Highly secure messaging, email, and Internet services has a long history in military and defense sector with issues well-understood. I mention here [1] the framework I used in high assurance security engineering. The system must be built using strongest engineering techniques with the right requirements. It must run on an endpoint with specialist security engineering techniques resistant to talented hackers. The protocols, parsers, networking stacks, and so on must be carefully implemented to prevent problems. Modern attackers are hitting various firmware, too, so protection is needed from devices. Then, we must be sure the software displayed to us for all this is what's actually running, on non-subverted hardware, and with non-malicious insiders.
The whole thing is beyond tricky to the point that no hosted service is rated to high security in any honest way (eg outside hand-waiving arguments). The only proven model has standalone apps (eg PGP, Nexor Sentinel) acting as proxies between trusted mail/messaging apps and untrusted side. Ideally, user-controlled, vetted code handles secrets with untrusted side (eg Internet host) simply a transport or storage layer that has no influence on endpoint or security past availability. The trusted software must also run on strong endpoints that don't run any other risky software. Given target market, that disqualifies most users of email and messaging software in general.
So, about this one. It seems to not meet many of these requirements and its users don't either. That puts it in Low-Medium assurance category where it might still be helpful against regular black hats, snoops, and attackers without 0-days in what their users have. That will necessarily require decent design & implementation. I commend them on having it pen-tested & open-sourced for review to that effect.
Meanwhile, users wanting to increase resistance to High Strength Attackers should use air gapped, hardened NIX boxes with GPG or Markus Ottela's Tinfoil Chat. Snowden leaks showed using GPG correctly, esp with Tor correctly, gave NSA hell. Markus has also improved TFC many times in response to our critiques to the point that many attack vectors are impossible, risk is lower in others, and endpoint risks are possibly lower than all solutions if right hardware is used. Still work to be done but he's way ahead of the competition.
Note: I second rossjudson that the site, although with beautiful artwork, should be redesigned so it's clear what the app does without a lot of digging. I've seen competing apps where they were clear on the specifics upfront while still not drowning readers in technical detail. The technical detail was a link or so away if I needed it. Right not, it looks too much like a marketing team's work.
"When the serial cable used to transmit information between two computers is enforced with an RS-232 data diode to funciton in unidirectional fashion, exfiltration of encryption and signing keys without physical access becomes impossible."
Right. Or use a smart-card. I'm not sure it's more sane to trust a typical pc to not have a hw backdoor (eg: intel managment cpu with wlan access -- does need to be enabled in bios. At least that's what Intel says) -- rather than trust a smart-card (idea is to send data to card, get signed/encrypted data back. Keys never leave card).
The modules look huge though. Plenty of room for someone to slip in a listening device with burst-capable transmission. I don't think the actual security is much higher than just using a smartcard?
The smart-card vendors might be working with any number of people. You can't be sure and subversion is at an all time high. The reason he used our data diode recommendation was you can use arbitrary hardware for the send, receive, and network nodes. Receiver can't leak anything outward even if hit by malware. Sender can't receive attacks from Internet. And network can be toast without ill effect. This can be verified by looking at the wires you modified rather than giving ChipWorks millions to R.E. it. ;)
Later we told him OTP wasn't going to get takeup. I described my cascading cipher. That led to his multiple encryption etc version. I told him high assurance crypto NSA uses defeats covert channels with (a) fixed sized transmissions, (b) fixed rate transmissions and (c) not letting errors have a visible effect on that. Goes way back. He changed it to do that.
So, he was clever with the design and has been responsive to updates. Those are just a few I remember. He used Python because it's easy to read. He only has so much time for the project. Other stuff I suggested included converting it to a language like C, Ada, or Pascal for control over memory & extra visibility. Also, using the Dresden Nizza architecture (or MILS architecture) on transport and sending stack to further enforce isolation and secure decomposition. More work to be done but it's a nice executable specification of something that can give NSA hell with low end equipment.
