On Fri, 11 May 2007, Jon Callas wrote:
>> What about DRM/ERM that uses TPM? With TPM the content is
>> pretty much tied to a machine (barring screen captures etc)
>> Will ERM/DRM be ineffective even with the use of TPM?

There are two different features of TPM: it can work as an embedded
smartcard (to identify computer), and it can be used to vouch for
integrity of booted software. The first feature does not add
much to DRM, because the attacker has the computer. The second feature
can be bypassed if OS or DRM software has exploitable bugs (or
with relatively simple hardware techniques, but let someone
build a bug-free DRM software first :-) ).

> If someone is so impolite that they'll put the TPM chip under
> a scanning electron microscope, they can probably just read
> the bits off.

Actually there is no need for any TPM intrusive methods to
bypass the second feature mentioned above (the first one does
not need to be bypassed since attacker has the computer). Let us
see how TPM works:

  after reset, CPU sends a sequence of messages that report
  hashes of the booted software;

  TPM changes its internal registers (PCRs -- platform
  configuration registers) as a result;

  CPU sends a key to be encrypted and a description of PCR
  values required to decrypt it;

  TPM returns encrypted blob (it stores PCR requirements inside the

Once the blob is saved outside, it can be used to make sure that
only required software can access the key:

  after reset CPU reports hashes of booted software and TPM
  changes PCRs;

  CPU send a blob to be decrypted;

  TPM decrypts it, checks PCR requirements, and return the key
  stored inside.

The crucial assumptions here are that (1) TPM cannot be reset
independently of CPU; (2) CPU's boot ROM cannot be changed (note
that in many cases the ROM used for boot is actually flash);
(3) the bus between CPU and TPM cannot be tampered with.

Now, to decrypt any blob there is no need to have a FIB (focused
ion beam) or a "scanning electron microscope," because the only
thing an attacker needs is to break one of the above
assumptions, for example, boot Linux, reset TPM by some hardware
manipulation, write a program to send to TPM the needed set of
PCR change requests, send the blob, get the decrypted key, and
print it out.

Note once again that TPM works exactly as expected, the only
problem is that the assumptions do not hold.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to