Interview with Palladium's Mario Juarez

By: Phil Becker ([EMAIL PROTECTED])
Topic: Security
Posted: Wednesday, June 26 @ 00:00:00

Microsoft made it's Palladium project public and it has caused quite a stir
as people seek information. Mario Juarez is the Group Product Manager for
the Palladium project. Digital ID World caught up with Mr. Juarez and asked
him to fill us in on what Palladium is, how it will work, and how Microsoft
sees its deployment strategy. Along the way he addressed the Privacy
issues, governmental issues, and provided insight into Microsoft's
philosophy about Palladium as well...

DIDW: What were the motivations that caused Palladium to happen? What was
going on as Microsoft looked at the world that caused them to think it was
time to try to address this arena?

Juarez: What you had were a core group of wild and crazy guys who I'm just
in awe of. They were focused on a small problem, and came up with a big
solution. They pretty quickly realized that what they were dealing with was
something that had huge implications. These weren't trivial guys. Peter
Biddle had been spending his time focusing on hardware issues and he
quickly brought in a couple of very senior research architect level guys
and a key guy from the NT core base operating system team. They worked on
this in their spare time, in their off hours and weekends, and just kept
building on it.

By sheer force of determination and the belief that they had in the vision,
they really pushed this thing. They began to carefully engage Intel and AMD
to evangelize them, and eventually win them over. And other forces in the
universe have come around to where this has clearly emerged as an idea
whose time has come.

Because these guys are really good, and they know how to make things happen
at Microsoft, they finally, as of last Fall, succeeded in having this
established as a product unit. We're now at the phase where we've talked to
a lot of other companies, and we've talked to a lot of potential partners,
and we've talked to a lot of people in other realms such as privacy,
security, government and policy. We've gotten a lot of stakeholders
involved in this and now we're trying to do business in a way that's a lot
more open. That's why we've decided to take the wraps off at this point.

DIDW: So you are saying that this was pushed from the bottom up in the
company, as opposed to being part of a larger strategy initiative from

Juarez: Yes. A lot of things happen like that at Microsoft.

DIDW: What is Palladium and how does it fit with TrustBridge, .NET,
Passport and all the identity related things Microsoft has going.

Juarez: As I'm sure you've gleaned, Palladium is the code name for a set of
features in an upcoming version of Windows (Don't know which one yet, don't
know when.) We regard it as pretty significantly evolutionary, because for
the architecture we've got here - a new breed of hardware, new capabilities
in the operating system, and over time new applications and services - we
think it will provide some very significant things in the way of security,
personal privacy, and system integrity. And I think that the concerns you
have around identity-centric computing are going to be well served by

DIDW: Could you give us an overview of Palladium's structure?

Juarez: I mentioned system integrity, personal privacy, and enhanced security.

In terms of system integrity what we have with Palladium is some new
hardware components, actually one new component and some modified
components. We have changes to the CPU, changes to the chip sets, and a new
security chip that work together with the operating system to create what
we call a Trusted Operating Root - the TOR. You can think of the TOR as a
kind of micro-kernel.

When you turn [the computer] on and the system boots up, it will load the
TOR - the Trusted Operating Root. Several things happen upon that load.
Space gets physically cleared out and reserved on the chip set (we use the
metaphor of calling this a vault.) Think of this as a secure processing
environment inside of which you can run code that is "trusted." On that
virtual vault, you can build other trusted processes. You can have
processes or data that are field installed and trusted in a way that is
physically isolated, protected, and not accessible to other things on the
machine. It can't be modified or observed, so it's essentially impervious
to the kinds of things people think of when they think of software based

By virtue of the way the hardware is working, you get the abilities that
the TOR will use to create provability or attestation. The software or
hardware can be cryptographically provable to you, to other computers, and
to other processes that are happening on the computers - which means that
things can be verified. The system can verify that other computers or
processes are trustworthy, that they are what they say they are, or what
they were yesterday before anything happens or gets engaged.

We'll [also] have the ability to have a secure I/O architecture from the
keystrokes to the glass on the screen. You will have channels inside the
machine that will be impervious to snooping, hardware/software based
attacks, and masquerading or impersonating on the screen.

DIDW: And what about personal privacy and control?

Juarez: As a user you can be confident that your intentions are being
properly represented - that what you want to have happen is actually being
carried out and there is not the opportunity within the realm of what you
want to have happen in those trusted processes for things to be masqueraded
or for there to be impersonation. As a side note, we will publish the
source code on that Trusted Operating Root. We will make sure that people
have the opportunity to really go deep on that and kick the tires and know
that what we're doing in there is what we say we are doing.

DIDW: System integrity has some aspects of security, but what about the
specific security capabilities of Palladium?

