[148080] in cryptography@c2.net mail archive
Re: [Cryptography] CD bootable Linux (was randomness +- entropy)
daemon@ATHENA.MIT.EDU (Nico Williams)
Thu Nov 7 19:11:20 2013
X-Original-To: cryptography@metzdowd.com
Date: Thu, 7 Nov 2013 16:28:37 -0600
From: Nico Williams <nico@cryptonector.com>
To: Thierry Moreau <thierry.moreau@connotech.com>
In-Reply-To: <527BA9A2.1030404@connotech.com>
Cc: Cryptography <cryptography@metzdowd.com>, Jerry Leichter <leichter@lrw.com>,
Watson Ladd <watsonbladd@gmail.com>, John Kelsey <crypto.jmk@gmail.com>,
RNG mlist <rng@lists.bitrot.info>, John Denker <jsd@av8n.com>,
Theodore Ts'o <tytso@mit.edu>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Thu, Nov 07, 2013 at 09:54:26AM -0500, Thierry Moreau wrote:
> >In fact, though, I can think of one simple example: A CD Linux image
> >used precisely to conduct operations we want to keep secure. For
> >example, there's a suggestion that small businesses use exactly such
> >a thing to do their on-line banking, as their usual systems are way
> >too vulnerable to various kinds of malware (and small businesses have
> >been subject to attacks that bankrupted them). The CD itself can't
> >carry a seed, as it will be re-used repeatedly. It has to come up
> >quickly, and on pretty much any hardware, to be useful. You could
> >probably get something like Turbid in there - but there are plenty of
> >CD's around already that have little if anything.
12 years ago, in the aftermath of a time-bomb attack on a bank by a
disgruntled [ex-]employee, I co-wrote recommendations on how to deal
with that in the future. Those were pre-TPM days, and one part of our
proposal was to investigate booting from read-only media or secure NFS
(also non-existent back then; nowadays one might consider diskless iSCSI
booting) as a way to prevent time bombs being left in boot images.
We also proposed -and implemented- making privileged access to systems
much more closely audited as a deterrent. The read-only media concept
made, effectively, for an easy-to-audit boot media update process (but
it required additional physical security protections).
Read-only media is a poor-man's TPM-measured boot media. Highly
effective.
Anyways, the take-away: we need HW RNGs on all systems that need to boot
from read-only media, or even TPM-measured media (because any next-boot-
seed must be measured or be considered not trusted, and because updating
the TPM every time the system boots/shuts down very much weakens the
TPM-measured boot proposition.
It also so happens that we should want HW RNGs on *every* system.
We also want CPU cycle counters, hi-res timers, and so on so that there
are some sources of entropy (jitter) that aren't (can't be) potentially-
backdoored HW RNGs.
That's it. ARM and other CPU designers: give us both of those things!!
> There is this US military sector initiative "Lightweight Portable
> Security" with precisely this mandate.
>
> http://www.spi.dod.mil/lipose.htm
Thanks for the link, that's very interesting.
Nico
--
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography