
Microsoft's leaner approach to Vista security

Microsoft is talking up Secure Startup in Windows Vista, the sole piece of its original hardware-based security plan to make it into the OS.

Joris Evers, Staff Writer, CNET News.com
A correction was made to this story. Read below for details.
Microsoft is talking up support for hardware-based security in Windows Vista, though only a sliver of the company's original plan will make it into the operating system.

Three years ago, Microsoft unveiled Palladium, later renamed Next-Generation Secure Computing Base (NGSCB) after the original name became tainted by controversy over privacy and fair-use issues, and because another company claimed rights to the Palladium name. The technology was to be part of the next Windows release.

NGSCB promised to boost PC security by using hardware and software that would allow parts of a computer to be isolated from malicious code such as viruses and worms. It also would foil attacks that use logging devices by encrypting data as it moves between a PC's hardware components. NGSCB required significant changes to hardware and software.

In May 2004, following criticism from software makers, Microsoft said it was retooling NGSCB so some of the benefits would be available without the need to recode applications. The company has been silent on the plan since, though it insists NGSCB is not dead. Instead, its delivery is still to be determined, according to Microsoft's Web site.

Now Microsoft is busy telling hardware and software makers about Secure Startup in Windows Vista, which it says is the "first delivery" on its hardware-based security plan. Vista, previously known by its code name, Longhorn, is the next client release of Windows, due on store shelves in time for next year's holiday shopping season.

Secure Startup is primarily designed to prevent laptop thieves and other unauthorized users with physical access to a computer from getting access to the data on the system. Nearly half of all enterprises had laptops stolen, causing $4.1 million in damage, according to a January survey by the Computer Security Institute and the FBI.

"The number one goal is to prevent attackers from using software tools to get at information that is at rest on the hard drive," Stephen Heil, a technical evangelist at Microsoft said in a presentation at the Intel Developer Forum in San Francisco last week.

Current versions of Windows offer encryption of file folders, and PCs include start-up security such as Basic Input/Output System, or BIOS, passwords. (BIOS lets hardware speak to software in a PC.) However, both can be easily circumvented if an attacker has physical access to the PC. "You can get access to the system in less than 15 minutes," Heil said.

Secure Startup uses a chip called the Trusted Platform Module, or TPM, which offers protected storage of encryption keys, passwords and digital certificates. Vista uses this capability to verify that a PC has not been tampered with when it starts up and to protect data through encryption. The TPM is typically affixed to the motherboard of a PC. Because it is stored in hardware, the information is more secure from external software attacks and physical theft.

TPMs are made by a host of chip companies including Atmel, Broadcom, Infineon, Winbond Electronics, Sinosun and STMicroelectronics.

To service a PC, the Secure Startup feature can be temporarily disabled. And if a PC breaks and data on a hard drive needs to be accessed on, say, a different machine, a recovery key can unlock the system, Heil said. This recovery key is generated when a user enables Secure Startup and should be stored away from the computer.
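The two mechanisms described above, a volume key that the TPM will only release when the boot chain measures as expected, and a separately stored recovery key that unlocks the same volume when it does not, can be modelled in a few dozen lines. The following Python is an added illustration written for this article, not Microsoft's Secure Startup code or any TPM vendor's firmware; the component names, the single-PCR chip model and the HMAC-based wrapping are constructed for the example, and a real TPM 1.2 seals against several PCRs with its own key hierarchy.

```python
"""Toy model of measured boot, a PCR-sealed volume key and a recovery key.

Constructed illustration only: not Microsoft's or any TPM vendor's code.
"""
import hashlib
import hmac
import os

PCR_SIZE = 20  # TPM 1.2 PCRs hold a 20-byte SHA-1 value


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """TPM-style extend: new PCR = SHA-1(old PCR || SHA-1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold the boot chain into one PCR value, in load order."""
    pcr = bytes(PCR_SIZE)  # power-on reset value: all zeros
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, label: bytes, n: int) -> bytes:
    """Counter-mode HMAC keystream; adequate for short secrets in this model."""
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]


def wrap(key: bytes, secret: bytes) -> bytes:
    """Encrypt-then-MAC a short secret under key; returns ciphertext || tag."""
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, b"enc", len(secret))))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def unwrap(key: bytes, blob: bytes):
    """Return the secret, or None when the key is wrong (never return garbage)."""
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, b"enc", len(ct))))


class ToyTPM:
    """Minimal chip model: one root key that never leaves it, and one PCR."""

    def __init__(self):
        self._root = os.urandom(32)  # modelled storage root key
        self.pcr = bytes(PCR_SIZE)

    def extend(self, component: bytes) -> None:
        self.pcr = pcr_extend(self.pcr, component)

    def _policy_key(self, pcr: bytes) -> bytes:
        # The wrapping key depends on both the chip secret and the PCR value.
        return hmac.new(self._root, b"seal" + pcr, hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes) -> bytes:
        return wrap(self._policy_key(expected_pcr), secret)

    def unseal(self, blob: bytes):
        # Uses the *current* PCR: any change in the boot chain yields a
        # different key, so the MAC check fails and nothing is released.
        return unwrap(self._policy_key(self.pcr), blob)


# Constructed boot chains; a real chain measures firmware, boot code, loader.
GOOD_BOOT = [b"firmware v1", b"boot manager", b"os loader"]
TAMPERED_BOOT = [b"firmware v1", b"boot manager", b"rogue loader"]


def provision(tpm: ToyTPM):
    """Enable protection: seal the volume key to the good chain, issue recovery key."""
    volume_key = os.urandom(32)
    recovery_key = os.urandom(32)  # shown once; to be stored away from the PC
    sealed = tpm.seal(volume_key, measure_boot(GOOD_BOOT))
    recovery_blob = wrap(recovery_key, volume_key)  # stays on the disk
    return volume_key, sealed, recovery_key, recovery_blob


def boot_and_unlock(tpm: ToyTPM, chain, sealed: bytes):
    """Simulate a power-on: reset the PCR, measure the chain, try to unseal."""
    tpm.pcr = bytes(PCR_SIZE)
    for component in chain:
        tpm.extend(component)
    return tpm.unseal(sealed)


def scenario():
    """Returns (normal boot unlocks, tampered boot refused, recovery unlocks)."""
    tpm = ToyTPM()
    volume_key, sealed, recovery_key, recovery_blob = provision(tpm)
    normal_ok = boot_and_unlock(tpm, GOOD_BOOT, sealed) == volume_key
    tampered_refused = boot_and_unlock(tpm, TAMPERED_BOOT, sealed) is None
    recovered_ok = unwrap(recovery_key, recovery_blob) == volume_key
    return normal_ok, tampered_refused, recovered_ok


if __name__ == "__main__":
    print(scenario())  # (True, True, True)
```

The point of the model is the ordering: the volume key is never stored in the clear, the chip only derives the wrapping key from what was actually measured at this boot, and a modified loader changes the PCR before the key is requested. The recovery blob is the same volume key under an independent key, which is why the recovery key has to live off the machine, as Heil advises.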

Heil spoke at IDF to encourage hardware makers to adopt the latest TPM specification, version 1.2, released earlier this year. This is the version that Microsoft will support in Vista. Also, Heil called on software makers to build applications that take advantage of Microsoft's implementation of the TPM in Windows Vista.

Correction: This story misreported National Semiconductor as a vendor of TPM chips. National Semiconductor sold its Super I/O business, including its TPM products, to Winbond Electronics in May.

It is unclear, however, which editions of Vista will support TPM and offer Secure Startup. The feature is aimed at business PC users, Heil said. This could mean that support will be limited to premium versions of Vista. Microsoft declined to discuss packaging of the new operating system.

Microsoft also won't commit to support for TPM in the server release of Longhorn, which is scheduled for 2007. The Trusted Computing Group, which develops the TPM specifications, in July released a blueprint for use of the security chip in server computers.


TPM is not new. Microsoft is even late to the game with its support for the chip. PC vendors such as IBM, Hewlett-Packard and Dell already include TPM chips in some of their PCs and allow for features such as encrypted hard-disk drives and e-mail. HP and IBM and other companies provide software that enables those features.

"PCs with the TPM have been shipping for two-and-a-half years," said Brian Berger, head of the marketing working group of the Trusted Computing Group, which promotes open specifications to protect against software-based attacks.

According to IDC, about 25 million PCs will ship this year with TPM chips in them. Next year, the research firm predicts, about 60 million computers will ship with the security chip. By 2010 essentially all portable PCs and the vast majority of desktops will include a TPM chip, according to IDC.

NGSCB was heavily scrutinized by critics who feared it could curtail users' ability to control their own PCs and erode fair-use rights. TPM is also not without controversy. The security chip could be used for digital rights management applications and the presence of unique encryption keys has raised concerns among privacy watchers.

Although the TPM was not specifically designed for digital rights management purposes, third-party software makers could, for example, use the chip to enforce limitations on the number of times a digital media file can be played or copied, according to the Trusted Computing Group.

"There is some concern that (the TPM) could be used in a privacy-impairing way," Microsoft's Heil said. To quell those concerns, Microsoft won't require PC makers to include the security chip in their systems and the feature will be turned off by default in PCs that do ship with it, according to Heil.

Adding TPM support to Windows is "much less ambitious" than the full-blown NGSCB plan, said Rob Helm, director of research at Directions on Microsoft, a Kirkland, Wash., research firm. "But it also requires a lot less from software developers and makes it more likely to get widely adopted," he said.

Nobody is mourning the fact that NGSCB has not made it into Vista, Helm said. "The initial broad vision was just not accepted by the partners Microsoft had to enlist," he said. "Microsoft is now biting off the pieces that can get people some immediate benefit and can get support from hardware and software vendors."

Subsequent to Secure Startup, Microsoft will build other parts of its NGSCB plan, according to the company's Web site: "These will complement Secure Startup to enable a broad range of new secure computing solutions. The technical specifications, timing and delivery vehicles are TBD."