Upload
madlyn-boone
View
221
Download
1
Tags:
Embed Size (px)
Citation preview
Privacy, Security Privacy, Security And Content And Content In WindowsIn Windows®® Platforms Platforms
AgendaAgenda
Privacy, Security, ContentPrivacy, Security, Content Peter N. Biddle, MS Peter N. Biddle, MS
Technical EvangelistTechnical Evangelist MS DRMMS DRM
Marcus Peinado, MS DRM ArchitectMarcus Peinado, MS DRM Architect The Open Trusted PCThe Open Trusted PC
Paul England, MS ArchitectPaul England, MS Architect
A Definition Of TrustA Definition Of TrustPrivacyPrivacy
No matter where No matter where mymy data is, privacy is about data is, privacy is about keeping keeping youyou from benefiting from access to it from benefiting from access to it without without mymy informedinformed consent consent My data can be anything I own and control My data can be anything I own and control
the rights tothe rights to I want to be able to protect it no matter where it isI want to be able to protect it no matter where it is Consent is not enough - users need to understandConsent is not enough - users need to understand Need to provide for the needs of the user first Need to provide for the needs of the user first
while allowing the device to functionwhile allowing the device to function
A Definition Of TrustA Definition Of TrustComputer SecurityComputer Security
If If mymy computer holds computer holds mymy data, data, computer security is about keeping computer security is about keeping youyou from benefiting from from benefiting from unauthorized access to unauthorized access to mymy data data Traditional model of securityTraditional model of security Can include things like Can include things like
physical barriersphysical barriers
A Definition Of TrustA Definition Of TrustContent ProtectionContent Protection
If If mymy computer holds computer holds youryour data, data, content access is about keeping content access is about keeping meme from benefiting from unauthorized from benefiting from unauthorized access to access to youryour data data Your data is anything you ownYour data is anything you own You can associate rules with it’s useYou can associate rules with it’s use Use encryption, authentication to Use encryption, authentication to
enforce rules enforce rules Need to focus less on preventing access Need to focus less on preventing access
and more on allowing accessand more on allowing access
There Is No Difference There Is No Difference Between Privacy Protection, Between Privacy Protection,
Computer Security, And Computer Security, And Content ProtectionContent Protection
Did He Really Say That?Did He Really Say That?
There is no difference between There is no difference between protecting someone's privacy protecting someone's privacy and protecting someone’s contentand protecting someone’s content
Assurances of trust must be Assurances of trust must be universally trueuniversally true
For anything and everything that For anything and everything that anyone would want to apply rules toanyone would want to apply rules to A “privacy object” is a A “privacy object” is a
“content object”“content object”
I Want To Eliminate Our I Want To Eliminate Our Ability To Invade Anybody Ability To Invade Anybody
Else’s PrivacyElse’s Privacy
Trusted WindowsTrusted Windows
Create a platform that will protect Create a platform that will protect users from “us”users from “us” This is trustThis is trust
Make it extremely difficult to break Make it extremely difficult to break Windows trustWindows trust
Technical means are a cornerstone Technical means are a cornerstone of trustof trust Technology can protect Technology can protect
against invasionsagainst invasions Laws can lock up violatorsLaws can lock up violators
What Is Piracy?What Is Piracy?
Piracy is the un-licensed use of Piracy is the un-licensed use of someone’s digital propertysomeone’s digital property Piracy does not automatically result Piracy does not automatically result
in lost revenuein lost revenue EG, if I were to make a copy of MS Office EG, if I were to make a copy of MS Office
on a CD-R, and then destroy the CD-R, on a CD-R, and then destroy the CD-R, there would be no lost revenuethere would be no lost revenue
Some piracy can even foster sales Some piracy can even foster sales of some kinds of digital propertyof some kinds of digital property
Eliminating all piracy is Eliminating all piracy is prohibitively expensiveprohibitively expensive It also pisses off your loyal customersIt also pisses off your loyal customers
Does Microsoft Want To Make Does Microsoft Want To Make Piracy On The Windows Piracy On The Windows Platform Impossible?Platform Impossible? We are not police officers, nor do We are not police officers, nor do
we play them on TVwe play them on TV Designing an OS that eliminates Designing an OS that eliminates
piracy would be like trying to piracy would be like trying to design a car that can’t be used as a design a car that can’t be used as a getaway vehiclegetaway vehicle We don’t know how to do thisWe don’t know how to do this We don’t want to do thisWe don’t want to do this
Piracy Comes In Three Piracy Comes In Three Flavors – Good, Bad, Flavors – Good, Bad,
And TolerableAnd Tolerable
There Is Such A Thing There Is Such A Thing As Good PiracyAs Good Piracy Piracy that actually fosters more purchases Piracy that actually fosters more purchases
of content can be “good”of content can be “good” There is no easy way to quantify thisThere is no easy way to quantify this
Tolerable levels of piracy are any amount Tolerable levels of piracy are any amount that a content owner chooses to sustain that a content owner chooses to sustain in order to meet a specific goalin order to meet a specific goal EG, not pissing off customersEG, not pissing off customers
We want to keep piracy tolerable We want to keep piracy tolerable at a minimum at a minimum at a level that allows for sustainable economics at a level that allows for sustainable economics
for all digital content creatorsfor all digital content creators It is no fun to be a starving artistIt is no fun to be a starving artist
Content We Can Protect Content We Can Protect From PiracyFrom Piracy Content that is encrypted or Content that is encrypted or
scrambled, <and>scrambled, <and> that has rules associated with that has rules associated with
it, <and>it, <and> that requires use of special SW to that requires use of special SW to
accessaccess ……must be protected.must be protected.
