From: GPCG Talk List [mailto:[EMAIL PROTECTED] On > Behalf Of Horst Herb > Sent: Friday, 22 October 2004 9:53 AM > To: [EMAIL PROTECTED] > Subject: [GPCG_TALK] Virtual Privacy Machine > > The seems to resolve many of our security problems arising > from inadequate choices of software and operating system: > http://pvpm.metropipe.net/ > > I will review it and comment when I am finished, but this > looks like something EXTREMELY promising, and might even be > expanded to a complete electronic heath record system on a > USB stick (not just the data, but the software to view and > modify the health records as well)
Yes, this is extremely clever and extremely interesting. The innovative part is that it does not require you to reboot the computer into which you plug the USB memory stick. Instead, it loads a CPU emulator (they use QEMU) under the currently running operating system - Windows or Linux - and then boots a completely separate Linux operating system inside the emulator. This emulated Linux environment is configured to only store data on the USB memory stick, so there is no danger of inadvertently leaving security-sensitive data on the host machine which may be your computer, or it may be someone else's computer. This has several implications: A) It provides an excellent environment for accessing privacy-sensitive Web sites, such as one's bank accounts, or one's Web-based HER. It is a much under-appreciated fact that the biggest security vulnerability with Web-based applications is the client-side browser and all the information it leaves behind, such as cache files, cookies, stored passwords and other automatic form fill-ins. Things like Google Desktop Search (see http://desktop.google.com/ ) now make it incredibly easy to access all this stored-or-captured but not-directly-visible information. If you always use the same computer, and you are the only person to use that computer, none of this matters too much, but that situation is quite rare. At the very least, every computer is in some danger of being lost or stolen at some stage. Yes, you can use an encrypting filesystem to protect every file stored on a machine, but how many of us actually do that? Up until now, it has been possible to use a bootable Linux distribution like Knoppix or one of its many derivatives to overcome this problem, by storing all data on removal media like a USB memory stick. Knoppix provides excellent facilities for doing this, including encryption of the entire data partition on the USB stick. However, the need to reboot into the Knoppix or similar environment is often inconvenient - you need to close what you are doing, and if it is not your computer, the owners often get a worried look on their faces when they see a strange version of Linux booting on their machine. This Virtual Privacy Machine overcomes these objections. B) PKI key generation, storage and use. There have been two broad choices for the generation, storage and handling of PKI keys and certificates until now: i) generation, use and storage of the keys/certificates on a general purpose computer - thus exposing the private keys to possible compromise via all the security holes and flaws present in general purpose computers used for everyday things. ii) Generate, store and process the private keys/certificates on a device which has an embedded processor and special-purpose operating system and software (typically a dongle, memory card or stick) - all access is via an API, and private keys are never transferred to the host computer. Typically a password is also needed to unlock the private keys on the cryptographic hardware module. Disadvantages of this approach include the cost of the special-purpose hardware device, and the fact that they are proprietary, which means you must trust the manufacturer to have gotten everything right - and there are several examples where this has not be the case. However, this Virtual Privacy Machine seems to offers an interesting middle path between the two: two-factor security due to the physical device (the USB memory stick) which one must possess, as well as a password to unlock it; and, as the name implies, a virtual private environment in which to do cryptographic and other processing - sure you are still using the host computer's CPU - but nothing else - in particular you are not using (and thus having to trust) the host computer's operating system or other files, and you are not using its hard disc. The real advantage is that the hardware part is a commodity item - any USB memory stick will do - and these are now very cheap - as opposed to a proprietary cryptographic device which tends to be expensive due to their low volume. Add to that the open source nature of the software components, and the fact that the system is far more general-purpose than a cryptographic device, and it has to be a winner. I think that government agencies and other organisations which are promoting both Web-based access to privacy-sensitive EHRs by health professionals and, most importantly, by patients, should look into this project and invest in its further development. Likewise, government agencies and other organisations which are promoting PKI regimes for use by health professional and agencies should look into this project and invest in its further development as a cheaper, more flexible alternative to proprietary cryptographic devices, and as a more secure alternative to "soft certificates" or keys store on PC hard disks. Tim C > > Horst >
