http://www.digitalidworld.com/print.php?sid=74
Interview with Palladium's Mario Juarez By: Phil Becker ([EMAIL PROTECTED]) Topic: Security Posted: Wednesday, June 26 @ 00:00:00 URL: http://www.digitalidworld.com/article.php?id=74 Microsoft made it's Palladium project public and it has caused quite a stir as people seek information. Mario Juarez is the Group Product Manager for the Palladium project. Digital ID World caught up with Mr. Juarez and asked him to fill us in on what Palladium is, how it will work, and how Microsoft sees its deployment strategy. Along the way he addressed the Privacy issues, governmental issues, and provided insight into Microsoft's philosophy about Palladium as well... DIDW: What were the motivations that caused Palladium to happen? What was going on as Microsoft looked at the world that caused them to think it was time to try to address this arena? Juarez: What you had were a core group of wild and crazy guys who I'm just in awe of. They were focused on a small problem, and came up with a big solution. They pretty quickly realized that what they were dealing with was something that had huge implications. These weren't trivial guys. Peter Biddle had been spending his time focusing on hardware issues and he quickly brought in a couple of very senior research architect level guys and a key guy from the NT core base operating system team. They worked on this in their spare time, in their off hours and weekends, and just kept building on it. By sheer force of determination and the belief that they had in the vision, they really pushed this thing. They began to carefully engage Intel and AMD to evangelize them, and eventually win them over. And other forces in the universe have come around to where this has clearly emerged as an idea whose time has come. Because these guys are really good, and they know how to make things happen at Microsoft, they finally, as of last Fall, succeeded in having this established as a product unit. We're now at the phase where we've talked to a lot of other companies, and we've talked to a lot of potential partners, and we've talked to a lot of people in other realms such as privacy, security, government and policy. We've gotten a lot of stakeholders involved in this and now we're trying to do business in a way that's a lot more open. That's why we've decided to take the wraps off at this point. DIDW: So you are saying that this was pushed from the bottom up in the company, as opposed to being part of a larger strategy initiative from above? Juarez: Yes. A lot of things happen like that at Microsoft. DIDW: What is Palladium and how does it fit with TrustBridge, .NET, Passport and all the identity related things Microsoft has going. Juarez: As I'm sure you've gleaned, Palladium is the code name for a set of features in an upcoming version of Windows (Don't know which one yet, don't know when.) We regard it as pretty significantly evolutionary, because for the architecture we've got here - a new breed of hardware, new capabilities in the operating system, and over time new applications and services - we think it will provide some very significant things in the way of security, personal privacy, and system integrity. And I think that the concerns you have around identity-centric computing are going to be well served by [Palladium]. DIDW: Could you give us an overview of Palladium's structure? Juarez: I mentioned system integrity, personal privacy, and enhanced security. In terms of system integrity what we have with Palladium is some new hardware components, actually one new component and some modified components. We have changes to the CPU, changes to the chip sets, and a new security chip that work together with the operating system to create what we call a Trusted Operating Root - the TOR. You can think of the TOR as a kind of micro-kernel. When you turn [the computer] on and the system boots up, it will load the TOR - the Trusted Operating Root. Several things happen upon that load. Space gets physically cleared out and reserved on the chip set (we use the metaphor of calling this a vault.) Think of this as a secure processing environment inside of which you can run code that is "trusted." On that virtual vault, you can build other trusted processes. You can have processes or data that are field installed and trusted in a way that is physically isolated, protected, and not accessible to other things on the machine. It can't be modified or observed, so it's essentially impervious to the kinds of things people think of when they think of software based attacks. By virtue of the way the hardware is working, you get the abilities that the TOR will use to create provability or attestation. The software or hardware can be cryptographically provable to you, to other computers, and to other processes that are happening on the computers - which means that things can be verified. The system can verify that other computers or processes are trustworthy, that they are what they say they are, or what they were yesterday before anything happens or gets engaged. We'll [also] have the ability to have a secure I/O architecture from the keystrokes to the glass on the screen. You will have channels inside the machine that will be impervious to snooping, hardware/software based attacks, and masquerading or impersonating on the screen. DIDW: And what about personal privacy and control? Juarez: As a user you can be confident that your intentions are being properly represented - that what you want to have happen is actually being carried out and there is not the opportunity within the realm of what you want to have happen in those trusted processes for things to be masqueraded or for there to be impersonation. As a side note, we will publish the source code on that Trusted Operating Root. We will make sure that people have the opportunity to really go deep on that and kick the tires and know that what we're doing in there is what we say we are doing. DIDW: System integrity has some aspects of security, but what about the specific security capabilities of Palladium? Juarez: You have the ability to establish the notion of trusted code which can't be observed or modified. Moreover, information on your machine, which