[146400] in cryptography@c2.net mail archive
Re: [Cryptography] Using Raspberry Pis
daemon@ATHENA.MIT.EDU (Mark Smith)
Mon Aug 26 19:36:53 2013
X-Original-To: cryptography@metzdowd.com
Date: Mon, 26 Aug 2013 15:04:44 -0700
From: Mark Smith <mark@halibut.com>
To: cryptography@metzdowd.com
In-Reply-To: <20130826174308.70368e06@jabberwock.cb.piermont.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--===============7086313029343441196==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="xtv4V16pHNclge1Bp6j8t1WX2okdALUew"
This is an OpenPGP/MIME signed message (RFC 4880 and 3156)
--xtv4V16pHNclge1Bp6j8t1WX2okdALUew
Content-Type: multipart/mixed;
boundary="------------030901010507060001070704"
This is a multi-part message in MIME format.
--------------030901010507060001070704
Content-Type: multipart/alternative;
boundary="------------080206080808090409070007"
--------------080206080808090409070007
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
I was pointed to this list by a friend of mine who thought I'd be
interested in this discussion, and indeed I am. I intended to lurk for
a while before posting, but this discussion so perfectly fits with a
SkyTalk I gave at DefCon last year (DC20, not just a few weeks ago)
where I proposed this very thing: A small home-router type device that
contains everything that I do on-line, such as Email, IM, DNS, my node
in that mythical federated social network that doesn't really exist,
etc. (I'm kind of embarrassed now that I was promoting Diaspora at the
time. *sigh*)
Unfortunately, the realities of my life are that I haven't done anything
about this, but I did get a few emails after my talk from people saying
they were. 'course, I haven't heard anything SINCE then so who knows.
Anyway. In case any of you are interested, my talk is available here:
https://archive.org/details/skytalks_defcon_20_taking_back_our_data_smitt=
y_2012_07_27
I'd be interested in hearing your comments or thoughts. If anything
strikes you as a good idea, by all means use it. While I'm interested
in seeing this happen, the realities of my life are that I'm unlikely to
be the one to do it.
Specifically, I'd love to be told why something like NameCoin
distributing both DNS server and domain-limited CA certs would NOT
work. There is the issue of scale with block-chain technologies like
that, but is that the ONLY thing? Or is there a fundamental problem
with the technology?
-Mark
On 08/26/13 14:43, Perry E. Metzger wrote:
> On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Baker
> <hallam@gmail.com> wrote:
>> I really like RPis as a cryptographic tool. The only thing that
>> would make them better is a second Ethernet interface so they could
>> be used as a firewall type device.
> You can of course use a USB ethernet with them, but to me, they're
> more a proof of what you can do with a very small bill of materials.
>
> If you're designing your own, adding another ethernet (and getting
> rid of unneeded things like the video adapter) is easy.
>
> Custom built hardware will probably be the smartest way to go for an
> entrepreneur trying to sell these in bulk to people as home gateways
> anyway -- you want the nice injection molded case, blinkylights and
> package as well. :)
>
>> The main con is that they are not so fast that you want to be
>> routing packets through them unnecessarily. So they are a great
>> device to make use of for connection brokering, not such a great
>> idea to tunnel video packets through them.
> Not sure that's really true for normal home networks. The current
> average home NAT box is, in fact, a CPU in this class running Linux,
> so we have proof of concept of them pushing packets fast enough
> running in millions of homes. The processors in question are also
> quite cheap, and only getting cheaper and more powerful -- multicore
> will be universal before long.
>
>> So I would like at minimum such a device to be my DNS + DHCP + PKI
>> + NTP configuration service and talk a consistent API to the rest
>> of the network.
> Not an unreasonable goal -- particular details of what software is
> running depend on what one's final application mix is.
>
>> Putting a mail server on the system as well would be logical,
>> though it would increase complexity and more moving parts on a
>> trusted system makes me a little nervous.
> Modern Linux systems have pretty good MAC and similar security
> hardening available. They're a pain in the neck to configure, but if
> you're handing people firmware, that only has to be done once. It
> isn't perfect but it is better than what almost anyone has at home
> now or what they rely on elsewhere.
>
> (I would prefer to see hybrid capability systems in such
> applications, like Capsicum, though I don't think any such have been
> ported to Linux and that's a popular platform for such work.)
