2002-07-08
Whether Microsoft's ambitious project is a security solution or a Trojan horse depends much on the company's intentions.
The wrong problem addressed
2002-07-09
L0k1 (1 reply)

This sounds more like a system for requiring only signed code at the kernel level. They claim it will be a way to secure DRM-protected content and to make the OS safe from viruses and trojans. But unless M$ or the TCPA wants to get into the business of reviewing every third-party device driver that needs to run at kernel level, the tools to create authentic signatures will have to be released as part of the developer kits, just as requiring signed ActiveX controls was supposed to prevent rogue controls from violating your machine. I doubt Palladium will do any better.
Java's virtual machine is supposed to restrict access of objects outside the virtual environment, but that hasn't kept Java viruses from being created.
The DVD-CSS system was cracked because there were weaknesses in the algorithms used, but those weaknesses were not readily obvious until a key was compromised. The bigger problem is how do you securely deliver content that can only be played by one device / person? That requires separate encryption in the delivery process for each person that can receive the content. Imagine pressing a custom encrypted DVD for each person who purchases one. Our current streaming methods are not designed to deliver different content. In the case of DVD-CSS, they chose to make all DVDs with the same content identical, with a file containing an encrypted version of the content key targeted for each current and future licensed playback device. With the weaknesses in the DVD-CSS algorithm, once one licensee's key was compromised, it wouldn't be long before the entire existing list of keys was compromised. Revoking a compromised key will make hundreds of customers pissed off because their newly purchased copy of Disney's "The Kid" will not play in their old player.
The infamous Blue Screen of Death will have a new partner in Palladium. Just one bit in the kernel being out of place will crater your system, because the authentication of the segment will fail.
The only good excuse I can think of for supporting such a radical new hardware design is to finally divorce the tired old x86 instruction set for something more like the PowerPC instruction set. Or perhaps a hardware implementation of M$'s new machine-independent executable format.
Link to this comment: http://www.securityfocus.com/comments/columns/93/13743#13743