Of TCPA, Palladium and Wernher von Braun
And whether you'll be able to trust your computer, RSN...
The Register left the pub fairly early, so we can't be absolutely certain that yesterday's Trusted Computing Masterclass in London passed off without bloodshed, but we're pretty certain it did. The audience was well-behaved, Alan Cox just about kept the lid on cruel jibes about convicted monopolists, and Microsoft Palladium general manager John Manferdelli seemed to take them in good part anyway.
Oddly, the most abrasive moment came towards the end when the Trusted Computing Platform Alliance (TCPA) rep showed signs of being not entirely at one with Microsoft. But more of this strange incident anon. Otherwise, the event made a fair stab at explaining what trusted computing is, how it will be implemented, and what it will mean.
David Everett, smartcard expert and Mondex architect, compered and set the scene, while Stefek Zaba of HP Labs produced an entertaining geeks-eye view of trusted computing, Charles Powell of Infineon attempted to cram a complete exposition of TCPA into 45 minutes, and Manferdelli produced one of the most detailed expositions of Palladium so far. For the opposition, Alan Cox focussed firmly on the issue of who owns the keys, while Ross Anderson of Cambridge Computer Labs did the 'black helicopters' presentation (which doesn't necessarily mean he's wrong - more, too, of this anon).
Manferdelli's presentation is however a good entry point to the debate, as many of the other issues flow from it.
What is Palladium?
Palladium is not secure Windows. Not exactly. Nor is it a standalone OS. Not exactly. Manferdelli presents it as a sort of parallel OS that is securely ringfenced from Windows, but which doesn't run all the time, and which actually you wouldn't want to run all the time.
It works like this. Ordinarily, you're running whatever flavour of Windows Microsoft is shipping when Palladium itself ships. You wish to engage in some form of secure transaction, so you boot Palladium. Palladium boots from within Windows, using the underlying TCPA hardware to establish that it has not been compromised (i.e., it really is running on the hardware, not under emulation, and that there has been no unexpected change in the status of the platform). Having confirmed that the platform really is the platform, it has established identity and can therefore proceed.
Manferdelli's presentation, incidentally, identifies the underlying hardware as "Secure Support Component - Security chip on the motherboard." This does not necessarily, it would seem to us, mean it's TCPA, but he confirms that Microsoft intends to use the TCPA 1.2 part in this role.
Palladium consists of a secure kernel, the "Nexus," with NCAs (Notarized Computing Agents, aka applications) running on this. A content producer or service provider would produce an NCA (e.g. a media player) as a secure mechanism for transacting with the user, but the design approach being taken by Manferdelli's team raises some questions about this.
In order to avoid being compromised by insecurity over on the Windows side, the Nexus uses physical memory that is isolated from Windows, and it is protected against DMA/ busmaster-based attacks. That means you can't use hardware to monitor traffic and figure it out from there, but it also means you can't use hardware. Sort of. Palladium however is not a full, standalone operating system, but is intended to use Windows services to support the secure NCA apps. So, presuming you'd used a secure NCA to buy a limited play movie, you'd be likely to be using the multimedia capabilities over on the Windows side to play it back. This presumably will depend on non-Palladium systems on the Windows side protecting the content stream, which suggests that the clean and simple Palladium Manferdelli outlines will be a lot more complicated in practice. Unless people are happy watching DVDs in 16 colour VGA, but we think not.
Palladium is small, and although it looks to us as if it could be ported onto other platforms, the current target is the x86. It also looks to us as if it could be developed into a standalone OS, but again this appears not to be the intention. Manferdelli says "the Palladium team don't want to get in the middle of an NT test cycle," which suggests its development as a full OS a la NT was considered, but rejected. The use of services from Windows is clearly a consequence of that decision.
But on the other hand, as currently specced Palladium doesn't look very convincing. It's a sort of secure subsystem you can kick in when needed, but when it's not running, Windows is just as secure or insecure as, well, Windows. And in practice it's most likely to be in use when it suits vendors, rather than when it suits you. You personally might want to be sure your system is entirely secure, and that you can establish your identity when you want to, but you're surely most likely to find yourself kicking in Palladium when a vendor wishes you to prove this is your credit card and that it's your money that's about to become their money. Beyond that, you'll still be waiting for a generally-secure OS, and Palladium 1.0 isn't it.
Whose identity is it anyway?
You may reasonably be wondering at this point why it is that the security systems are establishing an identity for your computer, when it's your credit card we're talking about, not the computer's. You may also be wondering why the ID chip has to be in the computer, when it's a design goal that it should cost next to nothing, and could therefore go into a smartcard. This would allow you to establish your identity from any computer with a reader, right?
The counter-argument, which The Register is not entirely convinced by, is that you can only be sure that the transaction is really secure if you can rely on what you communicate via I/O (typically the keyboard) being secure, and on what appears on the screen for you to really be on the screen, rather than faked by some nefarious person. So, in the smartcard scenario you'd have to presume that Outland began where the smartcard ended, rather than where the cable left the PC, and you could therefore not trust what was happening on the PC as being real.
However, this would appear to us to be a very large hammer being used to crack a fairly small nut - the faked screen scenario presumes an absence of security practically everywhere else in the transaction chain, and while this is possible, it seems highly unlikely. Sure, selling TCPA/Palladium as being absolutely secure might be important, but Manferdelli makes no bones about Palladium not being absolutely secure - it's not intended to protect against "sophisticated hardware attacks."
Stefek Zaba's presentation might just have been a little too entertaining, given that in true geek fashion he raised the question of whether TCPA might be devil's spawn, then wound up by describing (actually, singing) Tom Lehrer's "Wernher von Braun" defence:
"Once the rockets are up, who cares where they come down - That's not my department, says Wernher von Braun."