Juarez: You have the ability to establish the notion of trusted code which
can't be observed or modified. Moreover, information on your machine, which
is living in one of those vaults or one of the sub-vaults, or as storage on
your disc can be encrypted with machine specific secrets so that they are
functionally useless if they are stolen. [For example,] if the hard drive
gets pulled or copied.

You've got machine specific secrets which are physically locked and
cryptographically secure in a way that provide for these benefits without
betraying information that you don't want to have revealed. The hardware
and the architecture prevents snooping, spoofing, and different kinds of
data interception. Because you have system secrets that are stored on the
machine, [Palladium] is fundamentally impervious to a BORA (Break Once, Run
Anywhere) attack. And if you do find a way to break open the machine - and
we expect the first attacks to be hardware attacks where people sand off
the silicon and pull the keys off the security chip - you've still only
broken what that one machine can do.

You can't do a widely deployable hack or put up an executable that will
essentially break the whole platform. You may perhaps be able to break a
machine, but you won't be able to break the guy's machine next to you. And
moreover, when you break a machine, the compromised security can be spotted
by service providers or other systems. Its easy to have a kind of
repudiation or ways to render the things that are being done with those
secrets useless in a functional way by virtue of the fact that you have a
unique system key set on each machine.

DIDW: Doesn't that kind of "provability" raise privacy concerns?

Juarez: Yes, and it is very important to understand a few things. First of
all your identity, or any identity, is not intrinsically linked to the key
set on your machine. We're not looking at a situation where we've got a
serial number or some unique identifier there. By virtue of the fact that
the Trusted Operating Root creates a cryptographic hash of itself, and that
all kinds of things can be hashed up and down the line, you have the
ability to create uniqueness - in the sense of being able to prove things -
without being able to discern any other kinds of information that can be
utilized to reverse engineer an identity or even track things that are
happening across a wide landscape of transactions or processes.

DIDW: Identity is often used as you have described it, which is referred to
as pseudonymous or anonymous - but provable. Are you saying that Palladium
is NOT intended to be used in the realm of things like Digital Signatures
or PKI which IS intended to supply direct and provable traceability in
certain transactions?

Juarez: It plays into that, and it supports other systems that play into
that. Part of the design goal here was to have something that could be very
flexible and adaptable to different scenarios. You can go from one end, a
scenario where's there is simply a transaction that occurs at the most base
level of public key cryptography - you don't know anything about me, I
don't know anything about you, but we both know that it's a secure
transaction, all the way up to very sophisticated scenarios involving all
different kinds of service providers - maybe service identity providers
working in tandem with authentication services with all kinds of
credentialing and certifications and authentications that would support
more sophisticated kinds of things that would be happening on a broad basis
involving multiple machines and computers. And you could have everything
that exists in between.

DIDW: So flexibility is a big goal, with nothing traceable locked in and no
specific required PKI structure it must be part of?

Juarez: The architecture is designed to be an open platform and open
environment. As an ISV or service provider you can build anything you want
on top of this platform and offer up a value proposition with consumers, or
with other businesses. It can do all kinds of interesting things. But
there's nothing in the system that says, for example, that if you run
something in one of these vaults that you've got to have the code signed,
or you have to have things authenticated. It's a very basic, open
environment and we're not trying to build any elements of it that are going
to require verification or the participation of anything other than the ISV
and the person who is using the services want to have happen.

DIDW: So Palladium is an open engine which other applications can access as
an operating system service to use for their own purposes to build the
encrypted, trusted capability into higher level things that are not yet
known. And these future applications can be from third parties as easily as
from Microsoft. But what will Microsoft's "first use" of Palladium within
your OS software be?

Juarez: One of the first things we are talking about, and I'm speaking a
little bit out of school here, is a really promising implementation of VPN
access - the ability to create really secure remote access into the
corporate network in ways that are really trustworthy. This is a very
beginning thought and it reflects the small ambition of the first early
implementations. But I think it is really interesting because it can
augment all the other things we are doing to keep our remote access
channels secure.

By having [the Palladium] environment you are guaranteed of a couple of
things. You are guaranteed first of all, from the company's point of view,
that the channels that are coming in are trusted channels. If somebody
wants to get into the network, we can prove they are who they say they are.
We can know that whatever they do, we are confident of the environment. And
we also know that whatever nasty things are going on in their computer
other than this channel can't break through the vault and infect our system.

From the [user's] point of view, it's very good to know that the channel is
secure. And this could be architected in such a way that I can be certain
that what is happening through my connection to the corporate network may
not have access to other things that are happening on my computer.

