At 4:56 PM 3/5/96, Hal wrote: ...
It will be just as easy to steal the mixmaster executable as to steal a script file containing a pass phrase. And it might even be possible to run the stolen mixmaster directly to decrypt intercepted incoming mail messages, without even having to type in the pass phrase. Failing that the attacker could easily extract the pass phrase from the mixmaster executable file.
The other suggestion that was made here, that the operator would have to manually type in the pass phrase every time the computer rebooted, would be a way of avoiding having the information in the clear on the disk. However it would probably not be a practical method of operation given the reliability of at least the Unix operating systems that I am familiar with. And even then the information is in memory. An attacker who could ...
It seems to me that we get some of the advantages of "secure hardware" (and I don't mean in a formal NSA "Orange Book" sense) by having secure dongles attached to serial or other ports on machines. "Dongles" are the much-hated copy protection devices used with some products: they typically are a small plastic-packages doodad plugged into a serial port on a PC. (The Mac versions are less common; don't know if Unix boxes have ever used them.) In the case described by Hal, there might be two imaginable modes of operation: 1. The dongle feeds a passphrase at boot time. This is not very secure, as means could be found to either intercept the supplied passphrase and/or find system commands that would trigger the providing. But at least the passphrase is nominally not stored on a disk accessible to outsiders. (The passphrase is still presumably in memory, as noted above by Hal, and by others. But at least it's not on a disk.) 2. Some sort of zero knowledge protocol in which the dongle possesses the secret knowledge and does part of the decryption, etc. Seen more broadly, this dongle might actually be a separate PC box, 386- or 486-based, and connected to the main Unix box. The main box would still do the usual stuff, but the "secure box" would have a constrained set of operations--maybe running a stripped-down Linux or FreeBSD a la our discussions a few years ago--and would essentially only operate as a crypto box. A separate crypto box could be quite cheap, and one could imagine measures to make it less prone to physical tampering (*) and certainly less prone to network snooping. (* Tamper-resistant vs. tamper-responding. See the FAQ. Basically, there is no such thing as a "tamper-proof box." But "tamper-resistant" can mean PC boards potted in epoxy, locked lids, no floppies, alarms, etc. And "tamper-responding" means there is evidence given that a security barrier has been breached.) A "crypto box" could in fact handle most of the mix functions directly, bypassing the Unix box. The Unix box--the one hooked to the Net in the usual way--would get the incoming packets, send them to the crypto box, then get back the processed messages. If done right, the crypto box could ensure that no records are kept of the mapping between incoming and outgoing messages. A court order to produce the mapping could then be honestly responded to with a "no records are kept, or can even possibly be kept." (Without modification of the software/hardware, something which Digital Telephony II could certainly mandate, but it doesn't exist now.) I think a "crypto box" based on a cheap 486 box, a reduced functionality Linux, and very limited storage capabilities (possibly no disk, only RAM), could be an interesting way to solve both the passphrase-snarfing and LEA-subpoenaing problems. While not as secure as either a Chaumian tamper-responding digital mix (cf. the 1981 paper in CACM) or as a software-based DC-Net, it sure does beat the current model of multiuser Unix boxes running remailers out of user accounts! (A word on separating the functions into a "network box" (what I've also called a "Unix box") and a separate "crypto box." There is no reason one box cannot do both....but by separating the two functions and linking the boxes via a secure connection, one faces less temptation to add more capabilities, storage, and users to the "crypto box." So, I think it better for remailer operators to continue to have their powerful, capable, net connection boxes and then have a stripped-down, possibly RAM-only box that only does limited things. It's also possible to have several boxes, just with different Net addresses, but there might still be the temptation to give the "remailer box" more capabilities. My intuition is that it would be easier and more secure to just have the crypto/remailer box as a slave or dongle to the more capable box.) --Tim May Boycott "Big Brother Inside" software! We got computers, we're tapping phone lines, we know that that ain't allowed. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero W.A.S.T.E.: Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 - 1 | black markets, collapse of governments. "National borders aren't even speed bumps on the information superhighway."