Next-Generation Secure Computing Base

The Next-Generation Secure Computing Base (NGSCB), codenamed Palladium (Pd) was a hardware and software architecture originally slated to be included in the Microsoft Windows "Longhorn" operating system. Development of the architecture began in 1997.

NGSCB relied on new software components and specially designed hardware to create a protected memory space for applications and services with higher security requirements. Microsoft's primary stated objective with NGSCB was to "protect software from software."

Upon the announcement of its existence in 2002 under the name "Palladium", reception to NGSCB was mostly negative. Concerns incuded software lock-in and monopolies,   loss of control over information,  and the imposition of digital rights management technology in favor of the music and film industries.

Microsoft revised NGSCB in WinHEC 2004, before announcing that only one part of it, the Bitlocker drive encryption function, would ship with Windows Vista.

Name
In Greek and Roman mythology, the term "palladium" refers to an object that the safety of a city or nation was believed to be dependent upon.

On 24 January 2003, Microsoft announced that "Palladium" had been renamed as the "Next-Generation Secure Computing Base." According to NGSCB product manager Mario Juarez, the new name was chosen not only to reflect Microsoft's commitment to the technology in the upcoming decade, but also to avoid any legal conflict with an unnamed company that had already acquired the rights to the Palladium name. Juarez acknowledged that the previous name had been a source of criticism, but denied that the decision was made by Microsoft in an attempt to deflect criticism.

Pre-Microsoft
The idea of creating an architecture where software components can be loaded in a known and protected state predates the development of NGSCB. A number of attempts were made in the 1960s and 1970s to produce secure computing systems, with variations of the idea emerging in more recent decades.

In 1999, the Trusted Computing Platform Alliance, a consortium of various technology companies, was formed in an effort to promote trust in the PC platform. The TCPA would release several detailed specifications for a trusted computing platform with focus on features such as code validation and encryption based on integrity measurements, hardware based key storage, and attestation to remote entities. These features required a new hardware component designed by the TCPA called the Trusted Platform Module (referred to as a Security Support Component, Secure Cryptographic Processor, or Security Support Processor in earlier Microsoft documentation). While most of these features would later serve as the foundation for Microsoft's NGSCB architecture, they were different in terms of implementation. The TCPA was superseded by the Trusted Computing Group in 2003.

Microsoft
Development of NGSCB began in 1997 after Microsoft developer Peter Biddle conceived of new ways to protect content on personal computers. It was initially conceived as a way of distributing music and film with digital rights management (DRM). Bill Gates was quoted as saying:

Microsoft filed a number of patents related to elements of the NGSCB design. Patents for a digital rights management operating system, loading and identifying a digital rights management operating system, key-based secure storage, and certificate based access control were filed on January 8, 1999. A method to authenticate an operating system based on its central processing unit was filed on March 10, 1999. Patents related to the secure execution of code and protection of code in memory were filed on April 6, 1999.

During its Windows Hardware Engineering Conference 2000 (WinHEC 2000), Microsoft showed a presentation titled Privacy, Security, and Content in Windows Platforms which focused on the protection of end user privacy and intellectual property. The presentation mentioned turning Windows into a "platform of trust" designed to protect the privacy of individual users. Microsoft made a similar presentation during WinHEC 2001.

NGSCB was publicly unveiled under the name "Palladium" on 24 June 2002 in an article by Steven Levy of Newsweek. (For more details, see Reception.)

In August 2002, Microsoft posted a recruitment advertisement seeking a group program manager to provide vision and industry leadership in the development of several Microsoft technologies, including its NGSCB architecture.

Encrypted memory was once considered for NGSCB, but the idea was later discarded as the only threat conceived of that would warrant its inclusion was the circumvention of digital rights management technology.

In 2003, Microsoft publicly demonstrated NGSCB for the first time at its WinHEC 2003  and released a developer preview of the technology later that year during its Professional Developers Conference. (See In builds of Windows "Longhorn".)

In PDC 2003, Microsoft announced that NGSCB would ship as part of "Longhorn", and that betas and other releases would be in sync with and delivered with "Longhorn". Version 1 of NGSCB would have focused on enterprise applications. Example opportunities were document signing, secure instant messaging, internal applications for viewing secure data, and secure e-mail plug-in.

During WinHEC 2004, Microsoft announced that it would revise the technology in response to feedback from customers and independent software vendors who stated that they did not want to rewrite their existing programs in order to benefit from its functionality. After the announcement, some reports stated that Microsoft would cease development of the technology. (Notably, it was reported that the NGSCB code would not be updated in the Longhorn developer preview that would come out in WinHEC 2004. See In builds of Windows "Longhorn" ) Microsoft denied the claims and reaffirmed its commitment to delivering the technology. Later that year, Microsoft's Steve Heil stated that the company would make additional changes to the technology based on feedback from the industry.

