Trecherous Computing
Ross Anderson posted this article in August 2003. I pasted it here so that our translators may re-write it in languages not availalbe on Ross' page.
Trusted Computing FAQ TC / TCG / LaGrande / NGSCB / Longhorn / Palladium
`Trusted Computing' Frequently Asked Questions
- TC / TCG / LaGrande / NGSCB / Longhorn / Palladium /
TCPA
Version 1.1 (August 2003)
This document is released under the GNU Free Documentation
License. Here are links to translations into Norwegian, Swedish, Finnish, Hungarian, Greek, Romanian, Polish, Lithuanian and
and French.
See also the Economics and Security
Resource Page which gives a lot of background to the issues raised here.
1. What is TC - this `trusted computing' business?
The Trusted
Computing Group (TCG) is an alliance of Microsoft, Intel, IBM, HP
and AMD which promotes a standard for a `more secure' PC. Their
definition of `security' is controversial; machines built
according to their specification will be more trustworthy from the
point of view of software vendors and the content industry, but will
be less trustworthy from the point of view of their owners. In effect,
the TCG specification will transfer the ultimate control of your PC
from you to whoever wrote the software it happens to be running. (Yes,
even more so than at present.)
The TCG project is known by a number of names. `Trusted computing' was
the original one, and is still used by IBM, while Microsoft calls it
`trustworthy computing' and the Free Software Foundation calls it `treacherous
computing'. Hereafter I'll just call it TC, which you can
pronounce according to taste. Other names you may see include TCPA
(TCG's name before it incorporated), Palladium
(the old Microsoft name for the version due
to ship in 2004) and NGSCB
(the new Microsoft name). Intel has just started calling it `safer
computing'. Many observers believe that this confusion is deliberate -
the promoters want to deflect attention from what TC actually does.
2. What does TC do, in ordinary English?
TC provides a computing platform on which you can't tamper with the
application software, and where these applications can communicate
securely with their authors and with each other. The original
motivation was digital
rights management (DRM): Disney will be able to sell you DVDs that
will decrypt and run on a TC platform, but which you won't be able to
copy. The music industry will be able to sell you music downloads that
you won't be able to swap. They will be able to sell you CDs that
you'll only be able to play three times, or only on your birthday.
All sorts of new marketing possibilities will open up.
TC will also make it much harder for you to run unlicensed software.
In the first version of TC, pirate software could be detected and
deleted remotely. Since then, Microsoft has sometimes denied that it
intended TC to do this, but at WEIS 2003 a
senior Microsoft manager refused to deny that fighting piracy was a
goal: `Helping people to run stolen software just isn't our aim in
life', he said. The mechanisms now proposed are more subtle, though.
TC will protect application software registration
mechanisms, so that unlicensed software will be locked out of the
new ecology. Furthermore, TC apps will work better with other TC
apps, so people will get less value from old non-TC apps (including
pirate apps). Also, some TC apps may reject data from old apps whose
serial numbers have been blacklisted. If Microsoft believes that your
copy of Office is a pirate copy, and your local government moves to
TC, then the documents you file with them may be unreadable. TC will
also make it easier for people to rent software rather than buy it;
and if you stop paying the rent, then not only does the software stop
working but so may the files it created. So if you stop paying for
upgrades to Media Player, you may lose access to all the songs you
bought using it.
For years, Bill Gates has dreamed of finding a way to make
the Chinese pay for software: TC looks like being the answer to his prayer.
There are many other possibilities. Governments will be able to
arrange things so that all Word documents created on civil servants'
PCs are `born classified' and can't be leaked electronically to
journalists. Auction sites might insist that you use trusted proxy
software for bidding, so that you can't bid tactically at the
auction. Cheating at computer games could be made more difficult.
There are some gotchas too. For example, TC can support remote
censorship. In its simplest form, applications may be designed to
delete pirated music under remote control. For example, if a protected
song is extracted from a hacked TC platform and made available on the
web as an MP3 file, then TC-compliant media player software may detect
it using a watermark, report it, and be instructed remotely to delete
it (as well as all other material that came through that platform).
