[148343] in cryptography@c2.net mail archive


Re: [Cryptography] Kindle as crypto hardware

daemon@ATHENA.MIT.EDU (Phillip Hallam-Baker)
Wed Dec 4 13:24:53 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131204145009.GB17008@thunk.org>
Date: Wed, 4 Dec 2013 10:40:25 -0500
From: Phillip Hallam-Baker <hallam@gmail.com>
To: "Theodore Ts'o" <tytso@mit.edu>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Wed, Dec 4, 2013 at 9:50 AM, Theodore Ts'o <tytso@mit.edu> wrote:

> On Tue, Dec 03, 2013 at 11:39:27PM -0500, Phillip Hallam-Baker wrote:
> > What I really want from a crypto key management device is that it be
> >
> > * Small and light
> > * Have processor and display capabilities
> > * Be possible to control the operating system build completely
> > * Be cheap enough to be a burner machine
> >
> > Which is how I started thinking about the Kindle. It is pretty much ideal
> > in every respect, at least after it is jailbroken.
> >
> > And very unlikely that anyone has backdoored the existing stocks.
>
> Why not use an Arduino?
>
>                                 - Ted
>

I would not choose an Arduino due to the lack of a display capability. But
I have certainly been considering the Raspberry Pi, which has far more
capability for essentially the same price.

But the cost of a Kindle is $69 including shipping for the device and
display combined. That is a pretty hard price point to beat. And it is a
ready-to-run device rather than a kit. They can be bought off the shelf in
ready-to-run condition from numerous retail outlets. So it is pretty easy
to pin down the potential for compromise.


And further, Amazon is a company that is very net.friendly that faces a
massive problem as a result of Snowdonia. So they might well be willing to
cooperate if not participate.

The worst case risk they face would be if they are selling the Kindle at
below cost to make up the difference by selling content. Which might not
sit well with my type of application where certified destruction of the
device is a requirement in some ceremonies.


But for your typical law firm or the like looking to secure the apex of the
enterprise trust infrastructure, a Kindle kept in a tamper-evident pouch
could well be the best compromise between convenience and security.


If I was running a ceremony for a law firm I would imagine the process
would be something like the following:

1) Show up with some number of Raspberry Pi computers that have been potted
in transparent epoxy.

2) Download and confirm the boot disk for the Pi onto an SD card.

3) Disable the WiFi function on the Kindle

4) Download the key management application onto the Kindle from the Pi

5) Generate the keys, copy the encrypted versions onto the Pi, distribute
the key shares to the client key holders.

6) Either bag up the Kindle in a tamper-proof bag or perform verifiable
physical destruction.

7) Invoice the client


What would make the system easier to audit would be a special edition
Kindle that had a removable SD card instead of the built-in firmware.


-- 
Website: http://hallambaker.com/
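Two of the ceremony steps above are mechanical enough to show in code: step 2 (confirming the downloaded boot image against a digest obtained out of band) and step 5 (splitting the generated key into shares for the client key holders). The following is an added example, not code from the original post or from any Kindle or Raspberry Pi project; it implements the step-5 sharing with Shamir's threshold scheme over the field GF(2^521 - 1), which is this example's own choice, and the digest value a real ceremony would check against is assumed to come from the image's published checksums.

```python
"""Added example (not from the original post): two pieces of a key ceremony
like the one sketched in the thread, in plain Python.

  - verify_image(): step 2, confirming a downloaded boot image against a
    digest obtained out of band (where that digest comes from is an
    assumption; the operator would take it from the image's published
    checksums, not from the same download).
  - split_key() / recover_key(): step 5, dividing a generated key into
    threshold shares (Shamir's scheme) so that any `threshold` of the
    `shares` holders can reconstruct it and fewer learn nothing about it.
"""
import hashlib
import secrets

# Field for Shamir sharing: 2**521 - 1 is a Mersenne prime, so any secret of
# up to 65 bytes is a valid field element. The field choice is this example's
# assumption; a real ceremony would publish it together with the share format.
PRIME = (1 << 521) - 1


def verify_image(image: bytes, expected_sha256_hex: str) -> bool:
    """Return True only if the image's SHA-256 matches the published digest."""
    actual = hashlib.sha256(image).hexdigest()
    # Constant-time comparison so timing does not leak how much of it matched.
    return secrets.compare_digest(actual, expected_sha256_hex.lower())


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (lowest coefficient first) at x over GF(PRIME)."""
    acc = 0
    for c in reversed(coeffs):          # Horner's rule
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: int, threshold: int, shares: int):
    """Shamir split: the secret is the constant term of a random polynomial of
    degree threshold-1; share i is the point (i, f(i)) for i = 1..shares."""
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over GF(PRIME). With fewer points than
    the threshold this yields an unrelated field element, not the secret."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        # Modular inverse of den via Fermat's little theorem (PRIME is prime).
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


def split_key(key: bytes, threshold: int, shares: int):
    """Share a raw key (e.g. a 32-byte AES-256 key) as (index, value) pairs."""
    if len(key) > 65:
        raise ValueError("key longer than the field allows")
    return split_secret(int.from_bytes(key, "big"), threshold, shares)


def recover_key(shares, key_len: int) -> bytes:
    """Rebuild the raw key from at least `threshold` shares."""
    return recover_secret(shares).to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed ceremony run: a fresh 32-byte key shared 3-of-5.
    key = secrets.token_bytes(32)
    holders = split_key(key, threshold=3, shares=5)
    assert recover_key([holders[0], holders[2], holders[4]], 32) == key
    # Two holders on their own get a random-looking field element, not the key.
    assert recover_secret(holders[:2]) != int.from_bytes(key, "big")
    print("3-of-5 sharing round-trip OK")
```

Each (index, value) pair is what one client key holder would receive; the index must travel with the value, since interpolation needs both. The encrypted copy kept on the Pi in step 5 is a separate artefact and is not produced by this code.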

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography