Slashdot Mirror
Cryptographers Find Fault With Palladium
FrzrBrn writes "Whitfield Diffie and Ronald Rivest raised concerns about Microsoft's Next-Generation Secure Computing Base (formerly Palladium) at the RSA Conference in San Francisco on Monday. They are (naturally) concerned about vendor lock-in and having computers turned against their owners. See the story at EE Times."
The inventors of the RSA algorithm (Ron Rivest, Adi Shamir, and Len Adleman) were awarded the Turing Award on Monday. This was announced at the opening of the RSA conference. More information can be found in this article.
Does anyone think Microsoft would have it any other way?
Just as a note, contrary to what most people's initial reaction is, the article does not talk about any cryptographic flaw in the system. Diffie is arguing the merits(or lack thereof) of a system that the user doesn't hold the key to; Palladium itself hasn't been proven insecure(yet).
Is there any way whatsoever in which this would help Joe User or Joe Hacker(not to be confused with Joe Cracker)?
The excuse given for the CBDTPA, which may apply to Pd as well, is that more authors would be willing to publish works in a digital restrictions management system than in a system that grants all fair use rights by default.
Will I retire or break 10K?
It is well worth a read giving an insightful historical perspective and with translations to a number of other languages available.
Trusted Computing FAQ | Free Dawit Isaak!
Optional as in you won't need it if you don't want to [use any new copyrighted works]
You assume that all authors would switch over to a digital restrictions management system. This may be true of the studios in the Motion Picture Association of America, but there remains a thriving community built around limited free sharing of copyrighted works, especially computer programs.
And if you claim that free software won't be allowed to boot on future computers, I don't find that substantiated. What I've read of the Palladium specification states that Palladium comes into play only when the system is booted with Palladium support turned on in the BIOS, and only for those processes that import palladium.dll. From Microsoft's marketing material: "A 'Palladium'-enhanced computer must continue to run any existing applications and device drivers." And the TCPA TPM FAQ (pdf) states that "The trust model the TCPA promotes for the PC is: the owner runs whatever OS or applications they want".
Will I retire or break 10K?
The number of bits in the key is not the issue. In fact, most secure protocols like SSL use a decent size so that brute forcing is not worthwhile.
The point actually is that any theoretical construct like a cryptographic scheme or a TCP protocol needs practical implementation in code. And this is where the bugs creep in. And with things like Microsoft, those bugs are as common as snow in Greenland. And so all these hackers/crackers out there working their fingers on their keyboards and peering into bright screens into the fading night can 'hack' Palladium.
Microsoft has taken on itself to make errors wherever possible and remain as human as any one of us. Trust them to repeat their humanity and come up with enough holes in their Palladium implementation to let most hacks through.
This sig is empty.
Ummm, exactly WHY do you think the NSA seems to have suddenly stopped contributing code to the NSA security enhanced linux project?
;)
I suppose the NSA stopping all development on SE Linux is the reason that they just posted updates one week ago to SE Linux, as well as in January 2003, December 2002, and October 2002, all of which took place after this article reported them dropping the project (August 2002).
Not to flame, but just check your sources first next time
**AA: a bunch of mindless jerks who'll be the first against the wall when the revolution comes