From owner-freebsd-hackers@FreeBSD.ORG Thu May 15 15:14:37 2003 Return-Path: Delivered-To: freebsd-hackers@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DB2EA37B401 for ; Thu, 15 May 2003 15:14:36 -0700 (PDT) Received: from critter.freebsd.dk (critter.freebsd.dk [212.242.86.163]) by mx1.FreeBSD.org (Postfix) with ESMTP id 1127D43FA3 for ; Thu, 15 May 2003 15:14:36 -0700 (PDT) (envelope-from phk@phk.freebsd.dk) Received: from critter.freebsd.dk (localhost [127.0.0.1]) by critter.freebsd.dk (8.12.9/8.12.9) with ESMTP id h4FMEXxm003879 for ; Fri, 16 May 2003 00:14:34 +0200 (CEST) (envelope-from phk@phk.freebsd.dk) To: hackers@freebsd.org From: "Poul-Henning Kamp" In-Reply-To: Your message of "Fri, 16 May 2003 00:37:48 +0300." <20030515185823.X40030-100000@haldjas.folklore.ee> Date: Fri, 16 May 2003 00:14:33 +0200 Message-ID: <3878.1053036873@critter.freebsd.dk> Subject: Re: Crypted Disk Question X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 15 May 2003 22:14:37 -0000 >> Anything that doesn't require a human to intervene can be >> subverted. This is actually not true in a real world. I know of at least one setup where the combined security is pretty conclusive without human intervention. The idea used originates from the strong link/weak link concept used in permissive action links on atomic weapons. The idea is basically, that you put a very vulnerable barrier (the weak link) on the outside of a very hard barrier (the hard link), in such a way that a breach of the weak link will render the hard link permanently open. In certain atomic bombs, any attempt to open the outher casing will rupture a very sensible membrane on the inside of the casing, which again will trigger a carefully chosen trigger mode for the high explosive. According to the info available, the radioactive bits will "be made very hard to reconfigure as an weapon of mass destruction" and "casualties are almost certain". Since the only way to arm the weapon is through a pretty strong crypto key, or by tampering electronics inside the weapon, you're stuck without the crypto material. For an interesting introduction: http://www.research.att.com/~smb/nsam-160/pal.html http://www.brook.edu/dybdocroot/fp/projects/nucwcost/box9-2.htm In the computer setup I'm talking about here, a computer is physically located inside a heavily armoured facility and the rather interesting intrusion detection is wired to the computer. One of the interesting details is that the computer controls the lock on the inner door. Under normal circumstances, regular and heavily protected network access to the computer will be used to disarm and open the containment if access is needed. This requires some pretty normal two-man procedures to be followed. If somebody breaks in, the computer locks (or rather, doesn't unlock) the inner door, and makes sure that even if that door is breached, there is nothing to get hold off by umounting, and erasing the keymaterial from the key media and shutting down everything. I have not been able to confirm this, but it was hinted that breaking the inner containment would "set off something bad for your health", in all likelyhood some explosive. After activation of the alarm sequence, reactivation consists of cutting the power to the room for a very specific length of time, and using the normal two-man access procedure to gain access so keymaterial can be reloaded. In case of a external power failure, the system shuts mostly down, leaving only the weak/strong link functionality operating, and multiple redundant sets of batteries keeps the intrusion detection running for a very, very long time. (You would surely read sensational headlines about what happened to Denmark in your local newspaper before power is exhausted.) When power is restored, the system resumes normal operation. The end result is a system which I will argue is as secure as the network protocols they have implemented, requires no manual intervention under normal circumstances, and yet it is still maintainable using only slightly more involved than normal procedures. Total size: about 3 by 3 by 3 meter. Total cost: less than what the feasibility study which said it was impossible to do cost them. So it can be done... -- Poul-Henning Kamp | UNIX since Zilog Zeus 3.20 phk@FreeBSD.ORG | TCP/IP since RFC 956 FreeBSD committer | BSD since 4.3-tahoe Never attribute to malice what can adequately be explained by incompetence.