>
> In the long term, of course, I'd like to see the work in seL4
> extended to open source systems, but that's a very long term goal.
>
--------------080206080808090409070007
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<html>
<head>
<meta content=3D"text/html; charset=3DISO-8859-1"
http-equiv=3D"Content-Type">
</head>
<body bgcolor=3D"#FFFFFF" text=3D"#000000">
<pre wrap=3D"">I was pointed to this list by a friend of mine who tho=
ught I'd be
interested in this discussion, and indeed I am. I intended to lurk for
a while before posting, but this discussion so perfectly fits with a
SkyTalk I gave at DefCon last year (DC20, not just a few weeks ago)
where I proposed this very thing: A small home-router type device that
contains everything that I do on-line, such as Email, IM, DNS, my node
in that mythical federated social network that doesn't really exist,
etc. (I'm kind of embarrassed now that I was promoting Diaspora at the
time. <b class=3D"moz-txt-star"><span class=3D"moz-txt-tag">*</span>sigh<=
span class=3D"moz-txt-tag">*</span></b>)
Unfortunately, the realities of my life are that I haven't done anything
about this, but I did get a few emails after my talk from people saying
they were. 'course, I haven't heard anything SINCE then so who knows.
Anyway. In case any of you are interested, my talk is available here:
<a class=3D"moz-txt-link-freetext" href=3D"https://archive.org/details/sk=
ytalks_defcon_20_taking_back_our_data_smitty_2012_07_27">https://archive.=
org/details/skytalks_defcon_20_taking_back_our_data_smitty_2012_07_27</a>=
I'd be interested in hearing your comments or thoughts. If anything
strikes you as a good idea, by all means use it. While I'm interested
in seeing this happen, the realities of my life are that I'm unlikely to
be the one to do it.
Specifically, I'd love to be told why something like NameCoin
distributing both DNS server and domain-limited CA certs would NOT
work. There is the issue of scale with block-chain technologies like
that, but is that the ONLY thing? Or is there a fundamental problem
with the technology?
-Mark</pre>
<div class=3D"moz-cite-prefix">On 08/26/13 14:43, Perry E. Metzger
wrote:<br>
</div>
<blockquote
cite=3D"mid:20130826174308.70368e06@jabberwock.cb.piermont.com"
type=3D"cite">
<pre wrap=3D"">On Mon, 26 Aug 2013 16:12:22 -0400 Phillip Hallam-Ba=
ker
<a class=3D"moz-txt-link-rfc2396E" href=3D"mailto:hallam@gmail.com"><h=
allam@gmail.com></a> wrote:
</pre>
<blockquote type=3D"cite">
<pre wrap=3D"">I really like RPis as a cryptographic tool. The on=
ly thing that
would make them better is a second Ethernet interface so they could
be used as a firewall type device.
</pre>
</blockquote>
<pre wrap=3D"">
You can of course use a USB ethernet with them, but to me, they're
more a proof of what you can do with a very small bill of materials.
If you're designing your own, adding another ethernet (and getting
rid of unneeded things like the video adapter) is easy.
Custom built hardware will probably be the smartest way to go for an
entrepreneur trying to sell these in bulk to people as home gateways
anyway -- you want the nice injection molded case, blinkylights and
package as well. :)
</pre>
<blockquote type=3D"cite">
<pre wrap=3D"">The main con is that they are not so fast that you=
want to be
routing packets through them unnecessarily. So they are a great
device to make use of for connection brokering, not such a great
idea to tunnel video packets through them.
</pre>
</blockquote>
<pre wrap=3D"">
Not sure that's really true for normal home networks. The current
average home NAT box is, in fact, a CPU in this class running Linux,
so we have proof of concept of them pushing packets fast enough
running in millions of homes. The processors in question are also
quite cheap, and only getting cheaper and more powerful -- multicore
will be universal before long.
</pre>
<blockquote type=3D"cite">
<pre wrap=3D"">So I would like at minimum such a device to be my =
DNS + DHCP + PKI
+ NTP configuration service and talk a consistent API to the rest
of the network.
</pre>
</blockquote>
<pre wrap=3D"">
Not an unreasonable goal -- particular details of what software is
running depend on what one's final application mix is.
</pre>
<blockquote type=3D"cite">
<pre wrap=3D"">Putting a mail server on the system as well would =
be logical,
though it would increase complexity and more moving parts on a
trusted system makes me a little nervous.