As it turned out later, the proponents of Palladium and TCPA are a tad sensitive about Wernher von Braun remarks. But unfortunately, that really is their position. Of themselves neither TCPA nor Palladium are bad, because they simply establish a secure identity and enable secure transactions. But as Manferdelli says, what you do with Palladium is "totally up to users and to the writers of applications" (our emphasis). So any badness associated with Palladium stems from the kinds of NCAs that are produced and what they are used for. They define "where the rockets come down."
That's not Manferdelli's fault, and it's not Microsoft's fault. Well, not that department, anyway. One can envisage scenarios where content providers could use Palladium to destroy compromised content, and indeed one does not have to envisage too hard. Microsoft, for example, has said quite a bit about how its secure media player technology can be used to deal with compromised devices, and the company is already checking IDs at Windows Update and denying service to compromised installations. Plus, according to the latest licences, the company reserves itself the right to "disable your ability to copy and/or play Secure Content." So although Manferdelli's department may be clean, it's still reasonable to worry about the other departments. And about what the entertainment business might do if given access to this kind of power.
Zaba, rationally enough, points out you can't have ideological controls in trusted computing platforms, and that this really has to be dealt with at the political level. True enough, but in the interim we'll likely be hearing a lot from Wernher von Braun.
The open source angle
Alan Cox concentrated on the issues of who owns the platform and who owns the key, neatly using Xbox as an example. If you own the keys, then you have the ability to do what you like with the systems you've bought. Your changing the software would clearly have an impact on the trustworthiness of the keys, and people who had established a trust relationship prior to the change would quite possibly then not trust you. So you just go back to them and establish a new relationship, cool, and Alan's happy with that.
But if you don't own sufficient keys to change the system, and somebody else has the rights to say what you can and cannot do with the system, then the system is, in Cox's view, inherently insecure. Which is the case with Xbox. Cox also points out that where you don't own the keys, then "a third party can say you trust your cable provider" (we suspect Cox's cable provider may be something of an issue for him). More seriously, keys could be interfered with in the name of national security, and even the possibility of this happening clearly destroys trust.
As regards the GPL, Cox reckons that distributing GPL'd code tied to a system where the owner cannot change the keys is probably a licence violation. This however is a fairly academic point at the moment, because the circumstances under which Palladium will be distributed outside Microsoft have yet to be defined.
In principle, it seems perfectly feasible for a Linux or A N Other OS to run alongside Palladium in pretty much the same way as Windows is intended to. Microsoft says it will publish the Palladium source code for scrutiny, but doesn't specify the conditions under which it will do so, although it seems fairly obvious that it will do so under some form of 'look, don't touch' licence. Will you be able to get a Palladium licence without Windows? No data as yet. What will it cost? Again, not specified.
So until Microsoft starts to set out its stall on these, developers outside the company won't be able to get much further than 'what if?' Some of the responses in the Q&A session at the end of the day however indicated that there's little chance of Palladium being positioned as a general platform other developers can build with and on. The underlying assumption seemed to be that people developing for Palladium would actually be developing NCAs, players and the like, and that the standards-defining was to be done by the custodians of TCPA and Palladium. So if you asked about developing Palladium itself, you still got an answer about developing a player.
Bringing up the rear, Ross Anderson seemed deeply pessimistic, at least about the medium term. Trusted computing will happen, and it will not happen initially in a way that will be to the advantage of the user. The backlash (Zaba's "political level") will however tend to correct this. Anderson insists that TCPA has an underlying agenda of "fixing the software theft problem, dealing with free software and satisfying the NSA-FBI," and while the extent to which this has been overtly documented is maybe debatable, there is a relentless logic to it.
If vendors have the ability to use trusted computing to lock users into their formats and reject rival formats as 'insecure,' then at least some of them will. If trusted computing tends to isolate or lock out open source, well, some vendors might think that a handy side-effect. And if the security services come knocking, point out that there is good service your system can do in the name of national security, then are you going to turn them away?
Further into helicopterland, Anderson sees TCPA as potentially undermining the Gutenberg inheritance. His argument goes that the invention of moveable type allowed the widespread dissemination of information, and stopped it being suppressed easily (e.g. Tyndale got 50,000 translated New Testaments out before they caught him and strung him up). But if the ability to destroy all copies exists, then by virtue of a court order the controlling entity could be forced to destroy them. The Church of Scientology, for example, could compel the deletion of all copies of the Fishman Affidavit, which it regards as highly damaging, but which it has already had removed from some sites on the basis that it owns the copyright.
And what if the US, in the name of national security, could pull the plugs on every copy of Microsoft Office in China? Or what if the Chinese merely thought the US had this ability? It's really, as Cox pointed out, down to who owns the keys, and if it's not clear that nobody owns the keys (which would presumably be the open source solution) then it doesn't really work. Who do you trust? Nobody? Good, let's put Nobody in charge then... ®
About that near clash between Charles Powell and John Manferdelli. Manferdelli did not, as far as we could detect, say much to justify Powell flying off the handle, but Powell exploded thus: "It is not Microsoft's name, it is Infineon's name... [what happens] will not be dictated by a software vendor or an application vendor." What the hell was that about, one wonders? The TCPA people seemed - appropriately enough - chippy, defensive and paranoid. Whenever they walk into a room, presumably they expect everyone to think they're evil, and there to be a Microsoft hit-man with a lead-filled sock standing behind the door. As far as the latter is concerned, there may be significance in TCPA 1.2 not having quite made it to Manferdelli's overheads. And one does wonder why it takes 190 members to define a very small and very cheap ID chip on a motherboard. Maybe Microsoft wonders that too.
Sponsored: Customer Identity and Access Management