quigleybc said:
At the risk of sounding like a nube moron, could someone briefly write what this is all about in simple terms.
Starting with, what is DRM? PKI, SSl?
DRM = Digital Rights Management. DRM allows a 'content provider' (a recording artist's label, movie company, software developer) to have control over who is allowed to do what with their software/music/movie, etc. The iTunes Music Store impliments this by only allowing you to use a song you've purchased on up to 5 registered machine, and you can only burn the same play list 10 times (or something like this). This gets consumer rights advocates, hackers and geeks up in arms because it allows other entities (like Sony, Universal, Microsoft, etc) to control what you are allowed to do on your computer. IF someone can tell your computer NOT to play an MP3 file, it would be relitively simple to use the same technology to block access to information (websites) that contain information they don't want you to have. See how this is turning Big Brother-ish (reference 1984).
PKI = Public Key Infustructure. To use a simple analogy, imagine you have a lock, and a key broken in 1/2. You can lock the lock with one half of the key, but you need both halves to unlock it. You can send 1/2 the key to a friend, and they can lock (encrypt) information with it. Even if someone intercepts the 1/2 of the key you sent them and the locked box coming back, they can't figure out what the other 1/2 of the key should be.
One problem is cryptography is how do you transmit an encrypted message over an insecure infrastructre (i.e. The Internet) and be sure that only the person you want to can read the information. With out getting too technical, PKI uses the fact that there are no shortcuts for certain kinds of mathimatical operations, mainly factoring (figuring out the square-root of a number). It is much easier to multiply a number by itself then to do the reverse (figure out what number multiplied by itself will give you a certain number). With PKI you generate two VERY large numbers (called the public and private keys) that essentially plug into the PKI software. With the public key, you can encrypt a message, but you need both keys in order to decrypt a message. In theory someone could just try every possible combination (known as 'brute forcing'), bu8t the numbers are so large that it would take a very very VERY long time (think thousands of years or more depending on the size of the keys) with modern computers.
SSL = Secure Socket Layer. SSL is probably the most common implementation of PKI. Its software written to use PKI to encrypt and decrypt data on a computer, specifically for use on insecure networks like the Internet. You probably use SSL almost daily without realizing it. If you go online to check your bank account, you're using SSL. When you visit your bank's website, your webbrowser and their server each generate a pair of these keys (for two-way encryption). You then transmit your public key to the bank server, and they transmit their public key to you. Then, anything you send to them (like login information) in encrypted by your webbrowser, and only they have the private key to decrypt it. This way, you and your bank can communicate securely, even if every single transmittion between the two of you is intercepted.
Now, how does all of this relate to Apple, OS X, and TPM? PKI works fine for encrypting data, but it does nothing to verify that the sender of the encrypted data is who they say they are. Someone could intercept your public key, encrypt data with it, and pretend to be someone else. Luckily (or unluckily depending on your POV) PKI can be used in a different fashion to verify a sender's authenticity. You can take your private key, and digitally 'sign' a piece of data. Then the recipient can take the 'signed' document and verify it with your public key. This how Microsoft prevents people from playing burned games and non-retail software on an Xbox. The Xbox contains the public key, and a retail Microsoft game is signed with their private key. On boot, the Xbox checks the game signature with the public key it has embedded in it. Apple is doing something very similar (though set up in reverse) with OS X on Intel. As far as I can tell Rosseta (which is require to run much of the un-ported GUI) checks the signature stored in the TPM chip to verify that the hardware was made by Apple. If it doesn't find a valid signature then it refuses to run. The Xbox hardware verifies the authenticity of the software, where as on Mac OS X for Intel, the software verifies the authenticity of the hardware.
Any questions?
skinlayers
