The cable is just what he had at his house: a smaller one is better. Not sure why you keep bringing up smartcards as alternative to long cable: two totally different things. Only realistic alternative to his cable w/out extra risk is point-to-point IR transfer: cheap & hard to grab if nearby (unlike Bluetooth/Wifi).
It would be nice to get more people on GPG or Linux. It's what I use, too. The problem is their Trusted Computing Base [1] is ridiculously huge. Even amateurs regularly break NIX systems, browsers, and so on. The methods for designing things highly resistant to attack are out of reach for most projects. See my framework [2], for example, to see the gap between high quality coding and truly secure systems. Most developers, even many security "pro's," have no idea about so many of these things. Just ask anyone building one of these "NSA-proof" crypto tools to see their Covert Channel Analysis with breakdown of all residual storage, timing, and resource exhaustion channels. Observe the blank or confused stares.
So, Markus was trying to shortcut around that using concepts he learned and we discussed. It had to be provably immune to software attack despite weaknesses in components. GPG on Linux/Android means GPG or Linux/Android must be breached. Although GPG is solid, Linux/Android breaches abound because they're insecure crap. So, that won't work against event a good black hat. He couldn't build a High Assurance Guard [3] by himself so he had to eliminate almost whole TCB. TFC was a clever workaround. TFC and Linux/Android-based clients have no comparison given only one can make a strong security argument under all conditions of software attack and the others just have so many real-world attacks... Apple to oranges, my friend.
For cascading, it might be overkill and might not. Note that many real-world algorithms working in isolation had problems. Cryptophone used a AES + Twofish cascade as insurance. The idea is that one algorithm or trick failing won't compromise the system. It applies to regular crypto users as much as anyone else given we use same algorithms. I agree it might not be necessary for majority of people, though. They use Gmail or Facebook over HTTPS for their critical communications. Clearly different privacy needs, there. ;)
I agree on the overlap: it's why I push the strong stuff. :) The reason, though, is that all the bad guys aim for the same thing. Plus, the nation-state methods (esp firmware attacks) are starting to be used by non-nation-states. The methods for stopping software attacks by nation-states are same as for anyone else. It's why our systems need to be redone (example [4]) to simply enforce fundamental protections to stop all that shit. And meanwhile, we have to use GPG, TFC, air gaps, and other kludgy solutions to make up for how bad we have it.
> The cable is just what he had at his house: a smaller one is better. Not sure why you keep bringing up smartcards as alternative to long cable: two totally different things.
True, a smart card doesn't give you separate input/output terminals. But it can isolate the key and encryption bit. It can be quite secure in case of theft, off-line access.
[ed: I wasn't talking about just the cable, I was thinking about all the devices soldered into it. They look big enough for there to be a possibility to embed a listening device. That is if you're a direct target by something like the Egyptian Secret Police etc]
Certainly this system has different and stronger security properties -- but also usability issues (even if you could probably sandwich most of it into a single laptop case. Would be interesting to have two screens side-by-side for input and output).
Do you know anything about throughput for this? Would it be viable for high-quality video chat?
> TFC and Linux/Android-based clients have no comparison given only one can make a strong security argument under all conditions of software attack and the others just have so many real-world attacks... Apple to oranges, my friend.
I meant and Android hw device, similar to running a stripped down OS on pc hardware. Sort of as a replacement for the hw in the terminals used here. I didn't mean a full Android software stack. Preferably a system without baseband, networking etc.
I'm not sure about your use of "NIX" here. Is this a combined hardware/software platform? Google wasn't very helpful.
It is of course true that if you can compromise the keyboard, display driver, kernel, i/o for gpg etc -- you can actively compromise the system.
As far as I know, typical Linux/bsd installs are not vulnerable to compromise either via a usb stick or via tcp/ip (assuming updates are disabled). So it would seem that using a dedicated (mostly) air-gapped laptop would practically be as secure. In such a case, keeping keys/crypto on an open-hw smartcard might be a prudent extra step that would add a little more security against certain threats.
> For cascading, it might be overkill and might not.
As long as one can show that cascading doesn't weaken the system (eg: perhaps a construction opened up some kind of oracle, along the lines of compression+encryption, perhaps key derivation would leak information on a master secret if one uses related keys) -- I don't see much of a reason not to.
On the other hand, if you double the number of crypto systems in use, you double the number of bugs. Of course, it might be that the attacker can't attack bugs in the inner systems easily, so perhaps by layering you get to choose which system are most easily exploited...
Either way, I think both an air-gapped computer+smartcard and this system would be secure enough, that if you are a target, someone might want to try and sell you special, compromised hardware. It might not compromise the system as such, but even just a microphone+transmitter in any one of the components might be enough to pick up sounds of typing, and be able to infer plaintext. Not sure what the easiest way to read the screen would be, but probably some kind of signal leakage from the gpu/cable/screen.
The smartcard can isolate the key. The problem is that they don't need it if they compromise the PC. It's pointless if the goal is to protect the current communication. Far as implants, they're possible with anything. Rule is that enemy can never physically possess your stuff or it's considered compromised.
"but also usability issues (even if you could probably sandwich most of it into a single laptop case. Would be interesting to have two screens side-by-side for input and output)."
You should've seen my old VOIP design: a briefcase of cables, boards, and shit lol. Yeah, it will take up more space and have a learning curve. Any strong solution usually does, though. Be skeptical of anything claiming high usability and high security. ;)
"Sort of as a replacement for the hw in the terminals used here. I didn't mean a full Android software stack. Preferably a system without baseband, networking etc."
