Palladium is also Microsoft's current name for software that they are planning to incorporate into future versions of Windows that is supposed to create a trusted computing platform. Much of what has been coming out of Microsoft as of this time of writing links it to the Trusted Computing Platform Alliance (TCPA), and their own efforts at producing an 'enchanced HW and Operating System-based trusted computing platform'. However, since the details have not yet been completely released as of this writing, depending on who you ask, it could be Microsoft's own implementation of the TCPA spec, their attempt at preempting the specification by coming up with a de facto standard totally under their control, or something completely unrelated that has some areas of overlap with what the TCPA is trying to do.

What It's Supposed To Do

Basically, Palladium is an attempt to create a hardware and software-based solution to create a trusted computing platform, i.e. a computer system where users are limited in their abilities and what they can do does not affect what other users are doing. This is all well and good, until you ask who is in control of the system and says what you can and cannot do with your computer. What it would likely result in is the creation of a system where it is impossible to tamper with any software, and this software has a secure communications link to its vendor. It's one way of granting Microsoft root access to everyone's computers. In Bruce Schneier's words: "My fear is that [Palladium] will lead us down a road where our computers are no longer our computers, but are instead owned by a variety of factions and companies all looking for a piece of our wallet."

It would be a recipe for the enforcement of a digital restrictions management system that would make Disney, its cohorts at the MPAA, and the RIAA drool. If movie or video player software exists that could not be tampered, and a secure path of communications to them, it could allow them to create DVD discs that would automatically bill you every time you watched them, sell music downloads that you could not trade with your friends, etc. It would also be Microsoft's means to make the Chinese pay for software, as unauthorized copies could be instantly and remotely disabled and deleted under this system. It is also possible for this system to perform remote censorship, as it would provide a way for someone with control over the system to delete incriminating documents or other undesirable information from unsuspecting users by remote control. It could also lock you tightly into a vendor's control and make it extremely difficult to switch to using a competing system. Microsoft Word, for instance, would be in possession of cryptographic keys that no non-Microsoft program would have access to, so any files created using it would be unreadable using any other vendor's software.

Other less baneful possibilities exist. Government and corporate computer systems could have a system like this installed that would make files on them automatically "born classified", and cannot be electronically leaked to journalists or competitors. It would also provide the vaunted protection from viruses, worms, and other malware because it then becomes impossible for these pieces of malicious software to create modifications that would take control of the computer. Expect Microsoft to push this as its primary selling point, but remember that this problem existed because Microsoft allowed it to exist in the first place.

The Hardware Connection

The system works, and becomes extremely difficult to defeat, by adding a monitoring and reporting component to the computer hardware, which contains a cryptographic certificate which is unique for every chip. This is the so-called 'Fritz chip', named for the infamous US Senator Fritz Hollings, who is working mightily to get mandated that a system such as Palladium be installed in every computer. The Fritz chip is envisioned to be a smart card or other dongle soldered onto a motherboard, that begins its work when the computer is booted up. It will check that the boot ROM is as expected, gives the go signal for it to execute, then checks the configuration of the machine to see if it is an authorized one, and the loaded operating system kernel for its digital signature. If it sees everything is in ordnung it allows the boot process to proceed. If not, then the system must go online to be re-certified. The end result is the PC is booted into a known state with all components properly certified. Control is then transferred to enforcement software in the operating system kernel: Palladium.

From here, Palladium and the Fritz chip can make possible all of the things described above, which mostly boil down to certifying the computer to third parties. For instance, connected to the Internet it can perform a secure authentication protocol with a server at, say, Disney, to prove that the machine is allowed to play a copy of "The Little Mermaid". This would also mean certifying that an authorized and certified application is being used to play the movie, such as Windows MediaPlayer, preventing someone from using an uncertified player that would dump unencrypted content or give away the keys, for instance. If all is well, the Disney server will send some encrypted data that will allow the Fritz chip to unseal the movie. The Fritz chip makes this encrypted key available only to the authorized application and only if the environment remains 'trustworthy'. What it means to be trustworthy depends on a security policy obtained from the source of the key. From the example, Disney, being the source of the key would be able to dictate the conditions to the Fritz chip on which to disclose the key. They could, for instance, request that payment be made every time the movie is to be viewed. The application itself used to play the movie could also require some similar conditions, allowing the software itself to be rented.

