Why Intel's ID tracker won't work
By Bruce Schneier, ZDNet News
January 26, 1999 4:45 PM PT
Last Thursday Intel Corp. announced that its new processor chips would come equipped with ID numbers, a unique serial number burned into the chip during manufacture. Intel said that this ID number will help facilitate e-commerce, prevent fraud and promote digital content protection. Unfortunately, it doesn't do any of these things.
To see the problem, consider this analogy: Imagine that every person was issued a unique identification number on a national ID card. A person would have to show this card in order to engage in commerce, get medical care, whatever. Such a system works, provided that the merchant, doctor, or whoever can examine the card and verify that it hasn't been forged. Now imagine that the merchants were not allowed to examine the card. They had to ask the person for his ID number, and then accept whatever number the person responded with. This system is only secure if you trust what the person says.
The same problem exists with the Intel scheme.
Too easy to hack

Yes, the processor number is unique and cannot be changed, but the software that queries the processor is not trusted. If a remote Web site queries a processor ID, it has no way of knowing whether the number it gets back is a real ID or a forged ID. Likewise, if a piece of software queries its processor's ID, it has no way of knowing whether the number it gets back is the real ID or whether a patch in the operating system trapped the call and responded with a fake ID. Because Intel didn't bother creating a secure way to query the ID, it will be easy to break the security.
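The verifier's position described above, as an added example that is not part of the original article: a check that only compares a reported number, next to a challenge-response check. The second check assumes a per-chip secret key and a verifier-side key table, neither of which is part of the scheme the article describes; all class names, serials and keys are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample values: not real processor serial numbers or keys.
ID_A, KEY_A = "SERIAL-A-0001", bytes.fromhex("11" * 32)
ID_B, KEY_B = "SERIAL-B-0002", bytes.fromhex("22" * 32)
REGISTRY = {ID_A: KEY_A, ID_B: KEY_B}  # hypothetical verifier-side key table


class Chip:
    """Hardware stand-in: a fixed serial plus a hypothetical secret key."""

    def __init__(self, serial, key):
        self.serial, self._key = serial, key

    def attest(self, nonce):
        # The key never leaves the chip; only the MAC over the nonce does.
        return hmac.new(self._key, nonce + self.serial.encode(), hashlib.sha256).digest()


class Software:
    """Untrusted layer between chip and verifier; may report any ID."""

    def __init__(self, chip, reported_id=None):
        self.chip, self.reported_id = chip, reported_id or chip.serial

    def respond(self, nonce):
        return self.reported_id, self.chip.attest(nonce)


def naive_verify(software, expected_id):
    # The scheme as described: the verifier sees a number and nothing else.
    return software.reported_id == expected_id


def challenge_verify(software, registry=REGISTRY):
    nonce = secrets.token_bytes(16)  # fresh per query, so replies cannot be replayed
    claimed_id, tag = software.respond(nonce)
    key = registry.get(claimed_id)
    if key is None:
        return False
    expected = hmac.new(key, nonce + claimed_id.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


honest = Software(Chip(ID_A, KEY_A))
patched = Software(Chip(ID_B, KEY_B), reported_id=ID_A)  # machine B claiming to be A
```

The bare-ID check accepts both `honest` and `patched`, while the challenge check accepts only `honest`. What the second check authenticates is the chip, not the person at the keyboard.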
As a cryptographer, I cannot design a secure system to validate identification, enforce copy protection, or secure e-commerce using a processor ID. It doesn't help. It's just too easy to hack.
This kind of system puts us in the same position we were in when the government announced the Clipper chip: Those who are engaged in illicit activities will subvert the system, while those who don't know any better will find their privacy violated. I predict that patches that randomize the ID number will be available on hacker Web sites within days of the new chips hitting the streets.
The real question

The only positive usage for processor IDs is the one usage that Intel said they would not do: Stolen processor tracking. Pentium II chips are so valuable that trucks are hijacked on the highways, sometimes resulting in drivers being killed. A database of stolen processor IDs would drop the market for stolen CPUs to zero: Board manufacturers, computer companies, resellers and customers could simply query the database to ensure that their particular CPU wasn't stolen. (This is the primary usage for automobile VINs.) This same system could be used to prevent manufacturers from overclocking their CPUs -- running them faster than Intel rated them for -- another thing that Intel would love to prevent.
The real question is whether computers are a dangerous technology, and need to be individually tracked like handguns and automobiles. During the Cold War many Eastern European countries required mimeograph machines to be individually licensed; I have a hard time believing that computers need the same sorts of controls.
Bruce Schneier is the president of Counterpane Systems and the author of "Applied Cryptography."