Date:      Fri, 16 May 2003 00:14:33 +0200
From:      "Poul-Henning Kamp" <phk@phk.freebsd.dk>
To:        hackers@freebsd.org
Subject:   Re: Crypted Disk Question 
Message-ID:  <3878.1053036873@critter.freebsd.dk>
In-Reply-To: Your message of "Fri, 16 May 2003 00:37:48 +0300." <20030515185823.X40030-100000@haldjas.folklore.ee>


>> Anything that doesn't require a human to intervene can be
>> subverted.

This is actually not true in a real world.  I know of at least one
setup where the combined security is pretty conclusive without
human intervention.

The idea used originates from the strong link/weak link concept
used in permissive action links on atomic weapons.

The idea is basically, that you put a very vulnerable barrier (the
weak link) on the outside of a very hard barrier (the hard link),
in such a way that a breach of the weak link will render the
hard link permanently open.

In certain atomic bombs, any attempt to open the outer casing will
rupture a very sensitive membrane on the inside of the casing, which
again will trigger a carefully chosen trigger mode for the high
explosive.  According to the info available, the radioactive bits
will "be made very hard to reconfigure as a weapon of mass
destruction" and "casualties are almost certain".  Since the only
way to arm the weapon is through a pretty strong crypto key, or by
tampering with the electronics inside the weapon, you're stuck without the
crypto material.

For an interesting introduction:
	http://www.research.att.com/~smb/nsam-160/pal.html
	http://www.brook.edu/dybdocroot/fp/projects/nucwcost/box9-2.htm


In the computer setup I'm talking about here, a computer is physically
located inside a heavily armoured facility and the rather interesting
intrusion detection is wired to the computer.

One of the interesting details is that the computer controls the
lock on the inner door.

Under normal circumstances, regular and heavily protected network
access to the computer will be used to disarm and open the containment
if access is needed.  This requires some pretty normal two-man
procedures to be followed.

If somebody breaks in, the computer locks (or rather, doesn't unlock)
the inner door, and makes sure that even if that door is breached,
there is nothing to get hold of, by unmounting, erasing the
key material from the key media and shutting down everything.

I have not been able to confirm this, but it was hinted that
breaking the inner containment would "set off something bad
for your health", in all likelihood some explosive.

After activation of the alarm sequence, reactivation consists of
cutting the power to the room for a very specific length of time,
and using the normal two-man access procedure to gain access so
key material can be reloaded.

In case of an external power failure, the system shuts mostly down,
leaving only the weak/strong link functionality operating, and
multiple redundant sets of batteries keep the intrusion detection
running for a very, very long time.  (You would surely read sensational
headlines about what happened to Denmark in your local newspaper
before power is exhausted.)  When power is restored, the system
resumes normal operation.

The end result is a system which I will argue is as secure as the
network protocols they have implemented, requires no manual
intervention under normal circumstances, and yet is still
maintainable using only slightly more involved procedures than normal.

Total size: about 3 by 3 by 3 meters.

Total cost: less than what the feasibility study which said it was
impossible to do cost them.

So it can be done...

-- 
Poul-Henning Kamp       | UNIX since Zilog Zeus 3.20
phk@FreeBSD.ORG         | TCP/IP since RFC 956
FreeBSD committer       | BSD since 4.3-tahoe    
Never attribute to malice what can adequately be explained by incompetence.
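The fail-closed behaviour the post describes (intrusion locks the inner door and erases key material; external power loss leaves only the weak/strong link logic running; recovery needs a power cut of a specific length followed by the two-man procedure), modelled as a small state machine. This is an added example, not code from the post or the installation it describes; the state names, the 300-second cut length and the two-operator rule are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import List, Optional, Set

class State(Enum):
    NORMAL = auto()         # keys loaded, authorised access can unlock the door
    DEGRADED = auto()       # external power lost: only weak/strong link logic runs
    ZEROIZED = auto()       # alarm fired: keys erased, everything shut down
    RESET_PENDING = auto()  # power cut of the right length seen, awaiting key reload

RESET_CUT_SECONDS = 300  # hypothetical "specific length"; the post gives no number

@dataclass
class Containment:
    state: State = State.NORMAL
    key_material: Optional[bytes] = b"constructed-sample-key"  # constructed value
    inner_door_unlocked: bool = False
    log: List[str] = field(default_factory=list)

    def intrusion_detected(self) -> None:
        # Weak link breached: the strong link closes for good. Works in every
        # state, since the detection stays on batteries during a power failure.
        self.inner_door_unlocked = False
        self.key_material = None          # erase from key media
        self.state = State.ZEROIZED
        self.log.append("intrusion: door locked, keys erased, shut down")

    def request_access(self, operators: Set[str]) -> bool:
        # Two-man rule: two distinct operators, and only while fully operational.
        if self.state is not State.NORMAL or len(operators) < 2:
            self.log.append("access denied in state %s" % self.state.name)
            return False
        self.inner_door_unlocked = True
        return True

    def external_power_lost(self) -> None:
        if self.state is State.NORMAL:
            self.state = State.DEGRADED   # mostly down, link logic still armed

    def external_power_restored(self, outage_seconds: int) -> None:
        if self.state is State.DEGRADED:
            self.state = State.NORMAL     # resumes normal operation
        elif self.state is State.ZEROIZED and outage_seconds == RESET_CUT_SECONDS:
            self.state = State.RESET_PENDING  # wrong length: stays zeroized

    def reload_keys(self, operators: Set[str], new_key: bytes) -> bool:
        # Reload is the two-man procedure again, and only after the reset cut.
        if self.state is not State.RESET_PENDING or len(operators) < 2:
            return False
        self.key_material = new_key
        self.state = State.NORMAL
        return True
```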
