Cryptogram: Palladium Only for DRM
David Wagner
daw at mozart.cs.berkeley.edu
Thu Sep 19 22:49:03 EDT 2002
Peter N. Biddle wrote:
>[...] You can still extract everything in Pd via a HW attack. [...]
>
>How is this BORE resistant? The Pd security model is BORE resistant for a
>unique secret protected by a unique key on a given machine. Your hack on
>your machine won't let you learn the secrets on my machine; to me that's
>BORE resistant. [...]
Yes, but...
For me, BORE (Break Once Run Everywhere) depends on the application.
You can't analyze Palladium in isolation, without looking at the app,
too. It doesn't make sense to say "Palladium isn't susceptible to BORE
attacks", if the applications themselves are subject to BORE attacks.
For example, if a record company builds an app that stores a MP3 of
the latest Britney Spears song in a Palladium vault, then this app
will be susceptible to BORE attacks. Extracting that MP3 from any one
machine suffices to spread it around the world. It won't comfort the
record company much to note that the attacker didn't learn the Palladium
crypto keys living on other machines; the damage has already been done.
Palladium doesn't make DRM resistant to BORE attacks. It can't.
In short, there are some applications that Palladium can't make
BORE-resistant. Some apps (e.g., DRM) are simply fundamentally fragile.
Maybe a more interesting question is: For which apps does Palladium
provide resistance against BORE attacks that is not available by other
means?
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list