Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Apr 13, 2016, at 4:16 PM, Jerry Leichterwrote: >>> Yes, make it significantly smaller than the current form factor. >> >> Ah. OK, well, that is certainly doable, though how small you can make it is >> ultimately limited by the size of the display. How small do you want it, >> and how much are you willing to pay? > I wonder if one could get rid of the display per se and add some kind of MEMS > steerable laser to it. The output would be projected onto some nearby > surface. This could be physically much smaller. Hm, that is an interesting idea. But I think it’s a little more than I want to bite off for version 1. > In another message, you suggested using a passphrase to unlock the thing, so > even decapping wouldn't reveal the secrets. That requires a secure input > device. Only if you have an adversary that pwns your client machine *and* then obtains physical control of the device. For either of these attacks in isolation, a non-secure input suffices. > Going all the way to a virtual keyboard might do the trick. The keyboard > doesn't have to be very good, just functional for this one purpose. > > Of course, this would add significantly to cost, though the one I listed > above only costs $40. What size you could end up with isn't clear. I’m not trying to protect against every conceivable attack, I’m just trying to design an 80/20 solution (actually I think what I have is closer to a 99/1 solution, but it’s early yet). One must always keep Munroe’s law in mind: https://xkcd.com/538/ rg ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Apr 13, 2016, at 2:22 PM, Bill Frantzwrote: > On 4/13/16 at 10:14 AM, r...@flownet.com (Ron Garret) wrote: > >> Here’s a photo of an earlier version of the HSM using a seven-segment >> display instead of the current 128x32 pixel OLED, next to the current >> version for size comparison: > > I normally carry a USB flash drive in my pocket. With the connector > retracted, it is a bit less than 3 US nickels (2.25 inches, 58mm) long. I > would have no problem with either of the pictured devices. The prototype SC4-HSM case is 57x21x9 mm. The USB connector extends out 14mm beyond the edge of the case. It’s bigger than some portable USB devices, smaller than others. It’s almost exactly the same size as e.g. the MobileMate SD+ card reader: http://www.amazon.com/Sandisk-Mobilemate-Plus-Memory-Reader/dp/B002PX99D4/ref=pd_sim_147_5 The case is 3-D printed plastic so a production version could probably shave a couple of mm off of that. There is also quite a bit of extra length on the board to support the debug connector that will be be taken of in the final design. I abandoned the smaller design because the seven-segment display turned out to be inadequate for security. 4x7 segments gives you 28 bits of output at most (and realistically only 16 bits under non-geek UI constraints), and that’s not enough. rg ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Wed, Apr 13, 2016 at 10:14 AM, Ron Garretwrote: > Is that small enough for you? > Yes, that's significantly better. Sorry if I was overly negative before. -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Apr 13, 2016, at 8:27 AM, John Ioannidiswrote: > On Tue, Apr 12, 2016 at 11:28 AM, Ron Garret wrote: >> One of the biggest challenges in crypto is protecting your keys against an >> attacker who pwns your machine. The fundamental problem is that such an >> attacker can do anything you can do, including access hardware tokens that >> are connected to the machine. Some hardware tokens have an input device >> built in (usually a push button, sometimes a fingerprint sensor) which needs >> to be activated before the token will operate, but these are still subject >> to phishing attacks. In order to really be secure, a hardware token must >> have not just an input device, but a display as well so that information >> about the operation being authorized can be shown to the user in a way that >> is guaranteed to be out of the control of an attacker who pwns the host >> machine. >> > > You are addressing crypto professionals here. Don't you think we > already know this? I didn’t want to assume that *everyone* on this list was a professional cryptographer. And it certainly does not appear to be common knowledge that a USB token needs to have built-in I/O in order to be secure against ownership of the client device. In fact, it seems to be a rather controversial claim. But if you thought my original post was inappropriate I apologize. >> I did a market survey and could not find a device that met these >> requirements. The closest thing I could find was the Trezor bitcoin wallet, >> but at $99 it seemed a bit pricey so I decided to roll my own. The result >> is the SC4-HSM, a USB dongle with an STM32F405 processor (32-bit ARM cortex >> M4 with a built-in hardware RNG, 1MB flash, 192k RAM) and a 128-32 pixel >> monochrome Adafruit display. It also has two user pushbuttons and two LEDs >> (though I’m going to be changing that to a single tri-color LED). It >> currently runs TweetNaCl, but there’s a lot of headroom for more complex >> crypto. It’s also possible to swap the F405 for an F415, which has built-in >> crypto