Next-Generation Secure Computing Base: Difference between revisions

From BetaArchive Wiki
(Added information about reception; certainly this is not exhaustive. I have more text but it does not look as nice. Added information about the idea encrypted memory, and expanded on some of the features of NGSCB.)
Line 55: Line 55:


==Hardware==
==Hardware==
Encrypted memory was once considered for the NGSCB, but the idea was later discarded as the only threat conceived of that would warrant its inclusion was the circumvention of digital rights management technology.<ref>Biddle, Peter. (February 22, 2008). [http://peternbiddle.wordpress.com/2008/02/22/attack-isnt-news-and-there-are-mitigations/ "Attack isn't news, and there are mitigations"]</ref><ref>Biddle, Peter. (February 23, 2008). http://peternbiddle.wordpress.com/2008/02/23/threat-model-irony/ "Threat Model Irony"]</ref>
Encrypted memory was once considered for the NGSCB, but the idea was later discarded as the only threat conceived of that would warrant its inclusion was the circumvention of digital rights management technology.<ref>Biddle, Peter. (February 22, 2008). [http://peternbiddle.wordpress.com/2008/02/22/attack-isnt-news-and-there-are-mitigations/ "Attack isn't news, and there are mitigations"]</ref><ref>Biddle, Peter. (February 23, 2008). [http://peternbiddle.wordpress.com/2008/02/23/threat-model-irony/ "Threat Model Irony"]</ref>
===Trusted Platform Module===
===Trusted Platform Module===
The Trusted Platform Module, previously referred to as the "Secure Cryptographic Processor" or "Security Support Component", is the hardware component that securely stores the cryptographic keys for the Nexus and Nexus Computing Agents, which makes the sealed storage and attestation features of the Nexus possible.
The Trusted Platform Module, previously referred to as the "Secure Cryptographic Processor" or "Security Support Component", is the hardware component that securely stores the cryptographic keys for the Nexus and Nexus Computing Agents, which makes the sealed storage and attestation features of the Nexus possible.

Revision as of 22:07, 3 August 2014

Diagram of the NGSCB software architecture as presented at WinHEC 2003.

The Next-Generation Secure Computing Base (codenamed Palladium) is the name of a cancelled software architecture originally slated to be included in the Microsoft Windows "Longhorn" operating system. Development of the architecture began in 1997.[1][2]

NGSCB was designed to provide an isolated environment where sensitive operations may be performed securely. Microsoft's primary stated objective with NGSCB was to "protect software from software."[3][4]

History

Development

Diagram of NGSCB architecture revision during WinHEC 2004.

Development of the NGSCB began in 1997 after Microsoft developer, Peter Biddle, conceived of new ways to offer content protection on personal computers.[5]

Microsoft later filed a large number of patents related to elements of the NGSCB design.[6] Patents for a digital rights management operating system,[7] loading and identifying a digital rights management operating system,[8] key-based secure storage,[9] and certificate based access control[10] were filed on January 8, 1999. A method to authenticate an operating system based on its central processing unit was filed on March 10, 1999.[11] Patents related to the secure execution of code[12] and protection of code in memory[13] were filed on April 6, 1999.

The technology was publicly unveiled under the name "Palladium" on June 24, 2002 in an article by Steven Levy of Newsweek that focused on its origin, design and features.[14][15][16] Levy stated that the technology would allow users to identify and authenticate themselves, encrypt data to protect against unauthorized access, and enforce policies related to the use of information. As examples of policies that users could enforce, Levy stated that users could send e-mail messages accessible only by the intended recipient, or create Microsoft Word documents that could only be read a week after they were created. To provide this functionality, the technology would require specially designed hardware components, including updated processors, chipsets, peripherals, and a new coprocessor designed to perform cryptographic operations.

