A lawyer asked me recently how tivoisation works. I looked around, and there was no document explaining it. So I've put together a description below, but I'd like some comments on whether it's understandable and complete enough:
=================== Tivoisation is a way of giving someone a computer whose software can be upgraded but which will refuse to run any software that isn't first authorised by the manufacturer.
To implement tivoisation, a hardware manufacturer must do three things:
1. Put a chip in the computer which will check any software before it is run and which will only allow the running of software if an authorised digital fingerprint is found.
2. Inject that certain digital fingerprint into each version of their own software.
3. Don't tell their customers the fingerprint.
By doing this, the manufacturer can still publish new versions of the software in the future. It just has to inject the secret fingerprint and then publish the software and users will be able to run it.
However, if the user tries to use a modified version of the software, or tries to run some third-party software, the computer will refuse to function fully, or will simply not run the software at all. ===================
> A lawyer asked me recently how tivoisation works. I looked around, and there was no document explaining it. So I've put together a description below, but I'd like some comments on whether it's understandable and complete enough:
> =================== Tivoisation is a way of giving someone a computer whose software can be upgraded but which will refuse to run any software that isn't first authorised by the manufacturer.
Maybe add something as to why this might be a bad thing. A priori, it might not be a bad thing, but the problem comes when the manufacturer is using software which was distributed with the express intent that any recipient be able to modify it and run the modified version. (The GPL being the case in point.) The 'fingerprinting' you describe then effectively takes away that right, thwarting the intent of the copyright holder for the software.
The description of how it's achieved was clear, I thought.
Ben.
Hi Ciaran,
I may be wrong but I assume that at least some Tivoisation schemes use cryptographic digital signatures. Your explanation gives the impression that the "fingerprint" is a value which is inserted in the software and compared byte-for-byte with a known value in the chip. With this approach, the "fingerprint" could relatively easily be read from the "official" software and added to unofficial software.
In practice, I expect that the chip contains a secret cryptographic key and the necessary hardware to verify a digital signature on the software. This is much more difficult to circumvent, since a valid signature can only be created by the correct signing key, and the signing key is not present in the software and may not even be the same key in the chip if asymmetric (public-key) cryptography is used.
I've suggested some changes to your explanation below, but these are based on the assumptions I've made above so it might be best to verify them with others more familiar with, say, the actual Tivo devices.
Kind regards,
David
On 15.12.06 14:48, Ciaran O'Riordan wrote:
> A lawyer asked me recently how tivoisation works. I looked around, and there was no document explaining it. So I've put together a description below, but I'd like some comments on whether it's understandable and complete enough:
> =================== Tivoisation is a way of giving someone a computer whose software can be upgraded but which will refuse to run any software that isn't first authorised by the manufacturer.
> To implement tivoisation, a hardware manufacturer must do three things:
> - Put a chip in the computer which will check any software before it is run and which will only allow the running of software if an authorised digital fingerprint is found.
an authorised digital fingerprint -> an authorised digital signature
> - Inject that certain digital fingerprint into each version of their own software.
-> Digitally sign each version of their software with a private key.
> - Don't tell their customers the fingerprint.
-> Don't give their customers the signing key.
> By doing this, the manufacturer can still publish new versions of the software in the future. It just has to inject the secret fingerprint and then publish the software and users will be able to run it.
It just has to ... -> It just has to digitally sign and then publish the software and users will be able to run it.
> However, if the user tries to use a modified version of the software, or tries to run some third-party software, the computer will refuse to function fully, or will simply not run the software at all.
+ because it is practically impossible to create a valid digital signature without knowledge of the private key.
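The two designs discussed in this thread, the byte-for-byte "fingerprint" check and the digital-signature check, as an added example that is not part of the original messages and not TiVo's actual firmware mechanism. Both "chips" are plain Go structs; the signature scheme uses Ed25519 over a SHA-256 digest, which is an assumption made here (the thread names no algorithm), and the firmware images are constructed strings. The `transplantTrailer` helper performs the attack David describes: copying the tail of an official image onto modified code.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Constructed sample images for the demonstration, not real firmware.
var (
	officialCode = []byte("official firmware v1: play recordings")
	modifiedCode = []byte("modified firmware v1: play recordings, skip adverts")
)

// Result records what a chip decided for the vendor's own image and for
// an image a user built from modified code.
type Result struct {
	OfficialAccepted bool
	ModifiedAccepted bool
}

// --- Scheme A: a secret constant ("fingerprint") appended to the image ---

const fingerprintLen = 32

// fingerprintChip accepts any image whose last 32 bytes equal its secret.
type fingerprintChip struct{ secret []byte }

func (c fingerprintChip) Accept(image []byte) bool {
	if len(image) < fingerprintLen {
		return false
	}
	tail := image[len(image)-fingerprintLen:]
	return subtle.ConstantTimeCompare(tail, c.secret) == 1
}

// vendorFingerprint builds an image the fingerprint chip will accept.
func vendorFingerprint(secret, code []byte) []byte {
	return append(append([]byte{}, code...), secret...)
}

// RunFingerprintScheme shows why the constant is easy to spoof: the user
// never needs to know it, only to copy the tail of an official image.
func RunFingerprintScheme() Result {
	secret := make([]byte, fingerprintLen)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	chip := fingerprintChip{secret: secret}

	official := vendorFingerprint(secret, officialCode)
	forged := transplantTrailer(official, modifiedCode, fingerprintLen)
	return Result{chip.Accept(official), chip.Accept(forged)}
}

// --- Scheme B: a digital signature; the chip holds only the public key ---

// signatureChip verifies an Ed25519 signature over SHA-256(code).
type signatureChip struct{ pub ed25519.PublicKey }

func (c signatureChip) Accept(image []byte) bool {
	if len(image) < ed25519.SignatureSize {
		return false
	}
	code := image[:len(image)-ed25519.SignatureSize]
	sig := image[len(image)-ed25519.SignatureSize:]
	digest := sha256.Sum256(code)
	return ed25519.Verify(c.pub, digest[:], sig)
}

// vendorSign appends a signature made with the private key the vendor keeps.
func vendorSign(priv ed25519.PrivateKey, code []byte) []byte {
	digest := sha256.Sum256(code)
	return append(append([]byte{}, code...), ed25519.Sign(priv, digest[:])...)
}

// RunSignatureScheme shows that the copied signature no longer matches,
// because it was computed over the digest of the original code.
func RunSignatureScheme() Result {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	chip := signatureChip{pub: pub}

	official := vendorSign(priv, officialCode)
	forged := transplantTrailer(official, modifiedCode, ed25519.SignatureSize)
	return Result{chip.Accept(official), chip.Accept(forged)}
}

// transplantTrailer copies the last trailerLen bytes of an official image
// onto modified code: the spoofing attack described in the thread.
func transplantTrailer(official, modified []byte, trailerLen int) []byte {
	trailer := official[len(official)-trailerLen:]
	return append(append([]byte{}, modified...), trailer...)
}

func main() {
	fmt.Printf("fingerprint scheme: %+v\n", RunFingerprintScheme())
	fmt.Printf("signature scheme:   %+v\n", RunSignatureScheme())
}
```

Running it shows the fingerprint chip accepting both images and the signature chip accepting only the vendor's. The difference is that with a signature the chip needs only the public key, so even reading the chip's contents does not let a user sign modified software; with a shared constant, anything that can check the value can also reproduce it.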
David O'Callaghan david.ocallaghan@cs.tcd.ie writes:
> I may be wrong but I assume that at least some Tivoisation schemes use cryptographic digital signatures.
I think all do, but if a lawyer wants an explanation, then I'm thinking that "digital fingerprints" is an easier idea to understand than encryption keys.
Tivoisation could be done with watermarking-like fingerprints, or it could be done with encryption keys. In practice, it's probably always done with encryption keys, but for thinking about the licence and how to block tivoisation, I think (and I'm open to correction here) the two implementations are the same.
Maybe instead of saying "insert the fingerprint into the software", I should say "hide the fingerprint in the software" - to avoid the confusion you mention where it looks easy to spoof.
> it might be best to verify them with others more familiar with, say, the actual Tivo devices.
I don't know anyone I can do that checking with, but it's ok to just think of the range of ways it could work and assume Tivo uses one of those.
Hi Ciaran,
On 15.12.06 19:08, Ciaran O'Riordan wrote:
> David O'Callaghan david.ocallaghan@cs.tcd.ie writes:
> > I may be wrong but I assume that at least some Tivoisation schemes use cryptographic digital signatures.
> I think all do, but if a lawyer wants an explanation, then I'm thinking that "digital fingerprints" is an easier idea to understand than encryption keys.
I don't really dispute this, although since "digital signatures" have legal recognition in some parts of Europe I would hope that lawyers involved in the IT area would have a basic understanding of them.
Regards,
David
> I think all do, but if a lawyer wants an explanation, then I'm thinking that "digital fingerprints" is an easier idea to understand than encryption keys.
Actually, I would have thought that "fingerprints" was a rather poor metaphor. One doesn't usually use fingerprints to mark one's possessions. Wouldn't "signature" be conceptually closer? Or possibly "watermark" (although I think this might have a particular technical meaning).
Malcolm.
It seems no one liked the fingerprints idea, so I've removed it.
The article is online now: http://fsfe.org/en/fellows/ciaran/ciaran_s_free_software_notes/tivoisation_e...
Thanks for the comments.