</pre>
</blockquote>
<pre wrap=3D"">
Modern Linux systems have pretty good MAC and similar security
hardening available. They're a pain in the neck to configure, but if
you're handing people firmware, that only has to be done once. It
isn't perfect but it is better than what almost anyone has at home
now or what they rely on elsewhere.
(I would prefer to see hybrid capability systems in such
applications, like Capsicum, though I don't think any such have been
ported to Linux and that's a popular platform for such work.)
In the long term, of course, I'd like to see the work in seL4
extended to open source systems, but that's a very long term goal.
</pre>
</blockquote>
<br>
</body>
</html>
--------------080206080808090409070007--
--------------030901010507060001070704
Content-Type: application/pgp-keys;
name="0xD4217DB1.asc"
Content-Transfer-Encoding: quoted-printable
Content-Disposition: attachment;
filename="0xD4217DB1.asc"
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)
mQGiBFIST5ARBACT1X9uUIFlZ3jrYGbg4wLwUsqX7NkSi/qAHWQdRp59fxsq/z8C
DI/YOj/Eh84Sb6YVeiQXjt7VCGst03TeyXOX1LNOVLCcLujAnkqR2iRisFAT8q6g
1E81gKwpAvV09Dp6CLYdRzSCMQf2cD0Lh68u5QChPWCTaEzcELchNLDslwCgn2zA
/FcefFKG3he8zSLdjmRIwk8D/3YVAFaCxK+FWJ5Ltc1zvfVkh5U3nVcJvf4ymHxg
sw2HzuhTXP/uQ+MqXNmBBokAJynrD0h5VhHsKXYRoed8zqecNwWRn17Jawyvare6
O6qjIVvluIjAG1lMloo6diwSMKb+LE4fgu0GUHfscL6cL1YlhYwDFfyof75zcwPQ
aDjdBACQYmVr1uDsw7WZKl6LMz76ZOpjOwleNy0aOJPBAzVbMoFG4cMlO4rz6T3L
ruxJCiQLkexBdFMhgwoTVGy1NhXnQlk4YAHoprvtQpR1AlkyFj6y8spy4TlsSISB
bsn+2+hZLnfUaSRowQpqWcrdvqBOFWpdbVK/D/Uf0xiM/+M3abQdTWFyayBTbWl0
aCA8bWFya0BoYWxpYnV0LmNvbT6IYgQTEQIAIgIXgAUCUhjoGQgLCQgHAwIKBAYV
CgkICwIFFgIDAQACHgEACgkQdUKnqNQhfbHcXACeLRIuTfOR9AXt06FWfdiEWbMx
SQ4AnRzNERSHthEnJ8/Iv0350SVOVLxpiQEcBBMBAgAGBQJSF5+0AAoJEBXWm1Ga
B4AAl2QH/RrqBBDZHEmASqWxcmAcAl0HnAN1JGUFqPfTRYMRKHBskG5tqzU1ZT3a
h3BP29aEurPfwEGX3X3B3BZVh/ZrfP+n+vfrGxpekvlUvfCTAh9inWBkcBLOMhWW
VpS9ulK5v8JDQamKGb9wn9c4SvvcAXeECIK8hhYRoOvQ/syCgx8Ssx6zH6Yg4Ec6
vex9Adqe5ibjsek0CH3uppPwKTutYum/Am/IlvMFanqGX6VxyNTe1RJe2F0e1LUX
0MqJD8J4FHVlZ1F3ENDz5D7ctEIfUDsxdIjHG7lsF0/K4DzQBVDJH0lbj3UpE9XQ
sCUwU1cRXJmReFXq02Ip7jT+09dOzWyIRgQTEQIABgUCUhefwQAKCRDhYlYS4R1n
9/csAJ4j4PDB2UvL8uOpY0jLDPJ1No3NkgCgpSP1VJh6V4QKlog7FEPPSu1GW+OI