is living in one of those vaults or one of the sub-vaults, or as storage on your disc can be encrypted with machine specific secrets so that they are functionally useless if they are stolen. [For example,] if the hard drive gets pulled or copied. You've got machine specific secrets which are physically locked and cryptographically secure in a way that provide for these benefits without betraying information that you don't want to have revealed. The hardware and the architecture prevents snooping, spoofing, and different kinds of data interception. Because you have system secrets that are stored on the machine, [Palladium] is fundamentally impervious to a BORA (Break Once, Run Anywhere) attack. And if you do find a way to break open the machine - and we expect the first attacks to be hardware attacks where people sand off the silicon and pull the keys off the security chip - you've still only broken what that one machine can do. You can't do a widely deployable hack or put up an executable that will essentially break the whole platform. You may perhaps be able to break a machine, but you won't be able to break the guy's machine next to you. And moreover, when you break a machine, the compromised security can be spotted by service providers or other systems. Its easy to have a kind of repudiation or ways to render the things that are being done with those secrets useless in a functional way by virtue of the fact that you have a unique system key set on each machine. DIDW: Doesn't that kind of "provability" raise privacy concerns? Juarez: Yes, and it is very important to understand a few things. First of all your identity, or any identity, is not intrinsically linked to the key set on your machine. We're not looking at a situation where we've got a serial number or some unique identifier there. By virtue of the fact that the Trusted Operating Root creates a cryptographic hash of itself, and that all kinds of things can be hashed up and down the line, you have the ability to create uniqueness - in the sense of being able to prove things - without being able to discern any other kinds of information that can be utilized to reverse engineer an identity or even track things that are happening across a wide landscape of transactions or processes. DIDW: Identity is often used as you have described it, which is referred to as pseudonymous or anonymous - but provable. Are you saying that Palladium is NOT intended to be used in the realm of things like Digital Signatures or PKI which IS intended to supply direct and provable traceability in certain transactions? Juarez: It plays into that, and it supports other systems that play into that. Part of the design goal here was to have something that could be very flexible and adaptable to different scenarios. You can go from one end, a scenario where's there is simply a transaction that occurs at the most base level of public key cryptography - you don't know anything about me, I don't know anything about you, but we both know that it's a secure transaction, all the way up to very sophisticated scenarios involving all different kinds of service providers - maybe service identity providers working in tandem with authentication services with all kinds of credentialing and certifications and authentications that would support more sophisticated kinds of things that would be happening on a broad basis involving multiple machines and computers. And you could have everything that exists in between. DIDW: So flexibility is a big goal, with nothing traceable locked in and no specific required PKI structure it must be part of? Juarez: The architecture is designed to be an open platform and open environment. As an ISV or service provider you can build anything you want on top of this platform and offer up a value proposition with consumers, or with other businesses. It can do all kinds of interesting things. But there's nothing in the system that says, for example, that if you run something in one of these vaults that you've got to have the code signed, or you have to have things authenticated. It's a very basic, open environment and we're not trying to build any elements of it that are going to require verification or the participation of anything other than the ISV and the person who is using the services want to have happen. DIDW: So Palladium is an open engine which other applications can access as an operating system service to use for their own purposes to build the encrypted, trusted capability into higher level things that are not yet known. And these future applications can be from third parties as easily as from Microsoft. But what will Microsoft's "first use" of Palladium within your OS software be? Juarez: One of the first things we are talking about, and I'm speaking a little bit out of school here, is a really promising implementation of VPN access - the ability to create really secure remote access into the corporate network in ways that are really trustworthy. This is a very beginning thought and it reflects the small ambition of the first early implementations. But I think it is really interesting because it can augment all the other things we are doing to keep our remote access channels secure. By having [the Palladium] environment you are guaranteed of a couple of things. You are guaranteed first of all, from the company's point of view, that the channels that are coming in are trusted channels. If somebody wants to get into the network, we can prove they are who they say they are. We can know that whatever they do, we are confident of the environment. And we also know that whatever nasty things are going on in their computer other than this channel can't break through the vault and infect our system. From the [user's] point of view, it's very good to know that the channel is secure. And this could be architected in such a way that I can be certain that what is happening through my connection to the corporate network may not have access to other things that are happening on my computer. That's a very basic kind of thing and it's probably the only thing I can reveal about what we are seeing here early. Our ITG guys are starting to get pretty engaged to think about what kinds of things can be done on