Microsoft publicly demonstrated the NGSCB for the first time at its Windows Hardware Engineering Conference in 2003.[17][18][19]

Microsoft released the first NGSCB software developer kit (SDK) during its Professional Developers Conference (PDC) of 2003.[20][21][22]

During WinHEC 2004, based on feedback from customers and ISV partners who stated that they did not want to rewrite their existing programs in order to benefit from its functionality, Microsoft announced that it would revise the technology.[23][24] After the announcement, reports stated that Microsoft would cease development of the technology.[25][26] Microsoft denied the claims and reaffirmed its commitment to delivering the technology.[27][28]

Name

In Greek and Roman mythology, the term "palladium" refers to an object that the safety of a city or nation was believed to be dependent upon.[29]

On January 24, 2003, Microsoft announced that "Palladium" had been renamed as the "Next-Generation Secure Computing Base." According to NGSCB product manager Mario Juarez, the new name was chosen not only to reflect Microsoft's commitment to the technology in the upcoming decade, but also to avoid any legal conflict with an unnamed company that had already acquired the rights to the Palladium name. Juarez acknowledged that the previous name had been a source of criticism, but denied that the decision was made by Microsoft in an attempt to deflect criticism.[30]

Reception

Industry and consumer reaction to Microsoft's Next-Generation Secure Computing Base technology was largely negative. The editorial staff of The Register were among the first to criticize Microsoft after the technology was unveiled. John Lettice, noting the similarities between Microsoft's NGSCB and the company's DRM-OS patents filed almost three years prior, believed that the technology was in development solely for the content industries and that the article by Newsweek had "been deliberately planted in order to prepare the way for the DRM OS."[31] Richard Forno blamed Microsoft's past record with security for the majority of contemporary security issues and expressed his belief that the technology would allow Microsoft to dictate the applications that could be allowed to run on personal computers.[32] Thomas Greene wrote that the technology had the potential to eradicate Linux and the GPL.[33] Ross Anderson of Cambridge University was one of the most vocal critics and had written an article on the potential dangers of the technology.[34][35][36] Anderson claimed that it would allow content providers to remotely censor or delete data from personal computers. Richard Stallman, founder of the GNU Project and the Free Software Foundation, expressed similar concerns and labelled the "trusted computing" initiative as "treacherous computing".[37] There were concerns that Microsoft would replace the Transmission Control Protocol with a proprietary one.[38][39]

In response, Microsoft published the first version of its technical NGSCB FAQ on August 21, 2002 that outlined the scope and intent of the technology.[40] According to Microsoft, the technology would not incorporate features that could be used to censor or delete users' data; an idea which the corporation stated was in direct conflict with its design goals. Microsoft also vehemently denied that it would incorporate a backdoor or exploit that would allow government agencies access to computers or data protected by the technology:

"Microsoft would refuse to voluntarily place a back door in any of its products and would fiercely resist any government attempt to require back doors in products. From a security perspective, such back doors are an unacceptable security risk because they would permit unscrupulous individuals to compromise the confidentiality, integrity and availability of our customers' data and systems. From a market perspective, such products would not be marketable, either domestically or internationally. Equally important, deliberately inserting such vulnerabilities would undermine Microsoft's reputation in the marketplace as a trusted vendor of products. For these reasons and others, we would, as we did during the encryption debate, oppose any such government efforts."

Cancellation

During WinHEC 2005, Microsoft announced that it had scaled back its plans for the technology in order to ship the post-reset Windows "Longhorn" operating system within a reasonable timeframe. Instead of providing a new operating environment, the NGSCB would offer full volume encryption with a feature known as "Secure Startup" (later renamed as "Bitlocker Drive Encryption").[41] Microsoft stated that it would deliver other aspects of its NGSCB vision at a later date.[42]

In July 2008, Peter Biddle stated that negative perception was the main contributing factor responsible for the cancellation of the architecture.[43]

Overview and features

Process isolation

Sealed storage

Sealed storage refers to the use of encryption to protect locally stored data. Sealed storage differs from traditional encryption schemes in that it allows data to be decrypted only under conditions specified at the time of its encryption.

