Cryptographers sound warnings on Microsoft security plan

[InfoSec News <isn () c4i org>]

http://www.eet.com/sys/news/OEG20030415S0013

By Rick Merritt
EE Times
April 15, 2003
    
SAN FRANCISCO - Just three weeks before Microsoft Corp. publicly
details plans to create a secure operating mode for Windows PCs, two
top cryptographers have raised concerns about Microsoft's approach.

Whitfield Diffie, a distinguished engineer at Sun Microsystems
Laboratories, said an integrated security scheme for computers is
inevitable, but the Microsoft approach is flawed because it fails to
give users control over their security keys. Ronald Rivest, an MIT
professor and founder of RSA Security, called for a broad public
debate about the Microsoft move.

Microsoft first tipped its plans, formerly code-named Palladium, about
a year ago. Since then some details have emerged about the concepts
for what Microsoft now calls the next-generation secure computing base
(NGSCB, pronounced "enscub").

Microsoft has detailed its plans to as many as 30 partners under
non-disclosure agreements. The company plans to unveil the full
technical details and partnerships behind its plans at the Windows
Hardware Engineering Conference in early May.

The Microsoft approach "lends itself to market domination, lock out,
and not really owning your own computer. That's going to create a
fight that dwarfs the debates of the 1990's," said Diffie as part of a
broad panel discussion on cryptography at the RSA Conference here
Monday (April 14).

"To risk sloganeering, I say you need to hold the keys to your own
computer," added Diffie to strong applause for the audience of several
hundred security specialists.

"We should be watching this to make sure there are the proper levels
of support we really do want," said Rivest.

"The right way to look at this is you are putting a virtual set-top
box inside your PC. You are essentially renting out part of your PC to
people you may not trust," said Rivest in an interview after the
panel.

"We need to understand the full implications of this architecture.  
This stuff may slip quietly on to people's desktops, but I suspect it
will be more a case of a lot of debate," he added.

Rivest said some experts have discussed setting up a forum in
technical society for such a debate, but he was unaware of any current
moves to do that. Likewise Diffie said he was not aware of any
specific alternative to NGSCB in the works at Sun.

"You want a standard, not competing approaches for something like
this," Diffie added.

Sun once considered but rejected the notion of releasing a computer
that would not boot without the presence of a cryptographically signed
operating system. The process of selling the computer would have been
similar to a cryptographic transaction of handing over security keys
to the end user.

In Microsoft's NGSCB approach, users would have to consciously evoke a
secure operating mode that would be turned off by default. New
instructions in the CPU as well as changes in the memory controller
would help carve out a protected space in main memory to load a small,
secure operating system kernel.

The PC approach also depends on a $5 encryption and flash module that
assists authentication and identification functions based on stored
keys and hashed values. NGSCB also requires secure channels between a
keyboard and main memory and between a display interface and a
graphics chip and its frame buffer.


Holding pattern

Microsoft has made no decisions about when it will put the new
functionality into Windows while it waits on availability of many of
the specially modified components it requires from companies such as
Intel and AMD collaborating on the effort. "We are running many
functions now in emulation," said Stephen Heil, a security evangelist
at Microsoft.

Microsoft has also not finalized decisions about how it will license
the NGSCB technology and make it open for others to review. "Its an
important series of decisions we need to make that will have broad
importance for NGSCB and Microsoft. We are focusing on that now" said
Mario Juarez, a group product manager for NGSCB at Microsoft.

"We've got a number of different licensing buckets. It's kind of like
a Venn diagram," added Heil.

Over the past six months, Microsoft has created a group of at least
100 developers working on NGSCB as part of a broad new security
business unit at Microsoft under Mike Nash. "An awful lot of what has
happened [in the last nine months] is just filling out the team into a
fully functioning product group. There's been a lot of work spent
hiring," said Juarez.

Microsoft hopes its WinHEC presentations on security - as much as 18
hours of talks over three days - will end debates about whether the
approach will work and begin the task of engaging a broader group of
developers on the nuts and bolts of building it out, said Amy Carroll,
a group product manager in the new security group.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.