Brian Gladman on TCPA Virtues

12 September 2002

Brian Gladman is an eminent UK security consultant: http://fp.gladman.plus.com/

Intel's September 9, 2002, announcement of its TCPA-related LaGrande technology:

http://www.intel.com/pressroom/archive/speeches/otellini20020909.htm

Press reports of Intel's announcement: http://cryptome.org/intel-crap.htm

Ross Anderson's TCPA/Palladium FAQ:

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

Thanks to M, Microsoft's Palladium FAQ:

http://www.microsoft.com/PressPass/features/2002/aug02/0821PalladiumFAQ.asp

From: "Brian Gladman" <brg@gladman.plus.com>
To: <ukcrypto@chiark.greenend.org.uk>
Subject: Re: Intel to include DRM in new Pentium 4 series processors
Date: Thu, 12 Sep 2002 19:40:32 +0800

Over the last two years I have been briefed in detail on TCPA developments and also briefed in detail (under Non Disclosure Agreements) on a number of implementations of TCPA being undertaken by major companies.

I think Ross is right to suggest that the community at large needs to understand TCPA and its derivatives and hence make a judgement on the impact that this technology will have on the market. I hence thought that it might be helpful if I set out my own position (TCPA is evolving so this is subject to change).

At one level TCPA (I will use this term to cover both TCPA and the related implementations) allows a PC owner to have a higher confidence in the software that is running on their machine. It will offer secure boot protection, secure driver loading and verification and OS metrics that allow a machine owner to determine and verify what OS and what application software runs on their machine. All of these facilities are under the sole control of the machine owner and they can if they wish switch them off (this is the default).

It is true that a company can take GPL'd software and provide it in a form that allows the user to say that it is this particular version of the software that they want to run. The company providing this software has to comply with the GPL (assuming that this holds up legally) and this means that anyone else can compile and sign this software and a PC owner can choose to use this alternative. They can do this themselves if they choose or they can take the software from any Free Software/Open Source distributor that wishes to supply TCPA signed OS or applications software.

Ross and others see this as a threat to the GPL but I am not convinced by these arguments. I want a machine with a secure boot sequence and I am happy to be able to set my machine up in a way that allows me to specify the OS I want to run and check that it has not been modified since I installed it. In my view, when implemented in a way that provides public accountability for design and operation, these are good features. In consequence I feel that an effort to cast these features in a bad light is misguided and is diverting attention form much more important problem areas in TCPA.

A key feature of TCPA is that, subject to the PC owner's permission, remote agents can set up 'trusted boxes' for their use on an owner's PC. Hence, for example, my TCPA enabled PC could have boxes labelled TCPA<BRG>.MicrosoftBox, TCPA<BRG>.WaltDisneyBox and so on. The remote 'owner' of these boxes can then install cryptographic keys and other authorisation tokens in these boxes and couple these to machine metrics so that, for example, any software or content that they supply will only be useable on the machine if it is in a state that they specify. This is Digital Rights Management (DRM) and here I support Ross's desire to ensure that the community at large knows precisely what they will be letting themselves in for in buying and using a TCPA enabled machine.

In my discussions with the companies involved I have put great weight on ensuring that these DRM like facilities are under sole control of the PC owner.

I expect the following to be true:

(a) TCPA features can be switched off completely.
(b) A remote agent requires the explicit permission of the PC owner in order to install a 'trusted box'.
(c) At the point of a contract between a PC owner and such an agent (e.g. a software supplier) the full consequences of the contract will be set out (e.g. no later changes to what the trusted box can do).
(d) A code of ethics on the use of these features will be published and 'agreed' by the community at large.

In the hands of an informed and vigilant owner these safeguards will be sufficient in my view to protect their interests in a DRM sense.

But I am very unsure that this will be sufficient. The big problem here is that most owners will not understand these issues and this may mean that suppliers will be able to use these facilities in such a way that the balance of power in the market will shift away form PC owners to suppliers. And while it is not unreasonable for suppliers to want some way of protecting their 'crown jewels', we all know that this power will not simply be used for this purpose but also to fragment the market and boost profits in the way that DVD suppliers have tried to do with region coding.

Hence, while I disagree with Ross on the GPL issue, I support Ross's concerns here.

But I also have additional worries. While it is true that some TCPA features can help in a limited way to prevent virii, worms etc., other features might well prove to be a hacker's paradise. A user who does not fully understand the nature of the 'trusted boxes' on their machine could easily be persuaded to allow the installation of a box that gave a hacker a powerful influence over the operation of their machine. Those who have studied crypto-virus techniques will immediately recognise the seriousness of this form of attack and that a 'trusted box' would be a pretty well ideal hiding place from which to conduct operations of this kind.

The TCPA way around this is to suggest that the ability to install trusted boxes will be controlled by a third party called a 'privacy CA'. This CA will, in effect, say to the PC owner "the remote agent who wants to install a trusted box on your machine is a good guy" and to the remote agent "the PC on which you want a trusted box can supply one". And I see this as a big problem since I am very sceptical about the security value of third party CAs.

At this stage, therefore, I don't have a problem with TCPA features that are designed to allow PC owners to exert better control over the security of their machines (secure boot, OS signing etc.). But in respect of the DRM features, I am distinctly uneasy about their functionality in the hands of the average PC owner and on the way in which this may change the balance of power in the market. I am also worried that these features might actually help very powerful forms of attack and I am unconvinced about the reliance of key aspects of the architecture on third party CA principles.

I apologise for the length of this post but this is a very important issue and one that deserves careful study. I hope that by setting out my own thoughts I can encourage others to take a look for themselves (TCPA specifications are openly available). In my view it is vital that these developments are subjected to careful and determined open scrutiny before they enter the marketplace.

Finally I want to make it clear that I am consulted on TCPA regularly and also consulted by a number of the companies who are building related implementations. At no time have I ever taken money for this consultation work and where I have signed NDAs these only constrain my ability to reveal proprietary implementation details. At no time have I hidden the fact that I do this work, nor have I ever advertised the fact for self aggrandisement purposes.

Brian Gladman

From: "Brian Gladman" <brg@gladman.plus.com>
To: <ukcrypto@chiark.greenend.org.uk>
Subject: Re: Intel to include DRM in new Pentium 4 series processors
Date: Thu, 12 Sep 2002 21:51:44 +0800

----- Original Message -----

From: "Nicholas Bohm" <nbohm@ernest.net>
To: <ukcrypto@chiark.greenend.org.uk>
Sent: Thursday, September 12, 2002 8:40 PM
Subject: Re: Intel to include DRM in new Pentium 4 series processors

> This seems to imply that the owner of a TCPA machine can use it to verify
> any signatures he wants (i.e. import into TCPA any public keys he trusts)
> and will not be dependent on having keys signed by parties approved by the
> TCPA consortium or anyone else.
>
> Is this in fact a feature of TCPA?

Yes, I believe this to be the case.

Brian