Selling Python Software

John J. Lee jjl at pobox.com
Wed Nov 5 02:53:47 CET 2003


bokr at oz.net (Bengt Richter) writes:

> On Tue, 04 Nov 2003 09:03:51 GMT, "Andrew Dalke" <adalke at mindspring.com> wrote:
> 
> >Bengt Richter:
> >> OTOH, we are getting to the point where rather big functionality can be put
> >> on a chip or tamper-proof-by-anyone-but-a-TLA-group module. I.e., visualize
> >> the effect of CPUs' having secret-to-everyone private keys, along with
> >> public keys,
> >
> >Actually, we aren't.  There have been various ways to pull data off
> >of a smart card (I recall reading some on RISKS, but the hits I
> >found are about 5+ years old).  In-circuit emulators get cheaper and
> >faster, just like the chips themselves.  And when in doubt, you can
> >buy or even build your own STM pretty cheap -- in hobbyist range
> >even (a few thousand dollars).
> 
> Even if you knew exactly where on a chip to look, and it wasn't

(Which knowledge is bound to become available -- I don't think any
leak is required.)


> engineered to have the key self-destruct when exposed, what would

Exposed to what?


> you do with the key?  You'd have the binary image of an executable
> meant to execute in the secret-room processing core. How would you

No, you already have that -- it's on your hard drive (the current
scheme is only about the processor & associated gubbins, if I read
Ross Anderson's page right).


> make it available to anyone else?
[...]

Copy it.

I think the idea is something like this (got from Ross Anderson's TC
FAQ).  The processor makes sure that a single process can only see
its own memory space.  The processor also has a private key, and
knows how to take an md5 sum (or whatever), sign it with the key, and
send that off to the software author's server along with your
identity.  The server checks that it was signed with your processor's
private key, and that you've paid for the software, and sends a
signed message back that tells your machine "OK".  Obviously (hmm... I
should hesitate to use that word about anything related to security!),
if you have your machine's private key, you can play
"man-in-the-middle".

Presumably the next phase is to make hard drives, etc. 'trusted'.  I
couldn't find much useful stuff on this on the web.  Anybody have any
good links to overviews of this?


John
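
The exchange described in the message above, as an added example that is not part of the original post: the processor hashes the binary and signs the hash with its identity, and the author's server checks the signature, the hash and payment. It shows what the server's check proves, namely possession of the key and nothing about where the signature was made. Assumptions: toy textbook RSA and SHA-256 stand in for the real scheme, all names and sample binaries are constructed, and the server's signed reply is reduced to a status string.

```python
import hashlib

# Toy textbook RSA from two Mersenne primes: illustration only, not secure.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # the processor's private exponent

def _digest(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(msg: bytes, d: int) -> int:
    return pow(_digest(msg), d, N)

def verify(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(msg)

def attest(binary: bytes, user: str, d: int) -> dict:
    """Processor side: hash the loaded binary, sign hash + identity."""
    h = hashlib.sha256(binary).hexdigest()
    return {"user": user, "hash": h, "sig": sign(f"{user}|{h}".encode(), d)}

def server_check(req: dict, released: bytes, paid: set) -> str:
    """Author's server: signature first, then expected hash, then payment."""
    if not verify(f"{req['user']}|{req['hash']}".encode(), req["sig"]):
        return "bad signature"
    if req["hash"] != hashlib.sha256(released).hexdigest():
        return "unknown binary"
    if req["user"] not in paid:
        return "not paid"
    return "OK"

def run_demo() -> dict:
    released, patched = b"app v1.0 (constructed)", b"app v1.0 patched (constructed)"
    paid = {"alice"}
    check = lambda req: server_check(req, released, paid)
    genuine = attest(released, "alice", D)         # signed inside the processor
    outside = attest(released, "alice", D)         # same key used outside it
    return {
        "genuine": check(genuine),
        "patched_on_real_cpu": check(attest(patched, "alice", D)),
        "unpaid": check(attest(released, "mallory", D)),
        "forged_without_key": check(dict(genuine, sig=12345)),
        # The server sees identical bytes either way, so it cannot tell them apart.
        "key_outside_cpu_indistinguishable": outside == genuine,
    }

if __name__ == "__main__":
    for case, verdict in run_demo().items():
        print(f"{case:34} {verdict}")
```

The whole scheme therefore rests on the private key never leaving the processor, which is why the extraction question raised earlier in the thread matters.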