Content We Cannot Protect Content We Cannot Protect From PiracyFrom Piracy Unknown ContentUnknown Content
Content that looks “free” to the OSContent that looks “free” to the OS Redbook AudioRedbook Audio Un-encrypted softwareUn-encrypted software
Content that is free to the OSContent that is free to the OS ASCII text filesASCII text files HTMLHTML
Content we cannot understandContent we cannot understand Content that has been encrypted or Content that has been encrypted or
formatted using proprietary schemesformatted using proprietary schemes
There Will Be Some There Will Be Some Badness In This WorldBadness In This World Users will have their privacy invadedUsers will have their privacy invaded Computers will be hackedComputers will be hacked Content will be piratedContent will be pirated Our goal is to make these things the Our goal is to make these things the
exception, not the ruleexception, not the rule Create a Trusted Windows Platform as Create a Trusted Windows Platform as
trustworthy as the Telephone is todaytrustworthy as the Telephone is today
Protecting PrivacyProtecting Privacy
HW-based encryption can be used HW-based encryption can be used to protect documentsto protect documents
Smart Card that allows users Smart Card that allows users to authenticate a PCto authenticate a PC As opposed to now, where a PC authenticates As opposed to now, where a PC authenticates
a usera user Authentication can allow an end-user to Authentication can allow an end-user to
verify that a third party is *exactly* what it verify that a third party is *exactly* what it says it issays it is
Anonymous authentication is even possibleAnonymous authentication is even possible You don’t know who I am but someone you trust You don’t know who I am but someone you trust
doesdoes and can vouch for me and my computer and can vouch for me and my computer
Securing A PlatformSecuring A Platform
Ensures that a system is what it Ensures that a system is what it says it issays it is
Code signingCode signing Ensures that a legitimate user can’t Ensures that a legitimate user can’t
load illegitimate codeload illegitimate code Ensures that an illegitimate user can’t Ensures that an illegitimate user can’t
load illegitimate codeload illegitimate code Allows a computer and user Allows a computer and user
to authenticate themselves to authenticate themselves to a third partyto a third party
ContentContent
ApplicationApplication
OSOS
HardwareHardware
Protecting ContentProtecting Content
Content has Content has associated associated ACL/license: ACL/license: hardware, OS, hardware, OS, application, termsapplication, terms
Customers can Customers can access the content access the content based on the terms based on the terms of the ACLof the ACL
SummarySummary
Think about these concepts as you Think about these concepts as you listen to this sessionlisten to this session
Apply them to what you are doing Apply them to what you are doing in this spacein this space
Two areas of focus in this session:Two areas of focus in this session: What we are doing today to “secure” the What we are doing today to “secure” the
Windows platform in SW aloneWindows platform in SW alone What we will be doing in the future to What we will be doing in the future to
secure the platform using some secure the platform using some combination of ubiquitous HW and SWcombination of ubiquitous HW and SW
Digital Rights Digital Rights Management And Content Management And Content Protection ArchitecturesProtection Architectures
Marcus PeinadoMarcus PeinadoMicrosoftMicrosoftDigital Media DivisionDigital Media [email protected]@microsoft.com
OverviewOverview
Digital rights management (DRM): Digital rights management (DRM): fundamentals and visionfundamentals and vision Commerce scenariosCommerce scenarios Security challengesSecurity challenges
Microsoft RightsmanagerMicrosoft Rightsmanager System featuresSystem features
OverviewOverview
Digital rights management (DRM): Digital rights management (DRM): fundamentals and visionfundamentals and vision Commerce scenariosCommerce scenarios Security challengesSecurity challenges
Microsoft RightsmanagerMicrosoft Rightsmanager System featuresSystem features
E-Commerce / Physical DistributionE-Commerce / Physical Distribution
Commerce siteCommerce site
(Store front)(Store front) customercustomerinternetinternet
1.1. Customer selects productCustomer selects product
(book, CD, DVD, software, hiking boots)(book, CD, DVD, software, hiking boots)
2. Customer pays2. Customer pays
3. Merchant ships physical product3. Merchant ships physical product
Credit Credit CardCard
customercustomerUPSUPS
IEIE
E-Commerce / E-Commerce / Electronic DistributionElectronic Distribution
Commerce siteCommerce site
(Store front)(Store front) customercustomerinternetinternet
1.1. Customer selects product Customer selects product (book, audio, video, software, (book, audio, video, software, no hiking bootsno hiking boots))
2. Customer pays2. Customer pays
3. 3. Customer downloads digital contentCustomer downloads digital content
credit credit cardcard
customercustomerinternetinternet
IEIE
4.4. customercustomer friendfriend
friendfriend
friendfriend
friendfriendfriendfriend
E-commerce / E-commerce / electronic distributionelectronic distribution / / Digital Rights ManagementDigital Rights Management
Commerce siteCommerce site
(Store front)(Store front)customercustomerinternetinternet
1.1. 2. 3. Customer selects content 2. 3. Customer selects content (book, audio, video) and (book, audio, video) and accessaccess optionoption, pays, downloads content, pays, downloads content
0. Content owner specifies how 0. Content owner specifies how content may be accessed (off line)content may be accessed (off line)
4. DRM system tries to enforce 4. DRM system tries to enforce access rulesaccess rules
DRM: General ModelDRM: General Model
Content owner specifies how the Content owner specifies how the content may be accessedcontent may be accessed
Access specification will be Access specification will be enforced subject to the overall enforced subject to the overall security level of the systemsecurity level of the system