The Fritz chip is of course the key to the system, and the fact that it's hardware makes attacking the system so much more difficult. Microsoft of course assumes that the chip will be broken, so unlike their current efforts at tamper resistant hardware with the XBox, there will be no global secrets a Fritz chip could give up. Breaking one won't break them all. Besides, in countries that have insane laws like the DMCA, it might even be illegal to do so. It will nevertheless be breakable to anyone with the ability to hook up a high-speed oscilloscope or (better yet) a logic analyzer to an active Fritz chip. Plans for the second phase of the TCPA/Palladium involve making the Fritz chip disappear completely inside the next generation Intel CPU, just as with the Pentium III Serial Number, and be beyond reach of almost everyone. It would still of course be possible to perform side-channel attacks like timing analysis and power analysis on the Palladium-embedded CPU, but that of course is far more difficult and would be something that they'll inevitably take into consideration.

Origins and Future

The ideas behind Palladium originally came from a paper by Bill Arbaugh, Dave Farber and Jonathan Smith, "A Secure and Reliable Bootstrap Architecture", which originally appeared in the 1997 IEEE Symposium on Security and Privacy. Their work later led to the granting of US Patent No. 6,185,678 on February 6, 2001. Arbaugh once worked at the National Security Agency and those ideas originated from work he had done there (why he wasn't killed before the paper was written is unknown :). Microsoft has licensed this patent, and has further applied for patents in the operating system aspects of the system, which may mean that Linux, FreeBSD or any other Free operating system may never become TCPA/Palladium-compliant. Does this sound like stuff in the Halloween Documents yet? Expect also that Microsoft will not give reasonable and non-discriminatory licensing for their patents on this to other OS vendors, so now they've got a means of killing off proprietary competition like Apple as MacOS X will not be able to provide the same kind of security services a Palladium-enabled Windows would.

Any and all of this information may change in the next few years when Palladium-enabled systems start appearing. Expect to start seeing them by around 2004 or so. Unless something is done to stop Palladium and the TCPA from materializing, everyone may very soon lose the right to read. It's the end of the world as we know it...

Palladium: Designed to protect your computer from YOU.

Palladium: Where the HELL do you think you're going today?

Update (January 26, 2003): Microsoft has apparently decided to change the name of Palladium to a buzzword-laden tongue twister: it's supposed to be called "Next-Generation Secure Computing Base". Microsoft has denied that this name change is an attempt to dodge the flurry of scathing criticism their move has made (a long tongue twister like "next-generation secure computing base" doesn't make as nice a sound bite as "Palladium"), but explaining that "this is really reflective of the fact that Microsoft is embracing this technology in terms of folding it into Windows for the next decade." They've also supposedly released the source code to the core of the next-generation secure computing base to show that it doesn't do much of what's written in this wu. But to whom? I for one would like to see this.

Update (August 23, 2005): Apparently Microsoft has attempted to put some of these ideas into practice in a new incarnation of the XBox. Fortunately for us, however, in typical Microsoft fashion the implementation they made of the bootstrap process had several security flaws and was broken within 24 hours of release. If they're really this incompetent when it comes to security then we have nothing to worry about if they ever manage to get a true Palladium/NGSCB system out the door!


Bruce Schneier's take on it:

Robert X Cringely's pessimistic outlook:

Ross Anderson's TCPA/Palladium FAQ:

Michael Steil on the XBox boot code's security flaws, which incorporates many of the ideas envisioned for Palladium: