Re: Enterprise Right Management vs. Traditional Encryption Tools
Jason Holt wrote:
> So I guess the answer to your question is "We'd better assume that DRM+TPM will be ineffective until we've subjected a specific implementation of it to the same level of scrutiny we apply to other cryptosystems, and since DRM+TPM proposals tend to be much more complicated than other cryptosystems like SSL, that's going to take a very long time."

TPM can in principle provide effective DRM - it can also provide effective super root access to your computer for FBI and the Motion Picture Association of America - it can do lots of things. So far it has not done any of them.

- The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Re: Enterprise Right Management vs. Traditional Encryption Tools
Jason Holt wrote:
> ERM/DRM/TPM are such poorly defined and implemented products that people have started referring to a "DRM fairy" who people assume will wave her wand and solve whatever problem is at hand. I used to try to draw out the mentioner's claims into a concrete proposal that everyone could objectively examine, but the conversation rarely progressed that far. So now I think that, as with other crypto proposals, the onus should now be on the proposer to clearly delineate what they're proposing and convince us that it's complete and correct, rather than us nodding our heads or lashing out at what we assume it means.

somewhat aside ... there was an effort in the very early days of the PC to look at (hardware) countermeasures to software (and other) piracy (I don't remember whether i was involved shortly before or after the actual announcement of the PC).

starting with 370, the mainframes had unique processor identifications and licensed software was configured for the specific processor. this may have been relatively easy to defeat ... but the numbers and costs involved somewhat created a barrier. It was sufficient to show that some (illegal) action had to have been taken in order to successfully prosecute.

because the costs and numbers involved with the PC were so significantly different, individual prosecution was harder to justify ... and so the hardware countermeasures needed to be much more robust. a problem with the investigation at the time was that tamper-evident technologies were way too expensive which contributed to the investigation being shelved.

somewhat in the wake of that ... there were various methods like specially encoded floppy disks as countermeasure to piracy (i.e. the floppy disks were not trivially duplicated by normal means).

Re: Enterprise Right Management vs. Traditional Encryption Tools
On Wed, 9 May 2007, Ali, Saqib wrote:
> What about DRM/ERM that uses TPM? With TPM the content is pretty much tied to a machine (barring screen captures etc)
>
> Will ERM/DRM be ineffective even with the use of TPM?

ERM/DRM/TPM are such poorly defined and implemented products that people have started referring to a "DRM fairy" who people assume will wave her wand and solve whatever problem is at hand. I used to try to draw out the mentioner's claims into a concrete proposal that everyone could objectively examine, but the conversation rarely progressed that far. So now I think that, as with other crypto proposals, the onus should now be on the proposer to clearly delineate what they're proposing and convince us that it's complete and correct, rather than us nodding our heads or lashing out at what we assume it means.

So I guess the answer to your question is "We'd better assume that DRM+TPM will be ineffective until we've subjected a specific implementation of it to the same level of scrutiny we apply to other cryptosystems, and since DRM+TPM proposals tend to be much more complicated than other cryptosystems like SSL, that's going to take a very long time."

Re: Enterprise Right Management vs. Traditional Encryption Tools
On Fri, 11 May 2007, Jon Callas wrote:
>> What about DRM/ERM that uses TPM? With TPM the content is pretty much tied to a machine (barring screen captures etc)
>> Will ERM/DRM be ineffective even with the use of TPM?

There are two different features of TPM: it can work as an embedded smartcard (to identify computer), and it can be used to vouch for integrity of booted software. The first feature does not add much to DRM, because the attacker has the computer. The second feature can be bypassed if OS or DRM software has exploitable bugs (or with relatively simple hardware techniques, but let someone build a bug-free DRM software first :-) ).

> If someone is so impolite that they'll put the TPM chip under a scanning electron microscope, they can probably just read the bits off.

Actually there is no need for any TPM intrusive methods to bypass the second feature mentioned above (the first one does not need to be bypassed since attacker has the computer).

Let us see how TPM works:

  after reset, CPU sends a sequence of messages that report hashes of the booted software;
  TPM changes its internal registers (PCRs -- platform configuration registers) as a result;
  CPU sends a key to be encrypted and a description of PCR values required to decrypt it;
  TPM returns encrypted blob (it stores PCR requirements inside the blob).

Once the blob is saved outside, it can be used to make sure that only required software can access the key:

  after reset CPU reports hashes of booted software and TPM changes PCRs;
  CPU sends a blob to be decrypted;
  TPM decrypts it, checks PCR requirements, and returns the key stored inside.

The crucial assumptions here are that (1) TPM cannot be reset independently of CPU; (2) CPU's boot ROM cannot be changed (note that in many cases the ROM used for boot is actually flash); (3) the bus between CPU and TPM cannot be tampered with.

Now, to decrypt any blob there is no need to have a FIB (focused ion beam) or a "scanning electron microscope," because the only thing an attacker needs is to break one of the above assumptions, for example, boot Linux, reset TPM by some hardware manipulation, write a program to send to TPM the needed set of PCR change requests, send the blob, get the decrypted key, and print it out.

Note once again that TPM works exactly as expected, the only problem is that the assumptions do not hold.

--
Regards,
ASK

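A toy Python model of the seal/unseal flow described in the message above, added here as an illustration and not code from the thread; `ToyTPM`, `report_boot` and the boot image names are hypothetical, and the XOR pad stands in for the TPM's real encryption. It shows that the PCR value is a function only of the measurements reported after reset, which is why the three listed assumptions carry the whole guarantee.

```python
import hashlib, hmac, os

class ToyTPM:
    """Toy model of the seal/unseal flow (hypothetical, not a real TPM API)."""
    def __init__(self):
        self._srk = os.urandom(32)      # storage secret that never leaves the chip
        self.reset()

    def reset(self):
        self.pcr = bytes(20)            # PCR is all zeros after reset

    def extend(self, measurement):
        # TPM 1.2-style extend: PCR_new = SHA1(PCR_old || measurement)
        self.pcr = hashlib.sha1(self.pcr + measurement).digest()

    def _mac(self, body):
        return hmac.new(self._srk, body, hashlib.sha256).digest()
    def _xor(self, nonce, data):        # toy cipher, data of at most 32 bytes
        pad = hashlib.sha256(b"enc" + self._srk + nonce).digest()
        return bytes(a ^ b for a, b in zip(data, pad))
    def seal(self, key, required_pcr):
        nonce = os.urandom(16)
        body = nonce + required_pcr + self._xor(nonce, key)
        return body + self._mac(body)   # PCR requirement travels inside the blob

    def unseal(self, blob):
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, self._mac(body)):
            raise ValueError("blob was not produced by this TPM")
        nonce, required, ct = body[:16], body[16:36], body[36:]
        if required != self.pcr:
            return None                 # current PCR does not match the requirement
        return self._xor(nonce, ct)

def report_boot(tpm, images):           # reset, then report each image hash in order
    tpm.reset()
    for image in images:
        tpm.extend(hashlib.sha1(image).digest())

def demo():
    tpm, key = ToyTPM(), b"content-key-0001"
    expected = [b"bootloader-v1", b"kernel-v1", b"drm-agent-v1"]  # constructed
    report_boot(tpm, expected)
    blob = tpm.seal(key, tpm.pcr)
    same = tpm.unseal(blob)             # same measurement chain: key is released
    report_boot(tpm, [b"bootloader-v1", b"kernel-v2", b"drm-agent-v1"])
    changed = tpm.unseal(blob)          # different chain: PCR mismatch, no key
    report_boot(tpm, expected)          # the TPM sees only the reported hashes
    return same, changed, tpm.unseal(blob)
```

The model has no way to tell which software produced the reported hashes; in a real platform that link is supplied by the reset wiring, the boot ROM and the bus, not by the TPM itself.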
Re: Enterprise Right Management vs. Traditional Encryption Tools
On May 9, 2007, at 5:01 PM, Ali, Saqib wrote:
> Hi Jon,
>
>> Rights management systems work against polite attackers. They are useless against impolite attackers. Look at the way that entertainment rights management systems have been attacked.
>>
>> The rights management system will be secure so long as no one wants to break them. There is tension between the desire to break it and the degree to which its users rely on it. At some point, this tension will snap and it's going to hurt the people who rely on it. A metaphor involving a rubber band and that smarting is likely apt.
>
> What about DRM/ERM that uses TPM? With TPM the content is pretty much tied to a machine (barring screen captures etc)
>
> Will ERM/DRM be ineffective even with the use of TPM?
>
> Thanks
> Saqib Ali

Your comment of barring screen captures etc. is a bit like saying that won't a bank be safe from robberies barring someone waving a gun in a teller's face, etc. Yeah, sure, but doesn't that kinda miss the point?

DRM works if the attackers are polite. The less polite they are, the less well it works. DRM systems for media are probably more immune to "analog hole" attacks than ERM systems. Imagine that someone ERM protected an email showing things that Gonzales couldn't remember when he was testifying to Congress, or in some stock scandal, etc. A photo of a screen with a cell phone camera would be sufficient. We have not (yet) seen an attack where someone got a pre-release of a movie and then pointed a camera at a laptop screen, but we will.

If you add in a TPM, it depends entirely on how impolite the attackers are, as well as the construction of the TPM. One of the recent attacks against AACS involved the attackers unsoldering the chip and attacking it directly. That's pretty rude, but it worked. If someone is so impolite that they'll put the TPM chip under a scanning electron microscope, they can probably just read the bits off. Very few smart cards can survive that.

Remember, this is all a trade-off between the cost of the device and the devotion of the attacker. TPM chips have to be very cheap, because the customer is ultimately paying for it. That means its defenses can't be very thorough.

Furthermore, while the owner of the device is the attacker, you can't afford very many defenses. If a music player, for example, went DOA because it was dropped, went over/under temperature, and so on, it would be a financial nightmare, as you probably have to replace them under warranty. People who hate DRM would buy devices, monkeywrench them, and then demand a refund.

ERM systems have the advantage that in general the attackers are more polite. More people want to break AACS than rights-controlled analyst reports. However, once something really juicy happens, like just needing the content registration key for a document that will get a politician in jail -- well, plenty of people can hack that. Now, all of a sudden, the attackers won't be polite, and that metaphor I made about a rubber band snapping will seem modest.

Really, you're much better off with real crypto and personnel policies.

Jon

Re: Enterprise Right Management vs. Traditional Encryption Tools
Hello,

On 08/05/07 20:16, Ali, Saqib wrote:
> I was recently asked why not just deploy an Enterprise Right Management solution instead of using various encryption tools to prevent data leaks.
>
> Any thoughts?

The "encryption tools" function according to simple, well understood, and more-or-less enforceable security models. Their assumptions are well understood and, most importantly, match the environments they run on. They solve a simple problem, and solve it effectively.

Rights management solutions have complex security models, and run in environments that do not always satisfy the assumptions. They aim at providing complex functionality, but they often (always?) fail to deliver due to their over-complexity and unrealistic assumptions.

If your security needs can be met by the simple functional model of the "encryption tools", then you will prefer to enjoy the assurance and the reasonable robustness they provide, which is the most desirable feature after all.

Hagai.

--
Hagai Bar-El - Information Security Analyst
T/F: 972-8-9354152
Web: www.hbarel.com

Re: Enterprise Right Management vs. Traditional Encryption Tools
Hi Jon,

> Rights management systems work against polite attackers. They are useless against impolite attackers. Look at the way that entertainment rights management systems have been attacked.
>
> The rights management system will be secure so long as no one wants to break them. There is tension between the desire to break it and the degree to which its users rely on it. At some point, this tension will snap and it's going to hurt the people who rely on it. A metaphor involving a rubber band and that smarting is likely apt.

What about DRM/ERM that uses TPM? With TPM the content is pretty much tied to a machine (barring screen captures etc)

Will ERM/DRM be ineffective even with the use of TPM?

Thanks
Saqib Ali

Re: Enterprise Right Management vs. Traditional Encryption Tools
On May 8, 2007, at 10:16 AM, Ali, Saqib wrote:
> I was recently asked why not just deploy an Enterprise Right Management solution instead of using various encryption tools to prevent data leaks.
>
> Any thoughts?

What problem are you trying to solve?

If you're dealing with a rights-management problem, such as how do you give someone a document that they can read on the screen but not print, you aren't going to solve that with a cryptosystem.

However, rights management systems have characteristics that are different.

Rights management systems work against polite attackers. They are useless against impolite attackers. Look at the way that entertainment rights management systems have been attacked.

The rights management system will be secure so long as no one wants to break them. There is tension between the desire to break it and the degree to which its users rely on it. At some point, this tension will snap and it's going to hurt the people who rely on it. A metaphor involving a rubber band and that smarting is likely apt.

One way this fails is the good old "analog hole." People can still take pictures of their screens.

Another way this fails is for people to rely upon rights management as a cover for sloppiness, anger, or mendacity. If you think you can revoke a message or send Mission Impossible documents, you will. Someday, someone on the receiving end will use the analog hole. Oops. Imagine the case where a tech support person tells off an obnoxious customer, who takes a picture of the screen.

Furthermore, there are subtle problems with rights-management and policy. Let's suppose that I run an organization that needs to archive documents. I therefore *must* reject documents that I cannot archive.

I have personally stuck more to having crypto be a form of access control (once you get to a document, you have it) than as use control because:

* The former problem is hard enough
* We know that DRM of any sort will ultimately fail
* Human nature will lead people to get into trouble *because* of rights management.

I think that the operational issue -- that rights management *cannot* work -- trumps everything else, and turns the social issues (if you can tell someone off and deny it, will you?) into -- into nothing other than an information bomb. You're going to end up looking like Wile E. Coyote, with a blackened face and stunned, blinking eyes.

Jon