a mission critical basis, because I really think that is the way this is going to play out first in the short run. Enterprises that are looking at mission critical things that are happening within their own environment where they want another layer of security for something that they are doing inside of their enterprise. DIDW: You've painted the picture of a very flexible system here, Does Palladium have to use the built-in unique keys, or is it a "blank slate" that can be written into by the software. Juarez: At some level it's impossible for me to answer that question with complete clarity right now. But I can say that there is a unique public/private key pair in the security chip and there's a symmetrical key for some of the internal stuff that goes on. There's also some cryptography going on in there. Exactly what that crypto it is going to be we don't know yet, but I think you can consider it to be on par with the high end of what's out there in terms of RSA right now or complimentary technologies. It's too soon to tell, and these are some of the points which we are talking to major players in the realm of security about to figure out the right way to do this. That part is going to be pretty well baked into that chip, as it necessarily has to be. But in terms of the crypto that is running elsewhere, that maybe the TOR is using, or that other parts of the system are using, the thinking there is that there may be some sort of plug-and-play nature to the way that some of that gets implemented. So there will be the opportunity to, maybe only at an ISV level, choose which crypto gets used. DIDW: Because Palladium will have an installed public/private key for at least bootstrap purposes... Juarez: Which is never revealed to anybody, including you. DIDW: But it raises the questions, all the old Clipper Chip issues, of will the government pressure you for key escrow and things like that? Juarez: We are talking to the government now, and maybe this is where we get some advantage from having a broad industry initiative. Our fundamental goal is "let's do the right thing." We have pretty strong feelings about what the right thing is on terms of making sure that things are truly anonymous and that key escrow kinds of things don't happen. But there ARE governments in the world, and not just the U.S. Government. This is part of what we mean when we say we need to have a long dialog and a process where there are multiple stakeholders involved so that 1) we arrive at the best possible decision, and 2) since no decision will make everyone happy, that we arrive at a decision which is widely seen, known, and understood. So that if some stakeholders or classes of stakeholders have problems with what's been decided, at least [it is] clear and people can make decisions based off of that. These are issues that are not decided and are certainly on the table. There are a whole bunch of things in the realm you've touched on that are big. That's why things need to be open, and can't be done in a back room or it just won't work. DIDW: There is a significant amount of new hardware design in what you've discussed here. For example, you talk about a security chip as a separate item. There are a lot of other efforts out there today and companies out there that have worked on hardware security solutions for some time, and you mentioned that you are working with many of those. Do you see this chip as being a new design, or do you see picking up something that is out there? Juarez: I think it's probably a combination thereof. There are some considerations we have in the way that chip unfolds. We want to make sure that it does certain things, and we want to make sure that it doesn't do some things. We want to make sure that it is verifiable in the way that it's built. But, you know, there's no particular kind of magic that needs to happen in there. It's a critical component, but it's not a particularly arcane one. It's just a piece of what's going on and exactly how that piece gets developed, and how that development occurs within what's going on here is on the list of things that we'll see and that we'll do. We certainly care a lot about it. We are a founding member of TCPA, and this is, we hope, a complimentary effort to that. Exactly what the overlap will be, exactly how that's going to shake out, I don't know, and we're going to have to see. We'll certainly want a lot of input. DIDW: The TCPA issue brings up the fact that some have seen Palladium as a bit of "in your face" to the TCPA effort. You are indicating that you don't see it that way. Could you elaborate a little on how you see TCPA, why you see it as separate from or complimentary to Palladium? Juarez: TCPA is all about providing security and trustworthiness in computing. What we're doing here addresses those same things and we think there's some great overlap. [But] there are some differences in the two initiatives that sort of paint this as a complimentary thing. This is not intended to be "in your face" to TCPA by any means, and it's not intended to be a competitive technology. That said, we've got issues that we're going to need to deal with on that front, and we're pretty serious about dealing with them. We'll try to do it together. DIDW: When would you anticipate the first deliverable from Palladium? Juarez: I would say mid-decade. DIDW: So that would be 2004, 2005? Juarez: Mid-decade. DIDW: I see you're sticking with your time frame, we can respect that. Juarez: I've been a lot more specific with you than I've been with anyone else. It's a pleasure talking with somebody who has the level of perspective to be able to "get" this. DIDW: Blush... This article comes from Digital Identity World: http://www.digitalidworld.com Copyright © 2002 Digital Identity World, LLC - All Rights Reserved -- ----------------- R. A. Hettinga <mailto: [EMAIL PROTECTED]> The Internet Bearer Underwriting Corporation <http://www.ibuc.com/> 44 Farquhar Street, Boston, MA 02131 USA "... however it may deserve respect for its usefulness and antiquity, [predicting the end of the world] has not been found agreeable to experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire' --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]