Next-Generation Secure Computing Base

Diagram of the NGSCB software platform as presented at WinHEC 2003.

The Next-Generation Secure Computing Base (codenamed Palladium) is the name of a cancelled software architecture originally slated to be included in the Microsoft Windows "Longhorn" operating system. Development of the architecture began in 1997.^[1]^[2]

NGSCB is designed to provide an isolated environment where sensitive operations may be performed securely. Microsoft's primary stated objective with NGSCB is to "protect software from software."^[3]

History

Development

Name

In Greek and Roman mythology, the term "palladium" refers to an object that the safety of a city or nation was believed to be dependent upon.^[4]

On January 24, 2003, Microsoft announced that "Palladium" had been renamed as the "Next-Generation Secure Computing Base." According to NGSCB product manager Mario Juarez, the new name was chosen not only to reflect Microsoft's commitment to the technology in the upcoming decade, but also to avoid any legal conflict with an unnamed company that had already acquired the rights to the Palladium name. Juarez acknowledged that the previous name had been a source of controversy, but denied that the decision was made by Microsoft in an attempt to deflect attention.^[5]

Cancellation

At WinHEC 2004, Microsoft announced that it would reconsider its plans for the platform, based on feedback from customers and ISV partners who stated that they did not want to rewrite their existing programs in order to benefit from its functionality.^[6]^[7] Although some reports stated that Microsoft planned to cancel the platform because of this,^[8]^[9] Microsoft reaffirmed its commitment to the technology.^[10]^[11]

At WinHEC 2005, Microsoft announced that its plans had been scaled back in order to ship the post-reset Windows "Longhorn" operating system within a reasonable timeframe. Instead of providing a new operating environment, the NGSCB would offer full volume encryption with a feature known as Secure Startup (later renamed as Bitlocker Drive Encryption).^[12] Microsoft stated that it would deliver other aspects of its NGSCB vision at a later date.^[13]

In July 2008, Peter Biddle stated that negative perception was the main factor responsible for the cancellation of the architecture.^[14]

Overview and features

Process isolation

Sealed storage

Attestation

Secure I/O

Software

Nexus

Diagram of the Nexus design.

The Nexus, previously referred to as the "Nub"^[15] or "Trusted Operating Root"^[16]^[17] is the security kernel in the NGSCB software platform. The Nexus is responsible for the secure interaction between the specialized hardware components, and is also responsible for the management of Nexus Computing Agents.

Nexus Computing Agents

Nexus Computing Agents are user-mode application processes managed by the Nexus kernel.

Nexus Computing Agents are divided into three categories: "Application," "Component," and "Trusted Service Provider."^[18]

Hardware

Trusted Platform Module

The Trusted Platform Module, previously referred to as the "Secure Cryptographic Processor" or "Security Support Component", is the hardware component that securely stores the cryptographic keys for the Nexus and Nexus Computing Agents, which makes the sealed storage and attestation features of the Nexus possible.

The Trusted Platform Module includes an asymmetric 2048-bit RSA key pair, referred to as the Endorsement Key (EK), which is unique to each particular module and is generated as part of its manufacturing process. The public key is accessible to applications or services that have established a trusted relationship with the owner, and is also used to provide the owner with Attestation Identity Keys (AIKs).

According to Microsoft, version 1.2 of the Trusted Platform Module is the first version compatible with its NGSCB architecture. Previous versions do not include the required functionality.^[19]

In builds of Windows "Longhorn"

In released pre-reset builds of Windows "Longhorn", NGSCB components reside in %SYSTEMDRIVE%\WINDOWS\NGSCB.