In 2005, Microsoft's lack of updates on its progress with NGSCB had led some in the industry to speculate that it had been cancelled. At the annual Microsoft Management Summit event, then Microsoft CEO Steve Ballmer said that the company was building on the foundation it had started with NGSCB to create a new set of hypervisor technologies for its Windows operating system. During WinHEC 2005, Microsoft announced that it was delivering Secure Startup, the first part of NGSCB, with the "Longhorn" launch. Secure Startup would protect users against offline attacks, blocking access to the computer if the content of the hard drive is compromised. This prevents a laptop thief from booting up the system from a floppy disk to circumvent security features or swapping out the hard drive. (See Legacy.)

The Gartner Group said in May 2005 that NGSCB was morphing to server virtualization. Microsoft stated that it planned to deliver other aspects of its NGSCB architecture at a later date.

Criticism
Steven Levy, who first reported about "Palladium" on Newsweek, was skeptical of the platform:

The response to the "Palladium" announcement was negative. Rob of geek.com wrote:

Robert X. Cringely opined:

John Lettice on The Register wrote:

Thomas Greene, also of ''The Register, wrote:

Bruce Schneier wrote:

Robert Lemos on CNET wrote:

Stallman wrote about "Palladium":

Ross Anderson made a set of frequently asked questions on NGSCB, which was reported on BBC News, The Register, and CNET. He described the platform, under the term, "TC" as:

Microsoft response
In a list of frequently-asked questions about NGSCB, Microsoft wrote:

Microsoft also discussed DRM and NGSCB:

Michael Aday, Senior Program Manager, Windows Trusted Platform Technologies at Microsoft explained:

Microsoft also emphasized the "privacy-enabling enhancements" in NGSCB in a November 2003 white paper:

Aftermath
In July 2008, Peter Biddle stated that the negative perception or reception was the main contributing factor responsible for the cancellation of NGSCB.

In 2015, Richard Stallman, founder of the Free Software Foundation, wrote about the Trusted Platform Module, which NGSCB would have required:

Architecture

 * Note: this section discusses NGSCB before WinHEC 2004.

NGSCB would have divided the computing environment into two separate and distinct operating modes. Thus, it would have been composed of two parts: the traditional "left-hand side" (LHS) and the “right-hand side” (RHS) security system. The LHS and RHS would have been a logical, but physically enforced, division or partitioning of the computer.

The LHS would have been composed of traditional applications such as Microsoft Office, along with a conventional operating system, such as Windows. Drivers, viruses, and any software with minor exceptions would also have run on the LHS. However, the new hardware memory controller would not have allowed certain "bad" behaviors: for example, code which copied all of memory from one location to the next, or which put the CPU into real mode. Another term for the LHS is standard mode.

Meanwhile, the RHS would have worked in conjunction with the LHS system and the central processing unit (CPU). With NGSCB, applications would have run in a protected memory space that is highly resistant to software tampering and interference. (See Strong process isolation). The RHS or nexus mode would have been composed of a “nexus” and trusted agents, called Nexus Computing Agents. The RHS would have also comprised a security support component that would have used a public key infrastructure key pair along with encryption functions to provide a secure state. Other terms for the RHS are the nexus mode or the isolated execution space.

Hardware would have created this secure space. Thus, creating a nexus would have required modification of the CPU, the memory controller or chipset, the keyboard, the video graphics card, and the graphics adapters; and the addition of a new part called the trusted platform module (TPM). The TPM would be permanently attached to the motherboard and could not be removed. However, the TPM would have been shipped with its functionality disabled, making NGSCB an opt-in system. Users could independently choose to disable all TPM functionality, effectively disabling NGSCB. (See Trusted Plaform Module for more information.)

Typically, there would have been one chipset in the computer that both the LHS and RHS would have used. The LHS and RHS would have also shared hardware resources, including the CPU, RAM, and some input/output (I/O) devices. The RHS was required not to rely on LHS for security. If adversarial LHS code were present, NGSCB was required to not leak secrets. However, the RHS was required to rely on the LHS for stability and services. NGSCB would not have run in the absence of LHS cooperation. NGSCB needed the following from the LHS:

NGSCB would not have changed the device driver model, resorting to secure reuse of LHS driver stacks whenever possible (i.e., RHS encrypted channel through LHS unprotected account). NGSCB would have needed very minimal access to real hardware. Every line of privileged code was considered a potential security risk. Therefore, there would have been no third-party code nor kernel-mode plug-ins.

The nexus would have halted and exited upon receiving an authorized request to stop from the standard side, or LHS. All nexuses would halt, whether through this process or because of a system exception, clearing all nexus and NCA memory.

