Trusted Computing Frequently Asked Questions - TCPA / Palladium / NGSCB / Longhorn / TCG

Version 1.0

Ross Anderson

Translations into German, Spanish, Italian, Dutch, Chinese, Norwegian, Swedish, Finnish, Hungarian, Greek, Hebrew and French.

This document is released under the GNU Free Documentation License. Additions since July 2002 are at the foot of this document.

See also the Economics and Security Resource Page which gives a lot of background to the issues raised here.

Microsoft has renamed Palladium NGSCB - for `Next Generation Secure Computing Base' and pronounced `enscub', while TCPA has been renamed (somewhat brusquely) as TCG - for the Trusted Computing Group. Meanwhile, opposition is mounting. Expect further twists and turns as the battle develops. And read on ...

1. What are TCPA and Palladium?

TCPA stands for the Trusted Computing Platform Alliance, an initiative led by Intel. Their stated goal is `a new computing platform for the next century that will provide for improved trust in the PC platform.' Palladium is software that Microsoft says it plans to incorporate in future versions of Windows; it will build on the TCPA hardware, and will add some extra features. Palladium has recently been renamed NGSCB while TCPA has been renamed TCG; however I'll continue to refer to them here by their original names as they are still more widely used.

2. What does TCPA / Palladium do, in ordinary English?

It provides a computing platform on which you can't tamper with the applications, and where these applications can communicate securely with the vendor. The obvious application is digital rights management (DRM): Disney will be able to sell you DVDs that will decrypt and run on a Palladium platform, but which you won't be able to copy. The music industry will be able to sell you music downloads that you won't be able to swap. They will be able to sell you CDs that you'll only be able to play three times, or only on your birthday. All sorts of new marketing possibilities will open up.

TCPA / Palladium will also make it much harder for you to run unlicensed software. Pirate software can be detected and deleted remotely.

It will also make it easier for people to rent software rather than buying it; and if you stop paying the rent, then not only does the software stop working but so may the files it created. For years, Bill Gates has dreamed of finding a way to make the Chinese pay for software: Palladium could be the answer to his prayer.

There are many other possibilities. Governments will be able to arrange things so that all Word documents created on civil servants' PCs are `born classified' and can't be leaked electronically to journalists. Auction sites might insist that you use trusted proxy software for bidding, so that you can't bid tactically at the auction. Cheating at computer games could be made more difficult.

There is a downside too. There will be remote censorship: the mechanisms designed to delete pirated music under remote control may be used to delete documents that a court (or a software company) has decided are offensive - this could be anything from pornography to writings that criticise political leaders. Software companies can also make it harder for you to switch to their competitors' products; for example, Word could encrypt all your documents using keys that only Microsoft products have access to; this would mean that you could only read them using Microsoft products, not with any competing word processor.

3. So I won't be able to play MP3s on my PC any more?

With existing MP3s, you may be all right for some time. Microsoft says that Palladium won't make anything suddenly stop working. But a recent software update for Windows Media Player has caused controversy by insisting that users agree to future anti-piracy measures, which may include measures that delete pirated content found on your computer. Also, some programs that give people more control over their PCs, such as VMware and Total Recorder, are unlikely to work under TCPA. So you may have to use a different player - and if your player will play pirate MP3s, then it seems unlikely to be authorised to play the new, protected, titles.

It is up to an application to set the security policy for its files, using an online policy server. So Media Player will determine what sort of conditions get attached to protected titles, and I expect Microsoft will do all sorts of deals with the content providers, who will experiment with all sorts of business models.

You might get CDs that are a third of the price but which you can only play three times; if you pay the other two-thirds, you'd get full rights. You might be allowed to lend your copy of some digital music to a friend, but then your own backup copy won't be playable until your friend gives you the main copy back. More likely, you will not be able to lend music at all. These policies will make life inconvenient for some people; for example, regional coding might stop you watching the Polish version of a movie if your PC was bought outside Europe.

This could all be done today - Microsoft would just have to download a patch into your player - but once TCPA / Palladium makes it hard for people to tamper with the player software, and easier for Microsoft to control upgrades and patches, it will be harder for you to escape, and will therefore be a more attractive way of doing business.

4. How does it work?

TCPA provides for a monitoring and reporting component to be mounted in future PCs. The preferred implementation in the first phase of TCPA is a `Fritz' chip - a smartcard chip or dongle soldered to the motherboard.

When you boot up your PC, Fritz takes charge. He checks that the boot ROM is as expected, executes it, measures the state of the machine; then checks the first part of the operating system, loads and executes it, checks the state of the machine; and so on. The trust boundary, of hardware and software considered to be known and verified, is steadily expanded. A table is maintained of the hardware (audio card, video card etc) and the software (O/S, drivers, etc); Fritz checks that the hardware components are on the TCPA approved list, that the software components have been signed, and that none of them has a serial number that has been revoked. If there are significant changes to the PC's configuration, the machine must go online to be re-certified. The result is a PC booted into a known state with an approved combination of hardware and software (whose licences have not expired). Control is then handed over to enforcement software in the operating system - this will be Palladium if your operating system is Windows.

Once the machine is in this state, Fritz can certify it to third parties: for example, he will do an authentication protocol with Disney to prove that his machine is a suitable recipient of `Snow White'. This will mean certifying that the PC is currently running an authorised application program - MediaPlayer, DisneyPlayer, whatever. The Disney server then sends encrypted data, with a key that Fritz will use to unseal it. Fritz makes the key available only to the authorised application and only so long as the environment remains `trustworthy'. For this purpose, `trustworthy' is defined by the security policy downloaded from a server under the control of the application owner. This means that Disney can decide to release its premium content to a given media player application in return for a contract that the application will not make any unauthorised copies of content, and will impose a certain set of conditions (including what level of security has to be set in TCPA). This can involve payment: Disney might insist, for example, that the application collect a dollar every time you view the movie. In fact, the application itself can be rented too, and this is of great interest to software companies. The possibilities seem to be limited only by the marketers' imagination.

5. What else can TCPA and Palladium be used for?

TCPA can also be used to implement much stronger access controls on confidential documents. For example, an army might arrange that its soldiers can only create Word documents marked at `Confidential' or above, and that only a TCPA PC with a certificate issued by its own security agency can read such a document. This is called `mandatory access control', and governments are keen on it. The Palladium announcement implies that the Microsoft product will support this: you will be able to configure Word so that it will encrypt all documents generated in a given compartment on your machine, and share it only with other users in a defined group.

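The boot-time measurement chain and conditional key release described in answer 4, as an added example that is not part of the original FAQ and is not TCPA or Palladium code. It is a simplified model: the hash-chain register, the HMAC-based key wrapping, and every name and sample value are assumptions made for illustration.

```python
import hashlib
import hmac

def measure(image: bytes) -> bytes:        # hash a component before it may run
    return hashlib.sha256(image).digest()

def measured_boot(stages, approved, revoked):
    """Walk the boot chain in order; None if any stage is unapproved or revoked."""
    register = bytes(32)                   # known starting value at power-on
    for image in stages:
        m = measure(image)
        if m not in approved or m in revoked:
            return None                    # chain stops: machine is not certifiable
        register = hashlib.sha256(register + m).digest()  # fold measurement in
    return register

def _mac(secret: bytes, label: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, label + b"".join(parts), hashlib.sha256).digest()

def seal(chip_secret: bytes, state: bytes, key: bytes):
    """Bind a content key (at most 32 bytes) to one chip and one platform state."""
    pad = _mac(chip_secret, b"wrap", state)          # toy wrap, not a real format
    ct = bytes(k ^ p for k, p in zip(key, pad))
    return ct, _mac(chip_secret, b"tag", state, ct)

def unseal(chip_secret: bytes, state, blob):
    """Release the key only when chip and current state match the sealed ones."""
    ct, tag = blob
    if state is None or not hmac.compare_digest(tag, _mac(chip_secret, b"tag", state, ct)):
        return None
    pad = _mac(chip_secret, b"wrap", state)
    return bytes(c ^ p for c, p in zip(ct, pad))

# Constructed sample data standing in for firmware and program images.
ROM, OS, PLAYER, RIPPER = b"boot-rom-v1", b"os-loader-v7", b"player-v3", b"ripper-v1"
APPROVED = {measure(x) for x in (ROM, OS, PLAYER)}
CHIP, CONTENT_KEY = b"per-chip secret (constructed)", b"0123456789abcdef"

def demo():
    good = measured_boot([ROM, OS, PLAYER], APPROVED, set())
    blob = seal(CHIP, good, CONTENT_KEY)
    boot = lambda stages, revoked=(): measured_boot(stages, APPROVED, set(revoked))
    return {
        "same state": unseal(CHIP, good, blob),
        "unapproved app": unseal(CHIP, boot([ROM, OS, RIPPER]), blob),
        "revoked player": unseal(CHIP, boot([ROM, OS, PLAYER], [measure(PLAYER)]), blob),
        "reordered chain": unseal(CHIP, boot([OS, ROM, PLAYER]), blob),
        "other chip": unseal(b"different chip", good, blob),
    }
```

Only the first entry returns the content key. The reordered case uses nothing but approved components, yet still fails because the register depends on the order in which they were loaded.
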
Corporations will be able to do this too, to make life harder for whistleblowers. They can arrange that company documents can only be read on company PCs, unless a suitably authorised person clears them for export. They can also implement timelocks: they can arrange, for example, that all emails evaporate after 90 days unless someone makes a positive effort to preserve them. (Think of how useful that would have been for Enron, or Arthur Andersen, or for Microsoft itself during the antitrust case.) The Mafia might use the same facilities: they could arrange that the spreadsheet with the latest drug shipments can only be read on accredited Mafia PCs, and will vanish at the end of the month. This might make life harder for the FBI - though Microsoft is in discussions with governments about whether policemen and spies will get some kind of access to master keys. But, in any case, a whistleblower who emails a document to a journalist will achieve little, as the journalist's Fritz chip won't give him the key to decipher it.

TCPA / Palladium also seems destined for use in electronic payment systems. One of the Microsoft visions appears to be that much of the functionality now built on top of bank cards may move into software once the applications can be made tamper-resistant. This is needed if we are to have a future in which we pay for books that we read, and music we listen to, at the rate of so many pennies per page or per minute. Even if this doesn't work out as a business model - and there are good arguments why it won't - there is clearly a competitive issue for a number of online payment systems, and there may be spillover effects for the user. If, in ten years' time, it's inconvenient to shop online with a credit card unless you use a TCPA or Palladium platform, then this could move a lot of people over to the system.

6. OK, so there will be winners and losers - Disney might win big, and smartcard makers might go bust. But surely Microsoft and Intel are not investing nine figures just for charity? How do they propose to make money out of it?

My spies at Intel tell me that it was a defensive play. As they make most of their money from PC microprocessors, and have most of the market, they can only grow their company by increasing the size of the market. They are determined that the PC will be the hub of the future home network. If entertainment is the killer application, and DRM is going to be the critical enabling technology, then the PC has to do DRM or risk being displaced in the home market.

Microsoft were also motivated by the desire to bring all of entertainment within their empire.