Cryptogram: Palladium Only for DRM

bear bear at sonic.net
Mon Sep 16 20:33:11 EDT 2002 


On Mon, 16 Sep 2002, AARG!Anonymous wrote:

>are far from silly.  As we move into an era where more individuals use
>electronic banking systems, we face the risk that viruses can inflict
>serious financial costs on their victims.  The next Nimda could empty
>your bank account and transfer its entire contents irreversibly to an
>overseas server.  Given this threat, the defenses above seem not only
>desirable, but absolutely necessary to protect people from massive theft
>and fraud.  Ordinary cryptography and CPU process architectures are not
>enough to provide this type of security.

You know what?

Any designer of financial services software should know better than
designing something which stores sufficient information on the local
machine to enable a signon to the account. Simply speaking, it is a
fundamental of financial services software that there must not be
adequate information on the machine to enable authentication without
an explicit user action. If posession of the machine alone is
sufficient to authenticate with financial services, then we are
back to the situation where thieves would break into the houses of
the wealthy to steal all their money -- except now they would do
it by stealing the computer instead of by stealing a big box of
jewelry, silverware, and gold coins.

Machine-based signon makes the PC into a thing that has to be locked
up in the safe at all times, just like a big pile of gold coins
sitting on the desk as far as thieves are concerned.  It would
remove all the protections normally associated with bank vaults
and Federal Deposit Insurance.

If anyone builds a system that allows authentication based solely
on information stored on the machine, they should not be surprised
when insurance companies which are sane refuse to insure
transactions mediated thereby, and refuse to ensure accounts
subject to such transactions.

Pd does not change this fundamental fact.  If it's possible for
software, including Palladium-dependent software, to sign on and
authenticate with the bank without having human input to the
authentication step, then it's possible for a thief in posession
of the machine to create a situation where the bank is fooled
into thinking that something is a legitimate transaction, when
it is not.

And if it is *not* possible for software to authenticate with the
bank without human input, whether or not it is palladium-dependent,
because there is not sufficient information on the machine to
enable an authentication, then it is not possible for the "next
nimda" to empty your bank account.  That is what we refer to as
a sane design, with or without Palladium.

Thus your argument defeats itself.  You can't have it both
ways.  This is why "single signon" is insane from a security
point of view, along with any software that permits it.

Machine-based authentication is suicidal for financial
applications, with or without Palladium in the mix.  It
gives thieves a motive to break into people's homes, which
makes those people less safe as well as risking their money.

Schneier reached exactly the same conclusion about Pd that I did,
for exactly the same reasons.

				Ray Dillinger



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list