[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Confinement (even with TPMs) and DRM are not mutually exclusive

From: Jonathan S. Shapiro
Subject: Re: Confinement (even with TPMs) and DRM are not mutually exclusive
Date: Wed, 07 Jun 2006 13:29:37 -0400

On Wed, 2006-06-07 at 11:24 +0200, Bas Wijnen wrote:
> > > So the user knows if the device is "direct".  The program doesn't need to
> > > know.
> > 
> > Um. No. Anybody who has looked at the trusted path issues in electronic
> > voting can explain at great length that it is *extremely* difficult for
> > either the user or the computer to know this, and that all currently
> > feasible mechanisms for this rely on some form of very carefully
> > implemented DRM that permits end-to-end authentication of a closed
> > device at the user end.
> This surprises me.  If the system holds a capability to the keyboard, and
> passes it to one user session at a time, revoking it again at logout, why is
> it hard to keep track of it?

The problem is that the system never held a capability to the keyboard.
What it held was a capability to the PS/2 (or USB) keyboard port. It has
no idea what is actually connected out there. For example, it has no
idea whether a keyboard sniffer has been attached or whether this may be
a radio keyboard.

Similarly, a server cannot tell if the user is actually logged in at a
terminal at all -- it can only tell that it has received input from a
connection that appears to constitute an authentication sequence.

In order to build an end-to-end trusted path, the computer must be able
to authenticate that the terminal device is in fact an authentic
terminal device. It must establish an end to end encrypted session to
preclude tampering in the middle of the connection, and it must then
assume that the user is taking responsibility for physical security
(which, in the voting scenario, is not that unreasonable).

Your original statement was that the system could trust the terminal. In
many circumstances this is "true enough" in practice that we can get
useful work done, but it definitely is NOT true if we are dealing with
anything sensitive. In particular, it is not true for credit

Keyboard stuffing attacks are not hypothetical. They have been a joy of
hackers for years.


reply via email to

[Prev in Thread] Current Thread [Next in Thread]