Trusted Computing and NGSCB
In order to provide better security and to prevent software and media
piracy, a "locked-down" PC architecture is being developed which has
hardware-level cryptographic keys for encryption and authentication. It
is tamper-resistant, has curtained memory, and communication with the
keyboard, mouse, monitor and printer may be encrypted.
The problem being addressed
Current open platforms (PCs, PDAs, etc.) allow a great deal of
flexibility to the user, but this has resulted in
- insecurity for the user, since open platforms are prone to
viruses, worms, spyware, keyloggers, recruitment into DDoS attacks,
etc.
- insecurity for software authors and media content providers,
since open platforms allow programs, music files, images etc. to be
copied without limit and without loss of quality.
Trusted Computing (TC)
The Trusted Computing Group (TCG) is an alliance of Microsoft, Intel,
IBM, HP and AMD which promotes a standard for a "more secure" PC.
Microsoft is one of the main drivers; its version of TC is called
Next-Generation Secure Computing Base (NGSCB), formerly known as
Palladium. TC provides a
computing platform on which you can't tamper with the application
software, and where these applications can communicate securely with
servers. The original motivation was digital rights management (DRM):
music files will be encrypted, and can only be run by recognised
application software on a TC platform. The software will prevent you
from making copies, and can restrict you in arbitrary other ways, e.g.
by playing only a certain number of times, or for a limited period.
Early announcements of TC included much more draconian measures,
such as software which would delete ordinary applications and media
files if it detected (e.g. by steganographic watermarking) copyright
violations which took place outside the scope of TC.
Current motivations and applications for TC extend way beyond DRM.
Bill Gates: `We came at this thinking about music, but then we realized
that e-mail and documents were far more interesting domains'. Email
which cannot be printed or forwarded, and which self-destructs after a
specified period, opens up many possibilities. Similarly, document
authors could enforce privacy by restricting the ways copies are made
or extracts taken by cut-and-paste.
As a simple example to illustrate how this would work: you can send an
e-mail and set a condition that it may not be forwarded on. The e-mail
itself is encrypted and contains the information about the rights you
have associated with it. The recipient of the e-mail will only be able
to view it when their TC chip agrees that they have the right to do so,
and their TC software will display the e-mail in such a way that they
will be unable to copy and paste the text into a new e-mail in order to
forward it. The same principles will apply to all types of files,
notably music and video files. You could create documents that can only
be read in, say, the next week, after which point they become unusable.
How TC works
The hardware is manufactured with a public/private key pair. Ideally,
the manufacturing process destroys all records of the private key. The
chip is tamper-resistant: it is designed to destroy its private key
rather than give it up. Servers need to know the set of valid public
keys (or the set of known invalid ones). Memory is curtained, to prevent
debuggers and other software from reading the private key.
The attestation protocol (adapted from [2])
- The hardware has a public/private key pair, PKh and SKh.
- When an application A is started, it first generates a public/private
key pair PKA and SKA. The application requests the hardware to certify
its public key. The certificate CA includes a hash of the executable A:
CA = {PKA, #A}SKh.
- The hardware sends the certificate to the application.
- When the application wants to attest its validity to a remote server,
it sends the certificate chain (PKh, CA) to the server. The server
checks:
  - PKh is not revoked.
  - CA verifies as a signature under PKh.
  - The application hash embedded in CA is on the server's list of
  applications it trusts.
  At this point, the server is assured that CA comes from an
  application it trusts.
- The application now authenticates itself by proving knowledge of SKA.
For example, the application and the server can run a key exchange to
generate a session key.
Questions to think about/discuss.
- What is the role of #A?
- Could we invent a protocol which doesn't require the hardware to
have a public/private key pair?
- Why have the key pair for A? Can't we just use the hardware keys?
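As an added illustration (this is not part of the original notes and not NGSCB code), the protocol above as a runnable Go program. Ed25519 stands in for whatever signature scheme the chip uses, the "hardware" is an ordinary struct whose private key is simply never exported, #A is taken to be the SHA-256 of the executable bytes, and the final proof of SKA is a signed fresh nonce rather than a full key exchange; all of these are assumptions, as is the sample "executable" content. The three runs in main bear on the questions above: the server accepts only an application whose hash is on its list, and a captured certificate is useless to anyone who does not also hold SKA.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Cert is CA = {PKA, #A}SKh: the app's public key and executable hash, signed by the chip.
type Cert struct {
	PKA   ed25519.PublicKey
	HashA [32]byte
	Sig   []byte
}

// certBody is the byte string SKh signs; the prefix keeps certificates distinct from anything else.
func certBody(pka ed25519.PublicKey, hashA [32]byte) []byte {
	return append(append([]byte("attest-cert:"), pka...), hashA[:]...)
}

// Hardware holds (PKh, SKh); skh is unexported and used only in Certify, like the curtained chip.
type Hardware struct {
	PKh ed25519.PublicKey
	skh ed25519.PrivateKey
}

func NewHardware() *Hardware {
	pk, sk, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand; the error is ignored in this illustration
	return &Hardware{PKh: pk, skh: sk}
}

// Certify measures the executable (#A) and binds it to PKA; the chip never sees SKA.
func (h *Hardware) Certify(pka ed25519.PublicKey, executable []byte) Cert {
	hashA := sha256.Sum256(executable)
	return Cert{PKA: pka, HashA: hashA, Sig: ed25519.Sign(h.skh, certBody(pka, hashA))}
}

// StartApplication generates (PKA, SKA), obtains CA, and returns CA plus a signing
// closure: that closure is the only holder of SKA.
func StartApplication(h *Hardware, executable []byte) (Cert, func([]byte) []byte) {
	pk, sk, _ := ed25519.GenerateKey(nil)
	return h.Certify(pk, executable), func(m []byte) []byte { return ed25519.Sign(sk, m) }
}

// Server knows which PKh are valid (false = revoked) and which #A it trusts.
type Server struct {
	hardware map[string]bool
	trusted  map[[32]byte]bool
}

var (
	ErrHardware     = errors.New("hardware key unknown or revoked")
	ErrBadCert      = errors.New("certificate does not verify under PKh")
	ErrUntrustedApp = errors.New("application hash not on trusted list")
	ErrBadProof     = errors.New("client could not prove knowledge of SKA")
)

func NewServer(pkh ed25519.PublicKey) *Server {
	return &Server{hardware: map[string]bool{string(pkh): true}, trusted: map[[32]byte]bool{}}
}
func (s *Server) Trust(exe []byte)             { s.trusted[sha256.Sum256(exe)] = true }
func (s *Server) Revoke(pkh ed25519.PublicKey) { s.hardware[string(pkh)] = false }

// VerifyChain: PKh valid, CA genuinely signed under SKh, and #A on the trusted list.
func (s *Server) VerifyChain(pkh ed25519.PublicKey, ca Cert) error {
	if !s.hardware[string(pkh)] {
		return ErrHardware
	}
	if !ed25519.Verify(pkh, certBody(ca.PKA, ca.HashA), ca.Sig) {
		return ErrBadCert
	}
	if !s.trusted[ca.HashA] {
		return ErrUntrustedApp
	}
	return nil
}

// Attest runs the exchange end to end. After the chain check the server sends a fresh
// nonce that only the holder of SKA can sign, which defeats replay of a captured (PKh, CA).
func Attest(s *Server, pkh ed25519.PublicKey, ca Cert, sign func([]byte) []byte) error {
	if err := s.VerifyChain(pkh, ca); err != nil {
		return err
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	if !ed25519.Verify(ca.PKA, nonce, sign(nonce)) {
		return ErrBadProof
	}
	return nil
}

func main() {
	hw, player := NewHardware(), []byte("media-player-v1") // constructed stand-in for an executable
	srv := NewServer(hw.PKh)
	srv.Trust(player)
	goodCA, goodSign := StartApplication(hw, player)
	badCA, badSign := StartApplication(hw, []byte("patched-player")) // certified, but #A unknown to server
	fmt.Println("genuine:", Attest(srv, hw.PKh, goodCA, goodSign))
	fmt.Println("patched:", Attest(srv, hw.PKh, badCA, badSign))
	fmt.Println("replayed CA:", Attest(srv, hw.PKh, goodCA, badSign))
}
```

Note what the hardware does and does not vouch for: it will happily certify the patched binary too, because its job is only to report #A honestly; the policy decision sits entirely with the server's list. A server that kept only a revocation list (the other option the notes mention) would accept any software-emulated "chip" whose key had not yet been discovered and revoked, which is why this version keeps a list of valid keys instead.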
Why TC is a bad thing
TC has been much criticised by respected commentators, and with good
reason.
- It removes control of the PC from its owner/user, and gives the
control to the OS provider. This can easily be abused, e.g. by
  - Censorship. Digital objects created with TC remain in the control of
  their creators. Example from [3]: someone who writes a paper that a
  court decides is defamatory can be compelled to censor it, and the
  software company that wrote the word processor could be ordered to do
  the deletion if she refuses.
  - Software lock-in. Companies will receive TC-Office documents, and
  will need TC-Office to read them. Moreover, they will need to keep
  paying the rent for TC-Office in perpetuity, if they want to continue
  to have access to their archives. You will need it too, in order to
  read your gas bill.
"Trusted Computing" means your PC is more trustworthy from the point of
view of software vendors and content providers, but less trustworthy
from the point of view of its owner.
Will TC take off, or will it die?
Reasons for thinking it will take off:
- Can be introduced gradually. Can be turned off, so doesn't seem such a
threat; but eventually the price of turning it off will be too great
(software and peripheral hardware will require it). Non-TC will soon be
perceived as GNU/Linux is today: great because it gives you more
freedom, but a pain because it gives you less choice.
- Will be adopted by companies for its security properties, by
decision takers who don't understand all the issues. Will work its way
into the home by becoming a requirement for teleworkers and content
servers.
Reasons for thinking it won't.
- If TC is a way of making "the Chinese" pay for software, they won't
use it. Microsoft is particularly obsessed with the Chinese market, but
western students and developing countries are probably just as
important. If these people don't use it, it may fail.
- It won't work, because
  - It will be very hard to get right without it being extremely painful
  for the user; again, sufficiently large numbers of people may refuse
  to use it.
  - There will be cracks and workarounds. See, e.g., reports of
  Microsoft thinking it won't work.
TC and OSS
For discussion
How does TC differ from CSS?
DVDs have a protection scheme known as the Content Scrambling System
(CSS). Although it appears complex and includes hardware authentication
and session key establishment (see, e.g., Greg Kesden's tutorial on
CSS), it is essentially a Break-Once-Run-Everywhere (BORE) technology:
all players share a fixed set of secrets, so once those leak from any
one player the whole scheme is broken. It was indeed broken, by a
16-year-old Norwegian programmer who wrote DeCSS. TC avoids BORE by
giving every PC its own keys, and by letting servers revoke individual
keys that are known to be compromised. Even if you succeed in breaking
yours, that won't help anyone else.
What else is like TC?
- CPRM (Copyright Protection for Recordable Media) is currently
primarily a memory-card copy-protection mechanism (the Secure Digital SD
format, currently taking 30% of the flash memory market (Oct 2003)), but
is proposed to spread to the ATA hard disk standard. Each CPRM-compatible
ATA hard drive is individually signed, and authenticates the playback
and movement of files on the device against a central server using
CPRM-compliant software. So it's the same idea as (and probably part of)
TC.
- Many printer
cartridges now come with chips that authenticate them to the
printer. Printers may refuse to work with third-party or refilled
cartridges, or even with genuine cartridges that have passed an expiry
date.
Resources
- Microsoft's papers, including some technical information.
- Tal Garfinkel, Mendel Rosenblum, and Dan Boneh, Flexible OS Support
and Applications for Trusted Computing, gives some detail on a possible
protocol (the one described in these notes) [2].
- Ross Anderson's Trusted Computing FAQ is an excellent source of
information, and has lots of links/references [3].
- Richard Stallman, Can you trust your computer?
- A weblog by Seth Schoen which contains some technical details of
NGSCB presented very informally.
A longer version of these notes
Some DRM news links
- HP declares war on sharing culture --- The company whose slogan is
"Invent" is doing all it can to stifle innovation, new business models
and new markets.
- Security standards could make anti-piracy easier. A software-hardware
system designed to make personal computers more secure could also
improve copy prevention systems. New Scientist, 16 September 2003,
18:35.
- Security standards could bolster file-sharing networks. Features
designed to make unauthorised digital copying more difficult could also
strengthen controversial peer-to-peer networks, say US researchers. New
Scientist, 03 June 2003, 17:47.
- Intel plans secure microprocessors. The "virtual vault" will not only
protect data against hackers but also provide anti-piracy features. New
Scientist, 11 September 2002, 16:53.