Needed: Dongles and "Crypto Boxes" on Ports
At 4:56 PM 3/5/96, Hal wrote:
...
>It will be just as easy to steal the mixmaster executable as to steal a
>script file containing a pass phrase.  And it might even be possible to
>run the stolen mixmaster directly to decrypt intercepted incoming mail
>messages, without even having to type in the pass phrase.  Failing that
>the attacker could easily extract the pass phrase from the mixmaster
>executable file.
>
>The other suggestion that was made here, that the operator would have to
>manually type in the pass phrase every time the computer rebooted, would
>be a way of avoiding having the information in the clear on the disk.
>However it would probably not be a practical method of operation given
>the reliability of at least the Unix operating systems that I am familiar
>with.  And even then the information is in memory.  An attacker who could
...

It seems to me that we get some of the advantages of "secure hardware" (and
I don't mean in a formal NSA "Orange Book" sense) by having secure dongles
attached to serial or other ports on machines. "Dongles" are the much-hated
copy protection devices used with some products: they typically are a small
plastic-packaged doodad plugged into a serial port on a PC. (The Mac
versions are less common; don't know if Unix boxes have ever used them.)

In the case described by Hal, there might be two imaginable modes of operation:

1. The dongle feeds a passphrase at boot time. This is not very secure, as
means could be found to either intercept the supplied passphrase and/or
find system commands that would trigger the providing. But at least the
passphrase is nominally not stored on a disk accessible to outsiders. (The
passphrase is still presumably in memory, as noted above by Hal, and by
others. But at least it's not on a disk.)

2. Some sort of zero knowledge protocol in which the dongle possesses the
secret knowledge and does part of the decryption, etc. Seen more broadly,
this dongle might actually be a separate PC box, 386- or 486-based, and
connected to the main Unix box. The main box would still do the usual
stuff, but the "secure box" would have a constrained set of
operations--maybe running a stripped-down Linux or FreeBSD a la our
discussions a few years ago--and would essentially only operate as a crypto
box.

A separate crypto box could be quite cheap, and one could imagine measures
to make it less prone to physical tampering (*) and certainly less prone to
network snooping.

(* Tamper-resistant vs. tamper-responding. See the FAQ. Basically, there is
no such thing as a "tamper-proof box." But "tamper-resistant" can mean PC
boards potted in epoxy, locked lids, no floppies, alarms, etc. And
"tamper-responding" means there is evidence given that a security barrier
has been breached.)

A "crypto box" could in fact handle most of the mix functions directly,
bypassing the Unix box. The Unix box--the one hooked to the Net in the
usual way--would get the incoming packets, send them to the crypto box,
then get back the processed messages.

If done right, the crypto box could ensure that no records are kept of the
mapping between incoming and outgoing messages. A court order to produce
the mapping could then be honestly responded to with a "no records are
kept, or can even possibly be kept." (Without modification of the
software/hardware, something which Digital Telephony II could certainly
mandate, but it doesn't exist now.)

I think a "crypto box" based on a cheap 486 box, a reduced functionality
Linux, and very limited storage capabilities (possibly no disk, only RAM),
could be an interesting way to solve both the passphrase-snarfing and
LEA-subpoenaing problems. While not as secure as either a Chaumian
tamper-responding digital mix (cf. the 1981 paper in CACM) or as a
software-based DC-Net, it sure does beat the current model of multiuser
Unix boxes running remailers out of user accounts!

(A word on separating the functions into a "network box" (what I've also
called a "Unix box") and a separate "crypto box." There is no reason one
box cannot do both... but by separating the two functions and linking the
boxes via a secure connection, one faces less temptation to add more
capabilities, storage, and users to the "crypto box." So, I think it better
for remailer operators to continue to have their powerful, capable, net
connection boxes and then have a stripped-down, possibly RAM-only box that
only does limited things. It's also possible to have several boxes, just
with different Net addresses, but there might still be the temptation to
give the "remailer box" more capabilities. My intuition is that it would be
easier and more secure to just have the crypto/remailer box as a slave or
dongle to the more capable box.)

--Tim May

Boycott "Big Brother Inside" software!
We got computers, we're tapping phone lines, we know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
[email protected]  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^756839 - 1  | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."
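
The split Tim sketches above (a Net-facing host that holds no key, and a RAM-only crypto box that takes a batch of ciphertexts, decrypts them, reorders them and keeps nothing), as an added Go illustration that is not part of the original post or of any remailer's code. RSA-OAEP from Go's standard library stands in for whatever cipher a real mix would use, the batch-decrypt-shuffle step is the Chaum-style mix function the post refers to, and the 2048-bit key size is an assumption for the demo.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/big"
)

// CryptoBox plays the stripped-down, RAM-only box: the private key is made
// here and never leaves; the Net-facing host only calls Process with a
// batch of ciphertexts. (Added illustration, not code from the post;
// RSA-OAEP stands in for whatever cipher a real remailer would use.)
type CryptoBox struct{ priv *rsa.PrivateKey }

func NewCryptoBox() (*CryptoBox, error) {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &CryptoBox{priv: k}, nil
}

// PublicKey is all that senders or the network box ever see.
func (b *CryptoBox) PublicKey() *rsa.PublicKey { return &b.priv.PublicKey }

// Seal is the sender's side: one message encrypted to the box's key.
func Seal(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

// Process decrypts a whole batch, drops anything undecipherable, shuffles
// the plaintexts with a CSPRNG and returns them. Nothing is stored on the
// box between calls, so there is no in-to-out mapping to hand over later.
func (b *CryptoBox) Process(batch [][]byte) ([][]byte, error) {
	out := make([][]byte, 0, len(batch))
	for _, ct := range batch {
		if pt, err := rsa.DecryptOAEP(sha256.New(), nil, b.priv, ct, nil); err == nil {
			out = append(out, pt)
		}
	}
	for i := len(out) - 1; i > 0; i-- { // Fisher-Yates shuffle
		j, err := rand.Int(rand.Reader, big.NewInt(int64(i+1)))
		if err != nil {
			return nil, err
		}
		out[i], out[j.Int64()] = out[j.Int64()], out[i]
	}
	return out, nil
}
```

The host that calls Process sees ciphertexts going in and plaintexts coming out in an order unrelated to arrival, which is exactly the state of affairs the "no records are kept" answer depends on.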