NGSCB: Back to the Drawing Board
May 31, 2004

"Trusted computing" technology plans for Windows are undergoing a major revision, Microsoft has announced. Specifically, the company is redesigning the Next-Generation Secure Computing Base (NGSCB), a technology that would employ hardware to secure sensitive data on PCs. NGSCB was slated to be a feature of the next version of Windows, but it was never fully developed and little is known about the new architecture. Partners and customers should wait for clear information, including detailed documentation and a new build that enables existing applications to be updated to take advantage of NGSCB, before writing NGSCB into any future planning.

Scope Had Already Been Reduced

NGSCB, initially code-named Palladium, was the cornerstone of Microsoft's long-term plans to better secure Windows by using a new generation of PC hardware specifically designed to enhance security and privacy by protecting sensitive data from leaks, and to reduce piracy by protecting sensitive content (such as digital music) from unauthorized copying. In particular, NGSCB was intended to provide the following capabilities on the Windows platform:

  • Strong process isolation—a secure area of memory would be used to process data with high security requirements
  • Sealed storage (originally called the lockbox)—data would be encrypted in a way that allowed only trusted agents or entities to have access
  • Attestation—cryptographic hashes would confirm the identities of users, software, and data and would ensure that they were known and trusted
  • Secure paths to users—new input (including the keyboard and mouse) and output (secure regions of graphic cards and displays) systems would be created to ensure that data was secure as it moved in and out of the computer.

The capabilities would all rely on a Trusted Platform Module (TPM), hardware built onto a PC's motherboard, which would perform critical tasks such as storing secret keys and checking that only trusted components are given access to sensitive areas of memory. Hardware support would make it more difficult for hackers to compromise the system.

NGSCB was related to the efforts of the Trusted Computing Group, of which Microsoft is a member, but focused exclusively on the Windows platform.

However, at its Professional Developers Conference (PDC) in Oct. 2003, Microsoft began reining in the scope of NGSCB, focusing the first release on a limited set of threats and users to make sure that NGSCB could be delivered as part of Longhorn, the next major client version of Windows.

Mitigated threats. The revised version of NGSCB was to target a few typical threats to security and privacy, including the following:

  • Process isolation and sealed storage would prevent rogue applications from tampering with data
  • Sealed storage and secure paths would prevent rogue applications from disclosing secure data
  • Users would not be able to falsely claim that a rogue application or virus changed data because NGSCB would have verified through attestation that the application, computer configuration, and user were trusted
  • Identity spoofing would be prevented because NGSCB would be able to confirm, via attestation and the secure I/O path, that agents were dealing with a specific user or a specific server rather than with a rogue application appearing to be that user or server.
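As an added illustration of the four capabilities listed above and the rogue-application threats just described (a constructed model, not Microsoft's NGSCB code): a toy TPM keeps a root key on the chip and a measurement register that is extended with the hash of every loaded component; data sealed in a trusted state cannot be unsealed once an untrusted component has been loaded, and a quote lets a verifier check the current state against a known-good value. The component names, the HMAC-based toy cipher and the shared quote key are all assumptions made for the example.

```python
import hashlib, hmac, os

# Constructed model of the TPM-backed concepts above (not Microsoft's code):
# a root key that never leaves the chip plus a measurement register (PCR)
# extended with the hash of every component loaded into the secure area.
class ToyTPM:
    def __init__(self):
        self.root_key = os.urandom(32)
        self.pcr = b"\x00" * 32
    def extend(self, component: bytes) -> bytes:
        # PCR_new = H(PCR_old || H(component)): order and content both matter
        self.pcr = hashlib.sha256(self.pcr + hashlib.sha256(component).digest()).digest()
        return self.pcr
    def _derive(self, label: bytes, pcr: bytes) -> bytes:
        return hmac.new(self.root_key, label + pcr, hashlib.sha256).digest()
    def _xor(self, key: bytes, data: bytes) -> bytes:
        # Toy keystream (HMAC in counter mode); a real TPM would use AES/RSA
        ks = b"".join(hmac.new(key, i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range(len(data) // 32 + 1))
        return bytes(a ^ b for a, b in zip(data, ks))
    def seal(self, data: bytes) -> bytes:
        # Sealed storage: both keys are bound to the PCR value at seal time
        ct = self._xor(self._derive(b"enc", self.pcr), data)
        return ct + hmac.new(self._derive(b"mac", self.pcr), ct, hashlib.sha256).digest()
    def unseal(self, blob: bytes):
        # Keys are re-derived from the *current* PCR: if any measured component
        # changed, the MAC check fails and the data stays locked
        ct, tag = blob[:-32], blob[-32:]
        expect = hmac.new(self._derive(b"mac", self.pcr), ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None
        return self._xor(self._derive(b"enc", self.pcr), ct)
    def quote(self, nonce: bytes) -> bytes:
        # Attestation: keyed statement of the current PCR, fresh per nonce
        # (toy shares the key with the verifier; real designs use a signing key)
        return self._derive(b"quote" + nonce, self.pcr)

def verify_quote(tpm: ToyTPM, nonce: bytes, known_good_pcr: bytes, q: bytes) -> bool:
    # Verifier accepts only if the quote matches the expected trusted state
    return hmac.compare_digest(tpm._derive(b"quote" + nonce, known_good_pcr), q)

def demo():
    tpm = ToyTPM()
    tpm.extend(b"trusted-loader-v1")                  # constructed component names
    good_pcr = tpm.extend(b"trusted-agent-v1")
    blob = tpm.seal(b"agent secret")
    before = tpm.unseal(blob)                         # trusted state: plaintext
    attested = verify_quote(tpm, b"n1", good_pcr, tpm.quote(b"n1"))
    tpm.extend(b"rogue-plugin")                       # untrusted code loaded
    after = tpm.unseal(blob)                          # PCR differs: None
    return before, after, attested
```

Running `demo()` returns the plaintext for the trusted state, `None` once the rogue component has been measured, and `True` for the quote taken in the trusted state.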

Targeted user base. The revised version of NGSCB was to target enterprise customers and corporate users, who were most likely to acquire the required hardware and write the applications that would take advantage of the new security systems.

Why Redesign NGSCB?

At its Windows Hardware Engineering Conference (WinHEC) in May 2004, Microsoft announced that it had changed direction on NGSCB again. Not only has it reined in NGSCB's initial scope, but it is almost completely redesigning NGSCB to address feedback from customers and partners who had worked with the prerelease version of NGSCB provided at the PDC.

Specifically, Microsoft is responding to the following feedback:

  • Existing applications could not benefit from the NGSCB secure environment without being rewritten
  • It was too hard to develop new NGSCB-enabled applications, especially as they had to be written in unmanaged code using the C language.

In addition, the following factors are probably contributing to the change in direction:

  • NGSCB did not appear to be in line with other Longhorn initiatives, such as the preferred use of managed code for applications
  • It was too difficult for customers and hardware manufacturers (whose support was necessary) to understand what problems NGSCB solved
  • Apart from the approval of the TPM 1.2 specification, the secure hardware necessary for NGSCB is scarce. The required secure graphics cards, mice, and keyboards are not yet being manufactured, but even with the previous architecture it may have been too early in the development process for hardware manufacturers to create more than prototypes.

What to Watch For

Although Microsoft says that NGSCB is still an active initiative, partners should wait for clear signs from Microsoft before proceeding with development of any NGSCB-related hardware or software. Prerequisites for proceeding include clear information about and documentation for the new NGSCB architecture, a build of NGSCB that supports existing applications, and an SDK to enable developers to write NGSCB-compatible applications.

Although Microsoft is currently saying that some form of NGSCB will still be a part of Longhorn, it is not clear what threats this first release of NGSCB will mitigate. Moreover, if this first release is not ready in time for Longhorn, it seems unlikely that Microsoft would delay the OS for NGSCB.

Resources

As of press time (late May 2004), Microsoft had not updated information at either the NGSCB or MSDN Web sites to reflect the change in direction.

The NGSCB Web site is at www.microsoft.com/resources/ngscb/default.mspx.