Access specifications enable Access specifications enable business models (e.g. pay-per-view, business models (e.g. pay-per-view, rental etc)rental etc)
Compare with Pay-TV schemesCompare with Pay-TV schemes
OverviewOverview
Digital rights management (DRM): Digital rights management (DRM): fundamentals and visionfundamentals and vision Commerce scenariosCommerce scenarios Security challengesSecurity challenges
Microsoft RightsmanagerMicrosoft Rightsmanager System featuresSystem features
General DRM GoalGeneral DRM Goal
Traditional PC security: Protect a Traditional PC security: Protect a good host from a hostile applicationgood host from a hostile application
DRM security: Protect a trusted DRM security: Protect a trusted application in a hostile application in a hostile host environmenthost environment Adversary has full physical controlAdversary has full physical control Plaintext content must be accessiblePlaintext content must be accessible
End-user PC End-user PC
DRM CoreDRM Core
DRM ClientDRM Client
Rendering Rendering applicationapplication
Other Other componentscomponents Requirements:Requirements:
1. Secret hiding1. Secret hiding
2. Secure execution2. Secure execution
3. Verification of 3. Verification of other componentsother components
Building Upon 1,2,3Building Upon 1,2,3
Assuming that primitives 1,2,3 are Assuming that primitives 1,2,3 are available, a secure content available, a secure content protection system can be built protection system can be built using standard cryptography using standard cryptography
Implementing Primitives 1,2,3Implementing Primitives 1,2,3
Known approaches:Known approaches: Secure hardware (e.g. Secure Secure hardware (e.g. Secure
Co-Processor)Co-Processor) Tamper resistant softwareTamper resistant software Security by obscuritySecurity by obscurity
All known protection methods can All known protection methods can be corrupted by a sufficiently be corrupted by a sufficiently powerful adversarypowerful adversary
Adversary ModelsAdversary Models
Naïve:Naïve: will copy files (mp3); may be will copy files (mp3); may be willing to install hacked programs; willing to install hacked programs; will not actively hackwill not actively hack
Skilled:Skilled: in-depth knowledge, but no in-depth knowledge, but no commercial interest; will break commercial interest; will break most software protection most software protection mechanismsmechanisms
Professional:Professional: pirate corporation; pirate corporation; commercial interest and funds to commercial interest and funds to hire skilled pirates; may reverse-hire skilled pirates; may reverse-engineer hardware protectionengineer hardware protection
RenewabilityRenewability
Fundamental Law of Anti-PiracyFundamental Law of Anti-Piracy Any given content protection Any given content protection
component (software, hardware) will component (software, hardware) will be subverted by a sufficiently be subverted by a sufficiently powerful adversarypowerful adversary
Parameters:Parameters: Value of the protected assetsValue of the protected assets Time until breakTime until break Resources of attackerResources of attacker
RenewabilityRenewability
Allow easy recovery from breaksAllow easy recovery from breaks Disable / Revoke broken components Disable / Revoke broken components
Revocation of DRM clientsRevocation of DRM clients Revocation of processing componentsRevocation of processing components
Field upgrade to re-enable the systemField upgrade to re-enable the system Individualization toIndividualization to
Reduce scope of individual breaksReduce scope of individual breaks Improve granularity of revocationImprove granularity of revocation
PCPC
PCPC
PCPC
PCPC
PCPC
DRM DRM administratoradministrator
Content Content owner owner
Content Content owner owner
RenewabilityRenewability
PCPC
PCPC
PCPC
PCPC
PCPC
DRM DRM administratoradministrator
Content Content owner owner
Content Content owner owner
Renewability: 1. Deployment Of DRMRenewability: 1. Deployment Of DRM
PCPC
PCPC
PCPC
PCPC
PC
DRM DRM administratoradministrator
Content Content owner owner
Content Content owner owner
Renewability: 2. Attack On DRMRenewability: 2. Attack On DRM
PC
PC
PC
PC
PC
DRM DRM administratoradministrator
Content Content owner owner
Content Content owner owner
Renewability: 3. Distribution Of The BreakRenewability: 3. Distribution Of The Break
PCPC
PCPC
PCPC
PCPC
PCPC
DRM DRM administratoradministrator
Content Content owner owner
Content Content owner owner
Renewability: 4. Revocation And Renewability: 4. Revocation And Field UpgradeField Upgrade
Other ChallengesOther Challenges
Secure time (expiry)Secure time (expiry) Secure state information Secure state information
(e.g. counted play)(e.g. counted play) Recovery from catastrophic failureRecovery from catastrophic failure Standard deployment mechanisms Standard deployment mechanisms
and global secretsand global secrets Working with external Working with external
system componentssystem components
ConclusionsConclusions
Cannot write unbreakable softwareCannot write unbreakable software Aim to limit the effect of Aim to limit the effect of
individual breaksindividual breaks Aim for cheap recoveryAim for cheap recovery Configure security parameters Configure security parameters
based on what is being protected based on what is being protected and against whomand against whom
Use cryptography to reduce the Use cryptography to reduce the number of weak spotsnumber of weak spots
OverviewOverview
Digital rights management (DRM): Digital rights management (DRM): fundamentals and visionfundamentals and vision Commerce scenariosCommerce scenarios Security challengesSecurity challenges
Microsoft RightsmanagerMicrosoft Rightsmanager System featuresSystem features
WM Rightsmanager: GoalsWM Rightsmanager: Goals
Bring premium audio/video content Bring premium audio/video content to the Windows platformto the Windows platform
Content owners (Hollywood) want Content owners (Hollywood) want protection for their content.protection for their content.
