Controversial Security Paper Nixed From Black Hat

coondoggie writes us with a link to the Network World site, as he tends to do. Today he offers an article discussing the cancellation of a presentation which would have undermined chip-based security on PCs. Scheduled during the Black Hat USA 2007 event, the event's briefing promised to break the Trusted Computing Group's module, as well as Vista's Bitlocker. Live demos were to be included. The presenters pulled the event, and have no interest in discussing the subject any more. "[Presenters Nitin and Vipin Kumar's] promised exploit would be a chink in the armor of hardware-based system integrity that [trusted platform module] (TPM) is designed to ensure. TPM is also a key component of Trusted Computing Group's architecture for network access control (NAC). TPM would create a unique value or hash of all the steps of a computer's boot sequence that would represent the particular state of that machine, according to Steve Hanna, co-chair of TCG's NAC effort."

Reason for pull?

[gravos]

So, did they pull because they had a problem with the demos at the last minute, or is there a more sinister conspiracy-type explanation for this retraction?

Re:Reason for pull?

[Baron_Yam]

I would definitely be very interested to find out if it is a case of the presenters discovering they hadn't really done what they claimed, or if they folded under threat of litigation.

This is interesting enough geek news that I expect some tech journalist somewhere will follow up on it.

Re:Reason for pull?

[Rob+T+Firefly]

FTA:

A spokesman for the conference was unable to offer more information. "At their request, they are no longer presenting. That is all the info I have," said the spokesman, Nico Sell, in an e-mail.

(emphasis mine)

Re:Reason for pull?

[j0nkatz]

Who cares???

It's iPhone Day!!!

Re:Reason for pull?

[PoliTech]

As for why they cancelled the presentation, last year Cisco sued Black Hat conference organizers after a security researcher demonstrated a method for running unauthorized code on a Cisco router. That, or there was a deal made.

My question is why would anyone place their information security "Trust" in MS BitLocker, or Indochinese hardware (TPM chips) that likely already contain built in backdoors for John Law, and corporate drones?

Open Source Full disk encryption is fast and free, open source Firewalls and process restricting software are available for those who just can't resist getting infected with the latest malware. Most Open Source security software developers are likely NOT under the control of Big Brother in any form, be it corporate drones or big government fascists.

So while I'm a little disappointed that the Back Hatters decided to forgo the presentation of cracking TPM, since it was never trustworthy or secure to start with, and since anyone serious about security would never use such a faux security scheme at the outset, cracking TPM and "Trusted Computing" was only a curiosity anyway.

The "Trusted Computing Initiative" is simply a way to provide vendors "Plausible Deniability" and to limit liability for allowing exposed data, nothing more.

Re:Reason for pull?

[WED+Fan]

Or, perhaps, like in science, they discovered a flaw in their own methodology that rendered the presentation pointless. It does happen. How many times has someone yelled eureka, only to have some genius say, "Uh, Bob, you still have the machine plugged into the grid, it's not under its own power"?

Re:Reason for pull?

[computational+super]

As for why they cancelled the presentation, last year Cisco sued Black Hat conference organizers after a security researcher demonstrated a method for running unauthorized code on a Cisco router.

And still there are people, even here on Slashdot, who insist that anonymous speech is not a precondition for free speech.

Re:Reason for pull?

[Blue+Stone]

>"Or, perhaps, like in science, they discovered a flaw in their own methodology that rendered the presentation pointless. It does happen

Then why did they not just say that?

Re:Reason for pull?

[doc_doofus]

That's it!!
They have to wait in the latest never ending line for the latest eyeGizmo and so, won't be able to attend. "Queues of more than 100 people have already formed outside the company's flagship store in Manhattan, with one gentleman -- the first to form the line -- now in the 4th day of his vigil on 5th Avenue." (emphasis mine)
http://technology.timesonline.co.uk/tol/news/tech_ and_web/article2005122.ece

Re:Reason for pull?

[billcopc]

This is going to sound horrible but sometimes it's just a cultural thing. Nobody wants to admit they're wrong. Some Americans don't break unless you're holding a big effing gun to their head. Some Indians just never break... I don't know why and I'm certainly not qualified to research it, but anyone who's worked with Indian consultants and staff has run into this brick wall: your guy screwed up royally but adamantly refuses to admit it, like you're going to rip his head off if he does.

Back to the topic: in this case, I wouldn't be all that surprised if the whole thing was a hoax. Let's pretend they didn't crack the system. Let's say they just started talking like they had figured out, but actually hadn't. Their names were on the guest list, and now they're on slashdot. People think there's an exploit when really there isn't. The perceived threat (to TPM manufacturers) is non-negligible, and some of damage is already done, sight unseen.

Have you ever seen a "terrorist" with your own eyes ? Probably not. Are you afraid of them ? Probably yes. As long as there's the seed of doubt, humans will act irrationally.

Re:Reason for pull?

[luckysam]

There is no conspriracy... The presenters' visa to enter USA has been under FBI name check for over a year ...

Re:Reason for pull?

[dr.badass]

This is interesting enough geek news that I expect some tech journalist somewhere will follow up on it. I heard Brian Krebs is already on the case.

Re:Reason for pull?

[stickystyle]

As for why they cancelled the presentation, last year Cisco sued Black Hat conference organizers after a security researcher demonstrated a method for running unauthorized code on a Cisco router. That, or there was a deal made. So then just how "black hat" is this conf?

Re:Reason for pull?

[Allador]

Open Source Full disk encryption is fast and free ... Can you link us? The only whole-disk encryption I'm aware of is from PGP and MS.

I'm assuming here that in your words, 'Full disk encryption' is the same as 'Whole disk encryption'.

Wikipedia also shows that Seagate has a product as well. But I'm not aware of a single open-source 'full disk encryption' implementation out there.

Note that software like TrueCrypt, while amazing, and useful pieces of software, do not do whole disk encryption.

Re:Reason for pull?

[ChatHuant]

My question is why would anyone place their information security "Trust" in MS BitLocker, or Indochinese hardware (TPM chips) that likely already contain built in backdoors for John Law, and corporate drones?

Open Source Full disk encryption is fast and free

And why would you trust it any more than MS or Cisco or others? Using "Open source" as an equivalent of "cryptographically impregnable" is a dangerous misconception. A serious company selling security solutions has a compelling interest to ensure the correctness and robustness of their solution; an anonymous coder doesn't really, even assuming he's a bona fide developer trying to provide a good solution, and not some russian hacker really curious about your credit card number. You could trot out the old chestnut about how with many eyeballs all bugs are shallow, but that's just another misconception. Really, how many people actually bother going line by line through their disk encryption software to make sure that it's solid and not malicious? And how many people have the expertise to even realise there may be a backdoor in the crypto code? A good trojan will not look like if (strcmp(key, "MYSECRETKEY!!!LOLZ") != 0). And even if somebody will go through the code and find that this particular application is bugged, how will users get this information? With Cisco, Microsoft or Apple you'll get a patch sooner or later, or at least e-mail letting you know there is a problem. The process is much more difficult if you use some random application off the Internet; you'll need to scan the security lists, check often for new releases, and generally go through much more effort than a normal user would or even should do.

