tech-security archive


Re: cgd and remote keys



Martin J. Laubach wrote:
> |  Just an additional note, it is possible to store /etc/cgd/* content on USB
> | memory, already tested. You just need to add a line into /etc/fstab.
>   I was thinking about that (keeping local data safe yet not be a
> hassle on every reboot) some time ago and came up with three variants:
>
>   - a USB storage on a cable, reasonably secured (i.e. bolted to the
>     wall, so an attacker is more likely to just plug it off)
>   - a Bluetooth device for key storage that could be hidden/securely
>     mounted somewhere nearby the server
>   - a remote server that only responds to the expected IP address
>     (which causes pain when your internet connection goes down)

These things should all have secure protocols for communication, especially the Bluetooth and IP solutions. Authentication should be two-way (and not just based on IP / MAC address) and should be resistant to replay attacks. It should also be as resistant as possible to somebody obtaining the server as well as the client. (This is not 100% possible, but allowing for the possibility of the server keeping its secret foo on an encrypted disk itself, with a chain of such clients / servers seems to be a good start, especially if some of those items are tiny and sufficiently well hidden).

>   Additional brownie points given for auto-destruction which seems
> necessary wrt recent legislation in certain parts of the world ("Sorry,
> I don't have the key, your [law enforcement] agents destroyed it when
> they confiscated the server").

Auto-destruction is a good idea, but is something that must be done very carefully, and for carefully considered reasons. Using it to circumvent law enforcement is potentially very dangerous, as if that is the sole purpose of such a scheme it could land you in serious trouble for deliberate attempts to circumvent such laws.

While it is certainly the case that auto-destruction is worthwhile, it should be done to allow an administrator to prevent sensitive data from getting into the wrong hands in the face of extreme duress by criminals, not by law enforcement.

("Sorry, I don't have the key, your goons destroyed it when they took all the servers and smashed up the place.")

Mind you, that situation is also likely to land you in (different) trouble.

Possibly a better strategy would be for cgd (or something similar) to support multiple keys for the same partition, and return alternative datasets depending on which key is given. Plausible deniability tends to work much better when under duress than not being in a position to give anything. If you can give them something that is sufficient to convince them that they have got everything there is to get from you, and that it will be of some value to them, then you are more likely to escape with your life (or without a criminal record).

In the case of criminals, presumably some slightly secret information that you would plausibly encrypt (while the ultra-secret stuff is encrypted with an auto-destructed key, of which no trace exists). In the case of law enforcement, presumably some softcore porn or details of Swiss bank accounts which contain trivial amounts of money. Basically, enough to warrant hiding it from prying eyes, but not enough to get you into deep trouble.

Then there is no way to prove that you have any more keys, and you can deny it to your heart's content.
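
The two-way, replay-resistant authentication asked for in the message above, as an added example that is not part of the original post and not cgd code: a key server and a cgd host prove knowledge of a shared secret over fresh nonces from both sides. The names `KeyServer`, `CgdHost` and `tag`, the pre-shared key, and the XOR key wrap (a stand-in for a real AEAD) are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16  # fixed length, so nonce_c + nonce_s parses one way only

def tag(psk, role, nonce_c, nonce_s):
    # The role label stops a server tag being reflected back as a client tag.
    return hmac.new(psk, role + b"|" + nonce_c + nonce_s, hashlib.sha256).digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class KeyServer:  # hypothetical remote key holder
    def __init__(self, psk, disk_key):
        self.psk, self.disk_key = psk, disk_key  # disk_key: at most 32 bytes
        self.pending = {}  # nonce_s -> nonce_c for handshakes still open

    def hello(self, nonce_c):
        nonce_s = secrets.token_bytes(NONCE_LEN)
        self.pending[nonce_s] = nonce_c
        return nonce_s, tag(self.psk, b"server", nonce_c, nonce_s)

    def release(self, nonce_s, client_tag):
        nonce_c = self.pending.pop(nonce_s, None)  # each challenge is single use
        if nonce_c is None:
            return None  # unknown or already-used challenge: a replay
        expected = tag(self.psk, b"client", nonce_c, nonce_s)
        if not hmac.compare_digest(client_tag, expected):
            return None
        # Assumption: XOR with a per-session pad stands in for a real AEAD
        # (it hides the key from a passive listener but has no integrity).
        return xor(self.disk_key, tag(self.psk, b"wrap", nonce_c, nonce_s))

class CgdHost:  # hypothetical client run before cgd is configured
    def __init__(self, psk):
        self.psk = psk

    def fetch_key(self, server):
        nonce_c = secrets.token_bytes(NONCE_LEN)
        nonce_s, server_tag = server.hello(nonce_c)
        expected = tag(self.psk, b"server", nonce_c, nonce_s)
        if not hmac.compare_digest(server_tag, expected):
            return None  # peer does not hold the shared secret
        wrapped = server.release(nonce_s, tag(self.psk, b"client", nonce_c, nonce_s))
        if wrapped is None:
            return None
        return xor(wrapped, tag(self.psk, b"wrap", nonce_c, nonce_s))
```

A recorded client tag is bound to one server nonce, so presenting it again, or against a new challenge, returns `None`.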