This business model, called traitor tracing, has been researched
extensively by Microsoft (and others). In general, digital objects
created using TC systems remain under the control of their creators,
rather than under the control of the person who owns the machine on
which they happen to be stored (as at present). So someone who writes
a paper that a court decides is defamatory can be compelled to censor
it - and the software company that wrote the word processor could be
ordered to do the deletion if she refuses. Given such possibilities,
we can expect TC to be used to suppress everything from pornography to
writings that criticise political leaders.
The gotcha for businesses is that your software suppliers can make it
much harder for you to switch to their competitors' products. At a
simple level, Word could encrypt all your documents using keys that
only Microsoft products have access to; this would mean that you could
only read them using Microsoft products, not with any competing word
processor. Such blatant lock-in might be prohibited by the competition
authorities, but there are subtler lock-in strategies that are much
harder to regulate. (I'll explain some of them below.)
3. So I won't be able to play MP3s on my computer any
more?
With existing MP3s, you may be all right for some time. Microsoft says
that TC won't make anything suddenly stop working. But a recent
software update for Windows Media Player has caused controversy
by insisting that users agree to future anti-piracy measures, which
may include measures that delete pirated content found on your
computer. Also, some programs that give people more control over their
PCs, such as VMware and Total Recorder, are not going
to work properly under TC. So you may have to use a different player -
and if your player will play pirate MP3s, then it may not be
authorised to play the new, protected, titles.
It is up to an application to set the security policy for its files,
using an online policy server. So Media Player will determine what
sort of conditions get attached to protected titles. I expect
Microsoft will do all sorts of deals with the content providers, who
will experiment with all sorts of business models. You might get CDs
that are a third of the price but which you can only play three times;
if you pay the other two-thirds, you'd get full rights. You might be
allowed to lend your copy of some digital music to a friend, but then
your own backup copy won't be playable until your friend gives you the
main copy back. More likely, you'll not be able to lend music at all.
Creeping digital lockdown will make life inconvenient in many niggling
ways; for example, regional coding might stop you watching the Polish
version of a movie if your PC was bought outside Europe.
This could all be done today - Microsoft would just have to download a
patch into your player - but once TC makes it hard for people to
tamper with the player software, and easy for Microsoft and the music
industry to control what players will work at all with new releases,
it will be harder for you to escape. Control of media player software
is so important that the EU antitrust authorities are proposing
to penalise Microsoft for its anticompetitive behaviour by compelling
it to unbundle Media Player, or include competing players in Windows.
TC will greatly increase the depth and scope of media control.
4. How does TC work?
TC provides for a monitoring and reporting component to be mounted in
future PCs. The preferred implementation in the first phase of TC
emphasised the role of a `Fritz' chip - a smartcard chip or dongle
soldered to the motherboard. The current version has five components -
the Fritz chip, a `curtained memory' feature in the CPU, a security
kernel in the operating system (the `Nexus' in Microsoft language), a
security kernel in each TC application (the `NCA' in Microsoft-speak)
and a back-end infrastructure of online security servers maintained by
hardware and software vendors to tie the whole thing together.
The initial version of TC had Fritz supervising the boot process, so
that the PC ended up in a predictable state, with known hardware and
software. The current version has Fritz as a passive monitoring
component that stores the hash of the machine state on start-up. This
hash is computed using details of the hardware (audio card, video card
etc) and the software (O/S, drivers, etc). If the machine ends up in
the approved state, Fritz will make available to the operating system
the cryptographic keys needed to decrypt TC applications and data. If
it ends up in the wrong state, the hash will be wrong and Fritz won't
release the right key. The machine may still be able to run non-TC
apps and access non-TC data, but protected material will be
unavailable.
