Microsoft Trusted Computing Updates
Staff Technologist Seth Schoen, EFF's resident expert on trusted computing, recently attended this year's Windows Hardware Engineering Conference (WinHEC). Today we debut the first of a four-part series in which Schoen provides detailed updates on the status of Microsoft's security and lockware strategies for Windows. The outcome of these strategies will affect to what degree people using the platform and "trusted" PCs can maintain a desirable level of control over their own computers.
The most important message at the 2005 WinHEC about Microsoft's trusted computing effort, now known as Next Generation Secure Computing Base (NGSCB), is that it is late and will not be included in Windows Longhorn.
In fact, Microsoft is not implementing support in Longhorn for the controversial remote attestation features of trusted computing hardware. That means that publishers and service providers will not have a hardware-based means of forcing people to use particular programs for interoperability, nor of stopping people from reverse engineering or altering software on their own computers.
Microsoft is, however, continuing to develop digital rights management (DRM) technologies that could be strengthened directly by the use of trusted computing hardware in future operating system releases. Those DRM technologies are currently highly vulnerable to pure software attacks, and making those software attacks fail is one of several possible future trusted computing applications. One of Microsoft's DRM initiatives is known as "information rights management" (IRM), perhaps an attempt to avoid some of the stigma the term "DRM" carries with consumers. IRM is already supported in Microsoft Office, and, indeed, has been the subject of advertisements which portray it as a feature for preventing inadvertent disclosure of sensitive corporate information.
(Read on after the jump.)
Although NGSCB isn't included in Longhorn, Microsoft and other software developers are coming up with useful applications of trusted computing for traditional, non-DRM-like security applications, such as protecting one's own files from being read by an unauthorized person.
Wave Systems, exhibiting at WinHEC, demonstrated software for Windows that uses a Trusted Computing Group (TCG) Trusted Platform Module (TPM) trusted computing chip to make traditional file encryption more robust. Microsoft plans to include conceptually related features in Windows Longhorn; if Longhorn is run on a system containing a TPM chip, it will be able to encrypt the entire hard drive using a TPM-protected key.
Microsoft's explanation of why you would want this centers on the idea of an epidemic of lost or stolen laptops containing sensitive information. It is already possible to encrypt laptop hard drives with hard drive encryption software, but this may be cumbersome; secure implementations could require users to choose long, hard-to-remember passphrases, and to enter those passphrases often. If the encryption key is stored on the hard drive itself, and protected with a short passphrase, it would be possible for someone who steals a laptop to run a passphrase-guessing program to try all possible passphrases in a relatively short time. Even if the laptop's operating system prohibits such a program from being run, the laptop's hard drive could be removed and installed in another machine. Thus, software hard drive encryption alone may be cumbersome or ineffective. (Microsoft has described other problems with pure software hard drive encryption, including what happens if a laptop hibernates and is woken up a long time later, what happens if a laptop has multiple authorized users with different passwords, and what happens if a computer contains sensitive information but needs to be able to boot or reboot without a human being present.)
Although there are software techniques that may address some of these problems, the use of a TPM's sealed storage feature is an appealingly simple approach. The TPM itself protects the access to the hard drive's decryption key; if the hard drive is removed from its original machine and placed into a new machine, the new machine will not be able to derive the decryption key. If the machine is made to boot a different operating system, the TPM will not be able to unseal the encrypted partitions on the hard drive. This is not a DRM-like application, however; authorized users retain the ability to make complete backups of all their data or to move it to another computer or software environment. (Because systems with encrypted hard drives have more failure modes than systems with unencrypted hard drives, it's especially important that users who choose to use such a feature do make regular backups!)
When a laptop protected with this technology is lost or stolen, its hard drive cannot usefully be decrypted if removed from the laptop; if the laptop is booted normally, however, its operating system will continue to enforce its security policy, denying access to anyone who does not present the appropriate passwords or credentials. This technique can also protect data on a machine in a colocation facility by denying access to anyone who steals or seizes the colocated machine. In a sense, TPM-based hard drive encryption means that obtaining physical access to a machine will no longer allow someone to obtain administrator-privileged access to the data stored on that machine. It does not, however, inherently impose any new restrictions on those with authorized access.
Still, Microsoft notes that a skilled person can attack the TPM from hardware. Thus, someone who steals a laptop might be able to use the PC equivalent of a video game console mod chip to bypass the TPM protections and recover data. The hardware necessary for this attack is inexpensive, but the skill and time required are fairly great. It may therefore be the case that TPM-based file or disk encryption will provide adequate protection for laptops against opportunistic or non-targeted attack. As even the Trusted Computing Group acknowledges, the TPM is not intended to protect against a skilled hardware attacker. If hardware attacks against the TPM become cheap and readily available, the kind of protection TPM-based trusted computing offers to a stolen laptop -- or a colocated machine with sensitive data -- may appear increasingly inadequate. In Microsoft's view, it is still likely strong enough to deter casual thieves from getting at sensitive information, because they are not likely to try to make sophisticated attempts to break a stolen system's security policy. On the other hand, law enforcement agents or corporate spies might well develop automated means of defeating this kind of security.
It's too early to tell, then, whether this trusted computing application will provide much incremental benefit over pure software encryption to particular kinds of users. Its biggest benefit may turn out to be in usability -- it will be bundled with Windows and relatively transparent, unlike much existing software encryption. It's thus more likely to be used, and used correctly and pervasively, than many other encryption technologies.
Microsoft's NGSCB project, although delayed, remains troubling because of its ability to strengthen DRM-like applications and facilitate software lock-in. There may also be a smooth upgrade path from the innocuous trusted computing implementation in Windows Longhorn to future implementations that help software impose restrictions on the user. Those who do see value in the TPM-based hard drive encryption should keep a close eye on what policies the TPM is enforcing and whose interest they serve. Microsoft, for its part, can keep NGSCB solidly on the user's side -- if it chooses -- by implementing a "owner override" that gives the computer owner ultimate control over which security policies the TPM will enforce.