Enable a whole range of new Enable a whole range of new software applicationssoftware applications
Non goal:Non goal: control of the end user’s control of the end user’s PCPC
WMRM: General FeaturesWMRM: General Features
Works with ASF/WMAWorks with ASF/WMA Audio, Audio, Video, Video, Illustrated AudioIllustrated Audio Any CodecAny Codec Core DRM is “Media Agnostic”Core DRM is “Media Agnostic”
Streaming and DownloadStreaming and Download Portable devices, portable mediaPortable devices, portable media
DeploymentDeployment
ClientClient Free web downloadFree web download http://windowsmedia.comhttp://windowsmedia.com Part of Windows MediaPart of Windows Media Technologies Technologies 100 million downloaded clients100 million downloaded clients
ServerServer Free web downloadFree web download Register with Windows MediaRegister with Windows Media Used for audio and video distribution Used for audio and video distribution
by a variety of companiesby a variety of companies
Usage Scenario: PromotionalUsage Scenario: Promotional
““Know your audience”Know your audience” Distribute promotional Distribute promotional
trailer (encrypted)trailer (encrypted) Give license to users in exchange Give license to users in exchange
for email address etc.for email address etc. Superdistribution; put trailer on Superdistribution; put trailer on
empty space of existing CD or DVDempty space of existing CD or DVD DRM forces each user to obtain DRM forces each user to obtain
a license from the servera license from the server
Sale, Rental, Pay Per ViewSale, Rental, Pay Per View
User obtains encrypted contentUser obtains encrypted content DownloadDownload StreamingStreaming DVDDVD
User contacts clearing server and User contacts clearing server and makes paymentmakes payment
Usage rules specify user accessUsage rules specify user access Simple in DRM V1Simple in DRM V1 Much more expressive in the futureMuch more expressive in the future
S S t t o o r r e e f f r r o o n n tt
Hosting ServerHosting Server1.1. Encrypts contentEncrypts content
2.2. Allows downloadAllows download
Clearing ServerClearing Server1.1. Authenticates clientAuthenticates client
2.2. Generates licenseGenerates license
End-user machineEnd-user machine
Content (plaintext)Content (plaintext)
Content (encrypted)Content (encrypted)
License (key)License (key)
One-time One-time shared secretshared secret WMPlayerWMPlayer
DRMDRM
ContentContentkeykey
Hardware Hardware bindingbinding
Authentication
License requestLicense request
11
22
33
44
5566
77
Monitor Monitor sound cardsound card
Hosting ServerHosting Server1.1. Encrypts contentEncrypts content
2.2. Allows downloadAllows download
Clearing ServerClearing Server1.1. Authenticates clientAuthenticates client
2.2. Generates licenseGenerates license
End-user machine
Content (encrypted)Content (encrypted)
One-time One-time shared secretshared secret
Downstream Downstream componentscomponents
DRM ClientDRM Client License acquisitionLicense acquisition
Crypto engineCrypto engine
License evaluation engineLicense evaluation engine
Authentication engineAuthentication engine
Hardware bindingHardware binding
License acquisitionLicense acquisition
Monitor Monitor sound cardsound card
Central DRM servicesCentral DRM services Client certification / initializationClient certification / initialization
App authorization / controlApp authorization / control
Server authorizationServer authorization
Backup / restoreBackup / restore
CodeCode
downloaddownload
Portable devicesPortable devices
Portable mediaPortable media
S S t t o o r r e e f f r r o o n n tt
DRM Client ArchitectureDRM Client Architecture
Content crypto Content crypto engineengine
Authentication Authentication engineengine
License eval License eval engineengine
License License acquisitionacquisition
License storeLicense store Secure Secure statestate
Hardware Hardware bindingbinding
Rendering ApplicationRendering Application
Request rights (play)Request rights (play)Encrypted Encrypted contentcontent
DRM ClientDRM Client
LicenseLicense(from lic. Server)(from lic. Server)
IndividualizationIndividualization
Goal: Protect the DRM client Goal: Protect the DRM client against global attacksagainst global attacks
Registration with DRM server Registration with DRM server on installation or first use / on installation or first use / field upgradefield upgrade
DRM server provides per-client DRM server provides per-client keys and code keys and code
User MachineUser MachineDRM ServerDRM Server CertificationCertification
Individualized dllIndividualized dll
Upgrade requestUpgrade request
DRMDRMuniformuniform
dlldll certscerts
License ServerLicense Server
License License requestrequest
““This license This license requires an requires an individualized individualized client”client”
Indiv.Indiv.