The operating system security kernel (the `Nexus') bridges the gap
between the Fritz chip and the application security components (the
`NCAs'). It checks that the hardware components are on the TCG
approved list, that the software components have been signed, and that
none of them has a serial number that has been revoked. If there are
significant changes to the PC's configuration, the machine must go
online to be re-certified: the operating system manages this. The
result is a PC booted into a known state with an approved combination
of hardware and software (whose licences have not expired). Finally,
the Nexus works together with new `curtained memory' features in the
CPU to stop any TC app from reading or writing another TC app's
data. These new features are called `Lagrande
Technology' (LT) for the Intel CPUs and `TrustZone'
for the ARM.
Once the machine is in an approved state, with a TC app loaded and
shielded from interference by any other software, Fritz will certify
this to third parties. For example, he will do an authentication
protocol with Disney to prove that his machine is a suitable recipient
of `Snow White'. This will mean certifying that the PC is currently
running an authorised application program - MediaPlayer, DisneyPlayer,
whatever - with its NCA properly loaded and shielded by curtained
memory against debuggers or other tools that could be used to rip the
content. The Disney server then sends encrypted data, with a key that
Fritz will use to unseal it. Fritz makes the key available only to the
authorised application and only so long as the environment remains
`trustworthy'. For this purpose, `trustworthy' is defined by the
security policy downloaded from a server under the control of the
application owner. This means that Disney can decide to release its
premium content only to a media player whose author agrees to enforce
certain conditions. These might include restrictions on what hardware
and software you use, or where in the world you're located. They can
involve payment: Disney might insist, for example, that the
application collect a dollar every time you view the movie. The
application itself can be rented too. The possibilities seem to be
limited only by the marketers' imagination.
5. What else can TC be used for?
TC can also be used to implement much stronger access controls on
confidential documents. These are already available in a primitive
form in Windows Server 2003, under the name of
`Enterprise rights management' and people are experimenting with them.
One selling point is automatic
document destruction. Following embarrassing email disclosures in
the recent anti-trust case, Microsoft implemented a policy that all
internal emails are destroyed after 6 months. TC will make this easily
available to all corporates that use Microsoft platforms. (Think of
how useful that would have been for Arthur Andersen during the Enron
case.) It can also be used to ensure that company documents can only
be read on company PCs, unless a suitably authorised person clears
them for export. TC can also implement fancier controls: for example,
if you send an email that causes embarrassment to your boss, he can
broadcast a cancellation message that will cause it to be deleted
wherever it's got to. You can also work across domains: for example, a
company might specify that its legal correspondence only be seen by
three named partners in its law firm and their secretaries. (A law
firm might resist this because the other partners in the firm are
jointly liable; there will be many interesting negotiations as people
try to reduce traditional trust relationships to programmed rules.)
TC is also aimed at payment systems. One of the Microsoft visions is
that much of the functionality now built on top of bank cards may move
into software once the applications can be made tamper-resistant. This
leads to a future in which we pay for books that we read, and music we
listen to, at the rate of so many pennies per page or per minute. The
broadband industry is pushing
this vision; meanwhile some far-sighted people in the music
industry are starting to get scared at the prospect of Microsoft
charging a percentage on all their sales. Even if micropayments don't
work out as a business model - and there are some
persuasive arguments why they won't - there will be some
sea-changes in online payment, with spillover effects for the user.
If, in ten years' time, it's inconvenient to shop online with a credit
card unless you use a TC platform, that will be tough on Mac and
GNU/linux users.
The appeal of TC to government systems people is based on ERM being
used to implement `mandatory access control' - making access control
decisions independent of user wishes but based simply on their
status. For example, an army might arrange that its soldiers can only
create Word documents marked at `Confidential' or above, and that only
a TC PC with a certificate issued by its own security agency can read
such a document. That way, soldiers can't send documents to the press
(or email home, either). Such rigidity doesn't work very well in large
complex organisations like governments, as the access controls get in
the way of people doing their work, but governments say they want it,
and so no doubt they will have to learn the hard way. (Mandatory
access control can be more useful for smaller organisations with more
focused missions: for example, a cocaine smuggling ring can arrange
that the spreadsheet with this month's shipment details can be read
only by five named PCs, and only until the end of the month. Then the
keys used to encrypt it will expire, and the Fritz chips on those five
machines will never make them available to anybody at all, ever
again.)
