From owner-freebsd-hackers@FreeBSD.ORG Fri Nov 28 03:43:35 2003
From: "Poul-Henning Kamp"
To: Wes Peters
cc: freebsd-hackers@freebsd.org
Date: Fri, 28 Nov 2003 12:43:30 +0100
Subject: Re: "secure" file flag?
Message-ID: <7304.1070019810@critter.freebsd.dk>
In-Reply-To: Your message of "Fri, 28 Nov 2003 00:14:49 PST." <200311280014.49356.wes@softweyr.com>
List-Id: Technical Discussions relating to FreeBSD

In message <200311280014.49356.wes@softweyr.com>, Wes Peters writes:

>If you want an interesting problem to work on, come up with a solution to
>the keying problem for disk encryption. It somehow needs to allow
>automated, unattended reboots during "normal" operations but prevent
>attackers from compromising the system. Maybe you could have the system
>send an SMS message when it needs a key, you reply with a one-time key
>from your mobile phone?

I have already described one solution to this in my GBDE paper at BSDcon.

You use weak-link/strong-link setups for that:

Put the computer and a small UPS (5 minutes) in a good quality safe, drill a tiny hole in it, through which you run the power cord and a fiberoptic network connection.

Put serious violation sensors *inside* the safe: corner integrity, door opening, tilt, humidity, moisture, temperature, pressure, gas, smoke, vibration.

In addition put serious sensors on the network connection: packet filters, monitor the media state, wrong password attempts, significant changes in traffic level etc etc.

As long as the violation sensors don't trigger (the weak link) the safe protects the keys (the strong link).

If any of these sensors trip, if the safe is rocked, gets warmer, if the external power disappears, if the network connection loses connection, if somebody attempts to enter with a wrong sshd password, the computer *immediately* nukes its keys and other sensitive material and turns itself off, after which a breach of the strong link is no longer a risk to the data.

Now *that* is a DIY project for the dedicated hobbyist :-)

The terminology and principle are from atomic weapons which have a similar security profile:

http://nuclearweaponarchive.org/Usa/Weapons/Pal.html

enjoy

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe
Never attribute to malice what can adequately be explained by incompetence.
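The weak-link/strong-link controller described in the message above, as an added example that is not part of the original thread or of GBDE: sensor readings and sshd log lines are the weak links, an in-RAM key is the strong link, and any trip zeroizes the key before powering down. Sensor names, thresholds and the sample log lines are constructed for this example.

```python
import re
from dataclasses import dataclass, field

# Thresholds are constructed for this example; real values depend on the safe.
TEMP_RISE_C = 5.0       # interior warming over baseline that counts as a violation
TRAFFIC_RATIO = 3.0     # traffic level change (up or down) considered significant
BOOLEAN_TRIPS = {"door", "tilt", "vibration", "smoke", "gas", "moisture", "corner"}
SSHD_FAIL = re.compile(r"sshd\[\d+\]: Failed password for .* from (\S+)")


@dataclass
class KeyGuard:
    """Strong link (the key) guarded by weak links (sensors that trip first)."""
    key: bytearray                     # disk encryption key, held only in RAM
    base_temp_c: float
    base_traffic: float
    powered_off: bool = False
    reasons: list = field(default_factory=list)

    def zeroize(self, reason: str) -> None:
        """Any tripped weak link destroys the key and powers the box down."""
        self.reasons.append(reason)
        if not self.powered_off:
            for i in range(len(self.key)):   # overwrite in place, not just drop the ref
                self.key[i] = 0
            self.powered_off = True

    def sensor(self, name: str, value) -> None:
        """Feed one physical or network sensor reading."""
        if name in BOOLEAN_TRIPS and value:
            self.zeroize(name)
        elif name == "temperature_c" and value - self.base_temp_c > TEMP_RISE_C:
            self.zeroize("temperature")
        elif name in ("external_power", "link_up") and not value:
            self.zeroize(name + "_lost")
        elif name == "traffic_level":
            ratio = value / self.base_traffic if self.base_traffic else float("inf")
            if ratio > TRAFFIC_RATIO or ratio < 1 / TRAFFIC_RATIO:
                self.zeroize("traffic_change")

    def log_line(self, line: str) -> None:
        """One wrong sshd password is already a violation in this design."""
        m = SSHD_FAIL.search(line)
        if m:
            self.zeroize("ssh_bad_password_from_" + m.group(1))


def demo() -> KeyGuard:
    """Constructed run: normal readings pass, one bad password trips the guard."""
    g = KeyGuard(bytearray(b"\x42" * 32), base_temp_c=21.0, base_traffic=100.0)
    g.sensor("temperature_c", 23.5)        # within tolerance
    g.sensor("traffic_level", 140.0)       # ordinary fluctuation
    g.log_line("Nov 28 12:43:30 box sshd[7305]: Accepted publickey for phk from 10.0.0.5")
    g.log_line("Nov 28 12:44:01 box sshd[7310]: Failed password for root from 192.0.2.7 port 5555 ssh2")
    g.sensor("tilt", True)                 # arrives after power-off: logged, nothing left to wipe
    return g
```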