[ISN] TCPA / Palladium Frequently Asked Questions

From: InfoSec News (isnat_private)
Date: Fri Jun 28 2002 - 01:30:16 PDT

  • Next message: InfoSec News: "[ISN] Tip from Mtn. View sparked online terror probe"

    Version 0.1 26 June 2002 
    1. What are TCPA and Palladium? 
    TCPA stands for the Trusted Computing Platform Alliance (TCPA), an
    initiative led by Intel. Their website is here. Their stated goal is
    `a new computing platform for the next century that will provide for
    improved trust in the PC platform.' Palladium appears to be a
    Microsoft version which will be rolled out in future versions of
    Windows, will build on TCPA hardware, and will add some extra
    features. The Palladium announcement appears to have been provoked by
    a paper I presented on the security issues relating to open source and
    free software at a conference on Open Source Software Economics in
    Toulouse on the 20th June. This paper criticised TCPA as
    anticompetitive. This has been amply confirmed by new revelations over
    the past few days.
    2. What does TCPA / Palladium do, in ordinary English?
    Its obvious application is to embed digital rights management (DRM)  
    technology in the PC. The less obvious implications include making it
    easier for application software vendors to lock in their users.
    3. So I won't be able to play MP3s on my PC any more?
    With existing MP3s, you may be all right for some time. But in future,
    TCPA / Palladium will make it easier to sell music, movies, books and
    other content packaged so that people can play them on their PCs but
    not copy them. You might be allowed to lend your copy of some digital
    music to a friend, but then your own backup copy won't be playable
    until your friend gives you the main copy back. Quite possibly you
    will not be able to lend music at all. (It looks likely that the music
    publisher will be able to make the rules - and to change them at will
    by remote control.)
    4. How does it work?
    TCPA provides for a monitoring component to be mounted in future PCs.  
    The likely implementation in the first phase of TCPA is a `Fritz' chip
    - a smartcard chip or dongle soldered to the motherboard.
    When you boot up your PC, Fritz takes charge. He checks that the boot
    ROM is as expected, executes it, measures the state of the machine;  
    then checks the first part of the operating system, loads and executes
    it, checks the state of the machine; and so on. The trust boundary, of
    hardware and software considered to be known and verified, is steadily
    expanded. A table is maintained of the hardware (audio card, video
    card etc) and the software (O/S, drivers, etc); if there are
    significant changes, the machine must be re-certified. The result is a
    PC booted into a known state with an approved combination of hardware
    and software. Control is then handed over to enforcement software in
    the operating system - this is presumably Palladium if your operating
    system in Windows.
    Once the machine is in this state, Fritz can certify it to third
    parties: for example, he will do an authentication protocol with
    Disney to prove that his machine is a suitable recipient of `Snow
    White'. The Disney server then sends encrypted data, with a key that
    Fritz will use to unseal it. Fritz makes the key available only so
    long as the environment remains `trustworthy'. For this purpose,
    `trustworthy' means that the media player application won't make any
    unauthorised copies of content.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.

    This archive was generated by hypermail 2b30 : Fri Jun 28 2002 - 04:19:11 PDT