Far as email, that must be a side project he started as a result of some of us suggesting he port GPG or something to the architecture. I'm not familiar with it. I only endorse main chat architecture with encouragement that implementation keeps improving. :)
Oh, don't get my wrong. I think the project is interesting, and it's obvious open hw is the way to go - especially if the design can be kept both simple and useful.
I don't really see anything wrong with having the cable be shorter (ie: an open platform smart card).
Lets just say that from a practical standpoint, I'd be much more interested in getting "most" people to use s/mime and/or gpg with keys and encryption on a dedicated device -- no matter if that device is a re-purposed Android without a baseband chip, running some open Linux based OS (full distro or something like Replicant) -- or it is a smart card, or some kind of dedicated open hardware.
The cascading idea is interesting, but probably more useful in a more adversarial scenario than most people need. Good for running drugs, or a revolution (or insurgency) though ;-)
On a serious note, I do see some real overlap between this military grade approach and "normal" use-cases. Especially for people that find them selves at odds with their government. Be that FBI targeting #occupy in Zuccotti Park, the German intelligence services/NSA spying on elected officials in Germany -- or people opposed to current policies in China, or advocating gay rights in Russia.
We live in a time where there's enough oppression to go around :-(
The cable is just what he had at his house: a smaller one is better. Not sure why you keep bringing up smartcards as alternative to long cable: two totally different things. Only realistic alternative to his cable w/out extra risk is point-to-point IR transfer: cheap & hard to grab if nearby (unlike Bluetooth/Wifi).
It would be nice to get more people on GPG or Linux. It's what I use, too. The problem is their Trusted Computing Base [1] is ridiculously huge. Even amateurs regularly break NIX systems, browsers, and so on. The methods for designing things highly resistant to attack are out of reach for most projects. See my framework [2], for example, to see the gap between high quality coding and truly secure systems. Most developers, even many security "pro's," have no idea about so many of these things. Just ask anyone building one of these "NSA-proof" crypto tools to see their Covert Channel Analysis with breakdown of all residual storage, timing, and resource exhaustion channels. Observe the blank or confused stares.
So, Markus was trying to shortcut around that using concepts he learned and we discussed. It had to be provably immune to software attack despite weaknesses in components. GPG on Linux/Android means GPG or Linux/Android must be breached. Although GPG is solid, Linux/Android breaches abound because they're insecure crap. So, that won't work against event a good black hat. He couldn't build a High Assurance Guard [3] by himself so he had to eliminate almost whole TCB. TFC was a clever workaround. TFC and Linux/Android-based clients have no comparison given only one can make a strong security argument under all conditions of software attack and the others just have so many real-world attacks... Apple to oranges, my friend.
For cascading, it might be overkill and might not. Note that many real-world algorithms working in isolation had problems. Cryptophone used a AES + Twofish cascade as insurance. The idea is that one algorithm or trick failing won't compromise the system. It applies to regular crypto users as much as anyone else given we use same algorithms. I agree it might not be necessary for majority of people, though. They use Gmail or Facebook over HTTPS for their critical communications. Clearly different privacy needs, there. ;)
I agree on the overlap: it's why I push the strong stuff. :) The reason, though, is that all the bad guys aim for the same thing. Plus, the nation-state methods (esp firmware attacks) are starting to be used by non-nation-states. The methods for stopping software attacks by nation-states are same as for anyone else. It's why our systems need to be redone (example [4]) to simply enforce fundamental protections to stop all that shit. And meanwhile, we have to use GPG, TFC, air gaps, and other kludgy solutions to make up for how bad we have it.
> The cable is just what he had at his house: a smaller one is better. Not sure why you keep bringing up smartcards as alternative to long cable: two totally different things.
True, a smart card doesn't give you separate input/output terminals. But it can isolate the key and encryption bit. It can be quite secure in case of theft, off-line access.