Nexus


The nexus, previously referred to as the "Nub" or "Trusted Operating Root" would have hosted, protected, and controlled NCAs. It would have provided NCAs with security services so that NCAs could have provided users with trustworthy computing. The nexus would have isolated trusted agents, managed communications to and from trusted agents, and cryptographically sealed stored data (e.g., stored in a hard disk drive). More particularly, the nexus would have executed in kernel mode in trusted space (see Strong process isolation) and provided basic services to trusted agents, such as the establishment of the process mechanisms for communicating with trusted agents and other applications, otherwise known as an interprocess communication (IPC) mechanism, memory mapping, thread management. The IPC would have provided communication channels among and between NCAs and other programs that were not trusted and that were operating on the same computer or on different computers.

The nexus would have also provided special trust services such as attestation of a hardware/software platform or execution environment and the sealing and unsealing of secrets. The nexus would have stored one or more secrets (private keys and symmetric keys) that it would have only provided to the cryptographically-identified NCA running on a specific hardware platform. Simply stated, the nexus would have offered services to store cryptographic keys and encrypt and decrypt information, and it would have identified and cryptographically authenticated NCAs.

The nexus was also intended to have controlled access to trusted applications and resources by using a security reference monitor, which would have been part of the nexus security kernel.

The nexus would have managed all essential NGSCB services, including memory management, exclusive access to device memory and secure input and output, and access to any non-NGSCB system services.

The nexus was described either as a kernel, like a kernel, a “high assurance” operating system, not a complete operating system, as an operating system component, or as a secure system component.

The nexus was required to be small so that every NCA owner could, in principle, examine and trust the implementation of the nexus. To keep the nexus small, it was required to meet the following design criteria:
 * Contain code that could be duplicated among NCAs;
 * Multiplex its time among NCAs.
 * Use the hardware Sealed storage and Attestation functions to store keys on behalf of NCAs, and attest to the combined nexus-NCA software stack more flexibly than would be possible with the hardware primitives. This would have allowed the hardware primitives to be simple and inexpensive, while allowing the NCA primitives to be much more flexible and extensible without sacrificing security.
 * Provide (at each NCA’s request) standard management tasks, such as key migration between nexus versions and NCA versions.

In order to minimize its size, the nexus would have implemented only the operating system services, such as access control and memory isolation, that would have been necessary to preserve its integrity. Beyond these components, the nexus and its trusted applications would have relied on services provided by the main operating system, such as the physical storage of data, opening communication channels to identified standard processes, or performing I/O operations that are not trusted, such as hard-disk access. Typically, the nexus would have cryptographically protected this data before exposing it to the main operating system.

The nexus could have booted any time, shut down when not needed, and restarted later. Nexus startup would have been atomic and protected in a controlled initial state. The nexus would have been authenticated during computer startup. After authentication, the nexus would have created the protected operating environment within Windows. Programs could then request that the nexus perform trusted services such as starting an NCA.

The nexus could have provided encryption technology to authenticate and protect data that would be entered, stored, communicated, or displayed on the computer, and to help ensure that the data would not be accessed by other applications and hardware devices. (For more detail, see Strong process isolation.)

The nexus would have provided a limited set of application programming interfaces (APIs) and services for trusted applications, including sealed storage and attestation functions. The set of nexus system components was chosen to guarantee the confidentiality and integrity of the nexus data, even when the nexus encountered malicious behavior from the main operating system.

NGSCB would have allowed a PC to run one nexus at a time. The hardware would have loaded any nexus, but only one at a time. Each nexus would have gotten the same services. The hardware would have kept nexus secrets separate. Nothing about this architecture would have prevented any nexus from running.

NGSCB would have enforced policy but would not have had set the policy. The owner could have therefore controlled which nexuses would be allowed to run. This meant they could run any nexus, or write their own and run it, on the hardware. That nexus could only report the attestation provided by the TPM. As Baker put it, "The TPM won't lie". The nexus would not have been able to pretend to be another nexus. Other systems would need to decide if they trust the new derived nexus. Users would just have needed to prove to others that their derivative is legitimate. Users could have also independently chosen to specify nexuses that could access the public key certificate for the TPM, to name nexuses that would have had access to PKSeal and PKUnSeal (thereby enabling the Attestation function in NGSCB), and to name nexuses that would have been authorized to change the foregoing selections. A user could perform these actions through a secure user interface presented by the computer early in the startup sequence, but not through standard software which could be subject to a software attack.

