Cryptographers sound warnings on Microsoft security plan

[Dave Farber <dave () farber net>]

Cryptographers sound warnings on Microsoft security plan
By Rick Merritt, EE Times
April 15, 2003 (9:32 a.m. EST)
URL: http://www.eetimes.com/story/OEG20030415S0013

SAN FRANCISCO ‹ Just three weeks before Microsoft Corp. publicly details
plans to create a secure operating mode for Windows PCs, two top
cryptographers have raised concerns about Microsoft's approach.

Whitfield Diffie, a distinguished engineer at Sun Microsystems Laboratories,
said an integrated security scheme for computers is inevitable, but the
Microsoft approach is flawed because it fails to give users control over
their security keys. Ronald Rivest, an MIT professor and founder of RSA
Security, called for a broad public debate about the Microsoft move.

Microsoft first tipped its plans, formerly code-named Palladium, about a
year ago. Since then some details have emerged about the concepts for what
Microsoft now calls the next-generation secure computing base (NGSCB,
pronounced "enscub").

Microsoft has detailed its plans to as many as 30 partners under
non-disclosure agreements. The company plans to unveil the full technical
details and partnerships behind its plans at the Windows Hardware
Engineering Conference in early May.

The Microsoft approach ³lends itself to market domination, lock out, and not
really owning your own computer. That's going to create a fight that dwarfs
the debates of the 1990's,² said Diffie as part of a broad panel discussion
on cryptography at the RSA Conference here Monday (April 14).

³To risk sloganeering, I say you need to hold the keys to your own
computer,² added Diffie to strong applause for the audience of several
hundred security specialists.

³We should be watching this to make sure there are the proper levels of
support we really do want,² said Rivest.

³The right way to look at this is you are putting a virtual set-top box
inside your PC. You are essentially renting out part of your PC to people
you may not trust,² said Rivest in an interview after the panel.

³We need to understand the full implications of this architecture. This
stuff may slip quietly on to people's desktops, but I suspect it will be
more a case of a lot of debate,² he added.

Rivest said some experts have discussed setting up a forum in technical
society for such a debate, but he was unaware of any current moves to do
that. Likewise Diffie said he was not aware of any specific alternative to
NGSCB in the works at Sun.

³You want a standard, not competing approaches for something like this,²
Diffie added. 

Sun once considered but rejected the notion of releasing a computer that
would not boot without the presence of a cryptographically signed operating
system. The process of selling the computer would have been similar to a
cryptographic transaction of handing over security keys to the end user.

In Microsoft's NGSCB approach, users would have to consciously evoke a
secure operating mode that would be turned off by default. New instructions
in the CPU as well as changes in the memory controller would help carve out
a protected space in main memory to load a small, secure operating system
kernel. 

The PC approach also depends on a $5 encryption and flash module that
assists authentication and identification functions based on stored keys and
hashed values. NGSCB also requires secure channels between a keyboard and
main memory and between a display interface and a graphics chip and its
frame buffer. 

Holding pattern

Microsoft has made no decisions about when it will put the new functionality
into Windows while it waits on availability of many of the specially
modified components it requires from companies such as Intel and AMD
collaborating on the effort. ³We are running many functions now in
emulation,² said Stephen Heil, a security evangelist at Microsoft.

Microsoft has also not finalized decisions about how it will license the
NGSCB technology and make it open for others to review. ³Its an important
series of decisions we need to make that will have broad importance for
NGSCB and Microsoft. We are focusing on that now² said Mario Juarez, a group
product manager for NGSCB at Microsoft.

³We've got a number of different licensing buckets. It's kind of like a Venn
diagram,² added Heil.

Over the past six months, Microsoft has created a group of at least 100
developers working on NGSCB as part of a broad new security business unit at
Microsoft under Mike Nash. ³An awful lot of what has happened [in the last
nine months] is just filling out the team into a fully functioning product
group. There's been a lot of work spent hiring,² said Juarez.

Microsoft hopes its WinHEC presentations on security‹as much as 18 hours of
talks over three days‹will end debates about whether the approach will work
and begin the task of engaging a broader group of developers on the nuts and
bolts of building it out, said Amy Carroll, a group product manager in the
new security group. 

-------------------------------------
You are subscribed as interesting-people () lists elistx com
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/