Attestation

Attestation refers to validation of a NGSCB machine configuration. Attestation allows users to attest to the state of a hardware or software configuration by sending its cryptographic information to a trusted third-party; the third-party can then determine whether it should trust the configuration.

Secure I/O

Input and output devices compatible with the NGSCB are designed to provide encrypted channels from the user and to applications in order to protect it from observation or modification.

Software

Nexus

Diagram of the Nexus design.

The Nexus, previously referred to as the "Nub"[44] or "Trusted Operating Root"[45][46] is the new kernel introduced by the NGSCB. The Nexus is responsible for the secure interaction between the specialized hardware components, and is also responsible for the management of Nexus Computing Agents.

Nexus Computing Agents

Nexus Computing Agents are user-mode application processes managed by the Nexus kernel.

Nexus Computing Agents are divided into three categories: "Application," "Component," and "Trusted Service Provider."[47]

Hardware

Encrypted memory was once considered for the NGSCB, but the idea was later discarded as the only threat conceived of that would warrant its inclusion was the circumvention of digital rights management technology.[48][49]

Trusted Platform Module

The Trusted Platform Module, previously referred to as the "Secure Cryptographic Processor" or "Security Support Component", is the hardware component that securely stores the cryptographic keys for the Nexus and Nexus Computing Agents, which makes the sealed storage and attestation features of the Nexus possible.

The Trusted Platform Module includes an asymmetric 2048-bit RSA key pair, referred to as the Endorsement Key (EK), which is unique to each particular module and is generated as part of its manufacturing process. The public key is accessible to applications or services that have established a trusted relationship with the owner, and is also used to provide the owner with Attestation Identity Keys (AIKs).

According to Microsoft, version 1.2 of the Trusted Platform Module is the first version compatible with its NGSCB architecture. Previous versions do not include the required functionality.[50]

In builds of Windows "Longhorn"

In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB.

In Windows 8

On systems equipped with a compatible Trusted Platform Module, Windows 8 includes a feature called "Measured Boot" which allows a trusted server to verify the integrity of the Windows startup process.[51][52][53] Measured Boot is not directly related to the NGSCB architecture; rather, it serves a purpose comparable to the architecture's "Attestation" feature in that both are designed to validate a platform's configuration.[54]