Now, for everyday low security tasks, such as making relatively sure a nosy 14 year old doesn't get into your "special" files, a generic encryption app is probably ok. For serious proffesional stuff, I wouldn't trust something just because it's open source.

Re:Reason for pull?

[slashnik]

No, it's Wrong Trousers Day
http://www.wallaceandgromitfoundation.org/

Re:Reason for pull?

[PoliTech]

And why would you trust it any more than MS or Cisco or others?

You do make some very good points, but because the Full Disk encryption software is not a chip soldered to my Motherboard. If the encryption software I choose is full of holes, I can then replace it with a certified paid product or another open source product.

The issue here is that the "security" offered by MS and TPM isn't all that secure to start with, and you can't get rid of it whether you want it on there or not ... at least not without abandoning the MS OS and/or the hardware with TPM installed.

For something like truecrypt,http://www.truecrypt.org/ I don't think it's any more inherently insecure than most pay products, and since I actually use it I can personally attest that it is better than most.

Re:Reason for pull?

[PoliTech]

truecrypt,http://www.truecrypt.org/

Re:Reason for pull?

[PoliTech]

Whoops! I hit the submit button before finishing my answer ...

Your right of course If you want whole disk encryption with preboot you need to cough up a hundred bucks or so. If you want hardware based whole disk encryption you won't find any software acceptable because it requires the encryption to be built into the hardware (which I do not yet trust)

But Truecrypt is close enough to be enough (for me anyways).

Re:Reason for pull?

[WNight]

But what financial incentive does a company have to make your encryption secure? Maybe a little if they're 1) good and 2) dedicated. Bruce Schneier has a rep worth keeping.

Microsoft on the other hand? Even MS-bashing aside, they have a horrible reputation for security even still. They offer no guarantees of correctness and no warranties (expressly) in the case of failure, even known problems.

An independent coder on the other hand is at least protecting his files...

Re:Reason for pull?

[DuckDodgers]

And why would you trust it any more than MS or Cisco or others? Using "Open source" as an equivalent of "cryptographically impregnable" is a dangerous misconception. A serious company selling security solutions has a compelling interest to ensure the correctness and robustness of their solution; an anonymous coder doesn't really, even assuming he's a bona fide developer trying to provide a good solution, and not some russian hacker really curious about your credit card number.

See, I've worked for and with the big companies, and primary interest is profit. The emphasis was never on "best security possible", but always on "good enough to sell".

For a comparatively easy example, check Bruce Shneier's analysis of the Micosoft Challenge Handshake Authentication Protocol. http://www.schneier.com/paper-pptpv2.html

The open source developer could be a crook, he could be an amateur that isn't nearly as intelligent about security as he thinks he is, or he could be lazy. I accept that. But there's a decent chance the open source guy is just trying to write good software. The software corporation has to prioritize profit first and good software second, or they won't last long. Even if the developer has good intentions, the accountants trying to make enough money to pay the developer are running the show. I am sympathetic to the accountants' situation - but that doesn't mean I trust them.

How could a presentation "undermine" security?

[benhocking]

If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine. Don't shoot the messenger.

Re:How could a presentation "undermine" security?

[AP2k]

...Or kick him down a well.

Re:How could a presentation "undermine" security?

[eviloverlordx]

If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine. Don't shoot the messenger.

Agreed. Another possibility is that one of them discovered a flaw with their method. Eleventh-hour bugs right before demos are the most evil ones of all.

Re:How could a presentation "undermine" security?

The problem is that there are still people who believe in the concept of "security through obscurity", which can be undermined quite easily by pointing out the big gaping holes hidden under a few fluffy buzz-words, and if a messenger shows up trying to tell people about it, the owner of those holes will attempt to discourage them through any means available, including "shooting the messenger".
    It's very possible that the whole thing was called off because they didn't want to get treated like Dmitri Skylarov, who enjoyed the US Government's "hospitality" for quite a long time (even after Adobe dropped all charges against him) for pointing out that a supposedly "secure" encryption system was really just another ROT-13 equivalent.

Re:How could a presentation "undermine" security?

[BunnyClaws]

Agreed. Another possibility is that one of them discovered a flaw with their method. Eleventh-hour bugs right before demos are the most evil ones of all.

Ding! Ding! Ding! This more than likely is the case. What is more likely to happen? These guys getting silenced and quietly removing their presentation or these guys figuring out they were wrong and quietly removing their presentation. If there was a threat from the company there would have been a leak about the reason for pulling the plug on the presentation. More than likely the presenter discovered a flaw and quietly pulled the plug.

Re:How could a presentation "undermine" security?

[jimpop]

Another, another possibility is that they previously signed an NDA (possibly having even sold the exploit for $$) and are now contractually prevented from further discussion.

Re:How could a presentation "undermine" security?

[TheSHAD0W]

"The demonstration would include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System (which has TPM + BitLocker enabled)," the abstract said.

If they were able to do that, most likely they had what they said they had. I'm betting they were threatened with a lawsuit or a criminal complaint.

Re:How could a presentation "undermine" security?

[aldousd666]

I think it's highly unlikely that they'd have volunteered to present in the case that they didn't actually have the sploit already, but it's possible. I'm guessing (note I said Guessing, not arrogantly postulating, asserting, or stating) that they were bought out. Why not? it's a great exit strategy for a service well performed.

Re:How could a presentation "undermine" security?

[darkvizier]

What is more likely to happen?

I think what's more likely to happen is parties with a business interest in these technologies paying the presenters off to lay low for a time. If I had found a security flaw, and was offered, say $10,000 to shut my mouth about it, I'd do it. It's going to come out anyway, but the delay might be worth millions of dollars... Especially if they manage to find a fix in that time.

Re:How could a presentation "undermine" security?

[_Sprocket_]

What is more likely to happen? These guys getting silenced and quietly removing their presentation or these guys figuring out they were wrong and quietly removing their presentation.

While I definitely agree that its very plausible the researchers simply discovered that they goofed, I would also note that there is historical precedent for other motivations.

Re:How could a presentation "undermine" security?

