[extropy-chat] FWD (SK) RFC: copy protection report

Eugen Leitl eugen at leitl.org
Thu Dec 1 20:21:53 UTC 2005


On Thu, Dec 01, 2005 at 10:24:19AM -0800, Adrian Tymes wrote:

> > Assuming, it's not palladium-plated, or nagscabbed.
> 
> There are ways to remove these things.

The system is not going to be officially FIPS 140-1/140-2 certified
and is probably not even going to be tamper-responding. However, do 
you know many who could launch an attack like several described in
http://www.cl.cam.ac.uk/~mgk25/sc99-tamper.pdf (notice that the
state of the art in protection has advanced since), given that
you only extract *a single key*? That's got to be some truly expensive
piece of software to warrant the effort. 

Would you spend 200 k$ in order to be able to make copies of one
piece of software? 
 
> > The XBox
> > key was only snarfed because bus traffic was in clear. If
> > the lane between CPU and chipset is encrypted, or if the key
> > resides within the CPU itself and executes cypher the 
> > user never sees plain in the first place.
> 
> Hacker: "Ooh!  A *challenge*!"
> (a short while later)
> Hacker: "Okay, kiddies, here's how you get the cypher..."

Perhaps I wasn't entirely clear. Your hacker will get one (1) key.
He will not get a meta-method by which other keys can be extracted.
This is different from DVD and BluRay.
 
> One can also open up the CPU itself (or maybe the chipset), with the
> right tools.

Etching away the packaging (assuming, it won't destroy the secret) alone
gives you nothing. 

"Invasive Attacks
Depackaging of Smartcards

Invasive attacks start with the removal of the chip package. We heat the
card plastic until it becomes flexible. This softens the glue and the chip
module can then be removed easily by bending the card. We cover the chip
module with 20–50 ml of fuming nitric acid heated to around 60 °C and wait
for the black epoxy resin that encapsulates the silicon die to completely
dissolve (Fig. 1). The procedure should preferably be carried out under
very dry conditions, as the presence of water could corrode exposed
aluminium interconnects. The chip is then washed with 2

The next step in an invasive attack on a new processor is to create a map
of it. We use an optical microscope with a CCD camera to produce several
meter large mosaics of high-resolution photographs of the chip surface.
Basic architectural structures, such as data and address bus lines, can be
identified quite quickly by studying connectivity patterns"

Noticed something? Remember, all you get for your pain is just one (1) key.
 
> True.  As has been pointed out, various executives at major vendors
> like Microsoft and Intel keep trying to push this and then having to
> back off when (almost never if) it degenerates into a public relations
> fiasco (minor or, occasionally, major).

TPM is being shipped in many systems as we speak. Just as in DRM
(the rights are being taken away from you), with TPM the computer
no longer trusts its owner (and the owner no longer can trust his
computer).
 
> > Don't act too paranoid, but they're changing it *right now*.
> 
> Of course.  That's why this thread exists right now: someone's boss is
> trying to implement this right now, and our friend seeks
> counter-arguments to stop that right now.

The general public a) is not aware what it is buying b) does not
oppose DRM because it craves premium content so badly it waives
its firstborn in the EULA.
 
> > No, I would just let the installer pull a critical part of the
> > code from a remote server after authentication. Easy, and pretty
> > difficult to defeat.
> 
> Nope.  Just get one legit install, then pull that critical part of the
> code onto others.

Here's an Office install. Please fashion an installable package from it.
Oh, I forgot, it's self-decrypting from system fingerprint, so you'll
have to do some extra work.

Can *you* do it? Do you know many people who can? If you don't -- mission
accomplished.
 
> > Extra points for computing a hardware
> > fingerprint,
> > and generate that code server-side as-u-wait (works especially well 
> > for firmware).
> 
> Compare two installs.  See where they differ.  That's where the

1) You will need *two* installs
2) Have you ever compared two live installations?
3) Have you heard of chaff? Watermarks?

> fingerprint lies.  Figure how to generate the fingerprint, and you've

Have fun tracing the (obfuscated and stripped) installer. I have truly
not expected demigod hackers on this list, I must admit.

> got infinitely many installs.  (And, what if the user changes their
> hardware?  They expect it to still work, and may be motivated to change

Three strikes, and you're out (have to call the support line).

> to your competitor if, say, swapping hard drives once a drive breaks
> invalidates the fingerprint and requires purchasing another install.)

Yes, ain't DRM a bitch.
 
> > You wrote the application in the first place. Why do you need an 
> > expert for online unlocking? A child of ten could program it.
> 
> An expert for unlocking, period.  A child of ten would put it in a
> separate subroutine, where it can simply be removed from the rest of
> the code (or altered to return whatever the value for "authorized" is)
> by any user with a hex editor.

You might be surprised that things have changed since the Commodore 64 days.
There aren't too many users with hex editors these days, and you don't really
want to handle a 300 MByte installation at that level.

-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBM: 48.07100, 11.36820            http://www.leitl.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE