presentation ms paladium

Upload: sudhanshu-singh

Post on 08-Apr-2018


  • 8/7/2019 Presentation Ms Paladium


    PRESENTATION ON

    MS PALLADIUM

    Ashi Gupta

    07/CS/017


    Definition:

    Palladium, often known as the Next-Generation Secure Computing Base, is a software architecture developed by Microsoft which is expected to implement the trusted computing concept in future versions of the Microsoft Windows operating system.

    Palladium involves a new breed of hardware and applications along with the architecture of the Windows operating system.

    It is designed to work side by side with the existing functionality of Windows to introduce a level of security that meets rising customer requirements for data protection, integrity and distributed collaboration.

    It is designed to give people greater security, personal privacy and system integrity.


    Continued

    With Palladium there will be a new piece of hardware referred to as a security chip. It will provide a set of cryptographic functions and keys. There are also some associated changes under the chipset, and the graphics and I/O system through the USB port, all designed to create a comprehensive security environment.

    USER BENEFITS

    • System integrity
    • Enhances data security
    • Protects personal privacy


    Features of Palladium

    A "Palladium"-enhanced computer must continue to run any existing applications and device drivers.

    Palladium is not a separate operating system. It is an architectural enhancement to the Windows kernel, including CPU, chipsets and I/O peripherals, to create a new trusted execution subsystem.

    "Palladium"-based systems must provide the means to protect user privacy better than any OS does today.

    Palladium prevents identity theft and unauthorized access to personal data on the user's device while on the internet. Transactions and processes are reliable and verifiable. With Palladium computers, secrets are sealed and are revealed on the terms the user has specified.


    Continued

    User information is not a requirement for Palladium to work.

    Palladium authenticates hardware and software, not the users. Palladium is about platform integrity and enables users to take advantage of system trustworthiness.

    Palladium is an opt-in system.

    Palladium is entirely an opt-in solution. Systems will ship with the Palladium hardware and software features turned off. The user of the system can choose to stay with the default setting, with all Palladium-related capabilities disabled.

    Palladium does not interfere with the operation of any program running in the regular Windows environment. Everything, including the OS and viruses, runs there as it does today, so antivirus monitoring and detection software in Windows will still be needed.


    Continued

    Palladium systems will be open at all levels.

    Palladium hardware will run any nexus. Some platforms may allow a user to restrict the nexuses that are allowed to run, but the user will still be in full control of this policy.


    Components

    For the protected execution of applications, the protected OS provides:

    • Trusted space: the execution space is protected from external software attacks such as viruses. It is set up and maintained by the nexus.

    • Sealed storage: sealed storage is an authenticated mechanism that allows a program to store secrets that cannot be retrieved by non-trusted programs. These stored secrets can be tied to a machine, a nexus or an application.

    • Attestation: a mechanism that allows the user to reveal the characteristics of the operating environment to an external requestor. For example, attestation can be used to verify that the computer is running a valid version of Palladium.


    SOFTWARE COMPONENT

    NEXUS (trusted operating root, TOR)

    1. The nexus in Microsoft Windows manages the trust functionality for Palladium user-mode processes.
    2. It executes in kernel mode in trusted space.
    3. It provides services to trusted agents, such as sealing and unsealing of secrets and establishment of a mechanism for communication.

    TRUSTED AGENTS

    1. A trusted agent is a program that runs in user mode in trusted space.
    2. It calls the nexus for security-related services and memory management.

    NEXUS and TRUSTED AGENTS together provide the following facilities:

    1. Trusted data storage and encryption facilities to ensure data integrity.
    2. Enabling hardware and software to authenticate themselves.


    The initial version of Palladium requires changes to the following parts:

    • Chipset
    • Input devices like the keyboard
    • CPU
    • Video output devices like the graphics processor

    In addition, a new component must be added: a tamper-resistant secure cryptographic coprocessor (SCP).

    Palladium's changes to the CPU allow it to be placed into a new mode where certain areas of memory are restricted via a technique called "code curtaining" to an ultra-privileged piece of code called the "nub" or "TOR". The nub is a kind of trusted memory manager, which runs with more privilege than an operating system kernel. The nub also manages access to the SCP.


    Palladium PC in trusted mode

    When you want to start a Palladium PC in trusted mode, the system hardware performs "authenticated boot", in which the system is placed in a known state and a nub is loaded. A hash (SHA-1) is taken of the nub which was just loaded, and the 160-bit hash is stored unalterably in the PCR, and remains there for as long as the system continues to operate in trusted mode. Then the operating system kernel can boot, but the key to the trusted system is authentication of the nub. As long as the system is up, the SCP knows exactly which nub is currently running.

    The SCP provides a feature called "sealed storage" by means of two API calls (called SEAL and UNSEAL). If a TA running on a system in trusted mode wants to use sealed storage, it can call into the APIs implemented in the nub.


    Sealed storage

    Sealed storage is implemented by means of encryption (sealing) or decryption (unsealing) with a symmetric cipher. When the SCP is given data to seal, it's given two arguments:

    • the data itself
    • a 160-bit nub identifier

    Sealing is performed by prepending the nub identifier to the data to be sealed, and then encrypting the result with a private symmetric key -- the "platform-specific key", which varies from machine to machine and is secret. That key is kept within the SCP and is a unique identifier for the machine which performed the sealing operation.

    After encryption, the SCP returns the encrypted result as the return value of the SEAL operation.


    Unseal

    When an SCP is given encrypted data to UNSEAL, it internally attempts to decrypt the encrypted data using its platform-specific key. This means that, if the encrypted data was originally sealed on a different machine, the UNSEAL operation will fail outright immediately. (You can't take a sealed file and transfer it to another machine and unseal it there; because the platform-specific key is used for encryption and decryption, and can't be extracted from the SCP, you can only UNSEAL data on the same machine on which it was originally sealed.)

    If the decryption is successful, the SCP performs a second check: it examines the nub identifier which resides within the decrypted data. The nub identifier was specified at the time the data was originally sealed, and indicates which nub is allowed to receive the decrypted data. If the nub identifier for the decrypted data is identical to the nub identifier which is currently stored in the PCR (which is the SHA-1 hash of the currently-running nub on the machine at the moment UNSEAL was called), the UNSEAL is successful and the decrypted data is returned to the calling nub. However, if the nub identifier does not match the contents of the PCR, the SCP concludes that the nub which is currently running is not entitled to receive this data, and discards it.
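
The authenticated boot, SEAL and UNSEAL steps described above, as an added Python model that is not part of the original presentation and is not Microsoft code. The `SCP` class, its method names, and the HMAC-SHA256 counter-mode cipher with an integrity tag are assumptions: the slides only say "a symmetric cipher" and do not say how a failed decryption is detected.

```python
import hashlib, hmac, os

class SCP:
    """Toy model of the security coprocessor: platform key plus PCR (constructed)."""

    def __init__(self):
        key = os.urandom(32)  # platform-specific key, differs per machine, never exported
        self._enc = hmac.new(key, b"enc", hashlib.sha256).digest()
        self._mac = hmac.new(key, b"mac", hashlib.sha256).digest()
        self.pcr = None

    def authenticated_boot(self, nub_image: bytes) -> bytes:
        self.pcr = hashlib.sha1(nub_image).digest()  # 160-bit hash of the loaded nub
        return self.pcr

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        # Stand-in symmetric cipher (assumption): HMAC-SHA256 keystream in counter mode.
        stream = b""
        for ctr in range(len(data) // 32 + 1):
            stream += hmac.new(self._enc, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        return bytes(a ^ b for a, b in zip(data, stream))

    def seal(self, data: bytes, nub_id: bytes) -> bytes:
        if len(nub_id) != 20:
            raise ValueError("nub identifier must be 160 bits")
        nonce = os.urandom(16)
        ct = self._xor_stream(nonce, nub_id + data)  # prepend nub id, then encrypt
        tag = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    def unseal(self, blob: bytes) -> bytes:
        nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
        expected = hmac.new(self._mac, nonce + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("not sealed by this platform")    # first check: platform key
        plain = self._xor_stream(nonce, ct)
        nub_id, data = plain[:20], plain[20:]
        if self.pcr is None or not hmac.compare_digest(nub_id, self.pcr):
            raise PermissionError("running nub is not entitled to this data")  # second check: PCR
        return data
```

Calling `authenticated_boot` a second time on the same object models a reboot into a different nub; within one trusted-mode session the PCR stays fixed, as the slides state.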


    Advantages

    • Blocks malicious code
    • Digital rights management


    Disadvantages

    Upgrades

    In order to take advantage of what Palladium is supposed to offer, users will have to upgrade both their current operating systems and hardware. The central processing unit will have to support the trusted execution mode that Palladium offers. It is clear that future motherboards will need to contain the security chip for Palladium to run properly (MS Palladium Technical FAQ). More upgrades may be of concern in the area of graphics hardware and peripherals such as keyboards and mice because of the encryption between these hardware devices and the software they are interacting with.

    Interoperability

    The problem with Palladium-enabled systems is interoperability. For instance, if a bank switches over to exclusively Palladium systems, would customers of that bank who don't run Palladium systems be able to use the bank's services?


    Conclusion

    Today, IT managers face tremendous challenges due to the inherent openness of end-user machines, and millions of people simply avoid some online transactions out of fear. However, with the usage of "Palladium" systems, trustworthy, secure interactions will become possible.

    This technology will provide tougher security defenses and more abundant privacy benefits than ever before. With "Palladium," users will have power over system integrity, personal privacy and data security.


    THANK YOU