[geekoid]

YOu would need to put 3 more zeros on that to shut me up, minimum.
Because when it gets found out, I would not be trusted in the future.

Re:How could a presentation "undermine" security?

[quentin_quayle]

benhocking "If the chip is secure, then no mere presentation can undermine its security. If it's not secure, then there's no security to undermine."

The TPM is designed to prevent the hardware owner from having access to at least one of the digital keys within it, and thereby to prevent the hardware owner from having control over software running in the "trusted", walled-off mode. It is therefore a DRM chip, not a "security" chip.

"Secure" in the sense you are using is from the key-holders' point of view, like the U.S. bases being "secure" against the rightful owners of the land who want to evict the occupiers.

It would be more correct to characterize the presentation as one which would help to restore security for the hardware owner whose device would otherwise be compromised by the euphemistically named "trusted computing" intrusions.

Re:How could a presentation "undermine" security?

[Overzeetop]

How about -$100,000 and possible jail time? Not an unusual price for a criminal investigation, say, for a DMCA violation. These guys really do play hardball, and if you're lawyer agrees with their lawyers, you'd have to have quite a set to go to a public forum where the authorities are waiting for you to finish your talk so they can take you downtown, along with your presentation as proof to turn over to the DA.

Not saying it's right...but there are both carrots and sticks, and I have no doubt they are both used.

Re:How could a presentation "undermine" security?

[LifesABeach]

I believe that these people were given an offer, they could not refuse. One has to ask, "Who would benefit by this deafening silence?"

Re:How could a presentation "undermine" security?

[Spy+der+Mann]

...Or kick him down a well.

Where's Lassie when you need her?

Re:How could a presentation "undermine" security?

[jZnat]

If your lawyer agrees with their lawyers, you might have found an awful lawyer! He/she could probably be disbarred for not working for their client to the best of their ability (the lawyer oath and whatnot)...

Re:How could a presentation "undermine" security?

[r_jensen11]

I would just solve the whole presentation problem (assuming that the chip is not secure) by responding to litigation by responding with "False Adversiting"

Re:How could a presentation "undermine" security?

[Big+Nothing]

"your" = belonging to you
"you're" = you are

Interesting meta-commentary

[WalterGR]

coondoggie writes us with a link to the Network World site, as he tends to do.

(emphasis mine.) Interesting. First time for such meta-commentary by a slashdot editor? I don't think we ever saw the same for one of Roland Piquepaille's many submissions...

Re:Interesting meta-commentary

[Aoreias]

coondoggie's profile website in is networkworld.com Roland's links to his blogs are rarely if ever the primary source for the submission, but rather a 'for more information...'

Now crackers will have an advantage...

[denis-The-menace]

Now crackers will have an advantage and the rest of us will be blind-sided.

I don't like the whole [trusted platform module] (TPM) because we consumers are are not trusted in the whole scheme.

But for the few us techies that get this P.O.S. "security" system foisted upon them by their clueless/soldout management, wouldn't be nice to be able to explain why the hacker(s) got through the night before?

Re:Now crackers will have an advantage...

[an.echte.trilingue]

Its not really about consumers. The customers that this system sells to are people who have computers that they let other people use, such as companies or governments. This offers them protection against stupid/disgruntled employees. You will note in the article, the attack is targeted at controlled network access, such as protected networks that you find in say, a bank.

If you see this stuff in your commercial home system, it is mostly because, having spent the money to develop this technology for big customers, manufactures can sell the same machine to you and the big customers without having to change their assembly lines. Of course, the people in marketing try to make it sound interesting to consumers, but it isn't.

Re:Now crackers will have an advantage...

[jeffasselin]

You are mistaken, because you think Microsoft's customer is the end-user or even the corporate buyer but it isn't. Microsoft's customer here is the RIAA and the MPAA and their constituents, and you're just an ATM machine to them.

Re:Now crackers will have an advantage...

[ajs318]

Would that be one of those ATM machines where you type in your PIN number, then?

I seem to recall that they have their electronics on a single PCB board.

Re:Now crackers will have an advantage...

[Allador]

TPM doesnt take away control from you, it gives you (as the machine owner/manager) much more power over what happens.

For example, it gives you, as the company who owns/manages the box, a stable and trusted piece of hardware to do encryption/decryption/signing, along with a key such as a USB drive or a smart-card.

Without something like this, its hard to trust, as the OS could be compromised, but (at least in theory) its much harder (nearly impossible) to crack the TPM hardware.

Of course, if these guys have the real thing, then the current gen of TPM may be blown out of the water.

I hope it's published anyway

[nxsty]

Trusted Computing is one security measure I'd like to see broken.

Re:I hope it's published anyway

[phyrebyrd]

Just virtualize it.

Re:I hope it's published anyway

The whole point of the design, almost the whole reason for having the hardware in the first place, is that you can't virtualize it. Neither a VM nor a computer without the chip can impersonate a computer with the chip, because they don't have the signed crypto keys which are (supposedly unextractably) embedded in the chip. It doesn't help if your VM is running inside a TC computer, because the TC device won't see the computer as running trusted software (it'll see the hypervisor, which will NOT be trusted unless it propagates the TCPA regime into the virtual system, which is what you're trying to avoid). So the chip won't attest to the VM's trustworthiness, and the VM can't do that for itself.

Re:I hope it's published anyway

[ajs318]

Except that there is no way for software to determine whether or not it is running in a virtualised environment. (If there was, that would indicate your virtualisation is not being done right.) Your virtual environment just has to listen for the challenges and send the correct responses. And you can know, by examining the software which is running within the virtualised environment, exactly what response it is expecting.

Re:I hope it's published anyway

[IgnoramusMaximus]

Except that there is no way for software to determine whether or not it is running in a virtualised environment. (If there was, that would indicate your virtualisation is not being done right.) Your virtual environment just has to listen for the challenges and send the correct responses. And you can know, by examining the software which is running within the virtualised environment, exactly what response it is expecting.

You misunderstand the way the TPM works. TPM chip computes a running checksum of a number of hardware CPU operations, such as memory access and/or sequence of instructions executed. Then a software in your VM will be asked to return to the remote party requesting attestation a digest value based on a random number sent to you by the other party and then run through the TPM chip. The VM has no access to the internals of the TPM chip (it is an opaque black box as far as the CPU is concerned) and thus cannot compute the correct response. Only the TPM chip can, which it will refuse to do since your running of the VM has altered the "one and only" sequence of instructions/memory accesses that the TPM continuously monitors.

In other words, TPM is specifically designed to defeat virtualization as the virtualized environment does not have sufficient data to recreate the correct responses, only the raw hardware, executing istructions under the supervision of the TPM chip, has.

