Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)

Rick Wash rwash at citi.umich.edu
Tue Dec 23 14:38:40 EST 2003


On Sun, Dec 21, 2003 at 08:55:16PM -0800, Carl Ellison wrote:
>
> 	IBM has started rolling out machines that have a TPM installed. 
> [snip ...]
> Then again, TPMs cost money and I don't know any private individuals who are
> willing to pay extra for a machine with one.  Given that, it is unlikely
> that TPMs will actually become a popular feature.

Personally, I own a laptop (T30) with the TPM chip, and I paid extra for the
chip, but that is because I am a researcher interested in seeing what I can
get the chip to do.

I think that it is possible that they will sell a lot of TPM chips.  IBM is
currently calling it the "IBM Security Subsystem 2.0" or something like
that, which sounds a lot less threatening and more useful than "trusted
platform module".  It depends a lot on the marketing strategy.  If they can
make it sound useful, that will take them far.
 
> 	Some TPM-machines will be owned by people who decide to do what I
> suggested: install a personal firewall that prevents remote attestation.
> With wider dissemination of your reasoning, that number might be higher than
> it would be otherwise.

Agreed.  The first thing I did when writing code was to figure out how to
turn it off.  Then I figured out how to enable most of the functionality
while disabling the built-in attestation key.
 
> 	Meanwhile, there will be hackers who accept the challenge of
> defeating the TPM.  There will be TPM private keys loose in the world,
> operated by software that has no intention of telling the truth to remote
> challengers.  

And this will be simpler than most people think.  From what I understand
about the current TPM designs, the TPM chip is NOT designed to be
tamper-resistant.  The IBM researchers told me that it is possible to read
the secrets from the TPM chip with a standard bus reader.  I've been meaning
to wander over to the Computer Engineering department and borrow one of
those to verify this claim.

Based on this, it shouldn't be hard for a set of people to extract their 
keys from their TPM chips and spread them around the internet, emulating a
real TPM.  This I see as a major stumbling block for DRM systems based on
TCPA.  TCPA works very well against purely-software threats, but as far as
protecting against computer owners and determined attackers, I'm not so
sure.

> 	At this point, a design decision by the TCPA (TCG) folks comes into
> play.  There are ways to design remote attestation that preserve privacy and
> there are ways that allow linkage of transactions by the same TPM.  
>
> 	Either of these outcomes will kill the TCG, IMHO.

I agree.  This is why to make the TPM a success, specifically for something
like DRM, the companies advocating it will have to convince the users that
it is a good thing.  This is the same problem they have now.  They have to
make the users *want* to use the trusted DRM features and *not* want to
subvert them.   They can do this by making the DRM features mostly unseen
and providing cheap and effective ways for people to get the media that they
want in the formats that they want.  If they try to fight their own users,
there will be enough ways of getting around TCPA for the users to fight
back.
 
> 	You postulated that someday, when the TPM is ubiquitous, some
> content providers will demand remote attestation.  I claim it will never
> become ubiquitous, because of people making my choice - and because it takes
> a long time to replace the installed base - and because the economic model
> for TPM deployment is seriously flawed.  

Well, there are a couple things that could change this.  If other, non-DRM
uses of the TPM chip become popular (say for example that everyone wants to
use it to encrypt their hard drive), then that could speed deployment of the
chip, since that functionality is also bundled with the remote attestation
functionality.  I know that then creates a market for a chip that does what
is needed without the remote attestation functionality, but it then becomes
business, not technology, that determines which people buy.

> If various service or content providers elect not to allow me service
> unless I do remote attestation, I then have 2 choices: use the friendly
> web service that will lie for me - or decline the content or service.

Correct.  However, this is where copyright and other government-granted
monopolies come into play.  If I want a specific piece of copyrighted
material (say, a song), I have to either deal with the copyright owner
(RIAA) on their terms (remote attestation), not get the song, or break the
law.  None of those three alternatives sound very good.   The best chance is
education of the masses, so everyone chooses one of the latter two and makes
it economically infeasible for the RIAA to maintain their draconian terms.
Then we have a useful piece of hardware in our computers (TCPA), subsidised
largely by people like the RIAA, but who can't use it for economic reasons.
That would be the ideal outcome.

There are many legitimate uses of remote attestation that I would like to
see.  For example, as a sysadmin, I'd love to be able to verify that my
servers are running the appropriate software before I trust them to access
my files for me.  Remote attestation is a good technical way of doing that.
And it's nice that people like the RIAA are pushing to have such hardware
built into my machines, because now I don't have to do the push.  All I have
to do is make sure I can use their hardware for my purposes, which seems
like the case right now.

  Rick Wash
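The sysadmin use case above (checking that a server runs approved software before trusting it) and Carl Ellison's point about loose TPM keys, as an added example that is not code from the original post. It models a TPM 1.2 style measured boot (SHA-1 PCR extend) and a verifier that checks a quote's nonce, signature and PCR value against a golden value. The signature is stood in for by an HMAC keyed with a per-TPM secret so the example runs on the standard library alone; a real TPM signs with an RSA attestation identity key. All measurement values, the `srv-01` key name and the secret are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed stand-ins for the digests a measured boot would extend into a
# PCR (BIOS, boot loader, kernel). Arbitrary bytes, not real firmware hashes.
GOOD_CHAIN = [b"bios-1.0", b"bootloader-1.0", b"kernel-2.4.23"]
TAMPERED_CHAIN = [b"bios-1.0", b"bootloader-1.0", b"kernel-patched"]

PCR_RESET = bytes(20)  # a TPM 1.2 PCR holds 20 zero bytes after reset


def extend(pcr, measurement):
    """TPM 1.2 PCR extend: PCR := SHA-1(PCR || SHA-1(measurement))."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def measure_chain(chain):
    """Replay a boot chain through extend(); order matters, so swapping two
    components yields a different final PCR value."""
    pcr = PCR_RESET
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


def make_quote(aik_secret, aik_id, pcr, nonce):
    """Platform side. A real TPM signs (PCR composite, nonce) with an RSA
    attestation identity key; an HMAC keyed with a per-TPM secret stands in
    here (assumption made for a self-contained example)."""
    sig = hmac.new(aik_secret, pcr + nonce, hashlib.sha256).digest()
    return {"aik_id": aik_id, "pcr": pcr, "nonce": nonce, "sig": sig}


class Verifier:
    """The sysadmin's side: decide whether a server may access the files."""

    def __init__(self, known_aiks, golden_pcr):
        self.known_aiks = dict(known_aiks)  # aik_id -> verification key
        self.golden_pcr = golden_pcr        # PCR value of the approved software
        self.revoked = set()                # keys known to be loose

    def fresh_nonce(self):
        return os.urandom(16)

    def check(self, quote, nonce):
        """Return (accepted, reason). Every rejection names the failed step."""
        aik_id = quote["aik_id"]
        if aik_id in self.revoked:
            return False, "attestation key revoked"
        key = self.known_aiks.get(aik_id)
        if key is None:
            return False, "unknown attestation key"
        if quote["nonce"] != nonce:
            return False, "nonce mismatch (replayed quote)"
        expected = hmac.new(key, quote["pcr"] + quote["nonce"], hashlib.sha256).digest()
        if not hmac.compare_digest(expected, quote["sig"]):
            return False, "signature invalid"
        if quote["pcr"] != self.golden_pcr:
            return False, "PCR does not match approved software"
        return True, "ok"


def demo():
    """Run four scenarios and return the verifier's reason string for each."""
    secret = b"constructed-per-tpm-secret"  # would normally live inside the TPM
    v = Verifier({"srv-01": secret}, measure_chain(GOOD_CHAIN))
    out = {}

    n = v.fresh_nonce()
    out["healthy"] = v.check(make_quote(secret, "srv-01", measure_chain(GOOD_CHAIN), n), n)[1]

    n = v.fresh_nonce()
    out["tampered"] = v.check(make_quote(secret, "srv-01", measure_chain(TAMPERED_CHAIN), n), n)[1]

    # A quote captured earlier carries the wrong nonce and is refused.
    old = make_quote(secret, "srv-01", measure_chain(GOOD_CHAIN), v.fresh_nonce())
    out["replay"] = v.check(old, v.fresh_nonce())[1]

    # A copy of the key held outside the TPM produces quotes the verifier cannot
    # tell from genuine ones, whatever the host really runs; once the leak is
    # known, revoking the key is the verifier's only remaining lever.
    v.revoked.add("srv-01")
    n = v.fresh_nonce()
    out["revoked"] = v.check(make_quote(secret, "srv-01", measure_chain(GOOD_CHAIN), n), n)[1]
    return out


if __name__ == "__main__":
    for scenario, reason in demo().items():
        print(f"{scenario:10s} -> {reason}")
```

The verifier's checks are ordered so that the cheapest and most decisive ones come first; the PCR comparison is last because a valid signature over a wrong value is still useful evidence (the host is honest but runs the wrong software), whereas a bad signature says nothing about the software at all.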

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
