trustworthy.
>
> 2.  When you think about a secure computer, the first question you should
> ask is: "Secure for whom?"  Microsoft has said that Pd allows the
> computer-owner to prevent others from putting their own secure areas on the
> computer.  But really, what is the likelihood of that really
> happening?  The NSA will be able to buy Pd-enabled computers and secure
> them from all outside influence.  I doubt that you or I could, and still
> enjoy the richness of the Internet.  Microsoft really doesn't care about
> what you think; they care about what the RIAA and the MPAA
> think.  Microsoft can't afford to have the media companies not make their
> content available on Microsoft platforms, and they will do what they can to
> accommodate them.  There's often a large gulf between what you can get in
> theory -- which is what Microsoft is stressing in their Pd discussions --
> and what you will be able to have in practice.  This is where the primary
> danger lies.
>
> 3.  Like everything else Microsoft produces, Pd will have security holes
> large enough to drive a truck through.  Lots of them.  And the ones that
> are in hardware will be much harder to fix.  Be sure to separate the
> Microsoft PR hype about the promise of Pd from the actual reality of Pd 1.0.
>
> 4.  Pay attention to the antitrust angle.  I guarantee you that Microsoft
> believes Pd is a way to extend its market share, not to increase competition.
>
> There's a lot of good stuff in Pd, and a lot I like about it.  There's also
> a lot I don't like, and am scared of.  My fear is that Pd will lead us down
> a road where our computers are no longer our computers, but are instead
> owned by a variety of factions and companies all looking for a piece of our
> wallet.  To the extent that Pd facilitates that reality, it's bad for
> society.  I don't mind companies selling, renting, or licensing things to
> me, but the loss of the power, reach, and flexibility of the computer is
> too great a price to pay.
>
>
> <http://www.theregus.com/content/4/25378.html>
> <http://www.msnbc.com/news/770511.asp?cp1=1>
> <http://news.com.com/2100-1001-938973.html?tag=cd_mh>
> <http://www.eweek.com/article2/0,3959,267488,00.asp>
> <http://www.internetweek.com/story/INW20020626S0007>
> <http://www.osopinion.com/perl/story/18379.html>
> <http://www.infoworld.com/articles/hn/xml/02/06/25/020625hnpalladium.xml>
> <http://www.newscientist.com/news/news.jsp?id=ns99992449>
> <http://www.washingtonpost.com/wp-dyn/articles/A51780-2002Jun26.html>
> <http://www.theregus.com/content/4/25630.html>
> <http://www.internetweek.com/story/INW20020626S0007>
>
> Seth Schoen's meeting summary:
> <http://vitanuova.loyalty.org/2002-07-03.html>
>
> Opinions:
> <http://www.nytimes.com/2002/07/04/business/04SCEN.html>
> <http://online.securityfocus.com/columnists/96>
> <http://zdnet.com.com/2102-1107-942699.html>
> <http://online.securityfocus.com/columnists/93>
> <http://zdnet.com.com/2102-1107-939817.html>
> <http://www.theregister.co.uk/content/4/25843.html>
> <http://www.pbs.org/cringely/pulpit/pulpit20020627.html>
>
> Ross Anderson on TCPA and Palladium:
> <http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html>
> <http://www.theregus.com/content/4/25415.html>
>
> TCPA Web site:
> <http://www.trustedcomputing.org/tcpaasp4/index.asp>

-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'