Re:I hope it's published anyway

[IgnoramusMaximus]

So add some wires.

You mean helluva a lot of wires. Since the TPM straddles the whole width of data/address busses. In other words you gotta get a specialized board and stick the TPM onto it, following which you have to know precisely the expected memory access/contents change sequences, all the way from the moment the power switch goes into the "on" position on the PC.

Possible? Sure, but at what cost/effort ratio? Furthermore, no more hacking for the unwashed masses unless you've got one of those special, custom modified motherboards + TPM "virtualization" hardware. Stuff which is likely to be more illegal then crack cocaine soon and which can be caught at the border when its being imported from China or who knows where.

Re:I hope it's published anyway

[ajs318]

Whatever happens, the software is looking for a particular response from the TPM chip -- even if it asserts the "challenge" indirectly by address-knocking or something. You can determine from the software what it's looking for, and feed it the right things.

To all intents and purposes, TPM is just a password embedded into the motherboard. All you have to do is examine the hash function and the expected value, and then you can create something that hashes to the same thing. The hash function probably won't be very big in terms of code size. Because it absolutely has to be "live" while the check is being done, it can't be held encrypted, at least not during that phase. It may well be re-scrambled as soon as it finishes.

But maybe you don't even have to brute-force the password ..... because a successful comparison will set a status flag somewhere. Every so often, that flag gets checked and if it is not set, the processor chucks an exception. By the very definition of what virtualisation is, you can make changes deep within the virtualised processor from outside the virtual environment -- that is to say, you can alter status bits, register contents, even the IP; anything really, without so much as missing a clock cycle within the virtual processor.

Re:I hope it's published anyway

[Hizonner]

That would be true if it were local software that was doing the checks. The idea of the TPM is that you can use it to prove to a remote computer, not under your control, that your machine is running "blessed" software. The bank can verify that you're running an OS it's comfortable with. An online DRM system can refuse to hand over the key to decrypt media unless you prove your computer is "uncompromised" (and therefore won't make a copy of either the key or the media). You can virtualize your end, but you can't virtualize the end that's doing the verification. All any of the software running on your computer is doing is acting as a conduit between the remote server and the TPM. If your software messes with the messages passing back and forth, it just makes the verification fail, and the remote computer refuses to play ball. The remote computer will know if it's talking to a VM.

You can also use the technology locally in the way you describe, and people certainly would do so if it every became popular. If they do that, yes, it's hackable as you say. It's probably also hackable without doing the virtualization at all. But that local mode isn't the strongest way to set it up... and, since almost everything interesting is done online these days, having control of what you do online is almost as good as having total control over everything you do with the computer.

I think the real attack on this system is to take advantage of the fact that the "trusted" software itself is going to have bugs. The TPM doesn't check to see that the software is correct, just that it's the expected binary. Not only that, but the TPM itself only checks the BIOS or the bootloader or some such low-level software... that trusted loader is then expected to check the OS kernel, which is then expected to check all the rest of the code that gets loaded, which is then expected to act in the intended way. The chain of trust is long, and the trusted code base is huge, so the assurance is largely theoretical. But virtualization isn't the way to beat it.

Re:I hope it's published anyway

[ajs318]

If the checking is being done remotely, then your computer must be sending properly-formed packets down the network -- because properly-formed packets are the only thing you can send over the network. That kind of nullifies the address-knocking scheme (it doesn't matter what language the Natives speak amongst themselves, if it has to be translated into English before the messenger can deliver it to their Chief far away). There's still a chink in the armour.

TPM is beatable. I'd even go so far as to say "trivially", as long as you understand that I mean that in the strict mathematical sense. Hell, even my own Trusted Computing idea -- which would be where every single CPU had a different instruction set and addressing schema, and could only run code compiled for it, thus precluding distribution of software in binary form; unlike Microsoft's idea, this one is strictly about you, the owner of the computer having absolute control of whatever runs on it -- is beatable, if users are careless enough.

Re:I hope it's published anyway

[IgnoramusMaximus]

If the checking is being done remotely, then your computer must be sending properly-formed packets down the network -- because properly-formed packets are the only thing you can send over the network. That kind of nullifies the address-knocking scheme (it doesn't matter what language the Natives speak amongst themselves, if it has to be translated into English before the messenger can deliver it to their Chief far away). There's still a chink in the armour.

You keep forgetting that each packet is encrypted with a random (per session) key which is generated by the TPM based on the state of the TPM (and thus requires unaltered instruction sequences and memory contents - or helluva of hardware virtualization hacking), a secret key embedded unretrievably in the TPM and a random (per session) number sent by the other party. In other words, in order to crack the thing you either have to build a special-purpose computer, capable of completely isolating and fooling the TPM chip, since any monkeying with the software on its own (such as debugger sessions etc) will alter the internal state of the TPM and thus destroy your per-session decryption keys. Note also that in order to peek at the memory of the "trusted" process one has to somehow defeat the memory isolation between processes which is a pre-requisite of the TPM platform. In other words a custom CPU.

The point of the TPM is that while yes, it is breakable, it is not trivially or cheaply breakable.

Re:I hope it's published anyway

[IgnoramusMaximus]

Since the TPM doesn't do actual encryption on its own, all it would take is one grad student with the right equipment about an afternoon of work to fully compromise (as in extract the keys from) any wide-spread DRM system that relies on TPM. And once the keys are extracted, the test equipment is no longer necessary.

You are wrong. The TPM does both signing of remotely originating certificates and decryption key maintenance. That is one of its chief selling points. The decryption keys generated by the TPM are session specific, i.e. they are thrown away after each transmission of "protected contents" and are based on the remote values as well as the secret hardware-embedded keys within the TPM. TPM can also be used in one of its modes of operation to do on the fly decryption of any stream, instead of the CPU.

So you could, with all that equipment, get the throw-away set of decryption keys, or the actual decrypted contents. But this would not break the system for others, who do not have your specialized hardware. The operation you describe would have to be performed each time for each new session, even with the same contents.

Re:I hope it's published anyway

[BLKMGK]

Suggest further reading on the subject....

Yes, the software is expecting certain kinds of responses blah blah and you can modify the software to accept other inputs as valid. Except that the software is signed and verified at bootup by the TPM. TPM is a chain of trust sort of thing with the root of that trust buried in a chip filled with crypto and digital signatures. Many (damn near all actually) of the suggestions posted here so far violate that chain of trust and will be spotted by the TPM and a flag thrown on the play. Done RIGHT you're not going to be getting around the TPM so easily. Question is, did it get implemented "right"? These guys claimed they found a crack and have now pulled back so who knows.