6. OK, so there will be winners and losers - Disney might win
big, and some smartcard makers might go bust. But surely Microsoft and
Intel are not investing nine figures just for charity? How will they
make money out of it?
For Intel, which started the whole TC thing going, it was a defensive
play. As they make most of their money from PC microprocessors, and
have most of the market, they can only grow their company by
increasing the size of the market. They were determined that the PC
will be the hub of the future home network. If entertainment is the
killer application, and DRM is going to be the critical enabling
technology, then the PC has to do DRM or risk being displaced in the
home market.
Microsoft, who are now driving TC, were also motivated by the desire
to bring entertainment within their empire. But they also stand to win
big if TC becomes widespread. There are two reasons. The first, and
less important, is that they will be able to cut down dramatically on
software copying. `Making the Chinese pay for software' has been a big
thing for Bill; with TC, he can tie each PC to its individual licenced
copy of Office and Windows, and lock bad copies of Office out of the
shiny new TC universe.
The second, and most important, benefit for Microsoft is that TC will
dramatically increase the costs of switching away from Microsoft
products (such as Office) to rival products (such as OpenOffice). For example, a law
firm that wants to change from Office to OpenOffice right now merely
has to install the software, train the staff and convert their
existing files. In five years' time, once they have received
TC-protected documents from perhaps a thousand different clients, they
would have to get permission (in the form of signed digital
certificates) from each of these clients in order to migrate their
files to a new platform. The law firm won't in practice want to do
this, so they will be much more tightly locked in, which will enable
Microsoft to hike its prices.
Economists
who have studied the software industry concluded that the value of a
software business is about equal to the total costs of its customers
switching out to the competition; both are equal to the net present
value of future payments from the customers to the software vendor.
This means that an incumbent in a maturing market, such as Microsoft
with its Office product, can grow faster than the market only if it
can find ways to lock in its customers more tightly. There are some
ifs and buts that hedge this theory around, but the basic idea is well
known to software industry executives. This explains Bill G's comment
that `We
came at this thinking about music, but then we realized that e-mail
and documents were far more interesting domains'.
7. Where did the technical ideas come from?
The TC concept of booting a machine into a known state is implicit in
early PCs where the BIOS was in ROM and there was no hard drive in
which a virus could hide. The idea of a trusted bootstrap mechanism
for modern machines seems to have first appeared in a paper by Bill
Arbaugh, Dave Farber and Jonathan Smith, ``A Secure and Reliable
Bootstrap Architecture'', in the proceedings of the IEEE Symposium
on Security and Privacy (1997) pp 65-71. It led to a US patent:
``Secure and Reliable Bootstrap Architecture'', U.S. Patent No.
6,185,678, February 6th, 2001. Bill's thinking developed from work he
did while working for the NSA on code signing in 1994, and originally
applied to rebooting ATM switches across a network. The Microsoft folk
have also applied for patent
protection on the operating
system aspects. (The patent texts are here and here.)
There may be quite a lot of prior art. Markus Kuhn wrote about the TrustNo1
Processor years ago, and the basic idea behind a trustworthy
operating system - a `reference monitor' that supervises a computer's
access control functions - goes back at least to a
paper written by James Anderson for the USAF in 1972. It has been
a feature of US military secure systems thinking since then.
8. How is this related to the Pentium 3 serial number?
Intel started an earlier program in the mid-1990s that would have put
the functionality of the Fritz chip inside the main PC processor, or
the cache controller chip, by 2000. The Pentium serial number was a
first step on the way. The adverse public reaction seems to have
caused them to pause, set up a consortium with Microsoft and others,
and seek safety in numbers. The consortium they set up, the Trusted
Computer Platform Alliance (TCPA), was eventually incorporated and
changed its name to TCG.
