Last week, I presented a wide-angle view of Next-Generation Secure Computing Base (NGSCB--formerly Palladium), Microsoft's solution for creating a secure, private, and trusted computing environment with the next Windows version, code-named Longhorn. This week, I drill down and look at the hardware and software components that will make up NGSCB. NGSCB is a hardware and software solution; you can't run it on a PC that doesn't incorporate specific NGSCB hardware. This unique architecture is, Microsoft says, what makes NGSCB more trustworthy than previous technologies that attempted to address the concerns NGSCB will solve. However, the company is also quick to point out that even NGSCB won't solve all security problems. Like any other security device, be it hardware or software based, NGSCB will likely be compromised in some way, eventually. The goal, however, is to dramatically improve security over present solutions. Here are some of the components that make up NGSCB.
An NGSCB PC will likely look and act like a regular PC, but it will include new NGSCB-specific hardware, making it a superset of a regular PC. These new hardware bits include a security computing chip called the Security Support Component (SSC), a modified CPU (Intel and AMD are supporting the new architecture) and supporting chipsets, and NGSCB-compatible input and output devices, including new keyboards and displays. NGSCB PCs will also require physically isolated disk and RAM storage that's separate from the storage that the non-NGSCB parts of the system use. The NGSCB SSC will perform cryptographic operations and will securely store cryptographic keys that the NGSCB nexus (formerly called the trust operating root) and its agents use.
NGSCB requires a special PC with a new kind of protected BIOS and a specially written OS--initially Windows Longhorn--that knows how to interact with NGSCB and provide low-level system services such as file access. The NGSCB software system is an optional OS component that boots after the OS boots and lets the user run legacy applications (e.g., today's version of Microsoft Office) and specially written applications in a protected memory space that's separate from the unprotected parts of the system. At the heart of the software side is the NGSCB nexus, which handles interactions between the protected and nonprotected worlds. The nexus works with software agents called Nexus Computing Agents (NCAs) to provide a variety of cryptographic services to the software environment. Logically, the NGSCB nexus is the kernel mode portion of the Palladium software environment, and the NCAs pass and process information between it and (user-mode) applications. Palladium will also require protected versions of virtually every software component in Windows, including the graphics subsystem and device drivers.
To make the technology more approachable, Microsoft usually describes these NGSCB components by their capabilities, not by discrete part. NGSCB PCs, the company says, will provide the following capabilities: - Attestation. This capability basically means notarization. Documents, data, and applications running in the NGSCB software environment can be tested and proven to be "good" or "bad." Attestation is similar the question you get about your bags at the airport: "Has this Microsoft Word document ever been outside your control, or outside the control of a NGSCB-powered environment?" If so, it can't be trusted. In NGSCB, attestation applies to virtually anything you can think of: PC, hardware devices attached to the system, software environment, applications, documents, or users.
- Sealed storage. NGSCB seals off its software environment, physically and logically, from the rest of the system, ensuring that data and information stored within are safe. Users can encrypt data to ensure that nothing or no one outside of the safe NGSCB environment can access the data.
- Process isolation. Applications and services running inside the NGSCB environment are also physically and logically isolated from the rest of the system to ensure that they're protected and isolated from unsafe code.
- Secure input and output. NGSCB-enabled keyboards encrypt keystrokes before sending them inside the NGSCB environment, ensuring that intruders can't imitate keystrokes, or other users can't sit down at the system and access your private data. Microsoft also says that information displayed to the user is "presented so that no one else can intercept and read it." Microsoft hasn't publicly demonstrated this last feature but showed it a few weeks ago at Windows Hardware Engineering Conference (WinHEC) 2003.
Combined, these capabilities will attempt to engender the trust concept I wrote about last week. The way the technology works in day-to-day life is predictable: When you create a Word document in an NGSCB environment and attempt to email it to a non-Palladium-enabled coworker, you'll receive a warning that such a transmission could compromise the data. However, with data exchanged within an NGSCB environment, you can encrypt it and set certain limits on its use. For example, you can specify that an NGSCB-enabled coworker can't print, copy, paste, or forward an email message you send, and NGSCB will enforce the restriction. So what won't NGSCB do? It won't provide a simple one-step, plug-in security solution, because overall NGSCB adoption will limit its capabilities initially. It won't automatically stop spam, worms, or viruses because most of those compromises find their way into PCs when users specifically let them in. However, NGSCB will provide a more secure, reliable, and privacy-friendly computing environment than today's PCs and present a platform for building better tools for eliminating today's vulnerabilities. Those who use Palladium to its fullest will be more secure by default, although as with any system, user error will continue to be a problem. NGSCB technology comprises a lot more functionality, but I'm running out of space. For more technical information, please refer to the Microsoft Next-Generation Secure Computing Base - Technical FAQ ( http://www.microsoft.com/technet/security/news/ngscb.asp ). And keep those questions coming. I suspect NGSCB is a topic we'll be revisiting in the days ahead.