cop-proof disk drives
Thomas Shaddack
shaddack at ns.arachne.cz
Sat Apr 24 11:37:05 PDT 2004
On Sat, 24 Apr 2004, Bill Stewart wrote:
> That's really overkill. Computers these days have enough
> horsepower to run file system encryption in the CPU.
That's true, but it's possible to get access to the key in memory. Once
the machine is compromised, the keys are leaked.
It's true that when the machine is compromised the plaintext data may be
leaked, but it's more difficult to inspect and transfer couple gigs of
data than just the key and then come and haul away the machine. Or to
compromise the encryption software itself. It's much more difficult to do
that with a hardware unit (and much more difficult if the case was eg.
spot-welded - you still can get inside using power tools, but not without
visibly damaging the case).
Another advantage of a pure-hardware solution is independence on software,
thus no risk of present nor future incompatiBILLities.
> If you want to get fancy about rubber-hose prevention
> and avoid the except-for-terrorism clause in the 5th amendment,
> you could do something with secret-sharing with your
> unindicted co-conspirators (oh, wait, they don't bother with
> indictments these days, do they?) so that all of you
> need to cooperate in a challenge-response thing
> to restart some of the services.
I'd suggest a m-of-n scheme because of reliability issues. It won't be
good to lose all data because one of the co-conspirators died in a car
crash.
> Or you could hide that little 802.11 widget on the shelf
> that stores one of the keyfiles you need to
> access the secure drive. Once UWB's widely available,
> it'll be better for that (lower power - harder to detect.)
A 802.11 standalone data storage unit (I think they're on sale already)
hidden under the floor, over the ceiling, or between the drywalls could do
the job nicely.
> Just make sure that your system _is_ restartable after
> power failures, because those are a much more likely event
> than cop invasions.
Reliability vs security is a big dilemma.
Maybe a good approach could be forgetting the key if the machine is moved
without telling the processor guarding the key that it should stop
watching a movement sensor for a given time interval, or after entering a
wrong (or kill-) PIN? A power blackout then won't affect the operation,
but switching the equipment off and hauling it away would destroy the
keys. Same as an attempt to bruteforce the access code, or opening the
machine case by force.
More information about the cypherpunks-legacy
mailing list