What folks seem to forget is that the folks who designed the TPM chip were ALL already aware of all the kinds of things people are suggesting here. The XBOX 360 supposedly uses TPM and apparently trying to tap some of it's data lines is enough for it to shutdown. Data lines are apparently crypto'd when using TPM blah blah so just firing up a logic analyzer gets you pretty much squat. The guys who did this spec weren't dummies and there's big money on the line...

Re:I hope it's published anyway

[Jherek+Carnelian]

TPM can also be used in one of its modes of operation to do on the fly decryption of any stream, instead of the CPU. That statement is misleading. The TPM standard only defines on-the-fly asymmetric decryption, i.e. with public/private keys. Symmetric, like AES, operations are not externally accessible.

So you've got a choice if you have a large amount of data to decrypt, like say a movie. Either you use the TPM's asymmetric algorithms and wait forever because they are so slow, or you use symmetric algorithms like AES outside the TPM and in the host and just the TPM for key mgmt. That's the approach that a system like AACS must use, and thus the #1 public use for TPM is vulnerable to the attack that I originally described.

Re:I hope it's published anyway

[IgnoramusMaximus]

Either you use the TPM's asymmetric algorithms and wait forever because they are so slow, or you use symmetric algorithms like AES outside the TPM and in the host and just the TPM for key mgmt. That's the approach that a system like AACS must use, and thus the #1 public use for TPM is vulnerable to the attack that I originally described.

Not if the AES key is generated per-session, and the contents is encrypted with that session-unique key, based on random tokens supplied by the other end of the connection (i.e. the source of your media file). The fact that the media key is being exported outside of the TPM gets you nothing as that key becomes useless as soon as the session is complete. In order to do you what you described you would have to crack the entire internal mechanism of the TPM, complete with its secret, hardware-embedded master key which is supposed to be inaccessible from the outside of the chip, so that you can generate these session-spanning keys at will. Otherwise the key you managed to snatch from the memory outside of the TPM (a trick requiring hardware mods in order to get past the CPU process memory separation) is useless not only for anybody else, but even for yourself 5 minutes later, with the very same contents from the very same source (which a second time will require a different, TPM generated/certified AES key).

Re:I hope it's published anyway

[Jherek+Carnelian]

Not if the AES key is generated per-session, and the contents is encrypted with that session-unique key, based on random tokens supplied by the other end of the connection (i.e. the source of your media file). And, with AACS, that's a fundamental flaw. Since said source of the media file is not anywhere nearly as well protected and can easily be (and has been) subverted, thus the entropy of the session-unique can easily be eliminated.

Re:I hope it's published anyway

[IgnoramusMaximus]

And, with AACS, that's a fundamental flaw. Since said source of the media file is not anywhere nearly as well protected and can easily be (and has been) subverted, thus the entropy of the session-unique can easily be eliminated.

That depends. There are two obvious ways to make it very difficult: a) demand an online connection to initiate viewing of contents and then send random tokens, not to mention that this will allow the "contents owner" to be able to spy on the poor sod otherwise known as the "consumer" (which is where all the media companies are doing their damnest to get) or b) make sure that the MEGA-UBER-HD-DVD controller is a fully-self-contained, high-entropy (achievable with the right hardware, such as thermal noise based A/D random number generators and what not) source endpoint of the communications and that only it stores (irretrievably I presume) the actual kets of whatever actual encryption scheme is on disk.

Note that this does not fix the fundamental flaw of all DRM systems, i.e. the fact that as soon as someone gets the contents decrypted, by whatever means, then the unencrypted contents can be distributed freely. But it can (if properly implemented) make the process of decryption rather painful (as in very specialized custom hardware etc). It will also remove the possibility of simply sharing the decryption keys, which is how the CSS system is being presently thoroughly defeated on a large scale.

In short, the TPM will reduce very significantly the availability of easy methods of, say, playing one's legally purchased HD-DVD, without the owner grovelling for an approval from MPAA for every viewing, which is what that organization apparently consider its primary reason for existence, as they believe that this will allow them to shorten the life-time of any media drastically and allow them to re-sell the same contents, to the same people, many, many, many times over. And they might be right, given that Joe Sixpack will have very little recourse in the realm of corporate-bought laws to escape, other then to become a "vile pirate criminal" and face penalties harsher then those for rape and murder (as is already the case in some jurisdictions) for possession of the said custom decryption hardware. Given the current trends in American politics and law, I am not very optimistic looking towards the future of this.

Re:I hope it's published anyway

[phyrebyrd]

I was being sarcastic. ;)

Conspiracy shmiracy

[packetmon]

Yanked why? ... Maybe because security experts have already exposed *stolen/old/re-hashed concepts* and they didn't want to be embarrassed...

Probably realized...

[MMC+Monster]

...that there is more money just selling the presentation to the highest bidder. Then present it a year later.

Correct me if I am wrong, but if someone adds something like this to a remote execution virus, they can install a virtual machine underneath Windows (any version) and have access to all data, including encrypted volumes?

Nah... I'm just paranoid.

Re:Probably realized...

[I)_MaLaClYpSe_(I]

This can be done with VBootkit as well. Let's resurrect the BIOS viruses. Note that Nitin and Vipin Kumar are the authors of VBootkit and it was covered previously on Slahdot here: VBootkit Bypasses Vista's Code Signing.

So really...

[Seraphim_72]

...more of a dark gray hat then.

Give it time

[gen0c1de]

Maybe they are putting it on the back burner, not releasing the information and giving it time to get to the point that once they do release it there will be a much bigger effect. As it is now TPM isn't wide spread yet so give it a bit of time and then break it.

Re:Give it time

[Frosty+Piss]

Three possibilities:

* Didn't actually work like they said

* Wanted to make some cash-ola on the "sploit"

Big Corporate Illuminati paid them off.

* Found dead after listening Cowboy Neal drone on and on and on and on...

Your choice.

Who cares:

[PFI_Optix]

Those of us with perfectly good phones who aren't willing to pay $500 for something that doesn't really bring much new to the table.

Cool factor: 10
Usefulness factor: 5 (it really doesn't do much more than my RAZR V3xx)
Budget fact: -1

Burn karma burn!

Hardware companies don't seel to consumers

[Tony]

PC hardware companies have one customer: Microsoft.

They have to sell their hardware to Microsoft. Oh, sure Microsoft doesn't pay for it directly-- they get consumers (both free citizens and corporations) to do that for them. However, the hardware companies must please Microsoft if they hope to be able to sell their hardware.

If Microsoft feels they are beset by an upstart operating system, one that does not have the financial or political clout to become "trusted," they may very well demand their suppliers provide the chips in *all* computers, not just high-end secure commercial systems.

