Cryptographers Find Fault With Palladium

FrzrBrn writes "Whitfield Diffie and Ronald Rivest raised concerns about Microsoft's Next-Generation Secure Computing Base (formerly Palladium) at the RSA Conference in San Francisco on Monday. They are (naturally) concerned about vendor lock-in and having computers turned against their owners. See the story at EE Times."

Sidenote about RSA

[preternatural]

The inventors of the RSA algorithm (Ron Rivest, Adi Shamir, and Len Adleman) were awarded the Turing Award on Monday. This was announced at the opening of the RSA conference. More information can be found in this article.

This sums it up

[Target+Drone]

From the article: The Microsoft approach "lends itself to market domination..."

Does anyone think Microsoft would have it any other way?

info on dr. Diffie e.g. karma whoring at its best

[thanasakis]

Whitfield Diffie, who holds the position of Distinguished Engineer at Sun Microsystems Laboratories is best known for his 1975 discovery of the concept of public key cryptography, for which he was awarded a Doctorate in Technical Sciences (Honoris Causa) by the Swiss Federal Institute of Technology in 1992.

For a dozen years prior to assuming his present position in 1991, Diffie was Manager of Secure Systems Research for Northern Telecom, functioning as the center of expertise in advanced security technologies throughout the corporation. Among his achievements in this position was the design of the key management architecture for NT's PDSO security system for X.25 packet networks.

Diffie received a Bachelor of Science degree in mathematics from the Massachusetts Institute of Technology in 1965. Prior to becoming interested in cryptography, he worked on the development of the Mathlab symbolic manipulation system --- sponsored jointly at Mitre and the MIT Artificial Intelligence Laboratory --- and later on proof of correctness of computer programs at Stanford University.

Since 1993, Diffie has worked largely in public policy, in the area of cryptography. He has testified twice to the House and twice to the Senate. His position --- in opposition to limitations on the business and personal use of cryptography --- has been the subject of articles in the New York Times Magazine, Wired, Omini, and Discover. The subject has also been covered on the Discovery Channel, Equinox TV in Britain, and the Japanese TV network NHK.

Notariety has provoked a number of awards, including: IEEE Information Theory Society Best Paper Award for 1979, IEEE Donald E. Fink award for 1981, the 1994 Pioneer Award, given by The Electronic Frontiers Foundation for contribution to the quality of life in cyberspace, the 1996 National Computer Systems Security Award given jointly by NIST and NSA, the 1997 Louis E. Levy Medal from the Franklin Institute in Philadelphia, the First ACM Paris Kanellakis Award for contribution to theory and practice in computer science, the IEEE Information Society Golden Jubilee Award for invention of the Diffie-Hellman key exchange protocol.

Not A Crypto Fault

[rsmith-mac]

Just as a note, contrary to what most people's initial reaction is, the article does not talk about any cryptographic flaw in the system. Diffie is arguing the merits(or lack thereof) of a system that the user doesn't hold the key to; Palladium itself hasn't been proven insecure(yet).

The alleged benefit of the CBDTPA, Pd, etc.

[yerricde]

Is there any way whatsoever in which this would help Joe User or Joe Hacker(not to be confused with Joe Cracker)?

The excuse given for the CBDTPA, which may apply to Pd as well, is that more authors would be willing to publish works in a digital restrictions management system than in a system that grants all fair use rights by default.

The big picture

[vinsci]

For the big picture of this story see the TCPA / Palladium / NGSCB / TCG Frequently Asked Questions

It is well worth a read giving an insightful historical perspective and with translations to a number of other languages available.

Not all authors will switch to DRM

[yerricde]

Optional as in you won't need it if you don't want to [use any new copyrighted works]

You assume that all authors would switch over to a digital restrictions management system. This may be true of the studios in the Motion Picture Association of America, but there remains a thriving community built around limited free sharing of copyrighted works, especially computer programs.

And if you claim that free software won't be allowed to boot on future computers, I don't find that substantiated. What I've read of the Palladium specification states that Palladium comes into play only when the system is booted with Palladium support turned on in the BIOS, and only for those processes that import palladium.dll. From Microsoft's marketing material: "A 'Palladium'-enhanced computer must continue to run any existing applications and device drivers." And the TCPA TPM FAQ (pdf) states that "The trust model the TCPA promotes for the PC is: the owner runs whatever OS or applications they want".

The key is not the point

[xpl_the_myst]

The number of bits in the key is not the issue. In fact, most secure protocols like SSL use a decent size so that brute forcing is not worthwhile.

The point actually is that any theoretical construct like a cryptographic scheme or a TCP protocol needs practical implementation in code. And this is where the bugs creep in. And with things like Microsoft, those bugs are as common as snow in Greenland. And so all these hackers/crackers out there working their fingers on their keyboards and peering into bright screens into the fading night can 'hack' Palladium.

Microsoft has taken on itself to make errors wherever possible and remain as human as any one of us. Trust them to repeat their humanity and come up with enough holes in their Palladium implementation to let most hacks through.

_Correction_

[jstockdale]

Ummm, exactly WHY do you think the NSA seems to have suddenly stopped contributing code to the NSA security enhanced linux project?

I suppose the NSA stopping all development on SE Linux is the reason that they just posted updates one week ago to SE Linux, as well as in January 2003, December 2002, and October 2002, all of which took place after this article reported them dropping the project (August 2002).

Not to flame, but just check your sources first next time ;)

Re:It's called "Boiling the frog"

[cyberformer]

It may be a logical fallacy, but the our legal system isn't built on logic. Lawyers use a system of precedents, so the slope is extremely slippery.

For example, one reason that the Supreme Court gave for not striking down the latest Mickey Mouse copyright extension act (in Eldred v. Ashcroft) was that it had not struck down other previous copyright extensions. Give an inch and they take a mile.

Re:Cryptographers Find Fault With Palladium

[OneEyedApe]

I am well aware that I am part of a small minority, and I tried to indicate that. For most business types, moving to Linux would indeed be difficult.

And I do hope that your transition over to Linux goes well for you and your business. Best of luck.

there was a thread..

[Dave_bsr]

there was a thread yesterday wherein many farkers were talking about how this action by MS was frustrating, and that they wanted to switch.

here.

just a not-so geeky viewpoint there.