crypto question

Arnold G. Reinhold reinhold at world.std.com
Thu Mar 21 19:44:51 EST 2002


At 8:52 PM -0800 3/20/02, Mike Brodhead wrote:
> > The usual good solution is to make a human type in a secret.
>
>Of course, the downside is that the appropriate human must be present
>for the system to come up properly.

It's not clear to me what having the human present accomplishes. 
While the power was out, the node computer could have been tampered 
with, e.g. a key logger attached.

>
>In some situations, the system must be able to boot into a working
>state.  That way, even if somebody accidentally trips the power-- I've
>had this happen on production boxen --the system outage lasts only as
>long as the boot time.  If a particular human (or one of a small
>number of secret holders) must be involved, then the outage could be
>measured in hours rather than minutes.

Who said you were allowed to lose power and stay secure? Laptops are 
pretty cheap and come with multi-hour batteries.  There should be 
enough physical security around the node to prevent someone from 
"tripping" power.

One approach might be to surround a remote node with enough sensors 
so that it can detect an unauthorized attempt to physically approach 
it. Web cams are pretty cheap. Several cameras and/or mirrors would 
be required to get 4Pi coverage.  Software could detect frame to 
frame changes that indicated an intrusion. The machine would be kept 
in a secure closet or cabinet. The machine would be set up in 
whatever location by a trusted person or team and would remain 
"conscious" from then on. Entry would be authorized via an 
authenticated link. Any unauthorized entry would result in the node 
destroying its secrets. It would then have to be replaced.

>
>Don't forget that Availability is also an important aspect of
>security.  It all depends on your threat model.
>

The approach I outlined offers very high availability.


Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
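
The sensor-and-wipe scheme sketched in this message, as an added example that is not part of the original post: frame-to-frame differencing with a noise threshold, an entry authorization check, and destruction of the secret on unauthorized change. The names `Node` and `changed_fraction`, the thresholds, the HMAC tag standing in for the "authenticated link", and the 8x8 frames are all assumptions constructed for illustration.

```python
import hashlib
import hmac

def changed_fraction(prev, cur, pixel_delta=25):
    """Fraction of pixels whose grayscale value moved by more than pixel_delta."""
    pairs = [(p, c) for rp, rc in zip(prev, cur) for p, c in zip(rp, rc)]
    return sum(abs(p - c) > pixel_delta for p, c in pairs) / len(pairs)

class Node:
    """Hypothetical node: holds a secret, watches frames, wipes on intrusion."""
    def __init__(self, secret, auth_key, area_threshold=0.05):
        self.secret = bytearray(secret)   # mutable so it can be overwritten
        self.auth_key = auth_key
        self.area_threshold = area_threshold
        self.prev = None
        self.entry_authorized = False
        self.destroyed = False

    def authorize_entry(self, nonce, tag):
        # Assumption: the "authenticated link" is modelled as an HMAC-SHA256
        # tag over a nonce; a real link also needs freshness/replay protection.
        expected = hmac.new(self.auth_key, nonce, hashlib.sha256).digest()
        self.entry_authorized = hmac.compare_digest(expected, tag)
        return self.entry_authorized

    def observe(self, frame):
        """Return True if this frame differs enough from the last to count as intrusion."""
        prev, self.prev = self.prev, frame
        if prev is None or self.destroyed:
            return False
        intrusion = changed_fraction(prev, frame) > self.area_threshold
        if intrusion and not self.entry_authorized:
            # Best-effort wipe: Python cannot guarantee no other copies exist.
            self.secret[:] = bytes(len(self.secret))
            self.destroyed = True
        return intrusion

# Constructed 8x8 grayscale frames (sample data, not camera output).
QUIET = [[100] * 8 for _ in range(8)]
NOISY = [[103] * 8 for _ in range(8)]            # sensor noise only
INTRUDER = [[200 if r < 3 and c < 3 else 100 for c in range(8)] for r in range(8)]

if __name__ == "__main__":
    node = Node(b"\x42" * 16, auth_key=b"constructed-auth-key")
    for name, frame in [("quiet", QUIET), ("noisy", NOISY), ("intruder", INTRUDER)]:
        print(name, node.observe(frame), "destroyed:", node.destroyed)
```

The per-pixel and per-area thresholds are what separate sensor noise from a real change; set too low, the node destroys its secrets on a lighting flicker, which is the availability cost of this design.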