[ed: I wasn't talking about just the cable, I was thinking about all the devices soldered into it. They look big enough for there to be a possibility to embed a listening device. That is if you're a direct target by something like the Egyptian Secret Police etc]
Certainly this system has different and stronger security properties -- but also usability issues (even if you could probably sandwich most of it into a single laptop case. Would be interesting to have two screens side-by-side for input and output).
Do you know anything about throughput for this? Would it be viable for high-quality video chat?
> TFC and Linux/Android-based clients have no comparison given only one can make a strong security argument under all conditions of software attack and the others just have so many real-world attacks... Apple to oranges, my friend.
I meant and Android hw device, similar to running a stripped down OS on pc hardware. Sort of as a replacement for the hw in the terminals used here. I didn't mean a full Android software stack. Preferably a system without baseband, networking etc.
I'm not sure about your use of "NIX" here. Is this a combined hardware/software platform? Google wasn't very helpful.
It is of course true that if you can compromise the keyboard, display driver, kernel, i/o for gpg etc -- you can actively compromise the system.
As far as I know, typical Linux/bsd installs are not vulnerable to compromise either via a usb stick or via tcp/ip (assuming updates are disabled). So it would seem that using a dedicated (mostly) air-gapped laptop would practically be as secure. In such a case, keeping keys/crypto on an open-hw smartcard might be a prudent extra step that would add a little more security against certain threats.
> For cascading, it might be overkill and might not.
As long as one can show that cascading doesn't weaken the system (eg: perhaps a construction opened up some kind of oracle, along the lines of compression+encryption, perhaps key derivation would leak information on a master secret if one uses related keys) -- I don't see much of a reason not to.
On the other hand, if you double the number of crypto systems in use, you double the number of bugs. Of course, it might be that the attacker can't attack bugs in the inner systems easily, so perhaps by layering you get to choose which system are most easily exploited...
Either way, I think both an air-gapped computer+smartcard and this system would be secure enough, that if you are a target, someone might want to try and sell you special, compromised hardware. It might not compromise the system as such, but even just a microphone+transmitter in any one of the components might be enough to pick up sounds of typing, and be able to infer plaintext. Not sure what the easiest way to read the screen would be, but probably some kind of signal leakage from the gpu/cable/screen.
The smartcard can isolate the key. The problem is that they don't need it if they compromise the PC. It's pointless if the goal is to protect the current communication. Far as implants, they're possible with anything. Rule is that enemy can never physically possess your stuff or it's considered compromised.
"but also usability issues (even if you could probably sandwich most of it into a single laptop case. Would be interesting to have two screens side-by-side for input and output)."
You should've seen my old VOIP design: a briefcase of cables, boards, and shit lol. Yeah, it will take up more space and have a learning curve. Any strong solution usually does, though. Be skeptical of anything claiming high usability and high security. ;)
"Sort of as a replacement for the hw in the terminals used here. I didn't mean a full Android software stack. Preferably a system without baseband, networking etc."
If you keep the three nodes, then you can certainly use Android devices. If you condense them, then you loose the protection due to all the attack surface. One drawback with Android is most of them have embedded wireless hardware. Tiny risk maybe but hard to tell if you've disabled it for sure. Android on device w/out wireless chip is fine.
"I'm not sure about your use of "NIX" here. Is this a combined hardware/software platform? Google wasn't very helpful."
UNIX or UNIX-like systems. Many of us called them NIX's for short in the old days. Their complexity and security track record make them untrustworthy for defending against strong attackers. They're a last resort you use while still monitoring for compromise. Unfortunately for that crowd, the systems with high security are all proprietary (often defense-only) and similar open-source systems have less assurance and usability. They're all alpha stage, actually.
"So it would seem that using a dedicated (mostly) air-gapped laptop would practically be as secure."