The nexus might permit all applications to run, or a machine owner might configure a machine policy in which the nexus permits only certain agents to run. In other words, the nexus would run any agent that the machine owner tells it to run. The machine owner might also tell the nexus what not to run. Alternatively stated, users could have run any agent, or could have written their own, and run it on the nexus. That agent could report the attestation provided by the nexus. "The nexus won’t lie," according to Baker. The agent could not pretend to be another agent. Other systems would need to decide if they trusted the new derived nexus. Users would just have needed to prove to others that their derivative is legitimate.

On the software side, Microsoft would have built a nexus designed to complement Windows, and expected other developers and vendors to build nexuses of their own. The Microsoft nexus would run any agent. The platform owner could set policy that limits this. The owner could pick some other delegated evaluator if they choose.

Microsoft pledged to make the source code of the nexus available for public review, so that it could be evaluated and validated by third parties for both security and privacy considerations.

Nexus Computing Agents
Nexus Computing Agents (NCAs), or trusted agents, would have been application processes strictly managed by the nexus. They would have consisted of user-mode code executing within the isolated execution space (nexus mode), also known as the protected operating environment. They would have been trusted software components, hosted by the nexus. NCAs would have been used to process data and transactions in curtained memory.

An NCA could have been be an application in and of itself, or an NCA could have been part of an application that would have also run in the standard Windows environment. In other words, an NCA or trusted agent could have been a program, a part of a program, or a service that runs in user mode in trusted space. Each NCA would have had access only to the memory allocated to it by the nexus. This memory would not have been shared with other processes on the system, unless explicitly allowed by the NCA.

The NCA would have been represented by a signed extensible markup language (XML) document called a manifest. The manifest would have identified the program hash either by naming it directly in the manifest or by naming a public key. This public key would have meant, informally, “Any cryptographic hash signed by the corresponding private key has the same software identity.” In addition, the manifest would have defined the code modules that can be loaded for each NCA, associated human-readable names with the program, noted version numbers, and expressed program-debugging policy (i.e., whether the NCA was debuggable). Debugging an agent really meant debugging via the LHS shadow process.

The manifest would have also provided information about an application that a machine user would have used to determine if the app should run, and would have defined agent components, agent properties (e.g. system requirements and descriptive properties such as the version number), and agent policy requests. The machine owner's policy might, however, have overridden the policy requests in the manifest.

NCAs would have been monolithic, with no DLLs. Code could have been shared using statically-linked libraries. The composition of NCAs would have been based on IPC, which was blocking and message-oriented. NCAs and LHS processes could have both used IPC: for NCAs to communicate with other NCAs; for LHS applications to communicate with the NCAs they start. Access to IPCs would have been controlled by policy.

An NCA or trusted agent would have called, or could have made requests to, the nexus for security-related services and critical general services or essential NGSCB services, such as memory management. An NCA or trusted agent would have been able to store secrets using sealed storage, and to authenticate itself using the attestation services of the nexus. Each trusted agent or entity would have controlled its own domain of trust, and they need not have relied on each other. Alternatively stated, each NCA would have controlled its own trust relationships, and NCAs would not have needed to trust or rely on each other.

Each NCA was required to operate without forcing the computer to restart, shut down running programs, or cause compatibility problems for existing programs. This would have allowed NCAs to run without restricting the other software currently running, or could potentially run, on a computer.

The nexus would have determined the unique code identity of each NCA, which would have enabled the NCA to be specifically designated as trusted or not trusted by multiple entities, such as the user, IT department, a merchant, or a vendor. The mechanism for identifying code in NGSCB would have been unambiguous and policy-independent.

NCAs could have been written in C or C++, using any compiler. Agents could have been instantiated from managed or unmanaged code. An RHS CLR was planned; it would have allowed agents to be written in any .Net language.

Projection would have been the mechanism by which some of the powers and properties of NCAs or trusted agents could be extended to LHS code (ex. Excel). Rather than porting an application (or mortal) on the LHS, projection would have allowed the construction of a monitoring agent (or angel) for the application. This would have permitted the existing application to run with many of the same useful properties as a trusted agent. Projection might have also been applied to both the LHS operating system and to any LHS application programs for which some level of trusted operation was desirable. Projection might have also been applied to LHS device drivers. Thus, projection would have allowed trusted agents to protect, assure, attest, and extend, LHS operating systems, services, and programs.

Projection would have been the mechanism by which some of the powers and properties of NCAs or trusted agents could be extended to LHS code (ex. Excel). Rather than porting an application (or mortal) on the LHS, projection would have allowed the construction of a monitoring agent (or angel) for the application. This would have permitted the existing application to run with many of the same useful properties as a trusted agent. Projection might have also been applied to both the LHS operating system (through a base monitoring agent or archangel) and to any LHS application programs for which some level of trusted operation was desirable. Projection might have also been applied to LHS device drivers. Thus, projection would have allowed trusted agents to protect, assure, attest, and extend, LHS operating systems, services, and programs.