dlldll certscertsInstall DRMInstall DRM
Local CD rippingLocal CD rippingRemote license acquisitionRemote license acquisitionUpgrade triggerUpgrade trigger
Upgrade requestUpgrade request
Server generates indiv. dllServer generates indiv. dllInstall on clientInstall on client
Individualization / Individualization / Field UpgradeField Upgrade
End-To-End ChannelEnd-To-End Channel
Audio / Video content flows through Audio / Video content flows through many processing components many processing components (renderer, sysaudio, sound card (renderer, sysaudio, sound card driver etc)driver etc)
Content can be extracted from any Content can be extracted from any of these componentsof these components
Task: Retrofit DRM onto the Task: Retrofit DRM onto the existing audio / video infrastructureexisting audio / video infrastructure
First step: Windows MEFirst step: Windows ME
Secure Audio PathSecure Audio Path
Song.wmaSong.wma
DRMDRMAdd noiseAdd noise
LicLic
Audio ComponentsAudio Components
SysAudioSysAudio
RemoveRemoveNoiseNoise
Kmixer, …Kmixer, …
AudioDriverAudioDriver
DRM-KDRM-K
useruser kernelkernel
3. verify3. verify1.1.
2.2.
4.4.
5.5.
6.6.
Secure Audio PathSecure Audio Path
License triggers secure audio pathLicense triggers secure audio path Verify components(WHQL Verify components(WHQL
sig,DRM bits)sig,DRM bits) Below KMixer Below KMixer
Disable digital loopback in audio driverDisable digital loopback in audio driver Noise for tunneling through to Kmixer Noise for tunneling through to Kmixer Certification of external components Certification of external components
through existing WHQL processthrough existing WHQL process Requires small piece of new code Requires small piece of new code
(100 lines)(100 lines)
Content EncryptionContent Encryption
FastFast 10 Megabytes per second10 Megabytes per second Allows encryption of the entire Allows encryption of the entire
video signalvideo signal Fault tolerantFault tolerant
Packet based: tolerates loss of Packet based: tolerates loss of arbitrary set of asf packetsarbitrary set of asf packets
SecureSecure Full-strength encryption algorithmFull-strength encryption algorithm
PlaintextPlaintext
asf fileasf file
encryptedencrypted
asf fileasf file
headerheader Data Data packetspackets
All payload packets are fully encryptedAll payload packets are fully encrypted Each packet is encrypted individuallyEach packet is encrypted individually No increase in packet lengthNo increase in packet length
Content EncryptionContent Encryption
SummarySummary
DRM Goals:DRM Goals: Bring premium content to the platformBring premium content to the platform Enable new business and Enable new business and
distribution modelsdistribution models Enable new applications, which Enable new applications, which
process this contentprocess this content Security:Security:
Baseline DRM clientBaseline DRM client Renewability, individualizationRenewability, individualization End-to-end channel for audio, videoEnd-to-end channel for audio, video
The Open Trusted PCThe Open Trusted PC
Paul EnglandPaul EnglandMicrosoft CorporationMicrosoft Corporation
SubtitleSubtitleStrategic Software and Strategic Software and Platform Technologies to make Platform Technologies to make the Open-PC as Trustworthy as the Open-PC as Trustworthy as the Closed-Box, forthe Closed-Box, for
E-CommerceE-CommerceUser Privacy ProtectionUser Privacy ProtectionRights-Managed DataRights-Managed Data
OutlineOutline
The Trusted PC ParadoxThe Trusted PC Paradox Platform AuthenticationPlatform Authentication Authenticated BootAuthenticated Boot Privacy ProtectionPrivacy Protection Secure Persistent StorageSecure Persistent Storage SummarySummary
The Trusted-PC ParadoxThe Trusted-PC Paradox
The PC is The PC is openopen – anyone can add – anyone can add Any softwareAny software Any hardware / option ROMAny hardware / option ROM Any operating systemAny operating system Any BIOSAny BIOS ……
So how can it possibly be as So how can it possibly be as trustworthy as a closed box?trustworthy as a closed box?
Furthermore…Furthermore…
It’s very hard to store secrets on a PCIt’s very hard to store secrets on a PC Many viruses have Many viruses have moremore rights than rights than
the userthe user Even if an OS secures (using ACLs) Even if an OS secures (using ACLs)
files or data for usersfiles or data for users No other OS needs to honor these No other OS needs to honor these
access controlsaccess controls All file systems are readable under all OSsAll file systems are readable under all OSs
Contrast This With Contrast This With A A Closed BoxClosed Box E.g. set-top box, game-console, E.g. set-top box, game-console,
other CE-deviceother CE-device Can’t add third-party hardwareCan’t add third-party hardware Can’t add unauthorized Can’t add unauthorized
third-party softwarethird-party software How can we achieve the best How can we achieve the best
of both worlds?of both worlds?
