[Cryptography] Anyone interested in a cheap security module for Raspberry Pi?

Ashish Gulhati crypto at ashish.neomailbox.com
Wed Jul 26 22:04:30 EDT 2017


> On Jul 26, 2017, at 2:18 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> 
> What I would do is run some software on the user's computer to form a network of HSMs.  Only firmware and keys in the HSM need to be trusted, not the host software.  The HSMs would secure not just the owner's secrets, but would participate in securing secrets of other users.  This creates a potential incentive for the owner to hack their own HSM, since the secrets of others might be valuable.  The idea sounds a bit nutty, but there seem to be ways to improve security, reliability, and availability considerably with this approach.
> 
> Some concerns I would have putting my secrets into a SC4-HSM: What if I lose it?  What if it breaks?  Do I need to back up all my secrets?  What if I want to buy a hamburger with my bitcoins but my HSM is plugged in at home?  What if an attacker steals it and brute-forces my HSM pin/password?  Do I need to use a super-hard password, and enter it every time I buy a hamburger?  I really just want to buy a Hamburger with bitcoins on my phone.  Can I do that with the HSM, without carrying it around?  There seem to be opportunities to improve on all this with networked HSMs working together.  That's the area I am currently interested in.
> 

The R-Pi is cheap enough (and will only get cheaper) to serve as an air-gapped HSM by itself.

This is the idea behind Noodle Unsnoopable, an integrated R-Pi (Zero) based handheld device 
with hi-res display, camera, and battery.

It’s on Kickstarter now: http://noodlepi.com

This was specifically designed for use with HashCash (www.hashcash.com) offline wallets and
my Unsnoopable messaging app (www.unsnoopable.org). I mentioned such a device in 
previous posts on this list.

So, you want to buy a hamburger with Bitcoin.

Let’s say you don’t want to trust anyone with your Bitcoin, so you want to hold it yourself.

You set up a HashCash (abbreviated as "[#]" below) vault at home, maybe inside a physical 
safe if you like. You store your Bitcoin in your vault and you get [#] coins from your vault. 
These go in your [#] wallet on your Noodle Unsnoopable (shortened to “Noodle” below), which 
is air-gapped and can’t connect to any networks.

Now you go off shopping... you want to buy some gadgets, buy a hamburger, etc.

When you need to pay someone, you enter the amount in your [#] wallet on the Noodle, 
scan the [#] coins as a QR code from the Noodle with your phone, and send them to 
your vault. The vault then sends Bitcoin to the payee’s bitcoin address.

The vault can also be air-gapped, communicating over a serial link.

So your Bitcoin keys are always air-gapped, and your [#] coins are always air-gapped. 
Yet you can pay with a couple of taps on your Noodle and a QR code scan on your mobile 
phone.

Better yet, your family and friends trust you enough to use your [#] vault, so now they can 
do the same thing with their [#] wallets on their Noodles. And since [#] is untraceable, they 
don’t compromise any privacy by using your vault.

And this is before there are any public [#] vaults whose coins are widely accepted by 
merchants. Once there are a few of those, you don’t need to run your own vault at all to 
buy a hamburger. You just load up your wallet with some [#] coins from any of the 
well-reputed vaults and pay the merchant directly in [#]. Merchant simply scans the
coins off your Noodle.

Also, since the Noodle runs entirely off its MicroSD card, the only thing you need to keep 
physically secure is the MicroSD card, which pops easily out of the device and is really 
easy to keep secure. You can also easily make backups of it. 

And multiple people can use the same device, just by popping in different MicroSD 
cards.

Of course Noodle Unsnoopable (and Noodle Pi, the network-capable version) can
be used for a lot of other stuff too (including perfectly unsnoopable messaging,
with the Unsnoopable app).

Very limited number of early bird rewards left. Grab one soon! http://noodlepi.com

Cheers
#!


