[Cryptography] Dumb idea: open-source hardware USB key for crypto

grarpamp grarpamp at gmail.com
Fri Jan 10 23:35:39 PST 2014


On Fri, Jan 10, 2014 at 5:53 PM, Bill Cox <waywardgeek at gmail.com> wrote:
> I've been noodling the idea of a USB stick designed in a way that we
> can trust the crypto that goes on there.  It's a hard problem, but
> there seems to be some guidelines that could help:
>
> - Open source hardware - schematics and everything including board
> layout need to be free
> - No ICs that could be compromised.  Any CPU would have to be a
> soft-core in an FPGA, with an open-source design
> - FPGA configuration memory both readable and writable over a JTAG port
> - External flash program memory also read/writeable through JTAG
> - Reasonable hardware RNG where every node in the circuit can be probed
> - Signal isolation from the PC: solid state relays would swap a simple
> memory back and forth between the PC side and USB stick side.  Maybe
> power draw should be randomized to obscure any processing going on.
> RF shielding should cover the USB stick.  No other communication
> should be possible.  This is similar to an air gap.
> - A community supported audit trail verifying produced USB keys are secure
>
> The idea still has issues.  Where would I be able to store secret keys
> securely such that an attacker who stole my USB stick could not
> recover it?  Anyway, it's just a fun idea.  I'd love to have such a
> device in my pocket.  There's a lot of applications I can think of
> that could benefit from it, from electronic voting to
> microtransactions.  As one security expert once said in an
> electronic-voting discussion I followed, no machine ever connected to
> the Internet has proven secure.  Could we make such a beast?  I
> probably don't really have time to work on it, but if a group were
> building it, I'd participate.

Many of these open hardware ideas come down to the fab level...
can you examine (and trust) the fab process. Sure, publish all your
schematics, VHDL, die masks, etc. But unless some number of
random people can routinely make unannounced access-all-areas
verification visits to the fab to verify those masks are the ones in use,
it's moot. Or unless they can pull unannounced random samples
and decap and analyse them, it's moot. That's why I've previously
suggested people get together to make hardware RNGs out of
discrete components... you don't have those worries then.

I agree with the softcore loadable fpga and probe points ideas, they're
good things. But in general, once you exceed a certain number of
presupplied closed source and relatively unauditable gates [1], you
should consider yourself potentially and generally fucked... and
start taking a serious defense in depth approach.

[1] Let's call it the number required to perform dumb leaks or take
pseudo intelligent actions against you. The current lineup from
Intel/AMD certainly falls in this category.  As would quite a few
lesser things... ARM, phones, cards, etc... firmware things.
Does it not scare you that the next PC you're about to buy
for your firewall is one of these systems, potentially hiding out
to honor magic packets? Look at AMD's new CPUs coming
out in a few weeks... besides gate count we all know about, it
has embedded ARM cores. And just who is going to bring
the aforesaid open model upon this class of gear? So it's
+1 for spooks.
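The discrete-component RNG mentioned above still needs to be checked at
the point where every node can be probed: on the raw bits, before any
whitening, because a hash or cipher on the output hides a biased or
stuck source. The following is an added example, not code from either
post or from any project: a von Neumann debiaser plus two simple health
checks (ones-fraction and longest run) applied to a raw bit stream. The
raw bits are a constructed, seeded simulation of a biased source, and
the thresholds (max_bias, max_run, min_bits) are assumptions chosen for
illustration, not values taken from any standard.

```python
"""Von Neumann debiasing and basic health checks for raw bits from a
discrete-component hardware RNG.  Added example; the raw bit stream is
a constructed, deterministic simulation so it runs offline."""

import random

RAW_BITS_N = 100_000
RAW_P_ONE = 0.7   # constructed bias of the simulated noise source


def simulated_raw_bits(n=RAW_BITS_N, p_one=RAW_P_ONE, seed=1234):
    """Constructed stand-in for a biased comparator sampling a noisy
    diode.  Fixed seed so the run is reproducible; not real hardware."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def von_neumann_debias(bits):
    """Pair consecutive raw bits; (0,1) -> 0, (1,0) -> 1, drop (0,0)/(1,1).
    Removes a constant bias at the cost of discarding most of the input.
    Assumes samples are independent: it does not remove correlation
    between neighbouring samples, so check that on the raw stream too."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def ones_fraction(bits):
    """Fraction of 1 bits; 0.5 is ideal for an unbiased source."""
    return sum(bits) / len(bits) if bits else 0.0


def longest_run(bits):
    """Length of the longest run of identical bits (catches a source
    that is stuck high/low or briefly latches)."""
    best = run = 0
    prev = None
    for b in bits:
        run = run + 1 if b == prev else 1
        prev = b
        best = max(best, run)
    return best


def health_check(bits, max_bias=0.05, max_run=32, min_bits=512):
    """Return (ok, reason).  Thresholds are assumed illustrative values.
    Run this on the RAW bits: after whitening, bias is invisible."""
    if len(bits) < min_bits:
        return False, "too few bits to judge (%d < %d)" % (len(bits), min_bits)
    bias = abs(ones_fraction(bits) - 0.5)
    if bias > max_bias:
        return False, "bias %.3f exceeds %.3f" % (bias, max_bias)
    run = longest_run(bits)
    if run >= max_run:
        return False, "run of %d identical bits (limit %d)" % (run, max_run)
    return True, "ok"


if __name__ == "__main__":
    raw = simulated_raw_bits()
    print("raw  : ones=%.3f check=%s" % (ones_fraction(raw), health_check(raw)))
    clean = von_neumann_debias(raw)
    print("clean: n=%d ones=%.3f check=%s"
          % (len(clean), ones_fraction(clean), health_check(clean)))
    print("stuck: check=%s" % (health_check([1] * 1000),))
```

The point of running the check before debiasing is the one the thread
makes about probing every node: the raw stream above fails on bias, the
debiased stream passes, and a stuck source fails outright, whereas a
hashed output of the same stuck source would look perfectly random.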



More information about the cypherpunks mailing list