References

  1. Biddle, Peter. (August 5, 2002). "Re: Dangers of TCPA/Palladium"
  2. Merritt, Rick. (July 15, 2002). "Microsoft scheme for PC security faces flak"
  3. Aday, Michael. "'Palladium'"
  4. Lee, Timothy. (November 30, 2012). "How 4 Microsoft engineers proved that the 'darknet' would defeat DRM"
  5. Schoen, Seth. (July 5, 2002). "'Palladium' summary"
  6. Lampson, Butler. "Curriculum Vitae"
  7. Digital rights management operating system (U.S. 6330670 B1)
  8. Loading and identifying a digital rights management operating system (U.S. 6327652 B1)
  9. Key-based secure storage (U.S. 7194092 B1)
  10. Controlling access to content based on certificates and access predicates (U.S. 6820063 B1)
  11. System and method for authenticating an operating system to a central processing unit (U.S. 7174457 B1)
  12. Secure execution of program code (U.S. 6651171 B1)
  13. Hierarchical trusted code for content protection in computers (U.S. 20040243836 A1)
  14. Levy, Steven. (June 24, 2002). "The Big Secret"
  15. Geek.com. (June 24, 2002). "'Palladium': Microsoft's big plan for the PC"
  16. ExtremeTech. (June 24, 2002). "'Palladium': Microsoft Revisits Digital Rights Management"
  17. Bekker, Scott. (May 6, 2003). "'Palladium' on Display at WinHEC"
  18. BusinessWire. (May 7, 2003). "Atmel and Microsoft Demonstrate New Secure USB Keyboard Prototype at WinHEC 2003"
  19. Microsoft PressPass. "At WinHEC, Microsoft Discusses Details of Next-Generation Secure Computing Base"
  20. Rooney, Paula; Montalbano, Elizabeth. (October 1, 2003). "Microsoft to Hand Over Early Whidbey, Yukon Code At PDC"
  21. Furman, Keith; Thurrott, Paul. (October 23, 2003). "Live from PDC 2003: Countdown, Two Days to Go!"
  22. Evers, Joris. (October 30, 2003). "Developers get hands on Microsoft's NGSCB"
  23. Evers, Joris. (May 5, 2004). "WinHEC: Microsoft revisits NGSCB security plan"
  24. Sanders, Tom. (May 6, 2004) "Microsoft shakes up 'Longhorn' security"
  25. Bangeman, Eric. (May 5, 2004). "Microsoft kills Next-Generation Secure Computing Base"
  26. Rooney, Paula. (May 5, 2004). "Microsoft shelves NGSCB project as NX moves to center stage"
  27. eWeek. (May 5, 2004). "Microsoft: Palladium is still alive and kicking"
  28. Thurrott, Paul. (May 7, 2004). "WinHEC 2004 Show Report and Photo Gallery"
  29. Greek Mythology Index. "PALLADIUM"
  30. Lemos, Robert. (January 24, 2003). "What's in a name? Not Palladium"
  31. Lettice, John. (June 24, 2002). "MS DRM OS, retagged 'secure OS' to ship with 'Longhorn'?"
  32. Forno, Richard. (June 24, 2002). "MS to micro-manage your computer"
  33. Greene, Thomas. (June 25, 2002). "MS to eradicate GPL, hence Linux"
  34. Anderson, Ross. (June 26, 2002). "TCPA / Palladium Frequently Asked Questions - Version 0.1"
  35. Tweney, Dylan. (June 28, 2002). "Broken trust"
  36. Lettice, John. (June 28, 2002). "MS 'Palladium' protects IT vendors, not you - paper"
  37. Stallman, Richard. "Can you trust your computer?"
  38. Cringely, Robert. (August 1, 2001). "The Death of TCP/IP"
  39. Cringely, Robert (June 27, 2002). "I Told You So: Alas, a Couple of Bob's Dire Predictions Have Come True"
  40. Microsoft PressPass. (August, 2002). "Microsoft "Palladium" Initiative Technical FAQ"
  41. Sanders, Tom. (April 26, 2005). "'Longhorn' security gets its teeth kicked out"
  42. Microsoft Next-Generation Secure Computing Base
  43. Biddle, Peter. (July 16, 2008). "Perception (or, Linus gets away with being honest again)"
  44. Biddle, Peter. (August 5, 2002). "Re: Dangers of TCPA/Palladium"
  45. Microsoft PressPass. "'Palladium': A Business Overview"
  46. Biddle, Peter. (September 19, 2002). "Re: Cryptogram: 'Palladium' only for DRM"
  47. Cram, Ellen. (October 2003). "Development Considerations for Nexus Computing Agents"
  48. Biddle, Peter. (February 22, 2008). "Attack isn't news, and there are mitigations"
  49. Biddle, Peter. (February 23, 2008). "Threat Model Irony"
  50. Microsoft. "Privacy-Enabling Enhancements in the Next-Generation Secure Computing Base"
  51. Microsoft TechNet. "Windows 8 Boot Process - Security, UEFI, TPM"
  52. Microsoft TechNet. "Windows 8 Boot Security FAQ"
  53. Microsoft Software Developer Network (MSDN). "Measured Boot"
  54. Microsoft. "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"

External links

Microsoft Next-Generation Secure Computing Base Home Page

Retrieved from ‘https://www.betaarchive.com/wiki/index.php?title=Next-Generation_Secure_Computing_Base&oldid=7330
the Creative Commons 3.0 ShareAlike (except the Microsoft KB Archive).
Powered by MediaWiki