Targeted AudienceTargeted Audience
Not just professionally Not just professionally administered machinesadministered machines Home PCsHome PCs Small businessesSmall businesses LaptopsLaptops Corporate client machines Corporate client machines
(dial in + desktop)(dial in + desktop)
Long-Term GoalsLong-Term Goals
Growth of the Growth of the Web LifestyleWeb Lifestyle More e-commerceMore e-commerce Greater use of Web-servicesGreater use of Web-services More of More of youryour personal and personal and
valuable informationvaluable information On your home PCOn your home PC On Web serversOn Web servers
Increase trustworthiness of your PC Increase trustworthiness of your PC andand provide mechanisms to allow you provide mechanisms to allow you to determine trustworthiness of the to determine trustworthiness of the Web-services that you useWeb-services that you use
Platform AuthenticationPlatform Authentication
We propose adding platform HW/SW to We propose adding platform HW/SW to reliably report the platform configurationreliably report the platform configuration
User can boot into a system that can User can boot into a system that can reliably report its configurationreliably report its configuration
A Web-site can do this to “brand trust”A Web-site can do this to “brand trust” A home-user can do this to obtain A home-user can do this to obtain
premium contentpremium content A corporate user (RAS, or intranet) can A corporate user (RAS, or intranet) can
do this to gain access to the networkdo this to gain access to the networkThe user must always be in control of what The user must always be in control of what information she revealsinformation she reveals
Corporate RAS AccessCorporate RAS Access
Platform Platform authentication authentication hardware can hardware can prove client prove client
boot-boot-configurationconfiguration
Corpnet requires Corpnet requires Win2K + Win2K +
Certified drivers Certified drivers to access to access network network
resourcesresources
Another ExampleAnother Example
Doctor’s PCDoctor’s PC
Medical Insurance Medical Insurance CompanyCompany
Insurance company Insurance company wants to check wants to check
trustworthiness of the trustworthiness of the doctor’s PC before doctor’s PC before revealing records revealing records
Doctor’s office PC Doctor’s office PC is not is not
professionally professionally administeredadministered
Trusted Trusted Platform Platform
states states platform platform
configurationconfiguration
Insurance Insurance company company challenges PC challenges PC to authenticate to authenticate itselfitself
Doctor’s PC responds by Doctor’s PC responds by describing its configurationdescribing its configuration
Authenticated BootAuthenticated Boot
PC will boot PC will boot anyany software and the software and the OS can run OS can run anyany policy, but… policy, but… The platform reports the booted The platform reports the booted
configurationconfiguration (we will require privacy support)(we will require privacy support)
ISVs (OS-vendors) can choose what ISVs (OS-vendors) can choose what kind of information they revealkind of information they reveal
This is not secure bootThis is not secure boot Platform can still boot any Platform can still boot any
OS/configurationOS/configuration
Design ConsiderationsDesign Considerations
We need additional We need additional security hardwaresecurity hardware
There is no way (right now) that a There is no way (right now) that a challenger can reliably distinguish challenger can reliably distinguish WinME from Win2000WinME from Win2000
The additional hardware should The additional hardware should add add minimal cost, and minimally perturb minimal cost, and minimally perturb the PC boot /execution modelthe PC boot /execution model
A Simple, Cheap, SolutionA Simple, Cheap, Solution
Platform crypto-processorPlatform crypto-processor E.g. “smart-card core”E.g. “smart-card core”
Small changes to BIOSSmall changes to BIOS BIOS “reports” platform configuration BIOS “reports” platform configuration
to crypto-processorto crypto-processor Small changes to OS-boot modelSmall changes to OS-boot model
E.g. only load signed driversE.g. only load signed drivers Some changes to OS execution modelSome changes to OS execution model
Simplified Authenticated BootSimplified Authenticated Boot
crypto-crypto-processorprocessor
Boot logBoot logOS-loaderOS-loader
Trusted Trusted BIOSBIOS
OS-Loader
OS-Kernel
Driver1 Driver2 Driver3
Trusted BIOS “logs” Trusted BIOS “logs” the digest of the OS-the digest of the OS-loader that it passes loader that it passes
control tocontrol to
Simplified Authenticated BootSimplified Authenticated Boot
BIOS Loads an OS-loaderBIOS Loads an OS-loader OS writes the digest of the loader OS writes the digest of the loader
into a write-once protected areainto a write-once protected area OS-Loader (typically) contains a OS-Loader (typically) contains a
public key or certificatepublic key or certificate OS-loader only loads drivers that OS-loader only loads drivers that
it trustsit trusts They are certified by the loaders CAThey are certified by the loaders CA
Any ISV can write any OS-loader Any ISV can write any OS-loader using any load policyusing any load policy
Platform AuthenticationPlatform Authentication
Protected log contains the Protected log contains the OS-loader digestOS-loader digest
OS-LoaderOS-Loader
Publisher Root Publisher Root CertificateCertificate
Load-Policy CodeLoad-Policy Code
Device Device DriverDriver
Publisher Publisher ““Authenticode” Authenticode”
CertificateCertificate
Hash of all Hash of all of OS-of OS-
loader is loader is written to written to the write-the write-once logonce log
OS-LoaderOS-LoaderKernel ComponentKernel Component
Configuration ReportingConfiguration Reporting
Write-once log contains a hash that Write-once log contains a hash that represents the running OSrepresents the running OS
How can we use this?How can we use this? Not much use to just “tell” Not much use to just “tell”
a challengera challenger It’s a well-known numberIt’s a well-known number
We use We use cryptographic reportingcryptographic reporting The crypto-processor can report the The crypto-processor can report the