So manufacturers may have no real choice in the matter.

Re:Fess up

[diodeus]

I think it was the same people who failed to give us the vote on DRM, NAFTA, globalization and the New Coke.

DMCA anyone?

[TheSciBoy]

My guess is that they could not go to the US from fear of being arrested for breaking the DMCA/some other law. I for sure wouldn't go to the US under any circumstances with information on how to defeat any kind of security.

Security by obscurity still seems to be the mantra.

Re:DMCA anyone?

Every security system in existance has a vulnerability, wether its the passwords, the keys, or the algorithms involved. Every security system in existance is only secure while this information is unknown, therefore every security system in existance is essentially 'security through obscurity'.

The term 'security by obscurity' has it's place, but it seems like another phrase in a growing list that Slashbots just seem to latch onto whenever they feel like karma whoring (like 'DMCA invocation').

Re:DMCA anyone?

[_Sprocket_]

Every security system in existance has a vulnerability, wether its the passwords, the keys, or the algorithms involved. Every security system in existance is only secure while this information is unknown, therefore every security system in existance is essentially 'security through obscurity'. Close. The "security through obscurity" mantra is about how much knowledge is required to defeat a system. Knowing the algorithms involved shouldn't be enough. One should have direct access to the system's key(s).

The issue isn't that there's a piece of secret knowledge that unlocks the system. That's a given - passwords, cryptographic keys, etc. are referred to as "secrets" and have nothing to do with the "obscurity" part of the mantra. The issue is whether enough study of a system or general knowledge of a system is enough to bypass it. It is much easier to control a secret (in the cryptographic sense) than the inner workings of a system.

The term 'security by obscurity' has it's place, but it seems like another phrase in a growing list that Slashbots just seem to latch onto whenever they feel like karma whoring (like 'DMCA invocation'). I do agree on this point. One should understand the concept behind a tidy little catch-phrase before trying to use it.

Re:DMCA anyone?

[ajs318]

The point is that with something like public-key encryption using an Open Source algorithm, the only thing that has to be kept secret, and does not even have to be shared with the other party, is the decryption key. And you can prove that (if you've studied enough maths). You are in total charge of the only thing that needs to be kept secret for your communications to be secure.

Whereas, with something like Skype -- which uses a closed-source implementation of christ-knows-what algorithm and handles its own key generation -- there's no way to be sure exactly what needs to be kept secret, or even who else knows it (without reading and understanding the Source Code, you can't be sure that the decryption key is not being made available to anyone else). That's "security by obscurity": someone other than you is in charge of the secrets.

Re:DMCA anyone?

[dpilot]

So you're really saying rather than "security by obscurity", how about "security by threat of Gitmo"?

Re:DMCA anyone?

[thoughtlover]

That's a good thought I didn't consider, much like Dmitry Sklyarov at the 2001 DefCon in Las Vegas.

My initial thought was M$ hired some local henchmen to go rough up them and threaten the same to their family/loved ones. Gee, have I watched "Antitrust" too many times? Did Tim Robbins present such a compelling and chilling version of a person with too much to lose in an industry fraught with theft and scandal? I'd have to say 'yes' because this was my first thought.

Re:DMCA anyone?

[wirelessbuzzers]

The point is that with something like public-key encryption using an Open Source algorithm, the only thing that has to be kept secret, and does not even have to be shared with the other party, is the decryption key. And you can prove that (if you've studied enough maths). Err, not so much. Proofs of security always assume that some problem or another is hard. For instance, if you can't factor numbers or break hashes, then you can't break Rabin's signature scheme (caution: random oracles required; void where prohibited). That's all well and good until someone breaks your hash or factors your public key. Oh, and hey, SHA1 and MD5 (hashes) are both broken.

Often the problem sounds suspiciously like the scheme itself. For instance, Diffie-Hellman-like schemes are secure unless you can solve the so-called "Diffie-Hellman problem."

Block ciphers typically carry no guarantees whatsoever, since they aren't based on the sort of mathematical structure that public-key systems use. The best you can say about them is usually, "Well, we used a conservative design, and haven't been able to break it with certain classes of known existing attacks."

This isn't to say that provable security is useless, just that its guarantees may not be as strong as you think.

Re:DMCA anyone?

[ajs318]

The security of Public Key Encryption depends on you not being able to determine, by inspection alone, how to invert the encryption function. What works so well in current systems is that modulo arithmetic is used -- basically, you have a numbering system that "wraps around" at some point and goes back to zero (like the old Atari 2600 games which only counted scores up to 9999). The encryption function is

Y = (x ** a) % c

implying that the public key tells you a and c; the decryption function is

Y = (x ** b) % c

and the private key tells you b and c; and a, b and c are chosen at the time of key generation such that

(((x ** a) % c) ** b) % c == (((x ** b) % c) ** a) % c == x

Now, when you actually transmit the message, you throw away some important information: you leave out how many times the counter wrapped around. All you have is Y, where

Y = x ** a - d * c

You know a and c, but you don't know d. If you have the proper decryption function, you don't need d. But with only the encryption function available, you end up with fewer equations than variables.

Re:DMCA anyone?

[wirelessbuzzers]

Uh, thanks a lot for the lesson on RSA, but actually I'm a security researcher. (Maybe I'm being trolled? Eh, whatever.)

"Fewer equations than variables" can't ever prove something like this, because there's always enough information to decrypt. That is, an attacker could, if he had lots of time, try every x and see which one encrypts to y. There had better only be one of them, because otherwise the intended recipient can't decrypt either.

While that would take basically forever, you don't need to try every x. You can recover the decryption exponent b (usually called d, for decryption) from a (usually called e, for encryption) if you can find the factors of c (usually called n). Factoring is hard. Nobody knows how to do it in a reasonable amount of time, even on a supercomputer, when n is really big (hundreds of digits). But there's no proof that it can't be done quickly, and n has to be bigger and bigger as people make faster computers and smarter factoring algorithms. Nor is there a proof that you need to factor n. For instance, if a is fairly small (like, say, 3) and some partial information is available about x (say, you know the structure of the message and can guess most of the fields), then you can find x anyway. That's why people usually set a=17 or so.

Re:DMCA anyone?

[ScrewMaster]

Security by obscurity still seems to be the mantra.

Security by ignorance is the mantra.

If someone points out a flaw in your security (whether it be a computer, or a bank, or a firebase) logic dictates that you should hear them out at the very least. If indeed you have problem, thank them and then FIX IT, because they are doing you a favor. What seems to be happening nowadays is the exact opposite. Those who are exposing security issues are intimidated into self-censorship and their knowledge ignored. This is an example of willful ignorance, and there's a price to pay for that level of stupidity. The people pushing this crap on us won't be paying that price: we will.

