Idea for tamper-resistant PC hardware
Here's something I would like to see: a hard drive that is tamper-resistant. The threat model is a server is deployed in an untrusted machine room, and recovery of plaintext from the system is unacceptable. One obvious attack, involving an encrypted hard drive, is for the attackers to have a "power failure" and then remove the encrypted hard drive from the server, and reinstall it in an "instrumented" server which can recover key data. I want to defeat that attack. One obvious way to do that would be to have a bunch of thermite, or explosives, or whatever that trigger when the thing is tampered with. That's fine, but as a general rule, if the solution to the problem requires explosives, I would rather try to find a different problem.

So here's another solution. The hard drive itself is encrypted, and the encryption/decryption hardware is part of the hard drive chips, and all are mounted within a tamper-resistant enclosure. Also mounted in this enclosure is a little battery which will last for the lifetime of the hard drive, and a large-enough capacitor. When the enclosure is tampered with, the capacitor sends a jolt through the chip that holds the encryption key. This jolt is big enough to melt the silicon, so no key bits could be recovered (this would not require much of a jolt, I would think). Then the attacker would have the hard drive, but no way to decrypt it. Obviously, it would need sensors to detect tampering with the case, and tricks like freezing the thing, using radiation, whatever.

This allows us to have data be permanently destroyed, and the hard drive permanently deactivated, without doing any crazy stuff involving pyrotechnics which looks bad in the media. "The computer exploded, injuring the thieves" looks much worse than "The thieves tripped a safety mechanism and were unable to recover any data from the computer." It would also allow everything to be done in a normal-looking PC case.
So the total solution would be a computer case with sensors which trigger the capacitor in the hard drive, and also sensors in the hard drive enclosure which trigger destruction of the key. It seems like this wouldn't be such a complicated thing to implement. Any thoughts on this?
At 05:09 AM 1/12/01 -0500, drevil@sidereal.kz wrote:
> So here's another solution. The hard drive itself is encrypted, and the encryption/decryption hardware is part of the hard drive chips, and all are mounted within a tamper-resistant enclosure. Also mounted in this enclosure is a little battery which will last for the lifetime of the hard drive, and a large-enough capacitor. When the enclosure is tampered with, the capacitor sends a jolt through the chip that holds the encryption key. This jolt is big enough to melt the silicon, so no key bits could be recovered (this would not require much of a jolt, I would think). Then the attacker would have the hard drive, but no way to decrypt it. Obviously, it would need sensors to detect tampering with the case, and tricks like freezing the thing, using radiation, whatever.
That is how it's done. Tamper detect can look for voltages, freqs, temps out of range, pressure changes, acceleration, mechanical intrusion, etc. If you see tampering, you zeroize your key, and your disk is suddenly filled with useless noise. There is a patent on thermite-like pastes you can build into a chip, which helps against reverse engineering the circuitry, post-mortem. For you, simple zeroizing will probably be enough; though see the work on remanence in RAMs for caveats.
> This allows us to have data be permanently destroyed, and the hard drive permanently deactivated, without doing any crazy stuff involving pyrotechnics which looks bad in the media.
Worse than looking bad, you can't take energetic materials on airplanes. Check the archives, this gets discussed periodically, and there are commercial tamper-resistant/detecting modules out there.

dh
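As an added illustration, not code from either poster: a C sketch of the tamper-response loop David describes, with sensor readings checked against range limits and the key in battery-backed memory zeroized and latched on the first trip. The sensor fields, thresholds and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define KEY_BYTES 32

/* One sample from the enclosure sensors (constructed field set). */
typedef struct {
    int temp_c, vdd_mv, clk_khz, accel_mg; /* die temp, supply, ref clock, shock */
    bool mesh_broken;                      /* intrusion mesh or lid switch */
} sensors_t;

/* Acceptable envelopes; real values are set per product, these are assumed. */
typedef struct { int lo, hi; } range_t;
static const range_t OK_TEMP = {0, 70}, OK_VDD = {3100, 3500},
                     OK_CLK = {31000, 33000}, OK_ACCEL = {-2000, 2000};

/* Key lives in battery-backed SRAM on the real part; here a plain array.
 * g_tripped is latched: closing the lid again never restores the key. */
static uint8_t g_key[KEY_BYTES];
static bool g_tripped;
enum { TAMPER_TEMP = 1, TAMPER_VDD = 2, TAMPER_CLK = 4, TAMPER_ACCEL = 8, TAMPER_MESH = 16 };
static bool in_range(int v, range_t r) { return v >= r.lo && v <= r.hi; }

/* Bitmask of tripped sensors, so an event log can record what happened. */
unsigned tamper_check(const sensors_t *s) {
    unsigned t = 0;
    if (!in_range(s->temp_c, OK_TEMP))    t |= TAMPER_TEMP;  /* freezing the part */
    if (!in_range(s->vdd_mv, OK_VDD))     t |= TAMPER_VDD;   /* supply glitching */
    if (!in_range(s->clk_khz, OK_CLK))    t |= TAMPER_CLK;
    if (!in_range(s->accel_mg, OK_ACCEL)) t |= TAMPER_ACCEL; /* drive yanked out */
    if (s->mesh_broken)                   t |= TAMPER_MESH;
    return t;
}

/* Write through a volatile pointer so the compiler cannot drop the wipe as a
 * dead store. This defeats optimisation, not physical remanence in the cell. */
static void zeroize(volatile uint8_t *p, size_t n) { while (n--) *p++ = 0; }
void key_load(const uint8_t *k) { memcpy(g_key, k, KEY_BYTES); g_tripped = false; }

/* Poll once per tick. Returns true only while the key is still usable. */
bool tamper_poll(const sensors_t *s) {
    if (!g_tripped && tamper_check(s) != 0) { zeroize(g_key, KEY_BYTES); g_tripped = true; }
    return !g_tripped;
}

bool key_is_zero(void) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_BYTES; i++) acc |= g_key[i];
    return acc == 0;
}
```

The volatile wipe only stops the compiler from optimising the overwrite away; the remanence caveat David raises is a property of the memory cells themselves and has to be handled in hardware.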
participants (2): David Honig, drevil@sidereal.kz