NCAs were divided into three categories: "Application," "Component," and "Trusted Service Provider."

Application agents would have been stand-alone applications, and good for clients in multi-tier applications, such as an online banking client. The entire application would have run on the RHS.

Component agents would have been components of a larger application. Most of the application would have run on the LHS, but agents would have been used for specific trusted applications. Component agents would have been suitable for adding trusted features to existing Windows applications, such as a document signing component of a word processor.

Trusted Service Provider NCAs would have run entirely in Nexus mode and would have provided services to other NCAs. For example, the Trusted UI Engine, which would have rendered and managed the UI of an NCA, and would have alerted such NCA when events occur on active UI elements, would have been an example of a Trusted Service Provider NCA.

Features

 * Note: this section discusses NGSCB before WinHEC 2004.

Developers could have used four main capabilities to protect data against software attacks on NGSCB systems: strong process isolation, sealed storage, secure paths to and from the user, also called secure input and output, and attestation. All NGSCB-enabled application capabilities would have been built off of these four key features or pillars. The first three would have been needed to protect against malicious code, while attestation would have broken new ground in distributed computing.

Strong process isolation


Strong process isolation would have been a mechanism for protecting data in memory. It would have been created and maintained by the nexus and enforced by NGSCB hardware and software. The hardware would have notified the nexus of certain operations, and the nexus would have arbitrated page tables, control registers, and others.

Agents and the nexus would have run in curtained memory, inaccessible to other agents, to the standard Windows kernel, nor to hardware direct memory access (DMA) devices, by using a special structure called the DMA exclusion vector.

Strong process isolation would have provided an execution and memory space, a trusted space, by carving out a secure area (the RHS). This space would have been a specific portion of RAM within the address space. This space would have been protected from external access and software-based attacks (even those launched from the kernel), and would have provided a restricted and protected address space for applications and services that have higher security requirements. This curtained memory would have guaranteed against leaking information to the world outside of the nexus, and would have permitted only certain certified applications to execute under the nexus and to access the curtained memory.

Operations that run on the RHS would have been protected and isolated from the LHS, which would have made them significantly more secure from attack. In other words, strong process isolation would have prevented rogue applications from changing NGSCB data or code while it was running.

Because of strong process isolation and curtained memory, the main operating system would have been largely unaware of the NGSCB system. The nexus could be started at any time through authenticated startup, which enables hardware and software components to authenticate themselves within the system. After the nexus was authenticated, the nexus and its trusted applications would be protected in isolated memory and could not be accessed by the main operating system. The nexus was required not to interact with the main operating system in any way that would allow events happening at the main operating system to compromise the behavior of the nexus. Thus, this protected operating environment provided a higher level of secure processing while leaving the rest of the computer's hardware and software unaffected.

In user interface terms, when users run trusted applications within this curtained memory, all processes would operate within special "trusted windows." A non-writable banner with a trusted icon and program name would appear on the top of each trusted window. The trusted window could not be covered by other windows for programs that were running in the standard operating system environment. If more than one trusted window is open on the desktop, they would not overlap.

Sealed storage
Sealed storage would have been a mechanism for protecting data in storage. It would have allowed the user to encrypt information with a key rooted in the hardware, so that it could only be accessed by a trustworthy application, the designated trusted entity that stored it, or by authenticated entities.

NGSCB would have provided sealed data storage by using a special security support component (SSC). The SSC would have provided the nexus with individualized encryption services to manage the cryptographic keys, including the NGSCB public and private key pairs and the Advanced Encryption Standard (AES) key from which keys would have been derived for trusted applications and services. Each nexus would have generated a random keyset on first load. The TPM chip on the motherboard would have protected the nexus keyset. An NCA would have used these derived keys for data encryption. Simply put, agents would have used nexus facilities to seal (encrypt and sign) private data. The nexus would have protected the key from any other agent/application, and the hardware would have prevented any other nexus from gaining access to the key. File system operations by the standard operating system would have provided the storage services.

The trustworthy application could have included just the application that created the information in the first place, or any application that was trusted by the application that owned the data. Therefore, sealed storage would have allowed a program to store secrets that could not be retrieved by nontrusted programs, such as a virus or Trojan horse, and sealed storage would have prevented rogue applications from getting at encrypted data. In addition, sealed storage could not be read if another operating system is started or if the hard disk is moved to another computer. NGSCB would have provided mechanisms for backing up data and for migrating secure information to other computers.

Sealed storage would have also verified the integrity of data when unsealing it.