configuration using a secret keyconfiguration using a secret key The The QUOTEQUOTE operationoperation
The QUOTE OperationThe QUOTE Operation
QUOTEQUOTE(challenge) (challenge) SIGN(challenge, boot-log)SIGN(challenge, boot-log) Challenger sends a “Challenger sends a “nonce”nonce”
Platform responds with a signed Platform responds with a signed description of the boot description of the boot configuration + nonceconfiguration + nonce
Challenger can decide whether Challenger can decide whether to allow accessto allow accessother mechanisms provide for privacy – other mechanisms provide for privacy –
see latersee later
Adding Flexibility – Adding Flexibility – The Boot Policy FileThe Boot Policy File
Publisher Root CertPublisher Root CertExceptions (revocation)Exceptions (revocation)
Other boot-policyOther boot-policyDateDate
OS-LoaderOS-LoaderBoot Policy FileBoot Policy File
IT or Publisher IT or Publisher
CertificateCertificate
Secure LogSecure Log
OS-loaderOS-loader
Boot policy fileBoot policy file
BIOS BIOS records OS-records OS-
loaderloader
OS-loaderOS-loader records records
Boot-policy in effectBoot-policy in effect
OS-LoaderOS-Loader
Loader loads and logs Loader loads and logs the boot-policy filethe boot-policy file
Loader obeys theLoader obeys thePolicy descriptionPolicy description
A More Complicated ExampleA More Complicated Example
Practical boot models must include Practical boot models must include OS-selectors, etcOS-selectors, etc
Use the same basic model – Use the same basic model – Measure component about to Measure component about to
execute nextexecute next Decide whether it is “trustworthy”Decide whether it is “trustworthy”
If it is, do nothingIf it is, do nothing If it is “unknown,” securely log its “digest”If it is “unknown,” securely log its “digest”
Pass control Pass control
How Do We Implement The How Do We Implement The Secure Log?Secure Log?
MBRMBR
OS-boot-sectorOS-boot-sector
OS-loaderOS-loader
Boot PolicyBoot Policy
Virus definitionVirus definition
……
……
What we would like:What we would like: + +
Similar logs for Similar logs for firmware, microcode, firmware, microcode, upper-level software, upper-level software,
etc…etc…
How can we do this How can we do this cheaply (and cheaply (and
manageably)?manageably)?
EXTEND Simulates EXTEND Simulates An Infinite Secure LogAn Infinite Secure Log EXTENDEXTEND operation + operation + one one
secure registersecure register EXTEND(d)EXTEND(d)
Takes current contents of registerTakes current contents of register Hashes it with dHashes it with d Stores it back in the registerStores it back in the register
Hashing is Hashing is one-wayone-way Nobody can figure out how to Nobody can figure out how to
“remove” an entry“remove” an entry
EXTEND UsageEXTEND Usage
MBRMBR
OS-boot-sectorOS-boot-sector
OS-loaderOS-loader
Boot PolicyBoot Policy
Virus definitionVirus definition
……
……
Platform executesPlatform executes
1) EXTEND(MBR)1) EXTEND(MBR)
2) EXTEND(boot-sector)2) EXTEND(boot-sector)
3) EXTEND(Boot-policy)3) EXTEND(Boot-policy)
4) EXTEND(virus defn)4) EXTEND(virus defn)
5) EXTEND(…)5) EXTEND(…)
Challenger needs to do a little more work to interpret Challenger needs to do a little more work to interpret the composite value– but it is not hardthe composite value– but it is not hard
Authentication ModelAuthentication Model
Suppose we have a certified key-Suppose we have a certified key-pair in the “crypto-processor”pair in the “crypto-processor”
You can tell anyone what platform You can tell anyone what platform you are running, but…you are running, but… This is like a “super-cookie” you This is like a “super-cookie” you
use everywhereuse everywhere Unscrupulous sites could track what Unscrupulous sites could track what
you are doingyou are doing This is This is not not an acceptable solutionan acceptable solution
Authenticated AnonymityAuthenticated Anonymity
Users can acquire Users can acquire anonymous identitiesanonymous identities
Platform keyPlatform key
BankingBankingIdentityIdentity
ISPISPIdentityIdentity
Corp.Corp.IdentityIdentity
Trusted Trusted Identity Identity ServerServer
Bank Web ServerBank Web ServerUser picks User picks an Identity an Identity
Server Server trusted by trusted by bank and bank and
useruser
Trusted Trusted Identity Identity ServerServer
Other ConsiderationsOther Considerations
Identity acquisition is fully opt-inIdentity acquisition is fully opt-in Pick (during-boot) whether OS Pick (during-boot) whether OS
should support authenticationshould support authentication Nothing wrong with being anonymousNothing wrong with being anonymous
Boot ComplicationsBoot Complications
Boot is multi-stepBoot is multi-step MBR, OS boot-sectorMBR, OS boot-sector
BIOS is typically flashableBIOS is typically flashable Many option-ROMS insert codeMany option-ROMS insert code Favored model isFavored model is
Provide logging for all components Provide logging for all components that affect trustthat affect trust
(Not all challengers will care)(Not all challengers will care)
Other ImplementationsOther Implementations
Chipset modelChipset model Removable tokenRemovable token Processor changesProcessor changes
Secure Persistent StorageSecure Persistent StorageMotivation (I)Motivation (I) You want your “Trusted OS” You want your “Trusted OS”
to store your banking recordsto store your banking records But another OS can always read But another OS can always read
the files…the files… Simple encryption doesn’t help Simple encryption doesn’t help
(where do you store the keys?)(where do you store the keys?) Password-protection doesn’t Password-protection doesn’t
really helpreally help
Secure Persistent Storage Secure Persistent Storage Motivation (II)Motivation (II) When you RAS-in to your When you RAS-in to your
corporation you can prove you are corporation you can prove you are running a Trusted-OSrunning a Trusted-OS
But, on a dual-boot MachineBut, on a dual-boot Machine Where do you store files that are not Where do you store files that are not
accessible to viruses on another OS?accessible to viruses on another OS? Where do you store files that are not Where do you store files that are not
accessible to users on a cable-LAN if accessible to users on a cable-LAN if the other OS is badly configured?the other OS is badly configured?