What this tells me is that the people involved in "Trusted Computing" and all the rest of that balderdash are less interested in providing better security to their customers, as they are in providing the appearance of better security so that people will buy into their program to the tune of billions of dollars. Consequently, when anyone comes out with information that says, "Hey, this isn't as secure as you're claiming!" the immediate reaction is to try and shut them up.

Rather than subjecting our systems and our data to the tender mercies of law enforcement and corporate America, it would be far more effective if we simply learned how to secure them using the tools we already have. "Trusted Computing" is a non-solution in search of a problem to make it marketable, or at least palatable.

it never existed in the first place.

[SuperBanana]

Scheduled during the Black Hat USA 2007 event, the event's briefing promised to break the Trusted Computing Group's module, as well as Vista's Bitlocker. Live demos were to be included. The presenters pulled the event, and have no interest in discussing the subject any more.

Maybe because it never existed?

1.Announce you're going to present how to break Vista / TCM
2.Collect $$$$ from registrations
3.Claim the presentation is "cancelled"
4.Profit!

Re:it never existed in the first place.

[geekoid]

Look at the history of the people who where going to present it.

I would give the benefit of the doubt to them.

Nitin and Vipin Kumar are the creators of VBootkit

[I)_MaLaClYpSe_(I]

Nitin and Vipin Kumar are the creators of VBootkit and they were covered previously on Slashdot here: VBootkit Bypasses Vista's Code Signing.

Paid off?

[Fr05t]

I don't know how likely it is, but since no one has mentioned it I figured I would. Maybe they were simply offered a big pile of cash to keep quiet, and never speak of it again??

Occam's razor

[Opportunist]

What takes fewer assumptions: To assume that MS or some other bigwhig of the TPA crowd sent them some Ahnulds with an "...or else" message, or to assume that they found out that either their presentation is flawed or that their findings aren't so new at all? Or maybe they want to up the hype (after all, they do have a security consulting company)?

Seriously. Keep the conspiracy low.

Re:Occam's razor

[Darby]

What takes fewer assumptions: To assume that MS or some other bigwhig of the TPA crowd sent them some Ahnulds with an "...or else" message, or to assume that they found out that either their presentation is flawed or that their findings aren't so new at all?

You're going to slit your throat holding your razor backwards like that.

The first obviously takes fewer assumptions. MS and various other companies have demonstrated repeatedly that that is *exactly* how they do business on a regular basis. So the only assumption needed to consider that choice reasonable is that they'll continue to do exactly what they've always done in the way they've always done it.

For the second, you're assuming that the people in question are shady characters (any evidence of that?), who are willing to risk destroying any credibility they might have over a half ass attempt to drum up publicity?

Seriously, if you're trying to apply Occam's razor you need to pay a little bit of attention to facts otherwise you'll completely screw it up like you just did.

Re:Occam's razor

[Opportunist]

Either takes assumptions to come to the desired (i.e. existing) effect. The question is, who has to lose more from disclosing the basic reason for their withdrawal, and how likely is it to happen.

Assumption: MS using legal muscle or threats to quench information about faulty TPA.
Effect of exposure: MS getting flak from the community. Ok, doesn't faze them as we know. MS getting flak from the content providers relying on TPA. Would hurt them seriously more.
Risk of exposure: High, a lot of people would actually love to push this information.

Assumption: There is no flaw in TPA and they tried to create some hype and FUD around it.
Effect of exposure: Complete loss of any kind of credibility for them.
Risk of exposure: Medium. It's quite hard to prove that something is secure if you don't know the flaw.

Assumption: There is a flaw, but they try to make money out of it rather than spreading it.
Effect of exposure: Virtually none. They have a security counceling company, it's their right to use that information to make money.
Risk of exposure: Low. And if, who cares?

Personally, I go with the third assumption. It makes the most sense.

Re:Occam's razor

[Darby]

Personally, I go with the third assumption. It makes the most sense.

No, it really doesn't.
The first choice you listed takes no real assumptions at all. We *know* that that is *exactly* what MS does in these situations, hence not only is it perfectly reasonable to assume they'd keep doing what they always do, it is the default assumption when dealing with them about anything.

Now, it's perfectly possible that the third choice is actually correct, but you will never get there using the information available plus Occam's razor because Occam's razor will give you choice one every time because it requires the fewest assumptions.

Adding in more information, like the other response to my post (assuming it's true) could push you in another direction, but assuming people will continue to act in the manner they've always acted is very basic simple common sense.

rings a bell

[sacrilicious]

Presenters Nitin and Vipin Kumar's presentation...

Wasn't there some movie about this? Nitin and Kumar go to Black Hat, or some such?

Don't give up so easily

[HalAtWork]

Don't shoot the messenger.

Not only that, but the messengers shouldn't give up so easily. They have a responsibility to disclose their findings instead of letting people rely on insecure solutions, or letting them fall victim to losing control of what their PC can/can't do.

Re:Don't give up so easily

[azrider]

Not only that, but the messengers shouldn't give up so easily. They have a responsibility to disclose their findings instead of letting people rely on insecure solutions, or letting them fall victim to losing control of what their PC can/can't do.

When you are not the messenger that's easy to say

Re:Don't give up so easily

[computational+super]

No, there aren't. If there was an anonymous channel that could be used to disclose security flaws, that channel would be used to anonymously trade music, or movies, or something "even worse" and its supporters would be jailed for enabling it.

Until an anonymous channel is created that doesn't require the support of non-anonymous administrators, there won't be any anonymous way to communicate anything.

Re:Don't give up so easily

[Crazy+Eight]

Uh... they could probably post it anonymously on the internet...

Re:No conspiracy theory required

[ajs318]

That'd be Hanlon's Razor -- "Never ascribe to malice that which can adequately be explained by incompetence".

Re:Nitin and Vipin Kumar are the creators of VBoot

[0bjectiv3]

Yes, but when will Nitin an Kumar go to White Castle?

Yeah...

[MightyMartian]

Because we all know that hiding your head in the sand is a sound means of securing systems.

(Golf clap)

[Kadin2048]

I was wondering how long it was going to take someone to work some totally non sequitur U.S.-bashing into a technical discussion ... and there you went and did it!

...and that problem is transport...

[Valdrax]

...Or kick him down a well.

So our country can be free?

Re:...and that problem is transport...

[aminorex]

You betcha! The bottom of the well is our designated free speech zone!.

Re:Money talks...

[deviceb]

exactly... perhaps they just saw more $ to be made on a different route.

