The Old Joel on Software Forum: Part 4 (of 5) - Defeating piracy with encryption?

Defeating piracy with encryption?

I've been thinking – piracy means being able to copy information from one computer to another.

What if information – software, pictures, music, etc. – was encrypted for one and only one particular computer?

You log on to fogcreek.com and order a copy of Citydesk. Your computer sends out its public key, the fogcreek server encrypts the binary and sends it over. The executable runs fine on your machine, on any other it's garbage.

Now the interesting part – information is always encrypted in memory, at all times. There is no "buffer" where it's decrypted and run from. Decryption is on-the-fly, inside the CPU, where the private key is baked into the silicon.

In the same way, when the CPU writes to memory, it re-encrypts the stuff.

Thoughts?

Alex.ro
Friday, April 2, 2004

Disclaimer: I know nothing (at least not on this board) about cryptography.

>Decryption is on-the-fly, inside the CPU, where the private >key is baked into the silicon.

Having an encryption algorithm that is done on the fly within the CPU would substantially slow down the speed at which a given CPU is running the software. This would lead to all sorts of backwards compatiblity issues.

Also, the en- and decryption complexity vs. execution speed of programs would in my oppinion severly limit the key length that would be usable.

Short keys is crackable(?) by brute force, and if one machine specific key was compromized, it would probably be reusable by BIOS patches or what have you.

Patrik
Friday, April 2, 2004

I think this sort of thing is essentially what Intel's Palladium was supposed to do. Hardware-assissted security and copy protection. So far the idea hasn't gone over so well with the public, but we may see something like it in the future. Doing this in hardware is basically the only way to make it so that it couldn't be easily broken

MikeMcNertney
Friday, April 2, 2004

There are systems that work this way in the embedded systems arena, though they mostly use symmetric encryption, as far as I know. The purpose of those systems is to make reverse-engineering the code/data in the system more difficult.

You probably don't need to go to the trouble of encrypting memory to discourage piracy. All you need to do is have the OS vendor only allow "approved" software to run. Eliminating piracy is one of the driving forces behind Microsoft's "Trusted Computing", in its various incarnations.

-Mark

Mark Bessey
Friday, April 2, 2004

Implementation issues aside (for instance, how would printer driver installation work over a network?)
Why would anyone buy such a severely broken product? They would sooner buy an unencumbered, albeit slowe,r CPU from China and install whatver they see fit on it.
The biggest problem the U.S. faces with trying to limit the usability of PCs is that it will limit itself out of competitiveness.

Full Name:
Friday, April 2, 2004

How would you upgrade your CPU without breaking all your software?

Kyralessa
Friday, April 2, 2004

"I've been thinking – piracy means being able to copy information from one computer to another."

Them you should go back and think some more.

Piracy means being able to copy information from one medium to another, *without having the right to do so*.

Just a minor distinction, you see? Don't worry. The content-producing industry (music, movies, books, software, etc) overlooks that fact, too. As long as their rights are protected...

Paulo Caetano
Saturday, April 3, 2004

And when you buy software from the store, how's it going to know what your public key would be?

Wants to be an ISV
Saturday, April 3, 2004

What you need is a secure coprocessor:

http://www.bennetyee.org/ucsd-pages/coproc.html

It's all explained in Bennet Yee's Ph.D. thesis:

http://www.bennetyee.org/ucsd-pages/pub/th.psfonts.pdf

BC
Saturday, April 3, 2004

I would refuse to buy something that only works on a single PC. I honor copyright for software like I honor copyright for a book. I have a desktop and a laptop, and a single copy of Office. As long as I don't use them at the same time, I'm not violating the spirit of the law. (Obviously, anything I need to run on multiple machines at the same time, I buy multiple copies of; for instance, the OS.)

Any other scheme can kiss my ass. :-p

Brad Wilson (dotnetguy.techieswithcats.com)
Saturday, April 3, 2004

Lets see now. After I download and install this app, somewhere on my computer I will have a) an encrypted file, and b) the key needed to decrypt that file.

Can you explain again why you think that file is protected from me?

Jonno
Saturday, April 3, 2004

The private key necessary to decrypt the file would be stored in a tamper-resistant part of your computer hardware, like those isolation boxes IBM makes for ATM machines.

One difficulty of this approach is that software/content producers would need extra infrastructure to encrypt their products uniquely for each buyer. Also they'd have to check your key against a "master list" of public keys from the hardware manufacturer, so that you couldn't just supply any old key you made up (whose private key you could use to decrypt things yourself). There is a human vulnerability in that a sufficiently well-off pirate could just bribe someone with access to the master list to add a bogus key, thereby allowing the pirate to decrypt whatever he wants. Also I think it's likely that the US government would want a back door, like for eavesdropping on encrypted email or checking for child porn, which would be another big problem in the encryption scheme.

Dan Maas
Saturday, April 3, 2004

You cannot mass produce products and then try to make them unique in some way. The only way your security scheme would work is if each PC had a unique CPU with a unique built-in ID, with encryption/decryption hardware and a software package which would somehow be made to work only with that CPU's ID.

When you start putting keys and codes in files, sending them over the internet etc, you are comprimising your security system. If you spend sometime learning how security is comprimised these days, you will realize it is not as easy as you think to stop it. Don't you think billion-dollar companies would do something about it if they could?

By the way, I am sure corporations would love to have Paladium and similar technologies to keep tabs on consumers' actions, but as long as the spirit of freedom is alive, people will find ways to bypass it. I personally refuse to buy a PC which will tell me what I can and can't do. That's just ridiculuous. Maybe the genetically engineered foods are preparing us for higher levels of obedience for such future technologies.. ;)

...
Sunday, April 4, 2004

Remember also that home piracy is good for big software companies.
If every home user had to pay 400£/$/e for Office there would be a whole market full of $30 word processors but since everybody can 'borrow' a copy from work it ensures no one else can enter the market. MS objects to large companies not signing licence deals but home piracy is what guarantees MS+Office monopoly.

As MS said about china - "if they are going to pirate software make sure it's our software"

Martin Beckett
Sunday, April 4, 2004

>> As long as I don't use them at the same time, I'm not violating the spirit of the law....
...Any other scheme can kiss my ass. :-p

Well said Brad. I totally agree.

gwyn
Sunday, April 4, 2004

EULAs are a joke and everyone knows it.

In any sane legal system, EULAs would be completely unenforceable. The only sane EULA is the GPL and other rights-granting licenses. In exchange for *extra* rights above and beyond normal copyright, you must accept the terms of the license.

If you're buying expensive corporate software and you negotiate and sign a contract, that's one thing.

But if I walk into a store, pick up a box of software, pay my money to the retail store, I consider that I've purchased a copy of the software. It's my copy. I own it. I don't "just own the physical media but require a license to use the software." Nobody has the right to revoke my "license" at any time for any reason.

Regardless of what the current case law might say, I believe I'm being completely ethical when I

1) Make backup copies
2) Use No-CD patches.
3) Lend the software to a friend (stop using it completely while they have it and make sure they uninstall it when they give it back).
4) Re-sell or give away my copy when I no longer have a use for it.
5) Install it as many times as I want, on as many of my computers as I want, as long as I only use one copy at a time.

EULAs, IMHO, are completely worthless.

Richard P
Monday, April 5, 2004

If EULAs are valid and enforceable, then so are EVLAs (End-Vendor Licensing Agreements). You send the vendor an EVLA with your conditions, and it goes into effect unless they object and send you a refund.

T. Norman
Tuesday, April 6, 2004