In Windows 8

On systems equipped with a Trusted Platform Module, Windows 8 incorporates a feature called "Measured Boot" which allows a trusted server to verify the integrity of the Windows startup process.^[20]^[21]^[22] Measured Boot is not directly related to the NGSCB architecture; rather, it serves a purpose comparable to the architecture's "Attestation" feature in that both are designed to validate a platform configuration.^[23]

References

↑ Biddle, Peter (August 5, 2002). "Re: Dangers of TCPA/Palladium"
↑ Merritt, Rick (July 15, 2002). "Microsoft scheme for PC security faces flak"
↑ Aday, Michael. "Palladium"
↑ Greek Mythology Index "PALLADIUM"
↑ Lemos, Robert (January 24, 2003). "What's in a name? Not Palladium"
↑ Evers, Joris (May 5, 2004). WinHEC: Microsoft revisits NGSCB security plan
↑ Sanders, Tom (May 6, 2004) "Microsoft shakes up 'Longhorn' security"
↑ Bangeman, Eric (May 5, 2004). "Microsoft kills Next-Generation Secure Computing Base"
↑ Rooney, Paula (May 5, 2004). "Microsoft shelves NGSCB project as NX moves to center stage"
↑ eWeek (May 5, 2004). "Microsoft: Palladium is still alive and kicking"
↑ Thurrott, Paul (May 7, 2004). "WinHEC 2004 Show Report and Photo Gallery"
↑ Sanders, Tom (April 26, 2005). "'Longhorn' security gets its teeth kicked out"
↑ Microsoft Next-Generation Secure Computing Base
↑ Biddle, Peter (July 16, 2008). "Perception (or, Linus gets away with being honest again)"
↑ Biddle, Peter (August 5, 2002). "Re: Dangers of TCPA/Palladium"
↑ Microsoft: "'Palladium': A Business Overview"
↑ Biddle, Peter (September 19, 2002). "Re: Cryptogram: 'Palladium' only for DRM"
↑ Cram, Ellen (October 2003). "Development Considerations for Nexus Computing Agents"
↑ Microsoft: "Privacy-Enabling Enhancements in the Next-Generation Secure Computing Base"
↑ Microsoft TechNet: "Windows 8 Boot Process - Security, UEFI, TPM"
↑ Microsoft TechNet: Windows 8 Boot Security FAQ
↑ Microsoft Software Developer Network: "Measured Boot"
↑ Microsoft: "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"

External links

Microsoft Next-Generation Secure Computing Base Home Page

[1] Biddle, Peter (August 5, 2002). "Re: Dangers of TCPA/Palladium"

[2] Merritt, Rick (July 15, 2002). "Microsoft scheme for PC security faces flak"

[3] Aday, Michael. "Palladium"

[4] Greek Mythology Index "PALLADIUM"

[5] Lemos, Robert (January 24, 2003). "What's in a name? Not Palladium"

[6] Evers, Joris (May 5, 2004). WinHEC: Microsoft revisits NGSCB security plan

[7] Sanders, Tom (May 6, 2004) "Microsoft shakes up 'Longhorn' security"

[8] Bangeman, Eric (May 5, 2004). "Microsoft kills Next-Generation Secure Computing Base"

[9] Rooney, Paula (May 5, 2004). "Microsoft shelves NGSCB project as NX moves to center stage"

[10] Week (May 5, 2004). "Microsoft: Palladium is still alive and kicking"

[11] Thurrott, Paul (May 7, 2004). "WinHEC 2004 Show Report and Photo Gallery"

[12] Sanders, Tom (April 26, 2005). "'Longhorn' security gets its teeth kicked out"

[13] Microsoft Next-Generation Secure Computing Base

[14] Biddle, Peter (July 16, 2008). "Perception (or, Linus gets away with being honest again)"

[15] Biddle, Peter (August 5, 2002). "Re: Dangers of TCPA/Palladium"

[16] Microsoft: "'Palladium': A Business Overview"

[17] Biddle, Peter (September 19, 2002). "Re: Cryptogram: 'Palladium' only for DRM"

[18] Cram, Ellen (October 2003). "Development Considerations for Nexus Computing Agents"

[19] Microsoft: "Privacy-Enabling Enhancements in the Next-Generation Secure Computing Base"

[20] Microsoft TechNet: "Windows 8 Boot Process - Security, UEFI, TPM"

[21] Microsoft TechNet: Windows 8 Boot Security FAQ

[22] Microsoft Software Developer Network: "Measured Boot"

[23] Microsoft: "Secured Boot and Measured Boot: Hardening Early Boot Components against Malware"

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]

[18]

[19]

[20]

[21]

[22]

[23]