[Cryptography] CD bootable Linux (was randomness +- entropy)
Nico Williams
nico at cryptonector.com
Thu Nov 7 17:28:37 EST 2013
On Thu, Nov 07, 2013 at 09:54:26AM -0500, Thierry Moreau wrote:
> >In fact, though, I can think of one simple example: A CD Linux image
> >used precisely to conduct operations we want to keep secure. For
> >example, there's a suggestion that small businesses use exactly such
> >a thing to do their on-line banking, as their usual systems are way
> >too vulnerable to various kinds of malware (and small businesses have
> >been subject to attacks that bankrupted them). The CD itself can't
> >carry a seed, as it will be re-used repeatedly. It has to come up
> >quickly, and on pretty much any hardware, to be useful. You could
> >probably get something like Turbid in there - but there are plenty of
> >CD's around already that have little if anything.
12 years ago, in the aftermath of a time-bomb attack on a bank by a
disgruntled [ex-]employee, I co-wrote recommendations on how to deal
with that in the future. Those were pre-TPM days, and one part of our
proposal was to investigate booting from read-only media or secure NFS
(also non-existent back then; nowadays one might consider diskless iSCSI
booting) as a way to prevent time bombs being left in boot images.
We also proposed -and implemented- making privileged access to systems
much more closely audited as a deterrent. The read-only media concept
made, effectively, for an easy-to-audit boot media update process (but
it required additional physical security protections).
Read-only media is a poor-man's TPM-measured boot media. Highly
effective.
Anyways, the take-away: we need HW RNGs on all systems that need to boot
from read-only media, or even TPM-measured media (because any next-boot-
seed must be measured or be considered not trusted, and because updating
the TPM every time the system boots/shuts down very much weakens the
TPM-measured boot proposition.
It also so happens that we should want HW RNGs on *every* system.
We also want CPU cycle counters, hi-res timers, and so on so that there
are some sources of entropy (jitter) that aren't (can't be) potentially-
backdoored HW RNGs.
That's it. ARM and other CPU designers: give us both of those things!!
> There is this US military sector initiative "Lightweight Portable
> Security" with precisely this mandate.
>
> http://www.spi.dod.mil/lipose.htm
Thanks for the link, that's very interesting.
Nico
--
More information about the cryptography
mailing list