[Cryptography] Secure erasure

Ralf Senderek crypto at senderek.ie
Sat Sep 10 09:44:31 EDT 2016


On Fri, 9 Sep 2016, John Denker wrote:

> The way forward is to stop oversimplifying.  Start by asking What's
> Your Threat Model.  The real threats come from verrrry far outside
> the domain of specification for ordinary computer languages:  cold
> boot, attackers with root privilege, NSA "tailoring" (i.e. subversion)
> of the firmware in the flash controller, tempest, et cetera.
>
> Let's be clear:  A zeroization routine that might have worked
> just fine on an Apple ][e floppy is not good enough for a modern
> hard disk, and is guaranteed to do almost nothing on a flash
> drive except waste electricity and shorten the useful life of
> the drive.

[...]

> This is one of the reasons for the existence of Hardware Security
> Modules.  If the bad guys can't get inside, it doesn't matter
> whether the software makes frequent calls to the "secure erase"
> routine or not.

I read this as an endorsement of the idea of a "personal security server"
under the user's control: a separate piece of hardware with a maximal level
of auditability that shuts itself (and its OS) off from network access
as much as possible, leaving only an encrypted tunnel to the user's
main machine, which is the target of most malware approaching from
a huge number of sources.

For this "personal security server" the main issue will become assuring
its isolation and safeguarding the tunnel to its legitimate user, rather
than ensuring "secure erase" of secrets. In my view, the separation of
security-critical actions (like message decryption) from the machine
the user (carelessly) uses for everything is the most valuable step
forward, because we won't be able to defeat most attacks on the user's
desktop. But we may be able to strengthen a well-designed second system
to be much less vulnerable.

I know that it's quite difficult to ensure that only the legitimate
user can access the encrypted tunnel, because it'll require the
(safe) use of a secret. And so the "secure erase" problem must be
solved - one way or the other - on the user's main machine.
But the problem of running the whole bunch of safe crypto need not
be solved here.


    --ralf


PS: I assume that physical access to the "personal security server" can
    be prevented, once it is under the user's control (no online server),
    and that primarily attacks through the network cable have to be
    prevented.



More information about the cryptography mailing list