Sealed storage would have bound long-lived confidential information to code. Long-lived information referred to confidential information for which the lifetime of the information would have exceeded the lifetime of the process that accesses it. For example, a banking application might need to store confidential banking records for use at a later time, or a browser might need to store user credentials on the hard disk and protect that data from tampering.

Encrypted files would have been useless if stolen or surreptitiously copied.

Secure paths to and from the user
Secure paths to and from the user would have been mechanisms for protecting data moving from input devices to the NCAs, and from NCAs to the monitor screen. NGSCB would have supported secure input through upgraded keyboards and Universal Serial Bus (USB) devices,  allowing a local user at a local keyboard or other device to communicate privately with an NCA or a trusted application. Other protected input devices included mice, and integrated input for laptops.

Data entered by the user and presented to the user could not be read by software, such as spyware or “Trojan horses,” programs that could read keystrokes, or allowed a remote user or program to act as a legitimate local user. Malicious software could not mimic or intercept input, or intercept, obscure or alter output; in the keyboard setting,  malicious software could not be used to record, steal or modify keystrokes Secure path would have enabled one to be sure that they are dealing with the real user, not an application spoofing the user.

Secure output would have been similar. Graphic adapters were generally optimized for performance rather than security, allowing software to read or write to video memory easily and making securing video very difficult. A secure channel would have existed between the nexus and the graphics adapter. The information that would have appeared onscreen could be presented to the user so that no one else could intercept it and read it. Taken together, these things would have allowed a user to know with a high degree of confidence that the software in his computer is doing what it was supposed to do. NGSCB dialog boxes could be obscured, and they had visual cues that allowed users to be certain that the window was not being displayed by the standard side or the LHS.



A two-factor authentication combination of NGSCB-enabled smart cards and biometric devices could have been combined with the trustworthy computing capabilities of an NGSCB system to provide the strongest user authentication at reasonable cost. This combination of NGSCB and authentication input devices would have addressed the human factor problem involved in password credentials, and the hijacking scenario in case of biometrics authentication. NGSCB-enabled devices would have been attached to the system, and the user authentication software component would have run as an NCA in the protected operating environment.

NGSCB would have added the following secure input capabilities to two-factor authentication to provide the strongest possible user authentication:

Smart cards, biometrics, and other authentication input devices could have been made trustworthy by embedding an input security support component into the device or into the hub to which the device connects. When these devices would be plugged into the computer, and the NGSCB system was turned on, the system could have determined whether the devices were secure and could set up a path for the exchange of authentication information between the devices and the user authentication software component NCA that would be running in the computer's protected operating environment.

Attestation
Attestation would have been a mechanism for authenticating a given software and hardware configuration, either locally or remotely. Attestation referred to the ability of a piece of code to digitally sign or otherwise attest to a piece of data and further assure the recipient that the data was constructed by an unforgeable, cryptographically identified software stack. It would have enabled a user to verify that they were dealing with an application and machine configuration they trusted.

Attestation would have let other computers know that a computer was really the computer it claimed to be, and was running the software it claimed to be running. It would have based on secrets rooted in hardware combined with cryptographic representations (hash vectors) of the nexus and/or software running on the machine. Attestation would have been a core feature for enabling many of the privacy benefits in NGSCB. Because NGSCB software and hardware would have been cryptographically verifiable to the user and to other computers, programs, and services, the system could verify that other computers and processes were trustworthy before engaging them or sharing information. Thus, when used in conjunction with certification and licensing infrastructure, attestation would allowed the user to reveal selected characteristics of the operating environment to external requestors, and to prove to remote service providers that the hardware and software stack is legitimate. By authenticating themselves to remote entities, trusted applications could have created, verified, and maintained a security perimeter that would not have required trusted administrators or authorities.

For example, a banking company might have provided NGSCB-capable computers to its high-profile customers to help provide secure remote access and processing for Internet banking transactions that contain highly sensitive and valuable information. The banking company would have then built its own NGSCB-trusted application that would have used a secure network protocol, enabling the customers to communicate with a server application on the company's servers.

When requested by an agent, the nexus could have prepared a chain that authenticated: the agent by digest, signed by the nexus; the nexus by digest, signed by the TPM; and the TPM by public key, signed by the OEM or the IT department. The machine owner would have set policies to control which forms of attestation each agent or group of agents could use. A secure communications agent would have provided higher-level services to agent developers. It would have opened a secure channel to a service using a secure session key, and responded to an attestation challenge from the service based on user policy.

All trust relationships could have been traced back to the "root of trust." Trust relationships were only as strong as their root. For example, if the CA gave away all its secrets to untrustworthy entities, a requestor could potentially download a malicious program without knowing that the trust relationship had been compromised. The NGSCB root of trust would have been made as strong as possible by embedding a 2048-bit RSA public and private key in the SSC that would have stored the shared secrets. The coprocessor's private key could not be accessed; it could only be used to encrypt and decrypt secrets. The computer's RSA private key would have embedded in hardware and never exposed. If computer-specific secrets were somehow accessed by a sophisticated hardware attack, they only applied to data on the compromised computer and could not be used to develop widely deployable programs that could compromise other computers. In the case of an attack, a compromised computer could be identified by IT managers, service providers, and other systems, and then excluded from the network.

Neither nexus nor agent could directly determine if it were running in the secured environment. They would have been required to use Remote Attestation or Sealed Storage to cache credentials or secrets to prove the system is sound.

Attestation would have involved secure authentication of subjects (e.g., software, machines, services) through code ID. This would have been separate from user authentication.

WinHEC 2004
Biddle announced during his presentation in WinHEC 2004:

Security would still have been first. The same nexus would support both Windows client and server. "Longhorn" would run with or without NGSCB. NGSCB would have more direct support for Windows (e.g., “Cornerstone”), and would have been more closely aligned to Windows components (e.g., compartments). Isolation would have been provided per compartment, rather than per process.

System services would be provided to the operating system in the system-only compartment. An IPC mechanism would have been used to call them. The same services described in Features would still be provided, namely, isolation, sealed storage, trusted path, and attestation. TPM 1.2 would have been used to root sealed storage.

The nexus would have managed sufficient hardware to provide useful isolation, including the CPU, memory, and TPM (crypto processor). The secure compartment would have managed secure I/O. The primary operating system would have managed all other hardware.

"Cornerstone" would have prevented a thief who booted another operating system or ran a hacking tool from breaking core Windows protections, and provided a root key which could be used by third-parties to protect their secrets against the same attack. User login and authentication would have been done in a secure compartment. Meanwhile, under Code Integrity Rooting (CIR), boot and system files would have been validated and their integrity checked prior to the release of the SYSKEY into the legacy operating system.

The Integrated Security Support Component intended for Secure input could have protected against both software and hardware attacks, but required new keyboards, new mice, user retraining, among other costs, which would have been out of proportion to the problems that most users will face. It was scrapped in favor of Intel’s Trusted Mobile Keyboard Controller for mobile devices, and work to get changes for USB in chipsets without requiring new USB devices nor new drivers.

Trusted Platform Module
The Trusted Platform Module (TPM) is a cryptographic co-processor specified by the Trusted Computing Group. It contains cryptographic keys, performs basic cryptographic services, and stores cryptographic hashes, or platform measurements. The TPM anchors chain of trust for keys, digital certificates and other credentials.

The public-private key pair that is created as part of the TPM’s manufacturing process is called the endorsement key (EK), which is unique, generated only once, and is the root key for establishing the identity used for attestation. It is a 2048-bit RSA key pair. Microsoft claimed that it would not be involved in generating the EK. The TPM owner could enable/disable the access to the EK, thus enabling/disabling attestation.

The private key component of the EK never leaves, and is known only to, the TPM. The private key would never have been accessible to software executing in the operating system. It would have been used only to instantiate the NGSCB environment and to provide services to the nexus.

In an NGSCB-capable computer, even the public key on the TPM (also referred to as platform credentials) would have been secured against accidental disclosure or unauthorized access. The public key component of the EK would have been used by NGSCB only to create “alias” keys (called attestation identity keys (AIKs) in the TPM specification) that could have been used to ensure anonymity. The public key would have been accessible only by software that the machine owner explicitly trusted (trust being established by the user taking overt action to run this software). Trusted software could then implement policies as determined by the machine owner. These policies control access to the computer's public key by other clients, servers or services. In contrast to most public key infrastructure systems, the public key in an NGSCB-capable system would not be made widely available. This design was implemented to prevent indiscriminate tracking of users or computers on the Internet through their public keys. It would have been protected to mitigate against identity profiling and tracking.

According to Microsoft, version 1.2 of the Trusted Platform Module is the first version compatible with NGSCB. Previous versions do not include the required functionality.

TPM is an implementation of a root-of-trust, meaning, a system can be trusted if it behaves in the expected manner for the intended purpose. A Root-of-Trust allows third parties to rely on this trust, and serves to anchor a certificate verification chain that is unique to a given system.

During boot, the TPM would gather measurements about the running environment: namely, the BIOS, the loader, the trusted operating system, and applications. "To measure" means that it would perform hash, would log and extend appropriate register. TPM would only measure the running environment. Collected PCRs values would have been later used for sealed storage & [[#Attestation|attestation. The remote entity could decide whether to trust the running platform based on the PCR values. Secrets would be sealed to a particular state of the platform using these measurements. PCRs would have been part of the sealed message. For large data blocks, data would be encrypted; only the key would be sealed. Unseal would return decrypted data only when the PCR(s) match.