9. Why call the monitor chip a `Fritz' chip?
It was named in honour of Senator Fritz Hollings of South Carolina,
who worked
tirelessly in Congress to make TC a mandatory part of all consumer
electronics. (Hollings' bill failed; he lost his chairmanship of the
Senate Committee on Commerce, Science and Trasportation, and he's
retiring in 2004. But the Empire will be back. For example, Microsoft
is spending a fortune in Brussels promoting a draft Directive on IP
enforcement which is seriously
bad stuff.)
10. OK, so TC stops kids ripping off music and will help
companies keep data confidential. It may help the Mafia too, unless
the FBI get a back door, which I assume they will. But apart from
pirates, industrial spies and activists, who has a problem with
it?
A lot of companies stand to lose out directly, such as information
security vendors. When it first launched TC as Palladium, Microsoft
claimed that Palladium would stop spam, viruses and just about
every other bad thing in cyberspace - if so, then the antivirus
companies, the spammers, the spam-filter vendors, the firewall firms
and the intrusion detection folk could all have their lunch
stolen. That's now been toned down, but Bill Gates admits
that Microsoft will pursue the computer security market aggressively:
"Because it's a growth area, we're not being that coy with them about
what we intend to do."
Meanwhile, the concerns about the effects on competition
and innovation continue to grow. The problems for innovation are
well explained in a recent
New York Times column by the distinguished economist Hal Varian.
But there are much deeper problems. The fundamental issue is that
whoever controls the TC infrastructure will acquire a huge amount of
power. Having this single point of control is like making everyone
use the same bank, or the same accountant, or the same lawyer. There
are many ways in which this power could be abused.
11. How can TC be abused?
One of the worries is censorship. TC was designed from the start to
support the centralised revocation of pirate bits. Pirate software
won't run in the TC world as TC will make the registration process
tamper-resistant. But what about pirated songs or videos? How do you
stop someone recording a track - if necessary by putting microphones
next the speakers of a TC machine, and ripping it into an MP3? The
proposed solution is that protected content will contain digital
watermarks, and lawful media players that detect a watermark won't
play that song unless it comes with an appropriate digital certificate
for that device. But what if someone hacks a Fritz chip and does a
transaction that `lawfully' transfers ownership of the track? In that
case, traitor tracing technology will be used to find out which PC the
track was ripped from. Then two things will happen. First, the owner
of that PC will be prosecuted. (That's the theory, at least; it
probably won't work as the pirates will use hacked PCs.) Second,
tracks that have been through that machine will be put on a blacklist,
which all TC players will download from time to time.
Blacklists have uses beyond music copying. They can be used to screen
all files that the application opens - by content, by the serial
number of the application that created them, or by any other criteria
that you can program. The proposed use for this is that if everyone in
China uses the same copy of Office, you do not just stop this copy
running on any machine that is TC-compliant; that would just motivate
the Chinese to use normal PCs instead of TC PCs. You also cause every
TC-compliant PC in the world to refuse to read files that have been
created using this pirate program. This will put huge pressure on the
Chinese. (The precedent is that when spammers started using Chinese
accounts, many US ISPs simply blackholed China,
which forced the government to crack down on spam.)
The potential for abuse extends far beyond commercial bullying and
economic warfare into political censorship. I expect that it will
proceed a step at a time. First, some well-intentioned police force
will get an order against a pornographic picture of a child, or a
manual on how to sabotage railroad signals. All TC-compliant PCs will
delete, or perhaps report, these bad documents. Then a litigant in a
libel or copyright case will get a civil court order against an
offending document; perhaps the Scientologists will seek to blacklist
the famous Fishman
Affidavit. A dictator's secret police could punish the author of
a dissident leaflet by deleting everything she ever created using that
system - her new book, her tax return, even her kids' birthday