That's a very basic kind of thing and it's probably the only thing I can
reveal about what we are seeing here early. Our ITG guys are starting to
get pretty engaged to think about what kinds of things can be done on a
mission critical basis, because I really think that is the way this is
going to play out first in the short run. Enterprises that are looking at
mission critical things that are happening within their own environment
where they want another layer of security for something that they are doing
inside of their enterprise.

DIDW: You've painted the picture of a very flexible system here, Does
Palladium have to use the built-in unique keys, or is it a "blank slate"
that can be written into by the software.

Juarez: At some level it's impossible for me to answer that question with
complete clarity right now. But I can say that there is a unique
public/private key pair in the security chip and there's a symmetrical key
for some of the internal stuff that goes on. There's also some cryptography
going on in there. Exactly what that crypto it is going to be we don't know
yet, but I think you can consider it to be on par with the high end of
what's out there in terms of RSA right now or complimentary technologies.
It's too soon to tell, and these are some of the points which we are
talking to major players in the realm of security about to figure out the
right way to do this. That part is going to be pretty well baked into that
chip, as it necessarily has to be.

But in terms of the crypto that is running elsewhere, that maybe the TOR is
using, or that other parts of the system are using, the thinking there is
that there may be some sort of plug-and-play nature to the way that some of
that gets implemented. So there will be the opportunity to, maybe only at
an ISV level, choose which crypto gets used.

DIDW: Because Palladium will have an installed public/private key for at
least bootstrap purposes...

Juarez: Which is never revealed to anybody, including you.

DIDW: But it raises the questions, all the old Clipper Chip issues, of will
the government pressure you for key escrow and things like that?

Juarez: We are talking to the government now, and maybe this is where we
get some advantage from having a broad industry initiative. Our fundamental
goal is "let's do the right thing." We have pretty strong feelings about
what the right thing is on terms of making sure that things are truly
anonymous and that key escrow kinds of things don't happen. But there ARE
governments in the world, and not just the U.S. Government.

This is part of what we mean when we say we need to have a long dialog and
a process where there are multiple stakeholders involved so that 1) we
arrive at the best possible decision, and 2) since no decision will make
everyone happy, that we arrive at a decision which is widely seen, known,
and understood. So that if some stakeholders or classes of stakeholders
have problems with what's been decided, at least [it is] clear and people
can make decisions based off of that. These are issues that are not decided
and are certainly on the table.

There are a whole bunch of things in the realm you've touched on that are
big. That's why things need to be open, and can't be done in a back room or
it just won't work.

DIDW: There is a significant amount of new hardware design in what you've
discussed here. For example, you talk about a security chip as a separate
item. There are a lot of other efforts out there today and companies out
there that have worked on hardware security solutions for some time, and
you mentioned that you are working with many of those. Do you see this chip
as being a new design, or do you see picking up something that is out there?

Juarez: I think it's probably a combination thereof. There are some
considerations we have in the way that chip unfolds. We want to make sure
that it does certain things, and we want to make sure that it doesn't do
some things. We want to make sure that it is verifiable in the way that
it's built. But, you know, there's no particular kind of magic that needs
to happen in there. It's a critical component, but it's not a particularly
arcane one. It's just a piece of what's going on and exactly how that piece
gets developed, and how that development occurs within what's going on here
is on the list of things that we'll see and that we'll do. We certainly
care a lot about it. We are a founding member of TCPA, and this is, we
hope, a complimentary effort to that. Exactly what the overlap will be,
exactly how that's going to shake out, I don't know, and we're going to
have to see. We'll certainly want a lot of input.

DIDW: The TCPA issue brings up the fact that some have seen Palladium as a
bit of "in your face" to the TCPA effort. You are indicating that you don't
see it that way. Could you elaborate a little on how you see TCPA, why you
see it as separate from or complimentary to Palladium?

Juarez: TCPA is all about providing security and trustworthiness in
computing. What we're doing here addresses those same things and we think
there's some great overlap. [But] there are some differences in the two
initiatives that sort of paint this as a complimentary thing. This is not
intended to be "in your face" to TCPA by any means, and it's not intended
to be a competitive technology. That said, we've got issues that we're
going to need to deal with on that front, and we're pretty serious about
dealing with them. We'll try to do it together.

DIDW: When would you anticipate the first deliverable from Palladium?

Juarez: I would say mid-decade.

DIDW: So that would be 2004, 2005?

Juarez: Mid-decade.

DIDW: I see you're sticking with your time frame, we can respect that.

Juarez: I've been a lot more specific with you than I've been with anyone
else. It's a pleasure talking with somebody who has the level of
perspective to be able to "get" this.

DIDW: Blush...

This article comes from Digital Identity World:

Copyright  2002 Digital Identity World, LLC - All Rights Reserved
R. A. Hettinga <mailto: [EMAIL PROTECTED]>
The Internet Bearer Underwriting Corporation <>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to