Re:Fess up

[SiliconEntity]

Alright, who has been requesting this trusted computing platform bullshit? Speak up! I want to know the name of the one consumer who said "Yes, I really want computers that can be uniquely identified. I hate the freedom that being anonymous brings."

I do want a trusted computing platform. That's because I know how they work, and you don't. You think it limits what code you can run and takes away your anonymity. But those are all lies, fed to you by opponents of the technology, which you have blindly accepted.

The truth is that TC technology lets you prove the software configuration you are running, if you want to. That's it. This will be able to be done per-application, so that you can prove you are running a particular app while keeping other details private. I can think of many good reasons for this; yes, good, privacy-protecting reasons; even good, anonymity-protecting reasons.

But because of people like you who believe the Big Lie, the technology I need to improve privacy and anonymity on the net is being killed even in its moment of birth.

Clarity

[benhocking]

In case it wasn't clear, I did not write the summary nor the article that the summary references. I was just pointing out that, regardless of how one feels about DRM or TPM and what is being secured against, the concept that a presentation could undermine security implies a security based on obscurity, which is no security at all.

Re:Fess up

[PitaBred]

Unless they're Luddites, people aren't opponents of a technology for no good reason. TPM depends on someone else, somewhere, attesting to... something. The point is, it's out of your and my control, which means that there's someone else in control, who holds the keys. For my security, I don't trust anyone else holding the keys in these TPM chips. Apparently, you do.

I'm all for more security. I just don't think this is the right way to go about it, and all I can see it realistically being used for is for on the consumer side limiting peoples rights to use media how they want. For businesses, it may provide some additional security, but even then I'm dubious that proper permissions and access control don't fix that already.

Vendors want TPM, not consumers.

[fahrbot-bot]

Remember: TPM is there so the vendors can trust the PC, not the consumers (hardware owners) - who are, as far as the vendors are concerned, untrustworthy...

Re:Fess up

[SiliconEntity]

Unless they're Luddites, people aren't opponents of a technology for no good reason. TPM depends on someone else, somewhere, attesting to... something.

How can you object to people attesting to things? People attest to things all the time. Do you get up in arms over the Good Housekeeping Seal of Approval? Do you insist that it is an infringement on your freedom that you can't use their Seal dishonestly in business?

Or how about the Verisign root CA key? This is the foundation for SSL security on the net. Do you think they should publish the private part so that anyone can forge signatures by that key and make their own attestations? That would destroy its security.

Secure attestation is the foundation of commerce in the whole world, as well as in the smaller world of the net. The TPM merely applies that same principle on a finer scale, allowing you to attest to the nature of your own software.

For my security, I don't trust anyone else holding the keys in these TPM chips. Apparently, you do.

No one else holds the keys in the TPM. Only the TPM holds the keys. The TPM owns the keys and never lets them go. That makes the TPM, from the security perspective, an autonomous agent; a little robot that obeys certain rules. Everyone knows what the rules are, and thanks to the keys embedded in the TPM which never leave, everyone can tell when a TPM is making a statement. This gives people confidence in what the TPM says.

That's the essence of this enormous threat that everyone is so up in arms over. That there could be an entity in the world that makes verifiable statements of known facts. The bottom line is that people want the ability to make their TPMs lie. Apparently no one can abide the presence of an honest agent in their life.

I call this complete bullshit. I have no desire to defraud or lie to anyone. Yet I want to preserve my own privacy and anonymity. These goals are completely consistent. And the TPM actually serves these goals. Because people know its rules and can trust what it says, the TPM can make statements about what I am doing that are reassuring to others, without me having to reveal any more information than necessary or any details. The TPM allows local filtering of outgoing information so as to add MORE privacy while allowing a degree of remote trust that is unimaginable today.

I could go on and on, but what's the point? You either won't understand or won't believe me. I have read thousands of pages of TPM documentation and understand this technology as well as anyone. You have read a few web sites that are totally biased in their presentation. Unfortunately millions of others are like you, and almost no one is like me.

MOD UP!!!

[Ayanami+Rei]

The hack does not specifically concern the TPM, from what I understand it just fools Vista into thinking the TPM validated it. But any further operations using the TPM would fail, so...

I think that's a pretty good reason to pull the presentation.

Re:Fess up

[m50d]

I can think of many good reasons for this; yes, good, privacy-protecting reasons; even good, anonymity-protecting reasons.

Out with it, then. What are these reasons?

Re:Why can't I get to my own private key?

[SiliconEntity]

If TCPA is such a great thing for users like me, why can't I have access to the private keys in the TPM within my own computer?

Because, as I explained, the point of the TPM is to be an autonomous agent whose statements can be trusted. If you had access to the TPM's keys, you could get it to lie for you, that is, you could lie on its behalf. That would make its statements useless as they would have no truth value, and would eliminate the whole purpose of the technology.

You might as well ask why you can't have a copy of Verisign's private root key. Because that would make assertions by Verisign worthless. It's the same principle for the TPM.

Only by giving the TPM keys that it and only it controls can we gain trust in assertions signed by that key. The only reason you would want those keys is so you can get the TPM to make false assertions. Why is lying so important to you? Why is honesty such a threat? That's the real question here.

Re:Fess up

[SiliconEntity]

I can think of many good reasons for this; yes, good, privacy-protecting reasons; even good, anonymity-protecting reasons.

Out with it, then. What are these reasons?

How about this for starters: Securing Peer-to-Peer Networks using Trusted Computing (Google cache). This technology can make P2P networks much more immune to attack and surveillance from outside, protecting the privacy and anonymity of participants.

Re:Fess up

[SiliconEntity]

How can you object to people attesting to things? People attest to things all the time.

Because in this case, attestation means requiring a specific set of applications. If you are not using exactly the applications required by a particular service, you'll be locked out of that service. Bad for free software, bad for the free market, bad for the customer, but great for application vendors who can win themselves "trusted" status!

No, that's not what it means. Attestation does not mean requiring a specific set of applications. It means having the ability to believably report what software you are running.

There is no such thing as vendors who win "trusted" status. There is no such thing as "trusted" vendors. Special or "trusted" vendors are not a TCG concept. No group has more or better access to the TPM than anyone else.

I think I should be able to use whatever applications I want on my own machine.

You can!

I think I should be able to modify them.

You can!

But TCPA stops me doing that, by forcing me to adopt applications that are considered to be "trusted".

No, it doesn't. You can run whatever applications you want.

What it does do is allow you to report your software configuration reliably and believably. Maybe someone else won't talk to you unless you are running a certain software config. That's their prerogative. You can always tell them to get lost. They can't make you do anything you don't want to do. You can run whatever software you want and do whatever you want.

What you can't do is to force other people to behave as you would like them to. They have freedoms too.