Page 1: Privacy, Security And Content In Windows ® Platforms

Page 2: (image only; no text extracted)

Page 3: Agenda
Privacy, Security, Content: Peter N. Biddle, MS Technical Evangelist
MS DRM: Marcus Peinado, MS DRM Architect
The Open Trusted PC: Paul England, MS Architect

Page 4: A Definition Of Trust: Privacy
No matter where my data is, privacy is about keeping you from benefiting from access to it without my informed consent
    My data can be anything I own and control the rights to
    I want to be able to protect it no matter where it is
Consent is not enough - users need to understand
Need to provide for the needs of the user first while allowing the device to function

Page 5: A Definition Of Trust: Computer Security
If my computer holds my data, computer security is about keeping you from benefiting from unauthorized access to my data
    Traditional model of security
    Can include things like physical barriers

Page 6: A Definition Of Trust: Content Protection
If my computer holds your data, content access is about keeping me from benefiting from unauthorized access to your data
    Your data is anything you own
    You can associate rules with its use
    Use encryption, authentication to enforce rules
Need to focus less on preventing access and more on allowing access

Page 7: There Is No Difference Between Privacy Protection, Computer Security, And Content Protection

Page 8: Did He Really Say That?
There is no difference between protecting someone's privacy and protecting someone’s content
Assurances of trust must be universally true
    For anything and everything that anyone would want to apply rules to
    A “privacy object” is a “content object”

Page 9: I Want To Eliminate Our Ability To Invade Anybody Else’s Privacy

Page 10: Trusted Windows
Create a platform that will protect users from “us”
    This is trust
Make it extremely difficult to break Windows trust
Technical means are a cornerstone of trust
    Technology can protect against invasions
    Laws can lock up violators

Page 11: What Is Piracy?
Piracy is the un-licensed use of someone’s digital property
Piracy does not automatically result in lost revenue
    EG, if I were to make a copy of MS Office on a CD-R, and then destroy the CD-R, there would be no lost revenue
Some piracy can even foster sales of some kinds of digital property
Eliminating all piracy is prohibitively expensive
    It also pisses off your loyal customers

Page 12: Does Microsoft Want To Make Piracy On The Windows Platform Impossible?
We are not police officers, nor do we play them on TV
Designing an OS that eliminates piracy would be like trying to design a car that can’t be used as a getaway vehicle
    We don’t know how to do this
    We don’t want to do this

Page 13: Piracy Comes In Three Flavors – Good, Bad, And Tolerable

Page 14: There Is Such A Thing As Good Piracy
Piracy that actually fosters more purchases of content can be “good”
    There is no easy way to quantify this
Tolerable levels of piracy are any amount that a content owner chooses to sustain in order to meet a specific goal
    EG, not pissing off customers
We want to keep piracy tolerable at a minimum at a level that allows for sustainable economics for all digital content creators
    It is no fun to be a starving artist

Page 15: Content We Can Protect From Piracy
Content that is encrypted or scrambled, <and>
that has rules associated with it, <and>
that requires use of special SW to access
…must be protected.

Page 16: Content We Cannot Protect From Piracy
Unknown Content
    Content that looks “free” to the OS: Redbook Audio, Un-encrypted software
    Content that is free to the OS: ASCII text files, HTML
Content we cannot understand
    Content that has been encrypted or formatted using proprietary schemes

Page 17: There Will Be Some Badness In This World
Users will have their privacy invaded
Computers will be hacked
Content will be pirated
Our goal is to make these things the exception, not the rule
Create a Trusted Windows Platform as trustworthy as the Telephone is today

Page 18: Protecting Privacy
HW-based encryption can be used to protect documents
Smart Card that allows users to authenticate a PC
    As opposed to now, where a PC authenticates a user
Authentication can allow an end-user to verify that a third party is *exactly* what it says it is
Anonymous authentication is even possible
    You don’t know who I am but someone you trust does and can vouch for me and my computer

Page 19: Securing A Platform
Ensures that a system is what it says it is
Code signing
    Ensures that a legitimate user can’t load illegitimate code
    Ensures that an illegitimate user can’t load illegitimate code
Allows a computer and user to authenticate themselves to a third party

Page 20: Protecting Content
(diagram: a stack of four layers, Content over Application over OS over Hardware)
Content has associated ACL/license: hardware, OS, application, terms
Customers can access the content based on the terms of the ACL

Page 21: Summary
Think about these concepts as you listen to this session
Apply them to what you are doing in this space
Two areas of focus in this session:
    What we are doing today to “secure” the Windows platform in SW alone
    What we will be doing in the future to secure the platform using some combination of ubiquitous HW and SW

Page 22: Digital Rights Management And Content Protection Architectures
Marcus Peinado
Microsoft, Digital Media Division
[email protected]

Page 23: Overview
Digital rights management (DRM): fundamentals and vision
Commerce scenarios
Security challenges
Microsoft Rightsmanager
System features

Page 24: Overview (the same agenda slide, repeated as a section divider)

Page 25: E-Commerce / Physical Distribution
(diagram: customer on the internet using IE reaches the commerce site (store front); payment by credit card; delivery by UPS)
1. Customer selects product (book, CD, DVD, software, hiking boots)
2. Customer pays
3. Merchant ships physical product

Page 26: E-Commerce / Electronic Distribution
(diagram: customer on the internet using IE reaches the commerce site (store front); payment by credit card)
1. Customer selects product (book, audio, video, software, no hiking boots)
2. Customer pays
3. Customer downloads digital content
4. (customer → friend → friend → friend …)

Page 27: E-commerce / electronic distribution / Digital Rights Management
(diagram: commerce site (store front), customer, internet)
0. Content owner specifies how content may be accessed (off line)
1.-3. Customer selects content (book, audio, video) and access option, pays, downloads content
4. DRM system tries to enforce access rules

Page 28: DRM: General Model
Content owner specifies how the content may be accessed
Access specification will be enforced subject to the overall security level of the system
Access specifications enable business models (e.g. pay-per-view, rental etc)
Compare with Pay-TV schemes

Page 29: Overview (the same agenda slide, repeated as a section divider)

Page 30: General DRM Goal
Traditional PC security: Protect a good host from a hostile application
DRM security: Protect a trusted application in a hostile host environment
    Adversary has full physical control
    Plaintext content must be accessible

Page 31: (diagram) End-user PC
DRM Core inside the DRM Client, alongside the Rendering application and Other components
Requirements:
1. Secret hiding
2. Secure execution
3. Verification of other components

Page 32: Building Upon 1,2,3
Assuming that primitives 1,2,3 are available, a secure content protection system can be built using standard cryptography

Page 33: Implementing Primitives 1,2,3
Known approaches:
    Secure hardware (e.g. Secure Co-Processor)
    Tamper resistant software
    Security by obscurity
All known protection methods can be corrupted by a sufficiently powerful adversary

Page 34: Adversary Models
Naïve: will copy files (mp3); may be willing to install hacked programs; will not actively hack
Skilled: in-depth knowledge, but no commercial interest; will break most software protection mechanisms
Professional: pirate corporation; commercial interest and funds to hire skilled pirates; may reverse-engineer hardware protection

Page 35: Renewability
Fundamental Law of Anti-Piracy
    Any given content protection component (software, hardware) will be subverted by a sufficiently powerful adversary
Parameters:
    Value of the protected assets
    Time until break
    Resources of attacker

Page 36: Renewability
Allow easy recovery from breaks
Disable / Revoke broken components
    Revocation of DRM clients
    Revocation of processing components
Field upgrade to re-enable the system
Individualization to
    Reduce scope of individual breaks
    Improve granularity of revocation

Page 37: Renewability
(diagram: five PCs, a DRM administrator and two content owners)

Page 38: Renewability: 1. Deployment Of DRM
(same diagram)

Page 39: Renewability: 2. Attack On DRM
(same diagram)

Page 40: Renewability: 3. Distribution Of The Break
(same diagram)

Page 41: Renewability: 4. Revocation And Field Upgrade
(same diagram)

Page 42: Other Challenges
Secure time (expiry)
Secure state information (e.g. counted play)
Recovery from catastrophic failure
Standard deployment mechanisms and global secrets
Working with external system components

Page 43: Conclusions
Cannot write unbreakable software
    Aim to limit the effect of individual breaks
    Aim for cheap recovery
Configure security parameters based on what is being protected and against whom
Use cryptography to reduce the number of weak spots

Page 44: Overview (the same agenda slide, repeated as a section divider)

Page 45: WM Rightsmanager: Goals
Bring premium audio/video content to the Windows platform
    Content owners (Hollywood) want protection for their content.
Enable a whole range of new software applications
Non goal: control of the end user’s PC

Page 46: WMRM: General Features
Works with ASF/WMA
    Audio, Video, Illustrated Audio
    Any Codec
    Core DRM is “Media Agnostic”
Streaming and Download
Portable devices, portable media

Page 47: Deployment
Client
    Free web download http://windowsmedia.com
    Part of Windows Media Technologies
    100 million downloaded clients
Server
    Free web download
    Register with Windows Media
    Used for audio and video distribution by a variety of companies

Page 48: Usage Scenario: Promotional
“Know your audience”
Distribute promotional trailer (encrypted)
Give license to users in exchange for email address etc.
Superdistribution; put trailer on empty space of existing CD or DVD
    DRM forces each user to obtain a license from the server

Page 49: Sale, Rental, Pay Per View
User obtains encrypted content
    Download
    Streaming
    DVD
User contacts clearing server and makes payment
Usage rules specify user access
    Simple in DRM V1
    Much more expressive in the future

Page 50: (diagram) Purchase and playback flow
Store front
Hosting Server: 1. Encrypts content; 2. Allows download
Clearing Server: 1. Authenticates client; 2. Generates license
End-user machine: WMPlayer, DRM, Hardware binding, Monitor, sound card
Diagram elements: Content (plaintext), Content (encrypted), License (key), Content key, One-time shared secret, Authentication, License request
Numbered steps 1 through 7 connect the elements

Page 51: (diagram) Purchase and playback flow, with the DRM client expanded
Store front
Hosting Server: 1. Encrypts content; 2. Allows download
Clearing Server: 1. Authenticates client; 2. Generates license
End-user machine: DRM Client (License acquisition, Crypto engine, License evaluation engine, Authentication engine, Hardware binding), Downstream components, Monitor, sound card
Diagram elements: Content (encrypted), One-time shared secret, License acquisition
Central DRM services: Client certification / initialization; App authorization / control; Server authorization; Backup / restore; Code download
Portable devices, Portable media

Page 52: DRM Client Architecture
(diagram) The Rendering Application sends “Request rights (play)” and Encrypted content to the DRM Client; the License (from lic. Server) enters through License acquisition
DRM Client components:
    Content crypto engine
    Authentication engine
    License eval engine
    License acquisition
    License store
    Secure state
    Hardware binding
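The license evaluation engine on this slide, together with the ACL terms of page 20 (hardware, OS, application, terms), the usage rules of page 49 and the "secure time" and "secure state (counted play)" challenges of page 42, as an added example. This is not the deck's or Windows Media Rights Manager's code; the class names, the field names, the integer security level and the HMAC-sealed state file are all assumptions made for the example.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class License:
    """Rights issued by the license server for one piece of content (the 'ACL/license' of the slides).
    Field names are assumptions made for this example."""
    content_id: str
    hardware_id: str            # hardware binding: only this machine may use the content key
    app_id: str                 # only this rendering application may request rights
    min_security_level: int     # required platform level, e.g. 'secure audio path available'
    expires_at: Optional[int]   # absolute expiry in seconds (rental, pay-per-view); None = no limit
    max_plays: Optional[int]    # counted play; None = unlimited


@dataclass(frozen=True)
class Environment:
    """What the DRM client can observe about its host when rights are requested."""
    hardware_id: str
    app_id: str
    security_level: int
    now: int                    # seconds, read from a trusted clock ('secure time')


class SecureState:
    """Play counters sealed with an HMAC so that an edited state file is rejected on load.
    The sealing key is a per-machine secret (the 'secret hiding' primitive of the slides)."""

    def __init__(self, sealing_key: bytes, blob: Optional[bytes] = None) -> None:
        self._key = sealing_key
        self._counts: Dict[str, int] = {}
        if blob is not None:
            body, _, tag = blob.rpartition(b"|")
            if not hmac.compare_digest(self._tag(body), tag):
                raise ValueError("secure state has been tampered with")
            self._counts = json.loads(body)

    def _tag(self, body: bytes) -> bytes:
        return hmac.new(self._key, body, hashlib.sha256).hexdigest().encode()

    def plays_used(self, content_id: str) -> int:
        return self._counts.get(content_id, 0)

    def record_play(self, content_id: str) -> None:
        self._counts[content_id] = self.plays_used(content_id) + 1

    def seal(self) -> bytes:
        """Serialize the counters and append the authenticator; this blob is what goes to disk."""
        body = json.dumps(self._counts, sort_keys=True).encode()
        return body + b"|" + self._tag(body)


def evaluate(lic: License, env: Environment, state: SecureState) -> Tuple[bool, str]:
    """License evaluation engine: every term must hold before the content key is released.
    A successful 'play' consumes one counted play in the secure state."""
    if lic.hardware_id != env.hardware_id:
        return False, "hardware binding mismatch"
    if lic.app_id != env.app_id:
        return False, "application not authorized"
    if env.security_level < lic.min_security_level:
        return False, "platform security level too low"
    if lic.expires_at is not None and env.now >= lic.expires_at:
        return False, "license expired"
    if lic.max_plays is not None and state.plays_used(lic.content_id) >= lic.max_plays:
        return False, "play count exhausted"
    state.record_play(lic.content_id)
    return True, "ok"
```

The seal only detects a state file that was edited in place; replaying an older, correctly sealed copy (rolling the play counter back) is not detected, which is why the deck lists secure state and secure time as open challenges rather than solved ones: both need an anchor the host cannot rewind, such as a monotonic counter or a trusted clock.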

Page 53: Individualization
Goal: Protect the DRM client against global attacks
Registration with DRM server on installation or first use / field upgrade
DRM server provides per-client keys and code

Page 54: Individualization / Field Upgrade
(diagram) User Machine, DRM Server (Certification), License Server
Install DRM: uniform DRM dll + certs on the user machine
Local CD ripping
Remote license acquisition: License request to the License Server
    “This license requires an individualized client”
Upgrade trigger → Upgrade request to the DRM Server
Server generates indiv. dll → Install on client
Result: Individualized dll + certs on the user machine
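The renewability cycle of pages 35 to 41 (deployment, attack, distribution of the break, revocation and field upgrade) and the individualization of pages 53 and 54 share one mechanism: per-client keys let the administrator revoke a single broken client, and a minimum code version forces a field upgrade when the shared code is broken. The simulation below is an added example, not the deck's or Windows Media Rights Manager's code. It assumes an HMAC-based key derivation and certificate tag in place of real signatures, a content-key wrapping by XOR with a derived key, and the names DrmAdministrator, DrmClient, ClientCert and run_scenario.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple


def _prf(key: bytes, *parts: bytes) -> bytes:
    """HMAC-SHA256 over length-prefixed inputs; stands in for both the administrator's
    signature and the per-client key derivation in this example."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


@dataclass(frozen=True)
class ClientCert:
    client_id: str
    version: int      # version of the individualized client code
    tag: bytes        # authenticator issued by the DRM administrator


class DrmAdministrator:
    """Individualizes clients, tracks revocations and decides when a field upgrade is required."""

    def __init__(self) -> None:
        self._master = secrets.token_bytes(32)   # constructed; never leaves the server
        self.revoked: Set[str] = set()
        self.min_version = 1

    def _client_key(self, client_id: str, version: int) -> bytes:
        return _prf(self._master, b"client-key", client_id.encode(), version.to_bytes(4, "big"))

    def _cert_tag(self, client_id: str, version: int) -> bytes:
        return _prf(self._master, b"cert", client_id.encode(), version.to_bytes(4, "big"))

    def individualize(self, client_id: str, version: int) -> Tuple[bytes, ClientCert]:
        """Registration or field upgrade: hand this client its own key and certificate
        (the 'individualized dll + certs' of the slide)."""
        cert = ClientCert(client_id, version, self._cert_tag(client_id, version))
        return self._client_key(client_id, version), cert

    def revoke(self, client_id: str) -> None:
        """A break confined to one client: revoke just that client."""
        self.revoked.add(client_id)

    def require_upgrade(self, new_min_version: int) -> None:
        """A break in the uniform code: every older client must re-individualize."""
        self.min_version = new_min_version

    def issue_license(self, cert: ClientCert, content_id: bytes, content_key: bytes) -> Optional[bytes]:
        """Wrap the content key for exactly this client, or refuse (None)."""
        if not hmac.compare_digest(self._cert_tag(cert.client_id, cert.version), cert.tag):
            return None                                   # forged or altered certificate
        if cert.client_id in self.revoked or cert.version < self.min_version:
            return None                                   # revoked, or must upgrade first
        wrap = _prf(self._client_key(cert.client_id, cert.version), b"wrap", content_id)
        return _xor(content_key, wrap)


class DrmClient:
    def __init__(self, key: bytes, cert: ClientCert) -> None:
        self.key, self.cert = key, cert

    def unwrap(self, content_id: bytes, license_blob: bytes) -> bytes:
        return _xor(license_blob, _prf(self.key, b"wrap", content_id))


def run_scenario() -> Dict[str, object]:
    """The renewability slides in sequence: deployment, attack, distribution, revocation and upgrade."""
    admin = DrmAdministrator()
    content_id, content_key = b"song.wma", secrets.token_bytes(16)   # constructed sample
    lic = lambda c: admin.issue_license(c.cert, content_id, content_key)
    out: Dict[str, object] = {}
    # 1. Deployment: three PCs register and receive individualized credentials.
    clients = {cid: DrmClient(*admin.individualize(cid, 1)) for cid in ("pc-1", "pc-2", "pc-3")}
    out["before"] = {cid: c.unwrap(content_id, lic(c)) == content_key for cid, c in clients.items()}
    # 2./3. Attack and distribution: pc-2's secrets are extracted. Its key unwraps only licenses
    # issued to pc-2, so a distributed break of pc-2 is useless against other machines' licenses.
    out["leak_isolated"] = clients["pc-2"].unwrap(content_id, lic(clients["pc-1"])) != content_key
    # 4. Revocation: the administrator revokes pc-2; the other PCs are untouched.
    admin.revoke("pc-2")
    out["after_revoke"] = {cid: lic(c) is not None for cid, c in clients.items()}
    # A break in the shared code instead: raise the minimum version to force a field upgrade.
    admin.require_upgrade(2)
    out["stale_refused"] = lic(clients["pc-1"]) is None
    upgraded = DrmClient(*admin.individualize("pc-1", 2))
    out["upgraded_ok"] = upgraded.unwrap(content_id, lic(upgraded)) == content_key
    out["forged_refused"] = admin.issue_license(ClientCert("pc-9", 2, b"\0" * 32), content_id, content_key) is None
    return out
```

Two design points carry over to real systems: revocation is keyed on the client identity rather than the credential, so a revoked machine cannot clear its status by re-individualizing, and the version floor is checked at license issue time, which is the natural point to trigger the "upgrade request" shown in the diagram.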

Page 55: End-To-End Channel
Audio / Video content flows through many processing components (renderer, sysaudio, sound card driver etc)
Content can be extracted from any of these components
Task: Retrofit DRM onto the existing audio / video infrastructure
First step: Windows ME

Page 56: Secure Audio Path
(diagram) Song.wma → DRM (with Lic) → Add noise → Audio Components: SysAudio, Kmixer, … → Remove Noise → AudioDriver → DRM-K
Labels: user, kernel
Steps 1 through 6; step 3 is “verify”

Page 57: Secure Audio Path
License triggers secure audio path
Verify components (WHQL sig, DRM bits) below KMixer
Disable digital loopback in audio driver
Noise for tunneling through to Kmixer
Certification of external components through existing WHQL process
Requires small piece of new code (100 lines)
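The component verification step of the secure audio path (verify WHQL signature and DRM bits below KMixer, require loopback to be disabled, release the key only if the whole chain passes) as an added example. It is not the deck's DRM-K code and does not implement a WHQL signature check: in its place a set of approved image digests stands in for the signing authority, and the flag names DRM_AUTHENTICATE and DRM_NO_DIGITAL_OUT, the component names and the image bytes are constructed for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Flags standing in for the 'DRM bits' a certified component carries (constructed names).
DRM_AUTHENTICATE = 0x1       # component has been reviewed for use on the secure path
DRM_NO_DIGITAL_OUT = 0x2     # component exposes no digital copy of the stream it handles


@dataclass(frozen=True)
class AudioComponent:
    name: str
    image: bytes                     # the loaded driver/filter binary (constructed sample bytes)
    drm_bits: int
    loopback_enabled: bool = False   # digital loopback, if the driver offers one


def image_digest(image: bytes) -> str:
    return hashlib.sha256(image).hexdigest()


def verify_component(c: AudioComponent, certified: Set[str]) -> Optional[str]:
    """Return None if the component may sit below KMixer on the secure path, else the reason."""
    if image_digest(c.image) not in certified:
        return f"{c.name}: image is not WHQL-certified (or was modified after signing)"
    if not c.drm_bits & DRM_AUTHENTICATE:
        return f"{c.name}: DRM authenticate bit not set"
    if not c.drm_bits & DRM_NO_DIGITAL_OUT:
        return f"{c.name}: component exposes a digital output"
    if c.loopback_enabled:
        return f"{c.name}: digital loopback must be disabled"
    return None


def secure_audio_path(chain_below_kmixer: List[AudioComponent], certified: Set[str]) -> Tuple[bool, List[str]]:
    """Walk every component from KMixer down to the sound card. The content key is released
    only when all of them pass; a single untrusted link is enough to refuse the whole path."""
    problems = []
    for c in chain_below_kmixer:
        reason = verify_component(c, certified)
        if reason is not None:
            problems.append(reason)
    return (not problems, problems)


# Constructed sample images and the digests the (hypothetical) signing authority approved.
GOOD_BUS_DRIVER = b"bus-driver.sys v1.0 (constructed)"
GOOD_AUDIO_DRIVER = b"audio-driver.sys v1.0 (constructed)"
CERTIFIED = {image_digest(GOOD_BUS_DRIVER), image_digest(GOOD_AUDIO_DRIVER)}
FULL_BITS = DRM_AUTHENTICATE | DRM_NO_DIGITAL_OUT


def sample_chains():
    """Three constructed chains: a clean one, one with a patched driver, one with loopback left on."""
    bus = AudioComponent("BusDriver", GOOD_BUS_DRIVER, FULL_BITS)
    ok = [bus, AudioComponent("AudioDriver", GOOD_AUDIO_DRIVER, FULL_BITS)]
    patched = [bus, AudioComponent("AudioDriver", GOOD_AUDIO_DRIVER + b"\x90", FULL_BITS)]
    loopback = [bus, AudioComponent("AudioDriver", GOOD_AUDIO_DRIVER, FULL_BITS, loopback_enabled=True)]
    return ok, patched, loopback
```

The digest allow-list is the weakest part of this stand-in: a real check verifies a signature chain so that newly certified drivers need no client update, and it must be performed on the image actually loaded in memory, not on a file the host could swap after the check.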

Page 58: Content Encryption
Fast
    10 Megabytes per second
    Allows encryption of the entire video signal
Fault tolerant
    Packet based: tolerates loss of arbitrary set of asf packets
Secure
    Full-strength encryption algorithm

Page 59: Content Encryption
(diagram: plaintext asf file → encrypted asf file; header, Data packets)
All payload packets are fully encrypted
Each packet is encrypted individually
No increase in packet length
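The three properties on pages 58 and 59 (every packet encrypted on its own, no increase in packet length, loss of any set of packets tolerated) follow from a counter-mode construction whose nonce is the packet number. The code below is an added example, not the deck's or the ASF format's encryption; it uses HMAC-SHA256 as the keystream generator only to stay dependency-free, where the "full-strength encryption algorithm" of the slide would be a block cipher in the same counter layout. The key, the packet contents and the function names are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict, List


def packet_keystream(key: bytes, packet_no: int, length: int) -> bytes:
    """Keystream for one packet, derived from (key, packet number, block counter).
    HMAC-SHA256 is the pseudo-random function here only to keep the example dependency-free;
    a deployed system would use a block cipher in counter mode with the same nonce layout."""
    out = bytearray()
    block = 0
    while len(out) < length:
        counter = packet_no.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, counter, hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def encrypt_packet(key: bytes, packet_no: int, payload: bytes) -> bytes:
    """XOR with the packet's own keystream: the ciphertext has exactly the payload's length."""
    return bytes(p ^ k for p, k in zip(payload, packet_keystream(key, packet_no, len(payload))))


decrypt_packet = encrypt_packet   # XOR is its own inverse


def encrypt_stream(key: bytes, packets: List[bytes]) -> List[bytes]:
    """Encrypt every payload packet individually. The packet number plays the role of the
    nonce, so (key, packet number) must never repeat; a re-encoded file needs a fresh key."""
    return [encrypt_packet(key, n, p) for n, p in enumerate(packets)]


def decrypt_received(key: bytes, received: Dict[int, bytes]) -> Dict[int, bytes]:
    """Decrypt whatever arrived. Lost packets are simply absent; no packet depends on another,
    so a loss never corrupts its neighbours (the 'tolerates loss of arbitrary packets' property)."""
    return {n: decrypt_packet(key, n, c) for n, c in received.items()}


# Constructed sample content key and payload packets (not real ASF data).
SAMPLE_KEY = bytes(range(16))
SAMPLE_PACKETS = [b"packet-0 audio frame", b"packet-1", b"", b"packet-3 video frame"]


def demo():
    """Encrypt the sample stream, drop packets 1 and 2 in transit, decrypt the rest."""
    enc = encrypt_stream(SAMPLE_KEY, SAMPLE_PACKETS)
    received = {n: c for n, c in enumerate(enc) if n not in (1, 2)}
    return enc, decrypt_received(SAMPLE_KEY, received)
```

The construction buys confidentiality and loss tolerance, not integrity: a bit flipped in the ciphertext flips the same bit in the plaintext, and the "no increase in packet length" requirement leaves no room for a per-packet authentication tag, so any integrity check has to live elsewhere (for instance over the file header that carries the key identifier). The content key itself is the one delivered inside the license on page 50.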

Page 60: Summary
DRM Goals:
    Bring premium content to the platform
    Enable new business and distribution models
    Enable new applications, which process this content
Security:
    Baseline DRM client
    Renewability, individualization
    End-to-end channel for audio, video

Page 61: Privacy, Security And Content In Windows ® Platforms

The Open Trusted PCThe Open Trusted PC

Paul EnglandPaul EnglandMicrosoft CorporationMicrosoft Corporation

Page 62: Privacy, Security And Content In Windows ® Platforms

SubtitleSubtitleStrategic Software and Strategic Software and Platform Technologies to make Platform Technologies to make the Open-PC as Trustworthy as the Open-PC as Trustworthy as the Closed-Box, forthe Closed-Box, for

E-CommerceE-CommerceUser Privacy ProtectionUser Privacy ProtectionRights-Managed DataRights-Managed Data

Page 63: Privacy, Security And Content In Windows ® Platforms

OutlineOutline

The Trusted PC ParadoxThe Trusted PC Paradox Platform AuthenticationPlatform Authentication Authenticated BootAuthenticated Boot Privacy ProtectionPrivacy Protection Secure Persistent StorageSecure Persistent Storage SummarySummary

Page 64: Privacy, Security And Content In Windows ® Platforms

The Trusted-PC ParadoxThe Trusted-PC Paradox

The PC is The PC is openopen – anyone can add – anyone can add Any softwareAny software Any hardware / option ROMAny hardware / option ROM Any operating systemAny operating system Any BIOSAny BIOS ……

So how can it possibly be as So how can it possibly be as trustworthy as a closed box?trustworthy as a closed box?

Page 65: Privacy, Security And Content In Windows ® Platforms

Furthermore…

It’s very hard to store secrets on a PC
Many viruses have more rights than the user
Even if an OS secures (using ACLs) files or data for users
  No other OS needs to honor these access controls
  All file systems are readable under all OSs

Page 66: Privacy, Security And Content In Windows ® Platforms

Contrast This With A Closed Box

E.g. set-top box, game-console, other CE-device
  Can’t add third-party hardware
  Can’t add unauthorized third-party software

How can we achieve the best of both worlds?

Page 67: Privacy, Security And Content In Windows ® Platforms

Targeted Audience

Not just professionally administered machines
  Home PCs
  Small businesses
  Laptops
  Corporate client machines (dial in + desktop)

Page 68: Privacy, Security And Content In Windows ® Platforms

Long-Term Goals

Growth of the Web Lifestyle
  More e-commerce
  Greater use of Web-services
  More of your personal and valuable information
    On your home PC
    On Web servers

Increase trustworthiness of your PC and provide mechanisms to allow you to determine trustworthiness of the Web-services that you use

Page 69: Privacy, Security And Content In Windows ® Platforms

Platform Authentication

We propose adding platform HW/SW to reliably report the platform configuration

User can boot into a system that can reliably report its configuration
  A Web-site can do this to “brand trust”
  A home-user can do this to obtain premium content
  A corporate user (RAS, or intranet) can do this to gain access to the network

The user must always be in control of what information she reveals

Page 70: Privacy, Security And Content In Windows ® Platforms

Corporate RAS Access

Platform authentication hardware can prove client boot-configuration

Corpnet requires Win2K + certified drivers to access network resources

Page 71: Privacy, Security And Content In Windows ® Platforms

Another Example

Diagram: Doctor’s PC ↔ Medical Insurance Company

Insurance company wants to check trustworthiness of the doctor’s PC before revealing records
Doctor’s office PC is not professionally administered
Trusted Platform states platform configuration
Insurance company challenges PC to authenticate itself
Doctor’s PC responds by describing its configuration

Page 72: Privacy, Security And Content In Windows ® Platforms

Authenticated Boot

PC will boot any software and the OS can run any policy, but…
  The platform reports the booted configuration (we will require privacy support)

ISVs (OS-vendors) can choose what kind of information they reveal

This is not secure boot
  Platform can still boot any OS/configuration

Page 73: Privacy, Security And Content In Windows ® Platforms

Design Considerations

We need additional security hardware

There is no way (right now) that a challenger can reliably distinguish WinME from Win2000

The additional hardware should add minimal cost, and minimally perturb the PC boot/execution model

Page 74: Privacy, Security And Content In Windows ® Platforms

A Simple, Cheap, Solution

Platform crypto-processor
  E.g. “smart-card core”

Small changes to BIOS
  BIOS “reports” platform configuration to crypto-processor

Small changes to OS-boot model
  E.g. only load signed drivers

Some changes to OS execution model

Page 75: Privacy, Security And Content In Windows ® Platforms

Simplified Authenticated Boot

Diagram: Trusted BIOS → OS-Loader → OS-Kernel → Driver1, Driver2, Driver3; the crypto-processor holds the boot log, into which the OS-loader is recorded

Trusted BIOS “logs” the digest of the OS-loader that it passes control to

Page 76: Privacy, Security And Content In Windows ® Platforms

Simplified Authenticated Boot

BIOS loads an OS-loader
  OS writes the digest of the loader into a write-once protected area

OS-Loader (typically) contains a public key or certificate
  OS-loader only loads drivers that it trusts
  They are certified by the loader’s CA

Any ISV can write any OS-loader using any load policy

Page 77: Privacy, Security And Content In Windows ® Platforms

Platform Authentication

Protected log contains the OS-loader digest

Diagram: the OS-Loader contains a Publisher Root Certificate and Load-Policy Code; each Device Driver (kernel component) carries a Publisher “Authenticode” Certificate; the hash of all of the OS-loader is written to the write-once log

Page 78: Privacy, Security And Content In Windows ® Platforms

Configuration Reporting

Write-once log contains a hash that represents the running OS

How can we use this?
  Not much use to just “tell” a challenger
  It’s a well-known number

We use cryptographic reporting
  The crypto-processor can report the configuration using a secret key
  The QUOTE operation

Page 79: Privacy, Security And Content In Windows ® Platforms

The QUOTE Operation

QUOTE(challenge) = SIGN(challenge, boot-log)
  Challenger sends a “nonce”
  Platform responds with a signed description of the boot configuration + nonce
  Challenger can decide whether to allow access

Other mechanisms provide for privacy – see later
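The challenge/response above, written out as a small simulation. This is an added example, not code from the deck or from Microsoft: the crypto-processor, its key-pair, the 20-byte nonce, the signed byte layout and the challenger's allow-list are all constructed here (Ed25519 stands in for whatever certified key-pair the real part would hold, and the boot-log value is the SHA-256 of a made-up loader image). The challenger checks three things in order: that the nonce it gets back is the one it sent (freshness), that the signature verifies under the platform key (authenticity), and that the reported boot-log value is one it is prepared to accept (policy).

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// CryptoProcessor stands in for the platform crypto-processor: it holds a
// certified key-pair (constructed here) and the boot-log value.
type CryptoProcessor struct {
	priv    ed25519.PrivateKey
	BootLog [32]byte
}

// NewCryptoProcessor generates a fresh key-pair; a real part would carry a
// manufacturer-certified key instead of a random one.
func NewCryptoProcessor(bootLog [32]byte) (*CryptoProcessor, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &CryptoProcessor{priv: priv, BootLog: bootLog}, pub
}

// QuoteResponse is what the platform returns: the nonce it was given, the
// boot-log value it reports, and a signature over both.
type QuoteResponse struct {
	Nonce   []byte
	BootLog [32]byte
	Sig     []byte
}

// quoteMessage fixes the byte layout that is signed and verified. The tag and
// the nonce length prefix keep "nonce || log" unambiguous (nonces here are
// short, so one length byte is enough).
func quoteMessage(nonce []byte, bootLog [32]byte) []byte {
	msg := []byte("QUOTE/v0:")
	msg = append(msg, byte(len(nonce)))
	msg = append(msg, nonce...)
	return append(msg, bootLog[:]...)
}

// Quote implements QUOTE(challenge) = SIGN(challenge, boot-log).
func (cp *CryptoProcessor) Quote(nonce []byte) QuoteResponse {
	return QuoteResponse{
		Nonce:   append([]byte(nil), nonce...),
		BootLog: cp.BootLog,
		Sig:     ed25519.Sign(cp.priv, quoteMessage(nonce, cp.BootLog)),
	}
}

// Challenger is the web site / corpnet / insurer side. It knows the platform
// public key and the boot-log values it is willing to accept.
type Challenger struct {
	PlatformPub ed25519.PublicKey
	Allowed     map[[32]byte]string // accepted log value -> descriptive name
}

// NewNonce returns a fresh random challenge; a new one is issued per request
// so that an old response cannot be replayed.
func (c Challenger) NewNonce() []byte {
	nonce := make([]byte, 20)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return nonce
}

// Decide checks freshness, signature and configuration, in that order, and
// returns the name of the accepted configuration.
func (c Challenger) Decide(sent []byte, r QuoteResponse) (string, error) {
	if !bytes.Equal(sent, r.Nonce) {
		return "", errors.New("nonce mismatch: stale or replayed quote")
	}
	if !ed25519.Verify(c.PlatformPub, quoteMessage(r.Nonce, r.BootLog), r.Sig) {
		return "", errors.New("signature does not verify under the platform key")
	}
	name, ok := c.Allowed[r.BootLog]
	if !ok {
		return "", errors.New("boot configuration is not one the challenger accepts")
	}
	return name, nil
}

func main() {
	// Constructed sample: the boot log is the digest of a made-up OS-loader image.
	trustedLog := sha256.Sum256([]byte("sample-os-loader-v1"))
	cp, pub := NewCryptoProcessor(trustedLog)
	ch := Challenger{PlatformPub: pub, Allowed: map[[32]byte]string{trustedLog: "Win2K + certified drivers"}}

	nonce := ch.NewNonce()
	resp := cp.Quote(nonce)
	name, err := ch.Decide(nonce, resp)
	fmt.Println("fresh quote:", name, err)

	// Replaying the same response against a new challenge is rejected.
	_, err = ch.Decide(ch.NewNonce(), resp)
	fmt.Println("replayed quote:", err)
}
```

Note that the allow-list is the challenger's policy, not the platform's: a platform honestly reporting a configuration the challenger does not recognise is refused just like a forged one, which is the "challenger can decide" step on the slide.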

Page 80: Privacy, Security And Content In Windows ® Platforms

Adding Flexibility – The Boot Policy File

Diagram: the Boot Policy File (Publisher Root Cert, Exceptions (revocation), Other boot-policy, Date) is signed with an IT or Publisher Certificate; the Secure Log records the OS-loader and the Boot policy file

BIOS records OS-loader
OS-loader records Boot-policy in effect
Loader loads and logs the boot-policy file
Loader obeys the policy description

Page 81: Privacy, Security And Content In Windows ® Platforms

A More Complicated Example

Practical boot models must include OS-selectors, etc

Use the same basic model –
  Measure component about to execute next
  Decide whether it is “trustworthy”
    If it is, do nothing
    If it is “unknown,” securely log its “digest”
  Pass control

Page 82: Privacy, Security And Content In Windows ® Platforms

How Do We Implement The Secure Log?

Diagram: Secure Log entries – MBR, OS-boot-sector, OS-loader, Boot Policy, Virus definition, …

What we would like: this log, plus similar logs for firmware, microcode, upper-level software, etc…

How can we do this cheaply (and manageably)?

Page 83: Privacy, Security And Content In Windows ® Platforms

EXTEND Simulates An Infinite Secure Log

EXTEND operation + one secure register

EXTEND(d)
  Takes current contents of register
  Hashes it with d
  Stores it back in the register

Hashing is one-way
  Nobody can figure out how to “remove” an entry

Page 84: Privacy, Security And Content In Windows ® Platforms

EXTEND Usage

Diagram: log entries – MBR, OS-boot-sector, OS-loader, Boot Policy, Virus definition, …

Platform executes
  1) EXTEND(MBR)
  2) EXTEND(boot-sector)
  3) EXTEND(Boot-policy)
  4) EXTEND(virus defn)
  5) EXTEND(…)

Challenger needs to do a little more work to interpret the composite value – but it is not hard
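One block serving both the “A More Complicated Example” slide (measure, decide, log unknowns, pass control) and the EXTEND slides. It is an added example, not code from the deck or from Microsoft. The Register type is the single secure register; Extend is EXTEND(d) with SHA-256 as the one-way hash. LoadAndLog applies one concrete form of the “is it trustworthy?” decision, taken from the earlier slides' “only load signed drivers”: a component whose digest carries a valid signature under the publisher root key is treated as known and produces no log entry, anything else has its digest EXTENDed. Recompute is the challenger's “little more work”: replay the claimed measurements from the all-zero state and compare. The publisher key, component images and signatures are all constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Digest is the measurement of one component (here, SHA-256 of its image).
type Digest = [32]byte

// Register models the single secure register behind EXTEND.
type Register struct{ value Digest }

// Extend implements EXTEND(d): hash the current register contents together
// with d and store the result back. Because SHA-256 is one-way, no later
// caller can undo, replace or reorder an earlier Extend.
func (r *Register) Extend(d Digest) {
	r.value = sha256.Sum256(append(r.value[:], d[:]...))
}

// Hex returns the composite value a challenger would see in a report.
func (r *Register) Hex() string { return hex.EncodeToString(r.value[:]) }

// Recompute is the challenger's side: replay the claimed sequence of
// measurements from the all-zero starting state and return the composite.
func Recompute(measurements []Digest) Digest {
	var r Register
	for _, d := range measurements {
		r.Extend(d)
	}
	return r.value
}

// Component is the next thing the loader is about to pass control to.
// Image bytes and signatures are constructed for the example.
type Component struct {
	Name      string
	Image     []byte
	Signature []byte // publisher signature over sha256(Image); nil if unsigned
}

// LoadAndLog follows the slide's policy: measure the component, treat it as
// trusted if the publisher root signed it (do nothing), otherwise EXTEND its
// digest before passing control. It returns the names that were logged.
func LoadAndLog(root ed25519.PublicKey, reg *Register, comps []Component) []string {
	var logged []string
	for _, c := range comps {
		d := sha256.Sum256(c.Image)
		if c.Signature != nil && ed25519.Verify(root, d[:], c.Signature) {
			continue // trusted: vouched for by the root cert, no log entry needed
		}
		reg.Extend(d)
		logged = append(logged, c.Name)
	}
	return logged
}

// sign is the constructed publisher: it signs the digest of an image.
func sign(priv ed25519.PrivateKey, image []byte) []byte {
	d := sha256.Sum256(image)
	return ed25519.Sign(priv, d[:])
}

func main() {
	// Constructed publisher root; real loaders embed the publisher's certificate.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Slide order: MBR, boot-sector, boot-policy, virus definitions; the
	// signed driver is "known" and therefore never lands in the log.
	comps := []Component{
		{Name: "MBR", Image: []byte("sample mbr")},
		{Name: "boot-sector", Image: []byte("sample boot sector")},
		{Name: "boot-policy", Image: []byte("sample boot policy")},
		{Name: "virus-defn", Image: []byte("sample virus definitions")},
		{Name: "driver1", Image: []byte("signed driver"), Signature: sign(priv, []byte("signed driver"))},
	}
	var reg Register
	logged := LoadAndLog(pub, &reg, comps)
	fmt.Println("logged:", logged)
	fmt.Println("composite:", reg.Hex())

	// The challenger recomputes the same value from the claimed list; any
	// omitted, altered or reordered entry changes the result.
	var claimed []Digest
	for _, n := range logged {
		for _, c := range comps {
			if c.Name == n {
				claimed = append(claimed, sha256.Sum256(c.Image))
			}
		}
	}
	fmt.Println("challenger agrees:", Recompute(claimed) == reg.value)
}
```

The practical consequence of “do nothing” for trusted components is that the composite value depends only on the unknown entries, so a challenger's expected value stays stable across different sets of publisher-signed drivers, while a driver signed by anyone else shows up in the log like any other unknown.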

Page 85: Privacy, Security And Content In Windows ® Platforms

Authentication Model

Suppose we have a certified key-pair in the “crypto-processor”

You can tell anyone what platform you are running, but…
  This is like a “super-cookie” you use everywhere
  Unscrupulous sites could track what you are doing

This is not an acceptable solution

Page 86: Privacy, Security And Content In Windows ® Platforms

Authenticated Anonymity

Users can acquire anonymous identities

Diagram: Platform key → Trusted Identity Server → Banking Identity, ISP Identity, Corp. Identity; the Bank Web Server relies on the Identity Server. User picks an Identity Server trusted by bank and user

Page 87: Privacy, Security And Content In Windows ® Platforms

Other Considerations

Identity acquisition is fully opt-in
Pick (during-boot) whether OS should support authentication
Nothing wrong with being anonymous

Page 88: Privacy, Security And Content In Windows ® Platforms

Boot Complications

Boot is multi-step
  MBR, OS boot-sector
BIOS is typically flashable
Many option-ROMs insert code

Favored model is
  Provide logging for all components that affect trust
  (Not all challengers will care)

Page 89: Privacy, Security And Content In Windows ® Platforms

Other Implementations

Chipset model
Removable token
Processor changes

Page 90: Privacy, Security And Content In Windows ® Platforms

Secure Persistent Storage
Motivation (I)

You want your “Trusted OS” to store your banking records
  But another OS can always read the files…
  Simple encryption doesn’t help (where do you store the keys?)
  Password-protection doesn’t really help

Page 91: Privacy, Security And Content In Windows ® Platforms

Secure Persistent Storage
Motivation (II)

When you RAS-in to your corporation you can prove you are running a Trusted-OS

But, on a dual-boot machine
  Where do you store files that are not accessible to viruses on another OS?
  Where do you store files that are not accessible to users on a cable-LAN if the other OS is badly configured?

Page 92: Privacy, Security And Content In Windows ® Platforms

Secure Persistent Storage
Motivation (III)

Premium content providers provide rights-managed content to Trusted Platforms
  How can a trusted platform store this data for users?

We want the Trusted-PC to be the favored platform for rights-managed goods

Page 93: Privacy, Security And Content In Windows ® Platforms

Sealed Storage

Trusted Platform can store secrets for other “named configurations”
  Boot into a named configuration, you get to decrypt the secrets
  Boot into a different configuration and you can’t recover the decryption key

Any Trusted OS can store secrets for itself or name other OSs

Page 94: Privacy, Security And Content In Windows ® Platforms

Sealed-Storage Implementation

We build on the same configuration log we collected during boot

SEAL(secret, log-value)
  Uses a platform secret key to encrypt {secret, log-value} → Blob

UNSEAL(Blob)
  Internally decrypt
  Return “secret” if platform is in the named configuration
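SEAL and UNSEAL as described on this slide, written out as an added example (not code from the deck or from Microsoft). The platform secret key is a random 32-byte AES key generated in software here, standing in for a key that hardware would never release; the cipher choice (AES-GCM, so the blob also carries an integrity tag), the blob layout (nonce || ciphertext || tag) and the two sample configuration values are assumptions of the example. Unseal decrypts internally and hands the secret back only when the current register value equals the one that was named at Seal time, so a blob sealed by one OS is useless to another OS booted on the same machine, and useless on any other platform.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Platform models the crypto-processor side of SEAL / UNSEAL: a platform
// secret key that never leaves the part, and the configuration log value
// collected during boot.
type Platform struct {
	key    []byte   // constructed 32-byte secret; hardware would hold this
	Config [32]byte // current boot-log value
}

// NewPlatform creates a platform with a fresh random key (constructed here).
func NewPlatform(config [32]byte) *Platform {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	return &Platform{key: key, Config: config}
}

func (p *Platform) aead() cipher.AEAD {
	block, err := aes.NewCipher(p.key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// Seal encrypts {named log-value, secret} under the platform key and returns
// the blob (nonce || ciphertext || tag). The blob can live in any file system:
// without the platform key it is opaque, and the GCM tag catches tampering.
func (p *Platform) Seal(secret []byte, named [32]byte) []byte {
	gcm := p.aead()
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	plaintext := append(append([]byte{}, named[:]...), secret...)
	return append(nonce, gcm.Seal(nil, nonce, plaintext, []byte("SEAL/v0"))...)
}

// Unseal decrypts internally and releases the secret only when the current
// configuration equals the one named at Seal time.
func (p *Platform) Unseal(blob []byte) ([]byte, error) {
	gcm := p.aead()
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	pt, err := gcm.Open(nil, blob[:ns], blob[ns:], []byte("SEAL/v0"))
	if err != nil {
		return nil, errors.New("blob was not sealed by this platform, or was modified")
	}
	if len(pt) < 32 {
		return nil, errors.New("malformed blob")
	}
	var named [32]byte
	copy(named[:], pt[:32])
	if named != p.Config {
		return nil, errors.New("platform is not in the named configuration")
	}
	return pt[32:], nil
}

func main() {
	// Constructed log values for two boot configurations.
	trustedOS := sha256.Sum256([]byte("trusted-os-loader"))
	otherOS := sha256.Sum256([]byte("other-os-loader"))
	secret := []byte("sample EFS master key")

	p := NewPlatform(trustedOS)
	blob := p.Seal(secret, trustedOS) // the OS "names itself"

	got, err := p.Unseal(blob)
	fmt.Println("same configuration:", bytes.Equal(got, secret), err)

	p.Config = otherOS // simulate a reboot into a different OS
	_, err = p.Unseal(blob)
	fmt.Println("different configuration:", err)
}
```

Because the named value is inside the encrypted blob rather than beside it, nobody outside the platform can learn or edit which configuration a blob is bound to; and because the comparison is done by the platform after decryption, an OS cannot "name" a configuration it is not in and then read the secret anyway, which is what the "Can name other OSs / Can name an upgraded OS" slide relies on.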

Page 95: Privacy, Security And Content In Windows ® Platforms

SEAL Usage

SEAL is mostly used to save encryption keys for registry hives / EFS keys

Mostly the OS “names itself” as trusted to decrypt
  Can name other OSs
  Can name an upgraded OS

Page 96: Privacy, Security And Content In Windows ® Platforms

Other Uses For SEAL

Simplifies deployment of Trusted Platforms

Authenticate the platform once, then SEAL
  Your network logon keys
  Your home banking keys
  The Win2000 domain logon key
  Any privacy-sensitive data

With SEAL we can do a better job of protecting users’ secrets

Page 97: Privacy, Security And Content In Windows ® Platforms

Other Uses For SEAL (II)

EFS Keys
  Encrypted file-systems need per-user or per-platform storage keys

We can improve security of keys for
  Dual-boot machines
  Laptops
  Shared use home-machines

Page 98: Privacy, Security And Content In Windows ® Platforms

Summary: QUOTE And SEAL

QUOTE allows the platform configuration to be reported when online

SEAL / UNSEAL allows platform configuration to be inferred when online or offline

Page 99: Privacy, Security And Content In Windows ® Platforms

Conclusions

Trusted Windows Technology
  Enables the best of both worlds: Trusted, Open Platforms

Need new platform hardware to achieve it
  Changes are not costly or profound

Trusted Windows is the Platform for the future of E-commerce

Page 100: Privacy, Security And Content In Windows ® Platforms

Calls To Action

Platform Trust
  Join TCPA

Content
  Join SDMI
  Join CPTWG

Privacy
  Join TrustE

Talk to us!
