Palladium is the codename for a set of security features to be incorporated in future releases of MS Windows. It’s meant to make computers more secure by incorporating features at both hardware and software levels. The hardware will allow each machine running Palladium to have a unique identification. All Palladium-capable applications on these machines will work only if they can be authenticated and conform to certain policies. The hardware will be a cryptographic chip, and the SSC (Security Support Component) and the machine’s identification number will be hard-coded on to it. It will also handle authentication for all kinds of secure transactions, making the need for SSL or separate encryption software unnecessary.
In Microsoft parlance, three hardware mechanisms control and faciltitate the Palladium environment. The trusted space, which is the execution enviroment and a separate entity protected from external factors like viruses. This mechanism can be compared to the JVM (Java Virtual Machine), albeit, this is the hardware version controlled by the SSC chip. The second mechnism is the sealed storage, where only applications running in trusted mode can access the storage. The third is the attestation process, the one we referred to in the beginning, where an external party (read remote server) can request information about the computer that is Palladium activated. The software components include the trusted service provider called Nexus (originally known as Trust Operating Root). The services include communication services to other trusted agents. The application that runs in this enviroment is called the trusted agent.
Working
If you’ve experienced the DRM (Digital Rights Management) features in Microsoft’s WMA format, which enforces things like time-bound certificates for listening to music for a period of time, you’ll get a picture of what to expect from the Palladium initiative.
Refer to the diagram on the previous page to see how Palladium will work. It will run parallel to the Windows OS (green bar), and not as a separate layer between the OS and application. This means that normal applications will still be able to run as usual, while the Palladium-activated ones (trusted agents) will interact with the hardware through Nexus and SSC (Security Support Component).
Through Nexus and SSC the trusted agents are completely isolated against any kind of attack from viruses, etc. The official whitepaper cites an example of a Palladium-enabled anti-virus software, which runs in a “guaranteed execution state”. This means that the anti-virus software now running as a trusted agent cannot be infected by any outside programs. Hence, the need for a self-check that every anti-virus software today performs gets eliminated.
Sealed storage mentioned above makes use of SSC, making even the theft of the storage device useless. How? Because the data has been encrypted using asymmetrical encryption and one of the keys is intrinsic to the SSC of the computer in use. Hence, data is bound to the computer on which it’s generated.
More to it
DRM (Digital Rights Management) is another feature that can be built over Palladium. The modus operandi for this will be somewhat like this–you buy a music CD and run it using a Microsoft or third-party DRM-enabled player. The computer detects it and sends a request to the attestation station (remote server). The request is okayed by the music company that owns the music and you can play the music. If you make a copy of it and forward it to someone else, that someone else may recognize the file format but will not be able to play it because the music file is cryptographically watermarked and will not run beyond the sphere of trust under the Palladium umberalla. Microsoft claims that this is also pertinent to embedded systems such as cellphones, as they can also be Palladium-enabled through the hardware.
The catch
The power of Palladium lies in its ability to run only those agents which have been authorized, meaning you can only run applications that you’ve purchased legally. However, there’s also a dark side to it, especially for the open-source world.
GPL’ed software, for instance, may not be able to run on Palladium because technically there would be no attestation authority for it. Even if the software was attested to work on Palladium, there would be problems because the GPL license says that the software’s source code can be modified by anyone. So, once it’s been modified by some open-source fan in a garage, it will be different from the attested original and, therefore, won’t work.
Microsoft states that Palladium will be turned off by default with users having control of switching it on. But as momentum picks up, Palladium might become an essential and not optional feature. Music companies may only allow Palladium-activated computers to run their watermarked music, surfing sites may not be possible without enabling Palladium. A scary thought isn’t it? Other ramifications, like file sharing, may also crop up. With everything that runs on a PC needing authentication from remote servers, file sharing might end up in Microsoft’s hands with its proprietary protocol CIFS (Common Internet Flesystem), which has been actively opposed by open-source activists
(www.heise.de/ english/newsticker/data/jk-10.04.02-007/). Does that mean good bye to Samba?
The first indication of what Palladium will do can be seen in the modified EULA (End User License Agreement) of the new Windows Media Player. This explicity states that agreeing to EULA will allow Microsoft to automatically update your software to disable the use of content that’s not purchased legally (read the latest MP3 file you’ve just kaaza’ed and haven’t paid for).
But due credit should be given to the people in Redmond for awesome work in security, privacy and throwing their weight behind the effort to give what digital content creators badly need–the end to piracy.
Ankit Khare