From: Yannick Gingras
To: secprog@securityfocus.com
Subject: Re: Secure Sofware Key
Date: Tue, 3 Sep 2002 21:03:40 -0400

> > Is the use of "trusted hardware" really worth it?
>
> Answering that requires fairly complete knowledge of the business
> model. But, in all probability: no, it isn't usually worth it. So, it
> comes down to how difficult you want to make the cracker's job.
>
> > Look at the DVDs.
>
> IIRC, CSS was cracked by reverse-engineering a software player; and
> one where the developers forgot to encrypt the decryption key at that.

This makes me wonder about the relative protection of smart cards. They have an internal processing unit around 4MHz. Can we consider them as trusted hardware?

The ability to ship smart cards periodically upon cashing of a monthly subscription fee would not raise too much the cost of "renting" the system. Smart cards do their own self encryption. Can they be used to decrypt data needed by the system? The input of the system could be mangled and the would keep a reference of how long it was in service.

This sounds really feasible but I may be totally wrong. I may also be wrong about the safety of a smart card. What do you think?

-- 
Yannick Gingras
Coder for OBB : Oceangoing Bared Bonanza
http://OpenBeatBox.org