Secure Persistent Storage Secure Persistent Storage Motivation (III)Motivation (III) Premium content providers provide Premium content providers provide
rights-managed content to rights-managed content to Trusted PlatformsTrusted Platforms How can a trusted platform store this How can a trusted platform store this
data for users?data for users? We want the Trusted-PC to be the We want the Trusted-PC to be the
favored platform for rights-favored platform for rights-managed goodsmanaged goods
Sealed StorageSealed Storage
Trusted Platform can store secrets Trusted Platform can store secrets for other “named configurations”for other “named configurations” Boot into a named configuration, you Boot into a named configuration, you
get to decrypt the secretsget to decrypt the secrets Boot into a different configuration and Boot into a different configuration and
you can’t recover the decryption keyyou can’t recover the decryption key Any Trusted OS can store secrets Any Trusted OS can store secrets
for itself or name other OSsfor itself or name other OSs
Sealed-Storage Sealed-Storage ImplementationImplementation We build on the We build on the same configuration same configuration
log we collected during bootlog we collected during boot SEAL(secret, log-value)SEAL(secret, log-value)
Uses a platform secret key to encrypt Uses a platform secret key to encrypt {secret, log-value} {secret, log-value} Blob Blob
UNSEAL(Blob)UNSEAL(Blob) Internally decryptInternally decrypt Return “secret” if platform is in the Return “secret” if platform is in the
named configurationnamed configuration
SEALSEAL Usage Usage
SEAL is mostly used to save encryption SEAL is mostly used to save encryption keys for registry hives / EFS keyskeys for registry hives / EFS keys
Mostly the OS “names itself” as trusted Mostly the OS “names itself” as trusted to decryptto decrypt Can name other OSsCan name other OSs Can name an upgraded OSCan name an upgraded OS
Other Uses For Other Uses For SEALSEAL
Simplifies deployment of Simplifies deployment of Trusted PlatformsTrusted Platforms
Authenticate the platform once, Authenticate the platform once, then SEAL then SEAL Your network logon keysYour network logon keys Your home banking keysYour home banking keys The Win2000 domain logon keyThe Win2000 domain logon key Any privacy-sensitive dataAny privacy-sensitive data
With SEAL we can do a better job With SEAL we can do a better job of protecting users secretsof protecting users secrets
Other Uses For Other Uses For SEALSEAL (II) (II)
EFS KeysEFS Keys Encrypted file-systems need per-user Encrypted file-systems need per-user
or per-platform storage keysor per-platform storage keys We can improve security of keys forWe can improve security of keys for
Dual-boot machinesDual-boot machines LaptopsLaptops Shared use home-machinesShared use home-machines
Summary: Summary: QUOTEQUOTE And And SEALSEAL QUOTEQUOTE allows the platform allows the platform
configuration to be reported configuration to be reported whenwhen online online
SEAL / UNSEALSEAL / UNSEAL allows platform allows platform configuration to be iconfiguration to be inferred nferred when when online of offlineonline of offline
ConclusionsConclusions
Trusted Windows TechnologyTrusted Windows Technology Enables the best of both worlds:Enables the best of both worlds:
Trusted, Open PlatformsTrusted, Open Platforms
Need new platform hardware Need new platform hardware to achieve itto achieve it Changes are not costly or profoundChanges are not costly or profound
Trusted Windows is the Platform Trusted Windows is the Platform for the future of E-commercefor the future of E-commerce
Calls To ActionCalls To Action
Platform TrustPlatform Trust Join TCPAJoin TCPA
ContentContent Join SDMIJoin SDMI Join CPTWGJoin CPTWG
PrivacyPrivacy Join TrustEJoin TrustE
Talk to us!Talk to us!