Difference between TCPA-Hardware and a smart card (was: example: secure computing kernel needed)

Seth David Schoen schoen at loyalty.org
Sun Jan 4 05:31:49 EST 2004

David Wagner writes:

> To see why, let's go back to the beginning, and look at the threat
> model.  If multiple people are doing shared development on a central
> machine, that machine must have an owner -- let's call him Linus.  Now
> ask yourself: Do those developers trust Linus?
> If the developers don't trust Linus, they're screwed.  It doesn't matter how
> much attestation you throw at the problem, Linus can always violate their
> security model.  As always, you've got to trust "root" (the system
> administrator); nothing new here.
> Consequently, it seems to me we only need to consider a threat model
> where the developers trust Linus.  (Linus need not be infallible, but the
> developers should believe Linus won't intentionally try to violate their
> security goals.)  In this case, owner-directed attestation suffices.
> Do you see why?  Linus's machine will produce an attestation, signed
> by Linus's key, of what software is running.  Since the developers trust
> Linus, they can then verify this attestation.  Note that the developers
> don't need to trust each other, but they do need to trust the owner/admin
> of the shared box.  So, it seems to me we can get by without third-party
> attestation.

You could conceivably have a PC where the developers don't trust
Linus, but instead trust the PC manufacturer.  The PC manufacturer
could have made it extremely expensive for Linus to tamper with the PC
in order to "violate [the developers'] security model".  (It isn't
logically impossible, it's just extremely expensive.  Perhaps it costs
millions of dollars, or something.)

There are computers like that today.  At least, there are devices that can
run software, that are highly tamper-resistant, and that can do attestations.
(Now there is an important question about what the cost to do a hardware
attack against those devices would be.)  It seems to me to be a good thing
that the ordinary PC is not such a device.  (Ryan Lackey, in a talk
about security for colocated machines, described using devices like
these for colocation where it's not appropriate or desirable to rely on
the physical security of the colocated machine.  Of course, strictly
speaking, all security always relies on physical security.)

I don't know how the key management works in these devices.  If the
keys used to sign attestations are loaded by (or known to) the device
owner, it wouldn't help with the case where the device owner is
untrusted.  If the keys are loaded by the manufacturer, it might
support a model where the owner is untrusted and the manufacturer is

Seth David Schoen <schoen at loyalty.org> | Very frankly, I am opposed to people
     http://www.loyalty.org/~schoen/   | being programmed by others.
     http://vitanuova.loyalty.org/     |     -- Fred Rogers (1928-2003),
                                       |        464 U.S. 417, 445 (1984)
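As an added illustration of the owner-directed attestation Wagner sketches above and the key-management question Seth raises (example code, not from the original thread): a toy attestation in which a platform signs hashes of its loaded software with whatever attestation key it holds, and a developer verifies against the single public key they have chosen to trust. The message format and key names are hypothetical; what it shows is that whoever controls the private key behind that trust root can produce a passing attestation for any measurement list, so trusting the attestation is trusting the key holder.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Attestation: hashes of the loaded software, signed together with a verifier-
// chosen nonce by whatever attestation key the platform holds (hypothetical model).
type Attestation struct {
	Measurements [][32]byte // hashes of loaded software, in load order
	Signature    []byte     // over digest(Measurements, nonce)
}

// digest binds the measurement list and the nonce into one fixed-width message.
func digest(meas [][32]byte, nonce []byte) []byte {
	h := sha256.New()
	n := sha256.Sum256(nonce) // hashed to 32 bytes so the encoding is unambiguous
	h.Write(n[:])
	for _, m := range meas {
		h.Write(m[:])
	}
	return h.Sum(nil)
}

// Attest is what Linus's machine does: sign the current measurements with its attestation key.
func Attest(priv ed25519.PrivateKey, meas [][32]byte, nonce []byte) Attestation {
	return Attestation{meas, ed25519.Sign(priv, digest(meas, nonce))}
}

// Verify is the developer's side: check the signature against the one key they
// trust, with their own fresh nonce, then compare measurements to what they require.
func Verify(trustRoot ed25519.PublicKey, a Attestation, expected [][32]byte, nonce []byte) bool {
	if !ed25519.Verify(trustRoot, digest(a.Measurements, nonce), a.Signature) {
		return false // replayed, altered, or not signed by the trusted key
	}
	if len(a.Measurements) != len(expected) { return false }
	for i := range expected {
		if a.Measurements[i] != expected[i] { return false } // different software than required
	}
	return true
}

func main() {
	owner := ed25519.NewKeyFromSeed(make([]byte, 32)) // constructed all-zero seed, demo only
	meas := [][32]byte{sha256.Sum256([]byte("kernel-image")), sha256.Sum256([]byte("build-tools"))}
	a := Attest(owner, meas, []byte("nonce-1"))
	fmt.Println("verifies under Linus's key:", Verify(owner.Public().(ed25519.PublicKey), a, meas, []byte("nonce-1")))
}
```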

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com