If you keep the three nodes, then you can certainly use Android devices. If you condense them, then you loose the protection due to all the attack surface. One drawback with Android is most of them have embedded wireless hardware. Tiny risk maybe but hard to tell if you've disabled it for sure. Android on device w/out wireless chip is fine.
"I'm not sure about your use of "NIX" here. Is this a combined hardware/software platform? Google wasn't very helpful."
UNIX or UNIX-like systems. Many of us called them NIX's for short in the old days. Their complexity and security track record make them untrustworthy for defending against strong attackers. They're a last resort you use while still monitoring for compromise. Unfortunately for that crowd, the systems with high security are all proprietary (often defense-only) and similar open-source systems have less assurance and usability. They're all alpha stage, actually.
"So it would seem that using a dedicated (mostly) air-gapped laptop would practically be as secure."
It's lower risk than most things. It's why most of us use that strategy. Your risk is being hit in the kernel stacks, the drivers, or peripheral firmware. If data goes back and forth, then the risk goes up. To be clear, this is a targeted attack by professionals that know what they're doing. Average hacker doesn't do this.
re cascade
They haven't shown evidence of this for years past the meet in the middle. So, it seems fine long as I avoid that. Far as adding risk, it's unlikely given this is merely a basic algorithm application. If you said protocol engines, I'd totally agree. With algorithms though, you can usually get three right if you can get one right. Still want a specialist coding them, though.
re other stuff
The system in question must be evaluated by security pro's before we can trust it. Meanwhile, GPG + air gapped machine is your best bet outside TFC. As for hardware subversion, they might do anything so acquire your hardware in different, unpredictable places or have others order it for you. Far as screen, the monitor cable is the best place for leak. I proposed long ago a shielded cable that works except amplifies signal along unused frequency. Later on, TAO catalog leaked and there's a VGA cable modified to do exactly that. So, there you go.... ;)
Thank you. I usually use, see *nix. Arguably Android sans Google apps, over-the-air updates fit into that box.
The idea of three nodes, trivially separated and air-gapped is interesting.
One should be able to do the input with an adruino or something (most obvious choice, a keyboard, but could also tack on a mic/camera for audio/video).
Link that with a "one-way" cable to a rpi2 (the "compromised"/networked node), and a cheap android tablet w/o baseband/gsm chips -- and perhaps solder off the antennas/kill the wlan/bluetooth. Preferably one w/o NFC. Use the tablet as the screen, and the "out" node.
Use lobotomized usb-cable for power from the Android-devices battery, and run everything off that.
I do like the idea of having the separation be obvious and simple -- easy to audit.
Suppose one might as well run freedos on the two nodes -- but Linux/BSD is probably less painful.
Now you're thinking on the right lines! All of that should be fine. Didn't think about using USB for power: just had a strip in the design. Will have to think on it. Standardizing on Linux/BSD is wise, too, as it lets us easily adapt it to new software applications.
And, in case I forgot, you can modify this architecture for voice or video but will need to replace serial cable with higher bandwidth line. Risk starts to go up there. You either need a real data diode or must physically modify Ethernet/Fiber cables and/or cards to do one-way transmission. Might take custom, microcontroller board to be sure it's done right.
It's a bigger project to say the least. There's examples online but the security is debatable. That's why the defense sector builds and certifies the big guns [1]. That it takes them that much hardware & they mention TEMPEST hints at how much work goes into this one, tiny problem.
It would be nice to get more people on GPG or Linux. It's what I use, too. The problem is their Trusted Computing Base [1] is ridiculously huge. Even amateurs regularly break NIX systems, browsers, and so on. The methods for designing things highly resistant to attack are out of reach for most projects. See my framework [2], for example, to see the gap between high quality coding and truly secure systems. Most developers, even many security "pro's," have no idea about so many of these things. Just ask anyone building one of these "NSA-proof" crypto tools to see their Covert Channel Analysis with breakdown of all residual storage, timing, and resource exhaustion channels. Observe the blank or confused stares.
So, Markus was trying to shortcut around that using concepts he learned and we discussed. It had to be provably immune to software attack despite weaknesses in components. GPG on Linux/Android means GPG or Linux/Android must be breached. Although GPG is solid, Linux/Android breaches abound because they're insecure crap. So, that won't work against event a good black hat. He couldn't build a High Assurance Guard [3] by himself so he had to eliminate almost whole TCB. TFC was a clever workaround. TFC and Linux/Android-based clients have no comparison given only one can make a strong security argument under all conditions of software attack and the others just have so many real-world attacks... Apple to oranges, my friend.
For cascading, it might be overkill and might not. Note that many real-world algorithms working in isolation had problems. Cryptophone used a AES + Twofish cascade as insurance. The idea is that one algorithm or trick failing won't compromise the system. It applies to regular crypto users as much as anyone else given we use same algorithms. I agree it might not be necessary for majority of people, though. They use Gmail or Facebook over HTTPS for their critical communications. Clearly different privacy needs, there. ;)
I agree on the overlap: it's why I push the strong stuff. :) The reason, though, is that all the bad guys aim for the same thing. Plus, the nation-state methods (esp firmware attacks) are starting to be used by non-nation-states. The methods for stopping software attacks by nation-states are same as for anyone else. It's why our systems need to be redone (example [4]) to simply enforce fundamental protections to stop all that shit. And meanwhile, we have to use GPG, TFC, air gaps, and other kludgy solutions to make up for how bad we have it.
[1] https://en.wikipedia.org/wiki/Trusted_computing_base
[2] http://www.schneier.com/blog/archives/2013/01/essay_on_fbi-m...
[3] https://en.wikipedia.org/wiki/Guard_%28information_security%...
[4] http://www.crash-safe.org/assets/ieee-hst-2013-paper.pdf