It's lower risk than most things. It's why most of us use that strategy. Your risk is being hit in the kernel stacks, the drivers, or peripheral firmware. If data goes back and forth, then the risk goes up. To be clear, this is a targeted attack by professionals that know what they're doing. Average hacker doesn't do this.
re cascade
They haven't shown evidence of this for years past the meet in the middle. So, it seems fine long as I avoid that. Far as adding risk, it's unlikely given this is merely a basic algorithm application. If you said protocol engines, I'd totally agree. With algorithms though, you can usually get three right if you can get one right. Still want a specialist coding them, though.
re other stuff
The system in question must be evaluated by security pro's before we can trust it. Meanwhile, GPG + air gapped machine is your best bet outside TFC. As for hardware subversion, they might do anything so acquire your hardware in different, unpredictable places or have others order it for you. Far as screen, the monitor cable is the best place for leak. I proposed long ago a shielded cable that works except amplifies signal along unused frequency. Later on, TAO catalog leaked and there's a VGA cable modified to do exactly that. So, there you go.... ;)
Thank you. I usually use, see *nix. Arguably Android sans Google apps, over-the-air updates fit into that box.
The idea of three nodes, trivially separated and air-gapped is interesting.
One should be able to do the input with an adruino or something (most obvious choice, a keyboard, but could also tack on a mic/camera for audio/video).
Link that with a "one-way" cable to a rpi2 (the "compromised"/networked node), and a cheap android tablet w/o baseband/gsm chips -- and perhaps solder off the antennas/kill the wlan/bluetooth. Preferably one w/o NFC. Use the tablet as the screen, and the "out" node.
Use lobotomized usb-cable for power from the Android-devices battery, and run everything off that.
I do like the idea of having the separation be obvious and simple -- easy to audit.
Suppose one might as well run freedos on the two nodes -- but Linux/BSD is probably less painful.
Now you're thinking on the right lines! All of that should be fine. Didn't think about using USB for power: just had a strip in the design. Will have to think on it. Standardizing on Linux/BSD is wise, too, as it lets us easily adapt it to new software applications.
And, in case I forgot, you can modify this architecture for voice or video but will need to replace serial cable with higher bandwidth line. Risk starts to go up there. You either need a real data diode or must physically modify Ethernet/Fiber cables and/or cards to do one-way transmission. Might take custom, microcontroller board to be sure it's done right.
It's a bigger project to say the least. There's examples online but the security is debatable. That's why the defense sector builds and certifies the big guns [1]. That it takes them that much hardware & they mention TEMPEST hints at how much work goes into this one, tiny problem.
The whole thing is beyond tricky to the point that no hosted service is rated to high security in any honest way (eg outside hand-waiving arguments). The only proven model has standalone apps (eg PGP, Nexor Sentinel) acting as proxies between trusted mail/messaging apps and untrusted side. Ideally, user-controlled, vetted code handles secrets with untrusted side (eg Internet host) simply a transport or storage layer that has no influence on endpoint or security past availability. The trusted software must also run on strong endpoints that don't run any other risky software. Given target market, that disqualifies most users of email and messaging software in general.
So, about this one. It seems to not meet many of these requirements and its users don't either. That puts it in Low-Medium assurance category where it might still be helpful against regular black hats, snoops, and attackers without 0-days in what their users have. That will necessarily require decent design & implementation. I commend them on having it pen-tested & open-sourced for review to that effect.
Meanwhile, users wanting to increase resistance to High Strength Attackers should use air gapped, hardened NIX boxes with GPG or Markus Ottela's Tinfoil Chat. Snowden leaks showed using GPG correctly, esp with Tor correctly, gave NSA hell. Markus has also improved TFC many times in response to our critiques to the point that many attack vectors are impossible, risk is lower in others, and endpoint risks are possibly lower than all solutions if right hardware is used. Still work to be done but he's way ahead of the competition.
Note: I second rossjudson that the site, although with beautiful artwork, should be redesigned so it's clear what the app does without a lot of digging. I've seen competing apps where they were clear on the specifics upfront while still not drowning readers in technical detail. The technical detail was a link or so away if I needed it. Right not, it looks too much like a marketing team's work.
[1] https://www.schneier.com/blog/archives/2013/01/essay_on_fbi-...