Next-Generation Secure Computing Base

From Wikipedia, the free encyclopedia

You have new messages (last change).

The Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium, is a software architecture designed by Microsoft which is expected to implement parts of the controversial "Trusted Computing" concept on future versions of the Microsoft Windows operating system. NGSCB is part of Microsoft's Trustworthy Computing initiative. Microsoft's stated aim for NGSCB is to increase the security and privacy of computer users [1], but critics assert that the technology will not only fail to solve the majority of contemporary IT security problems, but also result in an increase in vendor lock-in and a resulting reduction in competition in the IT marketplace.

NGSCB relies on hardware technology designed by members of the Trusted Computing Group (TCG), which provides a number of security-related features, including fast random number generation, a secure cryptographic co-processor, and the ability to hold cryptographic keys in a manner that makes them extremely difficult to retrieve, even to the machine's owner. It is this latter ability that makes remote attestation of the hardware and software configuration of an NGSCB-enabled computer possible, and to which the opponents of the scheme chiefly object [2]. Several computer manufacturers are selling computers with the Trusted Platform Module chip, notably the Dell OptiPlex GX620 [3].

Contents

[edit] Architecture and technical details

Architecture of NGSCB
Architecture of NGSCB

A complete Microsoft-based Trusted Computing-enabled system will consist not only of software components developed by Microsoft but also of hardware components developed by the Trusted Computing Group. The majority of features introduced by NGSCB are heavily reliant on specialised hardware and so will not operate on contemporary PCs.

In current Trusted Computing specifications, there are two hardware components; the Trusted Platform Module (TPM), which will provide secure storage of cryptographic keys and a secure cryptographic co-processor, and a curtained memory feature in the Central Processing Unit (CPU). In NGSCB, there are two software components, the Nexus, a security kernel that is part of the Operating System, and Nexus Computing Agents (NCAs), trusted modules within NGSCB-enabled applications.

[edit] Secure storage and attestation

At the time of manufacture, a cryptographic key is generated and stored within the TPM. This key is never transmitted to any other component, and the TPM is designed in such a way that it is extremely difficult to retrieve the stored key by reverse engineering or any other method, even to the owner. Applications can pass data encrypted with this key to be decrypted by the TPM, but the TPM will only do so under certain strict conditions. Specifically, decrypted data will only ever be passed to authenticated, trusted applications, and will only ever be stored in curtained memory, making it inaccessible to other applications and the Operating System. Although the TPM can only store a single cryptographic key securely, secure storage of arbitrary data is by extension possible by encrypting the data such that it may only be decrypted using the securely stored key.

The TPM is also able to produce a cryptographic signature based on its hidden key. This signature may be verified by the user or by any third party, and so can therefore be used to provide remote attestation that the computer is in a secure state.

[edit] Curtained memory

NGSCB also relies on a curtained memory feature provided by the CPU. Data within curtained memory can only be accessed by the application to which it belongs, and not by any other application or the Operating System. The attestation features of the TPM can be used to confirm to a trusted application that it is genuinely running in curtained memory; it is therefore very difficult for anyone, including the owner, to trick a trusted application into running outside of curtained memory. This in turn makes reverse engineering of a trusted application extremely difficult.

[edit] Applications

NGSCB-enabled applications are to be split into two distinct parts, the NCA, a trusted module with access to a limited Application Programming Interface (API), and an untrusted portion, which has access to the full Windows API. Any code which deals with NGSCB functions must be located within the NCA.

The reason for this split is that the Windows API has developed over many years and is as a result extremely complex and difficult to audit for security bugs. To maximise security, trusted code is required to use a smaller, carefully audited API. Where security is not paramount, the full API is available.

[edit] Uses

NGSCB is currently set to be a framework for building Trusted Computing applications. It therefore has a wide range of potential uses, but does not inherently provide any features from the point of view of the user.

[edit] Digital Rights Management

By utilising the attestation, curtained memory and cryptographic features of the TPM, a secure form of Digital Rights Management (DRM) may be developed; critics charge that although it does not provide DRM features itself, DRM is nevertheless the primary motivation for the development of NGSCB.

DRM would be implemented by encrypting DRM-protected files and only making the decryption key available to trusted applications. A wide range of copy-protection and similar features could thereby be implemented, limited only by the imagination. For example, it would be possible to create a file that can only be read on one computer, or within one organisation, or a file that can only be opened for reading three times. While any DRM-protected file could be just as easily copied or read as an unprotected file, it would be impossible to decrypt the file at an unauthorised destination, rendering it useless.

[edit] Network security

In corporate and educational networking environments, a desirable feature of NGSCB is the ability of each workstation to securely attest that no unauthorised modifications have been made either to its hardware or software. A workstation that is unable to authenticate itself can then be automatically denied access to some or all network services pending investigation.

[edit] Multiplayer games

The attestation and curtained memory features of NGSCB could also potentially be used to prevent most kinds of cheating in online games.[4] Cheating by various means is currently prevalent in a number of multiplayer games[5][6] and diminishes the enjoyment of those games by legitimate players.

Common methods of cheating include:

  • Modification of the game executable or video drivers, e.g. to allow the player to see through walls.[7] This type of cheat can be prevented by using remote attestation to confirm that neither the game executable nor the video driver has been modified.
  • Modification of game network traffic in transit between the client and server[8], e.g. to augment a player's ability to aim their weapon in a first-person shooter game. This type of cheat can be prevented by encryption of network traffic within curtained memory prior to transmission, and corresponding decryption on the server.

[edit] Criticism

NGSCB and Trusted Computing can be used to intentionally and arbitrarily lock certain users out from use of certain files, products and services, for example to lock out users of a competing product, potentially leading to severe vendor lock-in. This is analogous to a contemporary problem in which many businesses feel compelled to purchase and use Microsoft Word in order to be compatible with associates who use that software. Today this problem is partially solved by products such as OpenOffice.org which provide limited compatibility with Microsoft Office file formats. Under NGSCB, if Microsoft Word were to encrypt documents it produced, no other application would be able to decrypt them, regardless of its ability to read the underlying file format.

NGSCB and Trusted Computing are ineffectual at solving the majority of contemporary security problems, for example computer viruses and trojans. Despite this fact, Microsoft has in the past claimed that NGSCB was necessary to combat the threat of future virus outbreaks against Microsoft Windows users [9]. Microsoft is no longer making claims that NGSCB will solve these virus problems [10].

[edit] Owner Override

Critics have proposed 'Owner Override' as a potential solution to these problems [11]. In such a system, the key stored by the TPM would still be inaccessible. However, a secure method for the owner to identify themselves would be provided, and through this method the owner would be able to force the TPM to make a false attestation or decrypt data for an application that would not otherwise be allowed access to that data. This feature would ensure that owners continue to have ultimate control over their computers and software and data stored on them, although it would also make Trusted Computing useless for purposes such as DRM. Trusted Computing would still have some uses in preventing misuse by anyone other than the owner, for example in a business or educational environment where computing facilities are made available by an employer or school for use by an employee or student.

Microsoft, and the Trusted Computing Group have pointedly refused to even consider the notion of 'Owner Override'.

[edit] Availability

When originally announced, NGSCB was expected to be part of the then next major version of the Windows Operating System, Windows Vista (then known as Longhorn). However, in May 2004, Microsoft was reported to have shelved the NGSCB project [12]. This was quickly denied by Microsoft who released a press release stating that they were instead "revisiting" their plans [13]. The majority of features of NGSCB are now not expected to be available until well after the release of Windows Vista. However, Vista includes "BitLocker", which can make use of a Trusted Platform Module chip to facilitate secure startup and full-drive encryption. TPMs are already integrated in many systems using Intel's Core 2 Duo processors or AMD's Athlon 64 processors using the AM2 socket.

[edit] Change of name

When initially announced by Microsoft, NGSCB was known as Palladium. In Greek and Roman mythology, a Palladium is an "image of immemorial antiquity on which the safety of a city was said to depend". The name is particularly associated with a statue of the Goddess Athena which was kept in the citadel of Troy, and was believed to protect the Trojans against invading Greeks. The statue was stolen by Odysseus and Diomedes, but the city did not fall until it was later attacked by the Trojan horse.

When Microsoft announced the name change to NGSCB, the stated reason was that the name Palladium was trademarked, and that the trademark holders, Palladium Books, were not willing to allow Microsoft use of the mark. However, this interpretation is inconsistent with trademark law in the US, in which it is usually possible for two or more marks to be held on the same name so long as the rights-holders do not use the marks for trade in the same industry. It is possible that Microsoft's decision to abandon the name was influenced by bad publicity surrounding the product, or may be concerned with the inevitability of trademark complaints when information on NGSCB is released in print. [14]. Furthermore, the initiative was considered by opponents to be a potential "Trojan Horse" against the industry and its customers, an uncomfortable association with the mythology from which the name originated.

In early 2006, Microsoft renamed the NGSCB project at Microsoft to the System Integrity Team.

[edit] External links

[edit] Microsoft

[edit] Other articles

Retrieved from "http://en.wikipedia.org../../../n/e/x/Next-Generation_Secure_Computing_Base_f5d1.html"