[e-lang] Logical fallacy in Palladium?
Ka-Ping Yee
e-lang@mail.eros-os.org
Tue, 30 Jul 2002 03:24:32 -0700 (PDT)

There's a puzzle i'm stuck on, and i'm hoping you can help me
figure it out.

All the information i have and the Microsoft literature i have
seen so far seems to claim three things:

    1. If the secrets in a single Fritz chip are compromised,
       other Fritz chips are not affected.

    2. The Fritz chip is designed so you can't use it to obtain
       a machine identifier.

    3. The Fritz chip can prove to another party that your
       computer is running a particular nub.

(In the above, the Fritz chip is the hardware component that
provides crypto facilities, harbours a per-chip private key,
and stores a secure hash of the currently-running nub. I'll
refer to the per-chip key as the "chipkey" for short. The nub
is the security kernel of the operating system, also known as
the Trusted Operating Root.)

As for #1, the Fritz chips are designed so that there is no
master key stored in every chip. Each chip just has a key
unique to the chip. To address #2 (probably to avoid another
uproar like the one that forced Intel to disable the PSN), a
random nonce is added to data before encryption, so a request
to encrypt a constant with the chipkey does not yield a
consistent cookie. And #3 is the whole point of attestation:
it's what these chips are supposed to make possible.

Now, suppose that Intel has manufactured Fritz chips to go with
their processor, and Bill Gates is sitting at home and would
like to download a Disney movie to show on his Palladium-enabled
version of Windows. Disney believes in DRM and is only willing
to offer movies to Palladium-constrained users.

To attest to the fact that Bill is really running Palladium,
the Fritz chip can sign a statement saying "This computer is
running Windows 2005 with Palladium enabled." It must sign
this using the chipkey (that's the only private key it has).

But, presenting that statement to Disney is not enough.
How does Disney know that the attestation is signed by a valid
Fritz chip?

This step is not explained in any of the descriptions i have
read, but there are only three ways i can see this being done:

    (a) Intel has a big registry of all the public keys that
        correspond to their chipkeys. Every time a new Fritz
        chip is made, when the key pair is generated, the
        private key goes onto the chip and the public key goes
        into their database. Disney sends the attestation to
        Intel, Intel verifies it, and returns a confirmation
        to Disney over a secure channel.

    (b) Intel has a big registry of all the public keys that
        correspond to their chipkeys, the same as in (a).
        Disney verifies the signature on the attestation, then
        queries Intel over the network about the public key.
        Intel looks up the public key in their database, and
        returns a confirmation to Disney over a secure channel.

    (c) Each Fritz chip carries with it a certificate verifying
        its validity. Every time a new Fritz chip is made, the
        private key goes onto the chip, the public key is signed
        using Intel's master private key to yield a certificate,
        and the certificate also goes onto the chip. When Bill's
        computer requests the movie, it sends the attestation
        together with the certificate. Disney checks the
        certificate against Intel's public key, then checks the
        attestation against the chip's signed public key.

In case (a), in order for Intel to verify the signature, it needs
the public key of the chip, so the attestation must contain the
public key. In case (b), in order for Intel to look up the chip
in their database, Disney must send Intel an identifier that
distinguishes the chip, so the attestation must identify the chip.
In case (c), the certificate identifies the chip.

In all cases, the situation is equivalent to having introduced
a processor serial number -- which they were trying to avoid.

The three claims at the top of this message seem to fundamentally
conflict. I don't see any way that one could satisfy all three
of them. Can you? Do you see any flaws in my reasoning?

-- ?!ng
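
Editor's added example, not part of the original message: a toy model of case (c) showing that a fresh nonce makes each attestation signature different, yet the verifier still receives the same certified chip public key every time and can link sessions by it. It uses textbook RSA over constructed Mersenne-prime keys (not secure), and every function and variable name is hypothetical.

```python
# Toy model of case (c): textbook RSA with constructed keys, illustration only.
import hashlib, secrets

E = 65537

def keypair(p, q):
    """Return (public, private) toy RSA keys built from two known primes."""
    n = p * q
    return (n, E), (n, pow(E, -1, (p - 1) * (q - 1)))

def digest(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(priv, data):
    n, d = priv
    return pow(digest(data, n), d, n)

def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == digest(data, n)

def make_chip(intel_priv, p, q):
    """Manufacture: the chipkey goes on the chip with an Intel-signed certificate."""
    pub, priv = keypair(p, q)
    return {"priv": priv, "pub": pub, "cert": sign(intel_priv, repr(pub).encode())}

def attest(chip, statement):
    """Claim #2 in the message: a random nonce makes every signature differ."""
    nonce = secrets.token_bytes(16)
    return {"nonce": nonce, "statement": statement, "pub": chip["pub"],
            "sig": sign(chip["priv"], nonce + statement), "cert": chip["cert"]}

def disney_check(intel_pub, msg):
    """Return a fingerprint of the chip key if cert and signature verify, else None."""
    pub_bytes = repr(msg["pub"]).encode()
    if not (verify(intel_pub, pub_bytes, msg["cert"])
            and verify(msg["pub"], msg["nonce"] + msg["statement"], msg["sig"])):
        return None
    return hashlib.sha256(pub_bytes).hexdigest()[:16]

INTEL_PUB, INTEL_PRIV = keypair(2**521 - 1, 2**607 - 1)   # constructed master key
CHIP_A = make_chip(INTEL_PRIV, 2**61 - 1, 2**89 - 1)      # constructed chipkeys
CHIP_B = make_chip(INTEL_PRIV, 2**107 - 1, 2**127 - 1)
STATEMENT = b"This computer is running Windows 2005 with Palladium enabled."

if __name__ == "__main__":
    runs = [attest(CHIP_A, STATEMENT), attest(CHIP_A, STATEMENT), attest(CHIP_B, STATEMENT)]
    print("signatures differ:", runs[0]["sig"] != runs[1]["sig"])
    print("chips seen by verifier:", [disney_check(INTEL_PUB, r) for r in runs])
```

The first two fingerprints printed are identical even though the signatures differ, which is the serial-number equivalence the message argues for.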