In builds of Windows "Longhorn"
In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB. The first build of Windows "Longhorn" known to include the NGSCB directory and subfolders is either 4015.main or 4039, and the last is build 4066. A report dated 5 May 2004 stated, "The NGSCB code won't be updated in the enhanced Longhorn developer's preview update, due out later this week". That build, 4074, does not contain the  folder.

The build version of NGSCB that shipped with build 4051, distributed to PDC 2003 attendees, was. It had to be configured manually by running, located in  , through the Command Prompt.

The Longhorn SDK, also distributed to PDC 2003 attendees, also contained APIs for NGSCB.

The NGSCB developer preview SDK was provided so that developers could understand the features and APIs of NGSCB, but did not demonstrate the security of NGSCB. The SDK enabled developers to prototype most applications they might write on Version 1 of NGSCB, but with a warning that the SDK might change before RTM. The developer preview also included a software emulator which simulated the NGSCB environment; new hardware was not necessary to run it.

The developer preview supported creating an agent in Visual Studio (debugging must be done on the command line), simulated sealed storage, simulated attestation, IPC, and standard Windows and CRT style APIS, but did not provide secure path nor strong process isolation.

Sample apps
The Longhorn SDK, distributed to attendees of PDC 2003 with build 4051, came with three sample applications that must be compiled in the version of Visual Studio "Whidbey" which was also distributed to said attendees. The screenshots show how to build them. Building all three leads to errors.

Secure Chat
Building the solution leads to the following errors:

c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\chatdlg.c(15): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Server\digests.c(17): fatal error C1083: Cannot open include file: 'digest.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\listener.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\log.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\logindlg.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\main.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Digestgen\main.c(18): fatal error C1083: Cannot open include file: 'digest.h': No such file or directory Project The following environment variables were not found: $(NG_SDK) Project The following environment variables were not found: $(NG_SDK) Project The following environment variables were not found: $(NG_SDK) c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Server\request.c(27): fatal error C1083: Cannot open include file: 'attest.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\request.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\seal.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\users.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securechat_cpp\Client\viewlogdlg.c(14): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory

Secure Notepad
Building the solution leads to the following errors:

c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securenotepad_cpp\Main.c(17): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory Project The following environment variables were not found: $(NG_SDK) c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securenotepad_cpp\seal.c(17): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securenotepad_cpp\SNPEditWin.c(1): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory c:\Documents and Settings\Administrator\Desktop\lhsdk_ngscb_securenotepad_cpp\SNPFile.c(1): fatal error C1083: Cannot open include file: 'nca.h': No such file or directory

TxtViewer
The project file for this application crashes Visual Studio.

Legacy
The development of the Next-Generation Secure Computing Base ultimately led to the creation of Microsoft's Bitlocker drive encryption feature for Windows Vista Enterprise and Ultimate. It was one of the first mainstream device encryption features to support version 1.2 of the Trusted Platform Module, and the first device encryption feature to be integrated with the Windows operating system. This feature was announced as "Cornerstone" in WinHEC 2004 and Secure Startup in WinHEC 2005, or Secure Startup-Full Volume Encryption.

Windows 8, released in 2012, includes a feature called Measured Boot which allows a trusted server to verify the integrity of the Windows startup process. It serves a purpose comparable to NGSCB's attestation feature in that they are both designed to validate a platform's configuration, but it is not directly related to NGSCB.

In addition, features based on those originally intended for NGSCB would later become available in competing operating systems. In 2008, Peter Biddle observed that XenSE would deliver the same functionality as NGSCB, but did not spark outcry. He also mentioned what the open-source community had been doing which NGSCB aimed to perform, such as secure boot, NGSCB near-clones in some universities, and TPM drivers for Linux. . In 2012, Giesecke & Devrient produced a parallel execution environment called MobiCore for the Android operating system designed to host secure user applications and protect confidential data. In 2013, Apple released a new feature for its iOS operating system called Secure Enclave to protect a user's biometric information.

BetaArchive forum

 * Builds of "Longhorn" with NGSCB?
 * Longhorn 4033 Privacy Preferences - This hidden feature from build 4033 does not appear to be a part of NGSCB, given the description above. The link is retained here for reference.
 * Windows "Longhorn" features present in Windows Vista, includes some NGSCB features
 * "Longhorn" NGSCB patents expired

Microsoft

 * Microsoft Next-Generation Secure Computing Base Home Page, from the Wayback Machine
 * Earlier capture from June 2003, with WinHEC 2003 links
 * Microsoft Next-Generation Secure Computing Base Documentation, with links to resources from the Microsoft site on NGSCB