operations (AES, 3DES, various SHA hashes). Both processors have >> hardware support for freezing a firmware load so that it cannot be >> overwritten, and so the contents of the flash cannot be read out even with >> physical access to the device. The target market for these chips is medical >> devices and process controllers, and one of the requirements is to keep the >> firmware out of the hands of Chinese industrial espionage agents. >> > > If the secret you are protecting is valuable enough, there are lots of > ways to uncover it. Read up about decapping chips with nitric acid, > micromanipulators, and other such fun stuff. If you want to get a bit > fancier, read up on FIBs. If your secret is worth more than $100, you > should really spend at least that much protecting it. You can make the SC4-HSM secure against decapping by encrypting the keys with a pass-phrase. > The part about freezing the firmware is valid, but even then, you have > to balance that against the need to do firmware upgrades for when bugs > are discovered. In that case you’d need to obtain a new HSM. But the SC4-HSM is ridiculously cheap, only about $20 in parts in single quantities, so replacing it is a viable solution. > The most valuable part of medical devices is not the code. It's the > process of getting them approved for medical use. That may well be, but I don’t understand why you think it’s relevant. Preventing firmware from being copied is a feature of sufficient value that hardware manufacturers are building it into their chips, and that’s all that matters for this application. > >> Photos of the prototype are attached. I’m about to do a small production >> run (O(10) units) which will cost about $50 each. If anyone here is >> interested in obtaining one of these please contact me privately. >> >> I’m also actively recruiting a consultant to help with firmware development >> and auditing. > > You just got some free consulting. Here is some more: do not hire > anyone who would not bring these points up right away. Thank you for your feedback. rg ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Wed, Apr 13, 2016 at 9:40 AM, Ron Garretwrote: > Tony: I really don’t mind negative feedback when it’s constructive. In > fact, I very much appreciate it. But I’m really having a hard time > discerning a constructive purpose in your critique. What exactly do you > think that I should be doing differently? Change the design? > Yes, make it significantly smaller than the current form factor. -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Apr 13, 2016, at 8:56 AM, Tony Arcieriwrote: > On Wed, Apr 13, 2016 at 2:06 AM, Thierry Moreau > wrote: > Who wants to be optimistic with respect to threat models in the current IT > landscape? > > I prefer to be realistic about threats, especially when UX tradeoffs are > involved Everyone needs to choose their own risk posture, and different applications have different needs. There are certainly people out there for whom Yubikeys are adequate, and for whom the SC4-HSM won’t make sense. But I believe that there are applications and not-entirely-unreasonable risk postures for which a Yubikey might not be adequate. If nothing else, having a programmable USB dongle with a display makes kind of a cool toy to noodle around with. Tony: I really don’t mind negative feedback when it’s constructive. In fact, I very much appreciate it. But I’m really having a hard time discerning a constructive purpose in your critique. What exactly do you think that I should be doing differently? Change the design? Give up and join you in being an evangelist for Yubikeys? Something else? I really don’t get it. rg ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On Wed, Apr 13, 2016 at 2:06 AM, Thierry Moreau < thierry.mor...@connotech.com> wrote: > Who wants to be optimistic with respect to threat models in the current IT > landscape? I prefer to be realistic about threats, especially when UX tradeoffs are involved -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
Re: [cryptography] [Cryptography] Show Crypto: prototype USB HSM
On 13/04/16 03:12 AM, Tony Arcieri wrote: On Tue, Apr 12, 2016 at 7:26 PM, Ron Garret> wrote: This HSM is much more general-purpose than a U2F token. Well, that's true, but it's also hundreds of times bigger than a token in the Yubikey "nano" form factor, which is actually convenient to keep permanently in the USB slot of a laptop. Your physical design seems pretty unwieldy for laptops (see also Yubico's keychain designs). Yubikey "nano" factor tokens like the NEO-n have also supported more general purposes than a U2F token (e.g. CCID interface, OpenPGP applets, see also PIV) I swear I'm not a paid shill for Yubico, but I'm a fan of small display-free hardware tokens. While a token like what you've built might provide Maximum Security under pessimistic threat models, its large size = Who wants to be optimistic with respect to threat models in the current IT landscape? Do you? (I much liked what I glimpsed from the original post.) - Thierry Moreau makes it look rather inconvenient to me. -- Tony Arcieri ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography ___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography