Ross's TCPA paper

Derek Atkins derek at ihtfp.com
Mon Jun 24 07:34:52 PDT 2002 

I, for one, can vouch for the fact that TCPA could absolutely
be applied to a DRM application.  In a previous life I actually
designed a DRM system (the company has since gone under).  In
our research and development in '96-98, we decided that you need
at least some trusted hardware at the client to perform any DRM,
but if you _did_ have some _minimal_ trusted hardware, that would
provide a large hook to a fairly secure DRM system.

Check the archives of, IIRC, coderpunks... I started a thread entitled
The Black Box Problem.  The issue is that in a DRM system you (the
content provider) wants to verify the operation of the client, even
though the client is not under your control.  We developed an online
interactive protocol with a sandbox environment to protect content,
but it would certainly be possible for someone to crack it.  Our
threat model was that we didn't want people to be able to use a hacked
client against our distributation system.

We discovered that if we had some trusted hardware that had a few key
functions (I don't recall the few key functions offhand, but it was
more than just encrypt and decrypt) we could increase the
effectiveness of the DRM system astoundingly.  We thought about using
cryptodongles, but the Black Box problem still applies.  The trusted
hardware must be a core piece of the client machine for this to work.

Like everything else in the technical world, TPCA is a tool..  It is
neither good nor bad; that distinction comes in how us humans apply
the technology.

-derek

"Lucky Green" <shamrock at cypherpunks.to> writes:

> Anonymous writes:
> > Lucky Green writes regarding Ross Anderson's paper at: 
> > Ross and Lucky should justify their claims to the community 
> > in general and to the members of the TCPA in particular.  If 
> > you're going to make accusations, you are obliged to offer 
> > evidence.  Is the TCPA really, as they claim, a secretive 
> > effort to get DRM hardware into consumer PCs? Or is it, as 
> > the documents on the web site claim, a general effort to 
> > improve the security in systems and to provide new 
> > capabilities for improving the trustworthiness of computing platforms?
> 
> Anonymous raises a valid question. To hand Anonymous additional rope, I
> will even assure the reader that when questioned directly, the members
> of the TCPA will insist that their efforts in the context of TCPA are
> concerned with increasing platform security in general and are not
> targeted at providing a DRM solution.
> 
> Unfortunately, and I apologize for having to disappoint the reader, I do
> not feel at liberty to provide the proof Anonymous is requesting myself,
> though perhaps Ross might. (I have no first-hand knowledge of what Ross
> may or may not be able to provide).
> 
> I however encourage readers familiar with the state of the art in PC
> platform security to read the TCPA specifications, read the TCPA's
> membership list, read the Hollings bill, and then ask themselves if they
> are aware of, or can locate somebody who is aware of, any other
> technical solution that enjoys a similar level of PC platform industry
> support, is anywhere as near to wide-spread production as TPM's, and is
> of sufficient integration into the platform to be able to form the
> platform basis for meeting the requirements of the Hollings bill.
> 
> Would Anonymous perhaps like to take this question?
> 
> --Lucky Green
> 
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com

More information about the cypherpunks-legacy mailing list