VwQTEQIAFwUCUhJPkAULBwoDBAMVAwIDFgIBAheAAAoJEHVCp6jUIX2xgn4An1FG
PgplzKnMC33VO8a8dUlUqf6VAJ45/iFPNTGJ0WaNfBnN3O8LzqAHhrkEDQRSEk/Y
EBAA/v/4vpxG/ptZzoZCwvJSaoNwkr3diEg0SU8zAVuDNM3QYINpaju+bCf+PX0P
p8aAHg4CjAs6Z6NjnYQ1IVO+ZFTMmEtUpm7IY9+hHZsdPcWU+Jp/j1sAOUjxXMPa
11XEtBSTv1YNLJlHTfFqqL1VmlWfBzMzLIidHFpKrO5Bd7JrHRK4/H6v3/t3V0QJ
vtGLe+BrNjJTfyFcyTv1M+HOEWepf1CjDEi6raJvTa6j/1D6euTDjEgwv2Zn64Kj
cD9O69xy4cmL46OZ/jRxR76eHhUmNrnMj5Vw/jKDLE2yMlrcK4c2WwJqzijh7Iy/
W2RfPMEBWscEHieGDA2NmbbYTxVSGdNT2WHGaHvih46qnSRIis9eDxgTpxQP2ZC+
BaGkUiXQi946ezbu/dxrRHdITwLUqsfKRB9BeMSbfgeC5R5i9vG0sw/0OPHEVcmk
CV0D1fvqAjTvl7DVz043uf58DWjVNEFPbXb0l/o5MA47599Im91+CSI3+XuvkPcw
Bz4tz9VGxP4TUM77ziHFmY1N3RT9yO/ojSj8csNjyMRCrCBTOgkss9qcoXDC97/A
ukEme88w2yehJsL9xsT+Tmx7m08mr4YKvfrz/IL78pdmEKsTayKCFgTqoXgIAKoN
h+LxvnGnUzBQlRIhUf2Rp51F40+jJnbNri+oMPw07VfTGGMAAwUQAOIIe+25Jvhq
yOTnz5af9Do3/LgDZ+OWqBNVzUo5ZOMUvVccB0tpRP3EOjlkNErtp2OP1aFqSoKa
tH8/XfkPer5QBRqWyZQrdyI2Lga5lYjPCRhI9rokwrX1dNd8yl1mKT2goS4mzMz6
+7bR1zEQs79aPwBkh2tmPouxdZA6JQAlK7ycLTvcO8acxs0qsHa4PCnsQYcU/FwC
1qSv2aG4BC3/ivmWys+BXaBn0udl1MLEM/OuXbqfhgOSwG5MGAqjwEuc/Cpg5u5k
mCSJHmKgEorA8mqa6TcKb4b44WIrzAXb0cNLvc/uld8BS+NJq86EKpnUgQQX/9c0
iMOX/nCCjlDpMGPjKe0nog6T0HooSclv5boBKrLsE3okRjZv0r83BLwsVNtazHSg
NMnI5iNW/9NJvqlEPqyeh3YjFDHIhq1RK+6iIkRengvu0pJC2Y10WJld4Vle6fbi
XBtBGk4X3V99iaQf64O+NFvYLsrg6pZeJl29mTKjLFdGaF+5fOFtaw/mVYGoUKuv
ru6pclhycYNtlThXHvmx1h+HWoj9kTOojkVI7w5taiVg61TIb2fLifpJUPvr1R+/
N/bm7V9zOWEntNW6P3rXgN3EMHy+dBDEKryiujNIzCJF+rIjzow11Hf0K4NxwWQg
qf9A/X6TepD6XeiMJKueC5jG8ZiStyLhiEYEGBECAAYFAlIST9gACgkQdUKnqNQh
fbEQiACfcDelz246hxiqE+XyBXKDQVeglhoAoJLeTXWHKrxDghW+aMx1AOMwfYvo
=3DJqCE
-----END PGP PUBLIC KEY BLOCK-----
--------------030901010507060001070704--
--xtv4V16pHNclge1Bp6j8t1WX2okdALUew
Content-Type: application/pgp-signature; name="signature.asc"
Content-Description: OpenPGP digital signature
Content-Disposition: attachment; filename="signature.asc"
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
iEYEARECAAYFAlIb0PwACgkQdUKnqNQhfbEYLACeOVF6N3ApgMeGhiLYf6YV6Nnk
oI8AmgOqOmyEFO2zUisX6u3TRaObyB44
=2Rwt
-----END PGP SIGNATURE-----
--xtv4V16pHNclge1Bp6j8t1WX2okdALUew--
--===============7086313029343441196==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
--===============7086313029343441196==--
