Privacy, Security And Content Protection

Peter N. Biddle, Technical Evangelist
Marcus Peinado, Architect, Digital Media Division
Dennis Flanagan, GPM Windows AV Platform, Digital Media Division

Microsoft Corporation

Agenda

- Privacy and Copyrights
  - Peter N. Biddle, MS Technical Evangelist
- Digital Rights Management and Hardware
  - Marcus Peinado, Architect, Digital Media Division, Microsoft
- Secure Video in Windows
  - Dennis Flanagan, GPM Windows AV Platform, Digital Media Division, Microsoft

Our Goals In This Arena

- Provide Windows customers with the most complete content availability
  - Legal access to all legitimate content, all the time, all (of the appropriate) devices
  - No system-level restrictions against unknown content
- Avoid new legal mandates for PCs to “behave” in certain ways
- Keep Windows open
  - Arbitrary code still runs
  - Unknown content still “plays”

Privacy And Copyright

- Privacy is good
  - Users have rights to their own privacy
  - Invading people’s privacy is bad
  - We have processes in place to protect privacy
- Copyright is good
  - People have legal rights over their copyrighted work
  - Stealing is bad
  - We have processes in place to protect copyrights

Privacy

- How do you want me to protect your privacy?
  - Strong crypto
  - Authentication
  - Regulation via Licensing
  - Only things you trust get your privacy content
    - Things you trust are able to prove to you that you can trust them
    - They can also prove that they can’t subvert the use of your privacy content
    - They can prove they won’t share your privacy content with others without your permission

Copyright

- How do you want me to protect your copyright?
  - Strong crypto
  - Authentication
  - Regulation via Licensing
  - Only things you trust get your copyrighted content
    - Things you trust are able to prove to you that you can trust them
    - They can also prove that they can’t subvert the use of your copyrighted content
    - They can prove they won’t share your copyrighted content with others without your permission

Privacy And Copyright In An Open System

- Is one of these more important than the other?
- Can you take a hard line in favor of both?
- Can you “do” both technically?
  - You can honor and enforce both for content that arrives into your domain in an encrypted fashion
- What about content that is not protected?
  - Should we tell the police if we “see” other people’s credit-card numbers in a text file on your hard drive?
  - Should we “look at” every un-encrypted file on your system and try to decide if you have the rights to them?

What Is Piracy?

- Piracy is the un-licensed use of someone’s digital property
  - Piracy does not automatically result in lost revenue
    - E.g., if I were to make a copy of MS Office on a CD-R, and then destroy the CD-R, there would be no lost revenue
  - Some piracy can even foster sales of some kinds of digital property
- However, we do think that piracy is “bad”
- Eliminating all piracy is prohibitively expensive
  - It also pisses off your loyal customers

Does Microsoft Want To Make Piracy On The Windows Platform Impossible?

- We are not police officers, nor do we play them on TV
- Designing an OS that eliminates piracy would be like trying to design a car that can’t be used as a getaway vehicle
  - We don’t know how to do this
  - We don’t want to do this

Content We Cannot Protect From Piracy

- Unknown Content
  - Content that looks “free” to the OS
    - Redbook Audio
    - Un-encrypted software
  - Content that is free to the OS
    - ASCII text files
    - HTML
  - Content we cannot understand
    - Content that has been encrypted or formatted using proprietary schemes

Content We Can Protect From Piracy

- Content that is encrypted or scrambled, <and>
- that has rules associated with it, <and>
- that requires use of special SW to access
- …must be protected by that SW

Windows And Enforcement

- We enforce our own copyrights
  - WPA
- We enforce others’ copyrights
  - DRM
- We enforce users’ privacy
  - Passport
- We do not and will not act as technical gatekeepers over content in Windows
  - Windows will continue to be an Open Platform
  - Open Platforms allow for any content
  - It’s that simple

Trusted Windows

- Create a platform that will protect users from “us”
  - This is trust
- Make it extremely difficult to break Windows trust
- Technical means are a cornerstone of trust
  - Technology can protect against invasions
  - Laws can lock up violators

I Want To Eliminate Our Ability To Invade Anybody Else’s Privacy

There Is No Technical Difference Between Privacy And Copyright Protection

Summary

- Privacy Protection is Good
- Copyright Protection is Good
- Piracy is Bad
- We are working towards:
  - Good Protection
  - Reduced Piracy
  - Happy Customers
  - Healthy Content Ecosystem

Privacy, Security And Content In Windows® Platforms

Digital Rights Management And Hardware

Marcus Peinado
Digital Media Division
Microsoft Corporation

Overview

- Introduction to DRM
  - Goals, principles, techniques
- The DRM platform
- Interfaces to hardware
  - Portable players (audio, video)
  - Smart cards
  - Digital audio receivers
  - Audio cards
  - Video cards

Introduction To DRM

E-Commerce / Electronic Distribution

[Diagram: customer, internet, commerce site (store front); labels: credit card, IE]

1. Customer selects product (book, audio, video, software)
2. Customer pays
3. Customer downloads digital content
4. [Diagram: customer and several friends]

E-commerce / electronic distribution / Digital Rights Management

[Diagram: customer, internet, commerce site (store front)]

0. Content owner specifies how content may be accessed (off line)
1. 2. 3. Customer selects content (book, audio, video) and access option, pays, downloads content
4. DRM system tries to enforce access rules

DRM: General Model

- Goals
  - Enable commerce in digital goods
  - Bring premium content to the PC
- Content owner specifies how the content may be accessed
- Access specification will be enforced subject to the overall security level of the system
- Access specifications enable business models (e.g. pay-per-view, rental etc.)
- Compare with Pay-TV schemes

The DRM Platform

DRM Evolution

- So far
  - DRM tied to specific content types
    - Audio
    - Video
    - Books
- In the future
  - Move toward a DRM platform

The DRM Platform

- General-purpose DRM client API
- Anybody can use DRM functionality by
  - Writing applications to the DRM API
  - Building hardware
- DRM Platform is content agnostic
- Key functional components are pluggable
- Central Services
- Content distribution services

The DRM Platform Provides

- An authenticated content channel
  - from web servers to end-user PCs
  - from end-user PCs to rendering HW
- Rights management
  - License evaluation and enforcement
- Platform authentication
- Content encryption / decryption
- Watermarking

Rights Management

- XrML rights language
  - Public standard (http://www.xrml.org)
  - Flexible specification of
    - Rights (play, transfer, print etc.)
    - Conditions (time, count, fee)
    - Principals (any piece of SW or HW)

Interfacing With DRM

[Diagram labels]

- DRM API: Authenticator, Encryption, Binding point, Watermarking
- Authenticated Digital Audio Receiver
- Authenticated Portable device (music player)
- Other Authenticated Device
- Smart card
- Authenticated Sound card
- Authenticated video card
- WMDM/Transfer tool
- Authenticated SW application (e.g. Windows Mediaplayer)

[Diagram labels]

- Digital Asset Server (operated by content provider)
- End-user machine
- Content
- DRM Enabled Application Components
- DRM Client Platform
- Monitor
- sound card
- Central DRM services
  - Activation
  - License Roaming
  - Authorization / control
  - Backup / restore
- DRM Enabled External Devices (e.g. DAR, portable players)
- DRM Enabled AV hardware

Interfaces To Hardware

Goals

- Allow rendering hardware to access protected content
  - in accordance with the specifications of the content owner
  - External devices (e.g. players, DARs, speakers), video cards, audio cards
- Enable interoperability between security hardware and DRM
  - Smart cards
  - CA systems

Taxonomy

[Diagram labels: DRM HW; rendering; DRM support; PC cards; CE devices; Smart cards; Audio cards; Video cards; Portable (e.g. WMA player); Fixed (e.g. DAR)]

Approach

- Support published algorithms and formats
  - Licensing: XrML
  - Public-key cryptography: RSA, ECC
  - Bulk encryption: AES etc.
  - Advantages:
    - No surprises with well-known algorithms
    - Easy and cheap access for everyone
- Enable interoperability with proprietary systems

Target: Closed Devices

- Definition: Closed Device
  - No unauthenticated software downloads
  - Hardware robustness
- IHV owns security on the device
  - Protection of secret keys
  - Protection from “content leaks”
  - Device authorization process

Rendering HW Must Implement

- Authentication:
  - Rendering HW must be able to authenticate itself to a content source (DRM)
  - Public-key protocol; HW hides private key
- Content decryption:
  - If the content is encrypted, the rendering HW must be able to decrypt it.
  - DRM will support a variety of symmetric ciphers
- Rights management:
  - Multi-function rendering HW may evaluate access rules (set by content owner).
  - Subset of XrML (not needed everywhere)

…More Precisely

- Must be a closed device:
  - If software or firmware is field upgradeable there must be a gate keeper (signature check).
- Hide a private key
  - Individualization at some level of granularity
- Secure state information
- Resources (CPU, ROM, RAM) to perform
  - Public key operations
  - Evaluate simple licenses
  - Decrypt content
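
Added example, not part of the original slides: a sketch of what "evaluate simple licenses" together with "secure state information" can look like on a closed device, using the rights, conditions (time, count) and principals named on the Rights Management slide. The license is modelled as a plain Python structure standing in for a reduced XrML license (no XrML syntax is used); `Grant`, `SecureState`, `evaluate` and all sample values are assumptions, and the fee condition is left out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Grant:
    """One entry of a simplified license: a right, its principal, its conditions."""
    right: str                        # "play", "transfer", "print", ...
    principal: str                    # identity of the HW/SW the grant is issued to
    not_before: Optional[int] = None  # time condition (Unix seconds); None = open
    not_after: Optional[int] = None
    max_count: Optional[int] = None   # count condition; None = unlimited


@dataclass
class SecureState:
    """State the device has to keep tamper-resistant across power cycles."""
    device_id: str
    uses: Dict[Tuple[str, str], int] = field(default_factory=dict)
    clock_high_water: int = 0         # latest time the evaluator has ever seen


def evaluate(license_id: str, grants: List[Grant], right: str,
             state: SecureState, now: int) -> Tuple[bool, str]:
    """Deny by default; allow only if one grant matches and all its conditions hold."""
    # A clock that was set backwards would revive expired time windows, so refuse.
    if now < state.clock_high_water:
        return False, "clock-rollback"
    state.clock_high_water = now

    reason = "no-grant"
    for g in grants:
        # The grant must name this right and be bound to this device (principal).
        if g.right != right or g.principal != state.device_id:
            continue
        if g.not_before is not None and now < g.not_before:
            reason = "not-yet-valid"
            continue
        if g.not_after is not None and now > g.not_after:
            reason = "expired"
            continue
        key = (license_id, right)
        used = state.uses.get(key, 0)
        if g.max_count is not None and used >= g.max_count:
            reason = "count-exhausted"
            continue
        state.uses[key] = used + 1    # a use is consumed only when access is granted
        return True, "ok"
    return False, reason


def demo() -> List[Tuple[bool, str]]:
    # Constructed sample data: two plays allowed on "player-01" in a time window.
    grants = [Grant("play", "player-01", not_before=1000, not_after=2000, max_count=2)]
    player = SecureState("player-01")
    results = [
        evaluate("lic-A", grants, "play", player, 1500),      # first play
        evaluate("lic-A", grants, "transfer", player, 1500),  # right never granted
        evaluate("lic-A", grants, "play", player, 1600),      # second play
        evaluate("lic-A", grants, "play", player, 1700),      # count used up
        evaluate("lic-A", grants, "play", player, 1200),      # clock moved backwards
    ]
    # Same license presented on a different device: the principal does not match.
    results.append(evaluate("lic-A", grants, "play", SecureState("player-02"), 1500))
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print(allowed, reason)
```

The counter and the clock high-water mark are the "secure state": if either can be reset from outside the device, the count and time conditions stop meaning anything.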

Example: Portable Music Players

- Each player
  - Stores a unique private key for authentication and content access
  - Evaluates reduced XrML license
  - Decrypts and plays content

Example: DAR

- Each DAR
  - Stores a unique private key for authentication and content access
  - Evaluates reduced XrML license
  - Decrypts and plays content

Example: Video Card

- Goals:
  - Protection for compressed content (DirectXVA)
  - Protection for uncompressed content
- Need:
  - Authentication of the video card
  - High-speed content decryption (for DirectXVA)
  - Write-only VRAM (for uncompressed content)

Example: Audio Card

- Each sound card
  - Stores a unique private key for authentication and content access
  - Decrypts and plays content

Example: Premium Video On The PC Option 1:

[Diagram labels: PC; Content source; DRM; Video card; Screen; Trans DRM; Smart card]

Example: Premium Video On The PC Option 2:

[Diagram labels: PC; Screen; Video card; Content source; DRM; Smart card]

Summary

- DRM system on the PC will integrate with a broad range of hardware devices
- Hardware device will be able to take part in the DRM content chain
- Hardware devices have to implement DRM functionality (e.g. security)

Microsoft Is Working On

- Specifications of algorithms, protocols, APIs, license formats (look out for white papers)
- Low-footprint reference implementations of public key algorithms
- Specifications of low gate count hardware implementations
- Low-footprint reference implementation of reduced XrML license evaluator
- Low-footprint reference implementation of content decryption

More Details In Other Sessions

- Portable players: Foundation Technologies for Digital Devices
- Digital Audio Receivers: Connecting the Home
- Video Cards: this session, TV Entertainment
- Audio Cards: Audio Technologies

Call To Action

- Provide feedback on this proposal
  - WinHEC session feedback forms
  - [email protected]
- Participate in Windows SVP Forum
  - Specification and forum forthcoming
  - Target: early 3Q01
- More details and contact points at the device specific talks

Secure Video In Windows

Dennis Flanagan
GPM – Windows AV Platform
Microsoft Windows DMD

Why Secure Video?

- Ensure legal access to premium content
  - Napster ruling indicates industry direction
  - Movie services will be secure
- Grow business opportunities
  - Labels, studios, ICPs, networks
  - New devices/systems to work with new services
- Corporations
  - Sensitive corporate communications
  - Pay for use (training, market data, etc.)
- PC platform as home media center/server
- Avoid legislated mandates

What Needs To Be Secured

- Content source
- Processing/decoding
  - User mode software
  - Kernel mode software/drivers
- Bus transfer to graphics chip
- Graphics memory (VRAM)
- Graphics Link to Monitor

[Diagram labels: DRM/SC; Secure Process; ?; ?; DVI]

The Situation Today

[Diagram: the video pipeline across user and kernel mode. Labeled blocks: Content Source Device, Source Driver, Content Reader, Content Processing, Video Renderer, Video Driver, GPU, VRAM, DVI Link, Monitor, Application, Untrusted Driver, Untrusted Processing, Untrusted Monitor. Legend: Encrypted/authenticated; Potential attack.]

The Proposed Solution

[Diagram: the video pipeline across user and kernel mode. Labeled blocks: Content Source Device, Source Driver, Content Reader, Content Processing, Video Renderer, Video Driver, GPU, VRAM (Read only), DVI Link, Monitor, Application, Untrusted Driver, Untrusted Processing, Untrusted Monitor, Authenticator, Crypto. Four "x" marks appear on the diagram. Legend: Encrypted/authenticated; Potential attack.]

Authenticator And Software

Authenticator ensures only trusted components in the process
Components must be signed

Tamper resistance
Obfuscation
Anti-debugging measures

Authenticator periodically checks for signed components

Authenticator And GPU

Authenticates driver and GPU using public key encryption

Generates symmetric session key for the GPU to use to decrypt secure content

Passes symmetric session key to GPU using public key encryption

Periodically checks for signed components
Performs HDCP status check and revocation
May periodically change the session key to defend against hacks

GPU Security Features

Supports public-key encryption for:
Authentication of GPU to source
Receiving the session key from the authenticator

Protects session key (cannot retrieve)
Protects Data

Option 1: Data in VRAM is always encrypted. Supports symmetric session key algorithm for all VRAM reads and writes.

Option 2: Session key decrypts frames once when they arrive. VRAM is write-only.
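
Added example (not from the original slides): a small Python model of the exchange on the "Authenticator And GPU" and "GPU Security Features" slides, covering authentication, session key wrap, Option 2 frame decryption and key rotation. Assumptions: toy unpadded RSA over constructed primes, a SHA-256 counter-mode keystream standing in for the symmetric cipher the slides leave open, and hypothetical class and method names.

```python
import hashlib
import secrets

E = 65537
# Constructed toy primes (Mersenne primes); real hardware would use a padded >=2048-bit key.
GENUINE_PRIMES = (2**61 - 1, 2**89 - 1)

def stream_xor(key: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in stream cipher (assumption): SHA-256 in counter mode, keyed per frame."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + frame_no.to_bytes(8, "big") + off.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], pad))
    return bytes(out)

class Gpu:
    """GPU model: the private exponent and session key have no read-back interface."""
    def __init__(self, p: int, q: int):
        self.n = p * q                           # public modulus
        self._d = pow(E, -1, (p - 1) * (q - 1))  # private exponent, stays on the chip
        self._session_key = b""

    def answer_challenge(self, challenge: int) -> int:
        return pow(challenge, self._d, self.n)

    def load_session_key(self, wrapped: int) -> None:
        self._session_key = pow(wrapped, self._d, self.n).to_bytes(16, "big")

    def present_frame(self, frame_no: int, encrypted: bytes) -> bytes:
        # Option 2 on the slide: decrypt once on arrival; the result models scan-out only.
        return stream_xor(self._session_key, frame_no, encrypted)

class Authenticator:
    def __init__(self, certified_modulus: int):
        self.n = certified_modulus  # assumed to come from the hardware certification process
        self._key = b""

    def authenticate(self, gpu: Gpu) -> bool:
        # Encrypt a random nonce to the certified key; only the private-key holder can return it.
        nonce = secrets.randbelow(self.n - 2) + 2
        return gpu.answer_challenge(pow(nonce, E, self.n)) == nonce

    def rotate_key(self, gpu: Gpu) -> None:
        """Re-authenticate, then wrap a fresh 128-bit session key to the GPU's public key."""
        if not self.authenticate(gpu):
            raise PermissionError("GPU failed public-key authentication")
        self._key = secrets.token_bytes(16)
        gpu.load_session_key(pow(int.from_bytes(self._key, "big"), E, self.n))

    def protect_frame(self, frame_no: int, frame: bytes) -> bytes:
        return stream_xor(self._key, frame_no, frame)
```

Calling rotate_key again models the periodic session key change: frames captured under the old key no longer decrypt on the GPU.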

Implementing The Solution

Support for public key encryption for session key exchange
RSA accelerator (~10k gates, <<0.1sec, now)
8-bit micro (2-10K gates, 1-10 sec’s, need code)

Support for symmetric session key encryption
Stream Cipher (e.g., RC4) small, fast, proprietary
Block cipher (e.g., DES, AES) larger, slower, open

Write-only VRAM
Authenticated components only

Signed drivers, certification of hardware
Signing/licensing process

Conclusions

Secure video is needed to grow the business
PC as a platform for premium content services
New, innovative pay-per-use scenarios
Platform for home media services

The technology exists to do this today
Public domain crypto algorithms
Digital Rights Management
DVI

Better to do this now than wait for lawmakers to enter the picture

Call To Action

Provide feedback on this proposal
Winhec session feedback forms
[email protected]@microsoft.com

Participate in Windows SVP Forum
Specification and forum forthcoming
Target: early 3Q01
