Microsoft Security Plan Has Gaps, Study Says

Record labels and movie studios are eagerly anticipating the potential file protection capabilities of Microsoft Corp.'s Next-Generation Secure Computing Base technology.

Record labels and movie studios are eagerly anticipating the potential file protection capabilities of Microsoft Corp.s Next-Generation Secure Computing Base technology, but new research contends the architectures security features may also help pirates and file swappers protect their ill-gotten gains.

At the heart of the issue, according to a paper due to be published this week by researchers from Harvard University, in Cambridge, Mass., is a key feature of NGSCB called remote attestation. The technology lets one piece of code digitally sign another program or a piece of data to assure the recipient of the signature that the code was built by a cryptographically identifiable software stack.

Microsoft and its partners envision this system being used to verify the identity of software running on remote machines and make certain the software hasnt been modified since its manufacture.

This kind of protection is seen as central to the types of advanced digital rights management systems sought by content owners as a countermeasure against piracy. However, this chain of trust can be turned around and used by the people doing the illegal copying and distribution, according to the papers authors.

If the operator of a peer-to-peer network such as those commonly used to post and trade music, movies and other media files wanted to ensure that only authorized users—and not representatives of record labels or movie studios—were on the network, the operator would simply need to require that every client application entering the network be certified by an authority that the operator controls. Thus, every user would be individually authorized.

Stuart Schechter

"Though this technology was envisioned to thwart pirates, it is exactly what a peer-to-peer system needs to ensure that no client application can enter the network unless that application, and the hardware and operating system it is running on, has been certified by an authority trusted by the existing clients," conclude graduate students Stuart Schechter (pictured left) and Rachel Greenstadt and a Harvard professor of computer science and electrical engineering, Michael Smith. The trio will present the paper at the Workshop on Economics and Information Security at the University of Maryland, in College Park, at the end of this month.

Latest Microsoft News:

Latest Security News:

For more on WinHEC, check out our special section.