NGSCB Seminar Report


Upload: ajay-nandakumar, posted 24-Apr-2015

Page 1: NGSCB Seminar Report

NGSCB

1 INTRODUCTION

Today's personal computing environment is built on flexible, extensible, and feature-rich platforms that enable consumers to take advantage of a wide variety of devices, applications, and services. Unfortunately, the evolution of shared networks and the Internet has made computers more susceptible to attacks at the hardware, software, and operating system levels. Increasing existing security measures, such as adding more firewalls and creating password protection schemes, can slow data delivery and frustrate users. Using only software-based security measures to protect existing computers is starting to reach the point of diminishing returns.

These new problems have created the need for a trustworthy computing platform. Users want computers that provide both ease of use and protection from malicious programs that can damage their computers or access their personal information. Because they use their computers to process and store more and more valuable and important data, users need a platform that addresses their data security, personal privacy, and system integrity needs.

IT DEPARTMENT,UCE,KARIAVATTOM Page 1

The next-generation secure computing base (NGSCB) is a combination of new hardware and operating system features that provides a solid foundation on which privacy- and security-sensitive software can be built. NGSCB does not affect the software running in the main operating system; rather, NGSCB-capable computers provide an isolated execution environment. With NGSCB-capable computers, users can choose to work within the standard operating system environment using their existing applications, services, and devices without any changes, or they can choose to run critical processes by using NGSCB-trusted components that exist in a separate, protected operating environment.

1.1 TRUSTED COMPUTING

Trusted Computing (TC) is a technology developed and promoted by the Trusted Computing Group, an initiative started by companies such as AMD, Intel, IBM and Microsoft. With Trusted Computing, the computer will consistently behave in expected ways, and those behaviours will be enforced by hardware and software. In practice, Trusted Computing uses cryptography to help enforce a selected behaviour. The main functionality of TC is to allow someone else to verify that only authorized code runs on a system. It aims to provide a level of security which is beyond the control of the PC user, and is therefore resistant to attacks which the user may deliberately or accidentally allow. Trusted computing wrests control from the PC's owner/user, and potentially places it in the hands of content providers or other parties.

2 MICROSOFT PALLADIUM - NGSCB

The Next-Generation Secure Computing Base (NGSCB), formerly known as Palladium, is a software architecture designed by Microsoft which is expected to implement the "Trusted Computing" concept on future versions of the Microsoft Windows operating system. Palladium is part of Microsoft's Trustworthy Computing initiative. Microsoft's stated aim for Palladium is to increase the security and privacy of computer users. Palladium involves a new breed of hardware and applications along with changes to the architecture of the Windows operating system. Designed to work side-by-side with the existing functionality of Windows, this significant evolution of the personal computer platform will introduce a level of security that meets the rising customer requirements for data protection, integrity and distributed collaboration. It is designed to give people greater security, personal privacy and system integrity. Palladium also provides Internet security, such as protecting data from viruses and hacking.

In addition to new core components in Windows that will move the Palladium effort forward, Microsoft is working with hardware partners to build Palladium components and features into their products. The new hardware architecture involves some changes to CPUs which are significant from a functional perspective. There will also be a new piece of hardware called for by Palladium that you might refer to as a security chip. It will provide a set of cryptographic functions and keys that are central to what we're doing. There are also some associated changes under the chipset, and the graphics and I/O system through the USB port, all designed to create a comprehensive security environment.

"Palladium" is the code name for an evolutionary set of features for the Microsoft Windows operating system. When combined with a new breed of hardware and applications, "Palladium" gives individuals and groups of users greater data security, personal privacy and system integrity. Designed to work side-by-side with the existing functionality of Windows, this significant evolution of the personal computer platform will introduce a level of security that meets the rising customer requirements for data protection, integrity and distributed collaboration.

NGSCB relies on hardware technology designed by members of the Trusted Computing Group (TCG), which provides a number of security-related features, including fast random number generation, a secure cryptographic co-processor, and the ability to hold cryptographic keys in a manner that should make them impossible to retrieve, even for the machine's owner. It is this latter ability that makes remote attestation of the hardware and software configuration of an NGSCB-enabled computer possible, and to which the opponents of the scheme chiefly object. Several computer manufacturers are selling computers with the Trusted Platform Module chip, notably IBM/Lenovo ThinkPads and the Dell OptiPlex GX620.

Users implicitly trust their computers with more of their valuable data every day. They also trust their computers to perform more and more important financial, legal and other transactions. "Palladium" provides a solid basis for this trust: a foundation on which privacy- and security-sensitive software can be built. There are many reasons why "Palladium" will be of advantage to users. Among these are enhanced, practical user control; the emergence of new server/service models; and potentially new peer-to-peer or fully peer-distributed service models. The fundamental benefits of "Palladium" fall into three chief categories: greater system integrity, superior personal privacy and enhanced data security. These categories are illustrated in Fig 1.1.

Fig 1.1 Palladium enabled system

Today's personal computing environment has advanced in terms of security and privacy, while maintaining a significant amount of backward compatibility. However, the evolution of a shared, open network (the Internet) has created new problems and requirements for trustworthy computing. As the personal computer grows more central to our lives at home, work and school, consumers and business customers alike are increasingly aware of privacy and security issues. Now, the pressure is on for industry leaders to take the following actions:

• Build solutions that will meet the pressing need for reliability and integrity.
• Make improvements to the personal computer such that it can more fully reach its potential and enable a wider range of opportunities.
• Give customers and content providers a new level of confidence in the computer experience.
• Continue to support backward compatibility with existing software and user knowledge that exists with Windows systems today.

Together, industry leaders must address these critical issues to meet the mounting demand for trusted computing while preserving the open and rich character of current computer functionality.

3 ARCHITECTURE

"Palladium" comprises two key components: hardware and software.

3.1 Hardware Components

The hardware components of the Next Generation Secure Computing Base (NGSCB) are also known as the Trusted Computing Platform (TCP), which includes:

• Trusted Platform Module (TPM)
• Curtained memory feature

Trusted Platform Module (TPM)

The Trusted Platform Module (TPM) is a hardware chip embedded in the motherboard, also called the SSC (Security Support Component). It provides a number of security-related features, including fast random number generation, a secure cryptographic co-processor, and the ability to hold cryptographic keys in a way that prevents anyone, even the machine's owner, from retrieving them. It carries a unique public/private key pair for the computer to establish its identity when needed.

Fig 2: TPM architecture

• Random Number Generator: used for generating asymmetric as well as symmetric keys.
• Asymmetric key generation: this module generates RSA keys for the TPM.
• Hash engine: provides SHA-1 functionality.
• Encryption/decryption engine: used for signing/verifying with AIK keys.

The various keys used in the TPM are:

1. The Endorsement Key (EK) is a pair of RSA keys that is installed when the TPM is manufactured. The public EK value is used to uniquely identify a TPM and will not change during the TPM's lifetime. The private part of that key cannot be extracted from the TPM, and records of it at manufacture time should be destroyed. Trusted computing wrests control from the PC's owner/user, and potentially places it in the hands of content providers or other parties. The uniqueness of the TPM EK threatens the privacy of the PC user.

2. The Storage Root Key (SRK) is also a pair of RSA keys, used to encrypt other keys stored outside the TPM. The SRK is in effect the Root of Trust for Storage (explained later). The SRK can change when a new user takes ownership of the TPM.

3. Platform Configuration Registers (PCRs) store platform configuration measurements. These measurements are normally hash values (SHA-1) of entities (applications) running on the platform.

4. Attestation Identity Key (AIK): used in remote attestation so that a remote party knows it is communicating with a valid TPM-enabled platform.

CURTAINED MEMORY

NGSCB also relies on a curtained memory feature provided by the CPU. Data within curtained memory can only be accessed by the application to which it belongs, and not by any other application or the operating system. The attestation features of the TPM can be used to confirm to a trusted application that it is genuinely running in curtained memory; it is therefore very difficult for anyone, including the owner, to trick a trusted application into running outside of curtained memory. This in turn makes reverse engineering of a trusted application extremely difficult.

Intel's Trusted Execution Technology (TXT) already offers this feature.

3.2 Software Components

The software components of the Next Generation Secure Computing Base (NGSCB) are also known as the Trusted Operating System (TOS), which includes:

• Nexus
• Nexus Computing Agents (NCAs)

NEXUS

The nexus is the component in Microsoft Windows that manages trust functionality for "Palladium" user-mode processes (agents). The nexus executes in kernel mode in the trusted space. It provides basic services to trusted agents, such as the establishment of the process mechanisms for communicating with trusted agents and other applications, and special trust services such as attestation of requests and the sealing and unsealing of secrets. Special processes that work with the nexus are called "agents". Different nexuses can run on a machine, but only one nexus at a time.

Nexus Computing Agents (NCAs)

A trusted agent is a program, a part of a program, or a service that runs in user mode in the trusted space. A trusted agent calls the nexus for security-related services and critical general services such as memory management. A trusted agent is able to store secrets using sealed storage and authenticates itself using the attestation services of the nexus. One of the main principles of trusted agents is that they can be trusted or not trusted by multiple entities, such as the user, an IT department, a merchant or a vendor. Each trusted agent or entity controls its own sphere of trust, and they need not trust or rely on each other.

Together, the nexus and trusted agents provide the following features:

• Trusted data storage: encryption services for applications to ensure data integrity and protection.
• Authenticated boot: facilities to enable hardware and software to authenticate itself.

4 COMPUTING ENVIRONMENTS

NGSCB operates two operating systems in ONE system, with two modes: Normal Mode and Trusted Mode.

Normal Mode:

◦ Unprotected environment
◦ Same as the current Windows series
◦ Fully controlled by the users

Trusted Mode:

◦ Protected environment
◦ Users have no authority to modify, delete or copy ANY content
◦ Implemented TC: hardware and software implementation
◦ Fully controlled by the computer

5 FEATURES

The four main features of NGSCB are:

1. Strong Process Isolation
2. Sealed Storage
3. Attestation
4. Secured Path I/O

STRONG PROCESS ISOLATION

• Isolates the protected and non-protected operating environments that are stored in the same memory, using the curtained memory feature of the CPU.
• Blocks Direct Memory Access (DMA) devices from reading or writing the secured block of memory.
• Blocks access by malicious code such as spyware or a viral attack, even if those attacks are launched on the same CPU at the kernel level.
• Claimed: "no illegitimate access will occur in the protected environment".

SEALED STORAGE

• Sealed storage is an authenticated mechanism that allows a program to store confidential information by sealing it.
• Sealed data is only accessible to the program, nexus, and machine that sealed it, although the capability to access it can be safely passed to other trusted programs (NCAs).
• NGSCB uses the Trusted Platform Module (TPM) to do this.
• The TPM has its own encryption services to generate cryptographic keys for sealing.
• The NCA uses these keys to encrypt data, access the file system, and provide storage services.
• Once sealed, data is safe from interception or tampering.
• Thus sealed data may be stored on unsecured disk drives, sent over unsecured transmission links, or even left in unprotected RAM with no concerns about its interception or misuse.
• Claimed: no unauthorized application can read the sealed storage whatsoever (at boot-up or while running).
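Added example, not code from the report: a Go simulation of the PCR extend operation from the TPM key list above and of sealing bound to a PCR value as described in this section. The SRK value, the HMAC-based key derivation and the AES-GCM wrapping are stand-ins for the TPM's RSA-based sealing, and the boot-stage names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// PCR models one Platform Configuration Register: a 20-byte SHA-1 register
// that starts at all zeros on reset and can only be changed through Extend.
type PCR [sha1.Size]byte

// Extend folds a new measurement in as the TPM does:
// PCR_new = SHA-1(PCR_old || SHA-1(component)). Order matters and nothing
// can "un-extend" a value, so a tampered stage leaves a permanent trace.
func (p PCR) Extend(component []byte) PCR {
	m := sha1.Sum(component)
	return sha1.Sum(append(p[:], m[:]...))
}

// MeasureChain simulates an authenticated boot: each stage is measured before it runs.
func MeasureChain(stages ...[]byte) PCR {
	var p PCR
	for _, s := range stages {
		p = p.Extend(s)
	}
	return p
}

// boundAEAD derives the per-blob cipher. The SRK never leaves the TPM, and the
// key is bound to the PCR value, so it only exists again in the same measured
// state. (Constructed HMAC derivation; a real TPM wraps RSA keys under the SRK.)
func boundAEAD(srk []byte, p PCR) (cipher.AEAD, error) {
	mac := hmac.New(sha256.New, srk)
	mac.Write(p[:])
	block, err := aes.NewCipher(mac.Sum(nil)) // 32-byte key -> AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts secret under the PCR-bound key; the PCR is also authenticated
// as associated data so a mismatch fails the integrity check, not just decryption.
func Seal(srk []byte, p PCR, secret []byte) ([]byte, error) {
	gcm, err := boundAEAD(srk, p)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, secret, p[:]), nil // blob = nonce || ciphertext+tag
}

// Unseal succeeds only when the current PCR equals the one used at seal time;
// any other platform state yields an error rather than wrong plaintext.
func Unseal(srk []byte, p PCR, blob []byte) ([]byte, error) {
	gcm, err := boundAEAD(srk, p)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], p[:])
	if err != nil {
		return nil, errors.New("unseal refused: platform state differs from seal time")
	}
	return pt, nil
}

func main() {
	srk := []byte("constructed-storage-root-key") // stand-in for the TPM's SRK
	good := MeasureChain([]byte("bios"), []byte("loader"), []byte("nexus"))
	blob, _ := Seal(srk, good, []byte("credit-card-vault"))
	_, err := Unseal(srk, good, blob)
	fmt.Println("same boot chain:", err) // <nil>
	patched := MeasureChain([]byte("bios"), []byte("loader-patched"), []byte("nexus"))
	_, err = Unseal(srk, patched, blob)
	fmt.Println("patched loader:", err) // unseal refused
}
```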

ATTESTATION

• This mechanism for authenticating the trustworthiness of software and hardware configurations is a bit like having a document notarized.
• Attestation lets other computers know that your computer is really the computer it claims to be, and is running the software it claims to be running.
• It confirms to the recipient that the data was digitally signed by the NGSCB and that the data is cryptographically identifiable.
• It is useful in networking: a machine proves its identity securely before transmitting any data.
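Added example, not code from the report: a Go model of the attestation exchange described above, with a nonce-bearing challenge from the verifier, a quote signed by the AIK over the reported PCR, and a verifier that rejects replays, bad signatures and untrusted configurations. Ed25519 stands in for the TPM's RSA AIK, and the boot-stage names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha1"
	"errors"
	"fmt"
)

// PCR models one Platform Configuration Register (a 20-byte SHA-1 register).
type PCR [sha1.Size]byte

// Extend folds a measurement in as the TPM does: SHA-1(PCR_old || SHA-1(component)).
func (p PCR) Extend(component []byte) PCR {
	m := sha1.Sum(component)
	return sha1.Sum(append(p[:], m[:]...))
}

// Quote is the platform's answer: the reported PCR, the verifier's nonce echoed back, and an AIK signature over both.
type Quote struct {
	PCR   PCR
	Nonce []byte
	Sig   []byte
}

// Platform holds the AIK private key (which never leaves a real TPM); Ed25519 stands in for the RSA AIK.
type Platform struct {
	AIK ed25519.PrivateKey
	PCR PCR
}

// quoteMessage fixes what the signature covers: a domain tag, the PCR, the nonce.
func quoteMessage(p PCR, nonce []byte) []byte {
	return append(append([]byte("NGSCB-QUOTE"), p[:]...), nonce...)
}

// Quote signs the TPM's own PCR (not a software-supplied value) with the AIK.
func (pl *Platform) Quote(nonce []byte) Quote {
	return Quote{PCR: pl.PCR, Nonce: nonce, Sig: ed25519.Sign(pl.AIK, quoteMessage(pl.PCR, nonce))}
}

// Verifier knows the AIK public key and the PCR it trusts, and tracks nonces it issued but has not consumed.
type Verifier struct {
	AIKPub   ed25519.PublicKey
	Expected PCR
	issued   map[string]bool
}

// Challenge issues a fresh random nonce for one attestation round.
func (v *Verifier) Challenge() ([]byte, error) {
	n := make([]byte, 16)
	if _, err := rand.Read(n); err != nil {
		return nil, err
	}
	if v.issued == nil {
		v.issued = map[string]bool{}
	}
	v.issued[string(n)] = true
	return n, nil
}

// Verify checks freshness first, then the AIK signature, then the configuration.
func (v *Verifier) Verify(q Quote) error {
	if !v.issued[string(q.Nonce)] {
		return errors.New("nonce not outstanding: replayed or unsolicited quote")
	}
	delete(v.issued, string(q.Nonce)) // each nonce is accepted once
	if !ed25519.Verify(v.AIKPub, quoteMessage(q.PCR, q.Nonce), q.Sig) {
		return errors.New("AIK signature invalid")
	}
	if q.PCR != v.Expected {
		return errors.New("platform reports software outside the trusted configuration")
	}
	return nil
}

func main() {
	_, aik, _ := ed25519.GenerateKey(rand.Reader)
	pl := &Platform{AIK: aik, PCR: PCR{}.Extend([]byte("bios")).Extend([]byte("nexus"))}
	v := &Verifier{AIKPub: aik.Public().(ed25519.PublicKey), Expected: pl.PCR}
	n, _ := v.Challenge()
	q := pl.Quote(n)
	fmt.Println("fresh:", v.Verify(q), "| replay:", v.Verify(q))
}
```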

Secure path to and from the user

• This mechanism provides a secure data channel between input and video devices and the nexus.
• It ensures the information remains secure through the input/output of the devices by encrypting the input/output, i.e. it creates a secure path.
• This allows the nexus to assure that data entered by the user and presented to the user cannot be read by Trojan programs or spyware which might try to mimic or intercept input, or to obscure or alter output.
• Protects the computer from keystroke recording (keyboard sniffing).

6 ADVANTAGES OF PALLADIUM

6.1 BLOCK MALICIOUS CODE

One of the more promising aspects that Palladium will bring to end-users is the ability to authenticate the programs they use. A user will allow certain applications access to resources. Originally, it was thought that Palladium would not permit unauthorized code to run on a system; therefore it would stop the execution of programs like viruses. Recently, however, Microsoft has backed off these claims about Palladium. Now it simply claims that Palladium will provide a secure execution environment for anti-virus programs (MS Palladium Technical FAQ). The benefit of a secure environment is that viruses and other malicious code cannot alter the behavior of a Palladium-enabled anti-virus program. Microsoft has decided that legacy support for existing Windows applications is important enough so as not to require all programs to be rewritten for Palladium. This means that existing programs and viruses will still run on a Palladium system. The implied benefit of Palladium, aside from the added protection for anti-virus programs, is the increased authentication with new Palladium-enabled programs. If Palladium proliferates as Microsoft hopes, there will come a time when legacy support will not be important anymore, and unauthorized programs will not be run. It appears as though this is the first step on the way to that idea.

6.2 DIGITAL RIGHTS MANAGEMENT

The digital rights management (DRM) potential of a Palladium system is what content producers and distributors are interested in. Digital rights management has to do with controlling to whom and for how long content is distributed. Microsoft touts Palladium as being independent of any existing DRM technology today. On the other hand, it acknowledges that Palladium systems are being designed to coincide with DRM technologies to help content developers. A Palladium system is supposed to make it easier for individual users to implement DRM on their own personal data. For example, a user may set up a vault containing credit card information. Palladium would allow the user to set up a group of trusted agents that would have access to all or certain parts of that data. Along with data, Palladium promises to give users the option to regulate the time interval during which data is available to the trusted agents they have specified.

7 DISADVANTAGES OF PALLADIUM

7.1 UPGRADES

In order to take advantage of what Palladium is supposed to offer, users will have to upgrade both their current operating systems and hardware. The next version of Windows, due out in 2004, will need hardware support for Palladium features to work at all. It is unclear at this point whether the next major Windows release will run on non-Palladium-compatible hardware. The central processing unit will have to support the trusted execution mode that Palladium offers. It is clear that future motherboards will need to contain the security chip for Palladium to run properly. More upgrades may be of concern in the area of graphics hardware and peripherals such as keyboards and mice because of the encryption between these hardware devices and the software they are interacting with.

7.2 INTEROPERABILITY

Palladium has received wide criticism for being a so-called General Public License (GPL) killer (Anderson). Now, Microsoft clearly states that the Palladium-enabled operating system will be able to co-exist with any Linux-based system, just as their operating systems do today. The question that comes to mind is: will that change with widespread adoption of the Palladium architecture? For example, if a bank switches over to exclusively Palladium systems, would customers of that bank who don't run Palladium systems be able to use the bank's services? Palladium is not a direct attack on GPL or Linux-based systems, but it is an attempt to change the rules of the game.

7.3 LEGACY PROGRAMS

By Microsoft's own admission, the Palladium-enabled operating system will not have perfect legacy support (MS Palladium Technical FAQ). All existing debuggers will need to be updated in order to work under Palladium. Performance tools that monitor operating system or user processes will need to be updated. Any memory dump software will not work correctly without changes to support Palladium. Hibernation features of motherboards will need to be updated as well. Memory scrub routines, at the hardware level, will need to be rewritten to accommodate Palladium. The reason for all of these updates is the trusted agent policy that Palladium enforces. No program is allowed to invade the execution space of any other program. In the case of a debugger, it will need special permission from the operating system to monitor the execution space of the target program. Even software developed for the TCPA specification will need to be rewritten if it tries to directly write to any TCPA hardware. This description of incompatible legacy programs is by no means comprehensive; it is simply what Microsoft is disclosing at this time.

8 NGSCB APPLICATIONS

Many applications involve NGSCB: regular computing, networking, DRM and others.

Example: Microsoft Word

◦ Restricts the user: View/Copy/Write/Open/Close
◦ Not compatible with other *.doc applications, i.e. OpenOffice
◦ A written document is signed and encrypted with Microsoft Word; only Word has the private key to decrypt it

Networking applications:

◦ Cannot file-share via P2P
◦ Cannot open your friend's packed programs
◦ Presumably secured when connected in a network

Microsoft Explorer / Outlook

◦ The user might be able to see the content but not be able to "Copy-and-Paste" to other applications
◦ Users have no right to "do whatever they wanted to do"

9 ANALYSIS AND CONCLUSIONS

Today, IT managers face tremendous challenges due to the inherent openness of end-user machines, and millions of people simply avoid some online transactions out of fear. However, with the usage of "Palladium" systems, trustworthy, secure interactions will become possible. This technology will provide tougher security defenses and more abundant privacy benefits than ever before. With "Palladium," users will have unparalleled power over system integrity, personal privacy and data security.

Independent software vendors (ISVs) that want their applications to take advantage of "Palladium" benefits will need to write code specifically for this new environment. A new generation of "Palladium"-compatible hardware and peripherals will need to be designed and built. The "Palladium" development process will require industry-wide collaboration. It can only work with broad trust and widespread acceptance across the industry, businesses and consumers.

"Palladium" is not a magic bullet. Clearly, its benefits can only be realized if industry leaders work collaboratively to build "Palladium"-compatible applications and systems, and then only if people choose to use them. But the "Palladium" vision endeavors to provide the trustworthiness necessary to enable businesses, governments and individuals to fully embrace the increasing digitization of life.

The Internet and the proliferation of digital content have sparked the need for more privacy and security of data. The looming question whenever anyone talks about security and privacy is: for whom? Palladium certainly gives digital content providers the control over their product that they have wanted for a long time. In recent months, Microsoft has clearly emphasized the benefits that the marriage of Palladium and DRM can bring to end-users. Microsoft claims that users will have complete control of their personal information. The Palladium-enabled operating system isn't due for at least another year. It could take months after the initial release for anyone to feel its effects. It is clear, however, that widespread adoption of Palladium will fundamentally change how we use our personal computers. The question is, will this change be for the better or the worse?

10 IEEE ABSTRACT

This paper appears in: Electronic and Mechanical Engineering and Information Technology (EMEIT), 2011 International Conference on
Issue Date: 12-14 Aug. 2011
Volume: 6
On page(s): 3048 - 3053
Print ISBN: 978-1-61284-087-1
INSPEC Accession Number: 12263384
Digital Object Identifier: 10.1109/EMEIT.2011.6023732
Date of Current Version: 19 September 2011

Abstract

This paper mainly analyzes Microsoft's implementation of Trusted Computing in its Next-Generation Secure Computing Base (NGSCB), investigates why NGSCB can build a secure and trusted system, and shows how it is built. In addition, Windows' security ability in withstanding attacks is also presented, and some defects that brought reproach upon NGSCB are proposed. Finally, some related works are listed and compared with the NGSCB.

Index Terms

IEEE Terms: Computer architecture, Computers, Hardware, Kernel, Security

INSPEC Controlled Indexing: next generation networks, operating systems (computers), security of data

INSPEC Non-Controlled Indexing: Microsoft implementation, NGSCB, Windows secure ability, next generation secure computing base, secure system, trusted computing technology, trusted system

Author Keywords: CPU rings, isolation kernel, kernel integrity check, trusted Comput

11 BIBLIOGRAPHY

• Paul England, Butler Lampson, John Manferdelli, Bryan Willman (Microsoft Corporation). "A Trusted Open Platform." IEEE journal, ISSN 0018-9162.
• Shu-xia Wang, Yin-chuan Wang. "Research on Trusted Computing Implementations in Windows." ISBN 978-1-4244-7669-5.
• technet.microsoft.com
• Anderson, R. "TCPA / Palladium Frequently Asked Questions Version 1.0." July 2002. University of Cambridge Online. 5 Jan 2003. <http://www.cl.cam.ac.uk/users/rja14/tcpa-faq.html>.
• Trusted Computing Group: www.trustedcomputinggroup.org
• "Microsoft Palladium." Electronic Privacy Information Center Online. <http://www.epic.org/privacy/consumer/microsoft/palladium.html>.