Trusted Computing and NGSCB

The problem being addressed

• insecurity for the user, since open platforms are prone to viruses, worms, spyware, participation in DDoS attacks, keyboard keycatchers, etc.
• insecurity for software authors and media content providers, since open platforms allow programs, music files, images etc. to be copied without limit and without loss of quality.

Trusted Computing (TC)

The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP and AMD which promotes a standard for a "more secure" PC. Microsoft is one of the main drivers; its version of TC is called New Generation Secure Computing Base (NGSCB); formerly known as Palladium. TC provides a computing platform on which you can't tamper with the application software, and where these applications can communicate securely with servers. The original motivation was digital rights management (DRM): music files will be encrypted, and can only be run by recognised application software on a TC platform. The software will prevent you from making copies, and can restrict you in arbitrary other ways, e.g. by playing only a certain number of times, or for a limited period.

Early announcements of TC included much more draconian measures, such as software which would delete ordinary applications and media files if it detected (e.g. by steganographic watermarking) copyright violations which took place outside the scope of TC.

Current motivations and applications for TC extend way beyond DRM. Bill Gates: `We came at this thinking about music, but then we realized that e-mail and documents were far more interesting domains'. Email which cannot be printed or forwarded, and self-destructs after a specified period opens up many possibilities. Similarly, document authors could enforce privacy by restrictng the ways copies are made or extracts taken by cut-and-paste.

As a simple example to illustrate how this would work: You can send an e-mail and set a condition that it may not be forwarded on. The e-mail itself is encrypted and contains the information about the rights you have associated with it. The recipient of the e-mail will only be able to view it when their TC chip agrees that they have the right to do so, and their TC software will display the e-mail in such a way that they will be unable to copy and paste the text into a new e-mail in order to forward it. The same principles will apply to all types of files, notably music and video files. You could create  documents that can only be read in, say, the next week, after which point they become unusable.

How TC works

The attestation protocol (adapted from [2])

• The hardware has a public/private key pair, PK_h and SK_h.
• When an application A is started, it first generates a public/private key pair PK_A and SK_A. The application requests the hardware to certify its public key. The certificate C_A includes a hash of the executable A.  C_A= {PK_A,#A}_SKh.
• The hardware sends the certificate to the application.
• When the application wants to attest its validity to a remote server, it sends the certificate chain (PK_h,C_A) to the server. The server checks:
• PK_h is not revoked.
• The application hash embedded in C_A is on the server's list of applications it trusts.
At this point, the server is assured that C_A comes from an application it trusts.
• The application now authenticates itself by proving knowledge of SK_A. For example, the application and the server can run a key exchange to generate a session key.

Questions to think about/discuss.

1. What is the role of #A
2. Could we invent a protocol which doesn't require the hardware to have a public/private key pair?
3. Why have the key pair for A? Can't we just use the hardware keys?
   

Why TC is a bad thing

• It removes control of the PC from its owner/user, and gives the control to the OS provider. This can easily be abused, e.g. by
• Censorship. Digital objects created with TC remain in the control of their creators. Example from [3]: someone who writes a paper that a court decides is defamatory can be compelled to censor it - and the software company that wrote the word processor could be ordered to do the deletion if she refuses.
• Software lock-in. Companies will recieve TC-Office documents, and will need TC-Office to read them. Moreover, they will need to keep paying the rent for TC-Office in perpetuity, if they want to continue to have access to their archives. You will need it too, in order to read your gas bill.

Will TC take off, or will it die?

• Can be introduced gradually. Can be turned off, so doesn't seem such a threat; but  eventually the price of turning it off will be too great (software and peripheral hardware will require it). Non-TC will soon be perceived as GNU/Linux is today: great because it gives you more freedom, but a pain because it gives you less choice.
• Will be adopted by companies for its security properties, by decision takers who don't understand all the issues. Will work its way into the home by becoming a requirement for teleworkers and content servers.
  

• If TC is a way of making "the Chinese" pay for software, they won't use it. Microsoft is particularly obsessed about the Chinese, but western students and developing countries are probably just as important. If these people don't use it, it may fail.
• It won't work, because
• It will be very hard to get right, without it being extremely painful for the user; again, sufficiently large numbers of people may refuse to use it.
• There will be cracks and workarounds. See, e.g., reports of Microsoft thinking it won't work.

How does TC differ from CSS?

What else is like TC?

• CPRM (Copyright Protection for Recordable Media) is currently primarily a memory-stick copy-protection mechanism (Secure Digital SD format currently taking 30% flash memory market (Oct 2003)), but is proposed to spread to the ATA hard disk standard. Each CPRM-compatible ATA hard drive is individually signed, and authenticates the playback and movement of files on the device against a central server using CPRM-compliant software. So it's the same idea as (and probably part of) TC.
• Many printer cartridges now come with chips that authenticate them to the printer. Printers may refuse to work with third-party or refilled cartridges, or even with genuine cartridges that have passed an expiry date.

Digital rights management

• If you can perceive the content, you can copy it
• Suggests that effective DRM for music, images and video will never be possible
• But doesn't work very well for text, or software
• And even for music/images/video there may be a loss of quality
• Can we have effective DRM without hardware keys?
  
• Can we have effective DRM without being on-line?

1. Smart card does the decryption.
   Problem: smart card very slow (3MHz), and, to make matters worse, this may be public key cryptography which is more computationally expensive
2. Device has trusted software which the user cannot interfere with or change (e.g., dedicated music player)
• Software authenticates itself to the card
• Card releases the key to the software
  
3. Can we do it on a standard PC?
   

Resources

1. Microsoft's papers including some technical information.
   
2. Tal Garfinkel, Mendel Rosenblum, and Dan Boneh. Flexible OS Support and Applications for Trusted Computing gives some detail on a possible protocol (described in these notes).
3. Ross Anderson's Trusted Computing FAQ is an excellent source of information, and has lots of links/references.
   
4. Richard Stallman, Can you trust your computer?
5. A weblog by Seth Schoen which contains some technical details of NGSCB presented very informally.

HP declares war on sharing culture --- The company whose slogan is "Invent" is doing all it can to stifle innovation, new business models and new markets.
P. Biddle, P. England, M. Peinado, B. Willman, Microsoft Corp., The Darknet and the Future of Content Distribution.

End