Groups | Search | Server Info | Keyboard shortcuts | Login | Register [http] [https] [nntp] [nntps]

Groups > comp.lang.java.programmer > #21192

Re: creating a secret-carrying box

Show all headers | View raw

On Mon, 07 Jan 2013 18:00:07 -0800, Roedy Green wrote:

> The closest thing I have found to what I want is a Kanguru AES
> Encrypted Flash drive.  I key a password to open it. I can then fill
> it will secret files which are hardware-encrypted. Then I close it and
> nobody can read the files without the password.  
> 
> HOWEVER, when I take it to another machine, enter the password, it
> opens up, but TOO open. ANY app can read it, including spyware.
> 
> I am curious about how you might design such a beast without that
> problem.
> 
> It would be open, but only to one APP.  That one app might have to
> jump through hoops to retrieve or change data.
> 
> One idea I had was to put a little linux OS on the flash drive that
> talked HTTPS. It would be like a portable secure server.  The app
> could pass through a password over HTTPS keyed in.  All its
> communications would be encrypted.
> 
> Another idea I had was to run the app inside the USB drive, and have
> it talk to a device driver that would display and accept keystrokes
> and mouse strokes for it.  
> 
> Another related idea was putting some private keys in inaccessible
> ROM, and a CPU that could encrypt/decrypt.

If the drive sends file contents unencrypted to the PC, once the password
has been sent to it, then untrusted apps on the PC can read the drive. So,
you'll need the data to be encrypted in one way or another all the way into
the application you're using it in.

Furthermore, you will need the PC's operating system and all other
kernel-mode code on it to be trusted, as well as the application.
Kernel-mode code can see the contents of the application's address space,
including the data post-decryption, and can also do things like keylogging
while you type in the password.

Your options, as I see them:

1. Only use it from a specific, trusted PC with clean installs of
   everything, minimal stuff installed, and preferably no network
   connection. Malware either can't get on it or can't phone home
   with what it saw.

2. More elaborate: use drive with trusted PC that runs some sort of server.
   Less-trusted PC connects to trusted PC via HTTPS or other encrypted
   protocol. So, data is encrypted entering less-trusted PC. Both machines
   are behind a firewall that will not accept traffic routed to or from the
   trusted PC, so the trusted PC can't talk to the internet directly (or be
   hacked from it). The semi-trusted PC runs a vetted Linux kernel and
   kernel modules, and use of the HTTPS connection is done from an
   unprivileged account. That account isn't used for anything else and its
   home directory is mounted on a ram drive so anything not saved to the
   encrypted drive evaporates every time that machine is reset, limiting
   the ability of any malware that infects that account to record anything
   for phoning home later. Disconnect the internet before using the drive
   and reboot before reconnecting the internet, and malware can't preserve
   anything to phone home with. Or, disable networking privileges for that
   account (launch a browser sudo root if you need to consult google, or
   use your phone or pad or a third computer).

-- 
Hexapodia is the key insight.

Back to comp.lang.java.programmer | Previous | Next — Previous in thread | Next in thread | Find similar | Unroll thread

Thread

creating a secret-carrying box Roedy Green <see_website@mindprod.com.invalid> - 2013-01-07 18:00 -0800
  Re: creating a secret-carrying box Arne Vajhøj <arne@vajhoej.dk> - 2013-01-07 21:27 -0500
  Re: creating a secret-carrying box Twirlip of the Mists <twirlip@killfile.me.now.invalid> - 2013-01-07 23:12 -0500
    Re: creating a secret-carrying box Roedy Green <see_website@mindprod.com.invalid> - 2013-01-08 00:44 -0800

csiph-web