2

The essence of the problem as follows:

There is a server located on the side of our company.

There is a hardware client module, which is in a public place, which communicates with the server via a secure protocol.

The client module contains the key with which it is authenticated by the server.

We need to make sure that the key could not get into the wrong hands, in case of theft of client module.

A key condition is the absence of agents which would have to be administered, for example, to connect the encrypted volume when module is booting.

Does anyone have any ideas how this can be done?

TristanK
  • 423
  • 2
  • 8
Denis Bezrukov
  • 19
  • 1
  • 1
    Can you just generate an individual key for that particualr piece of hardware? Then if it gets stolen, revoke it's key. If all it does is connect to _your_ server, you should be able to act as your own CA. – Clockwork-Muse Mar 05 '12 at 20:49
  • @X-Zero I'm not sure you even need to go that far. Presuming that the described "client module key" is unique, they could just revoke permissions based on that. – Iszi Mar 05 '12 at 21:19
  • It is, however, perhaps before it is discovered that the key is compromised, an attacker could cause bad things. This may be critical for the system. Necessary to fully deprive him of this opportunity, or as it more difficult. – Denis Bezrukov Mar 06 '12 at 11:01
  • An additional complication is that the module can be offline for a long time and the system will be difficult to know for sure: if the module is idle due to a temporary lack of communication or is stolen, and his attempt to crack. – Denis Bezrukov Mar 06 '12 at 11:04
  • 1
    I think you need to elaborate a bit more... or you'll end up thinking that you have a solution, just to discover someday that it wasn't really protecting you. – woliveirajr Mar 06 '12 at 17:42
  • 2
    @DenisBezrukov - Why are you worried about the removal of said device. Just prevent access to the room with the device itself. Issue it a device specfic key. Why exactly can this module be offline for a long period of time? – Ramhound Mar 06 '12 at 18:38

3 Answers3

4

It's going to very hard, almost impossible, to do that in a simple way.

If you just wanted to protect the key, it would be easy: just put the key inside a device that is tamper-resistant like any token or smartcard. In a smartcard, someone can perform computation inside it, but can't access the code, or a stored key, etc.

Your problem is a bit deeper than that: given a computer that is outside your control (client environment), no matter how long it is turned off, etc, you want to be sure that when it tries to connect to your server, it hasn't been changed / messed in any way.

And to that there's no fully possible way to guarantee that. It's the third rule:

Law #3: If a bad guy has unrestricted physical access to your computer, it's
not your computer anymore
(source: http://technet.microsoft.com/en-us/library/cc722487.aspx)

Specially if your computer can be turned off as a regular use.

Think that someone could try jamming the GPS signal, or opne your case and remove any special hardware you put, or try to change the OS of your computer, or put a device between the computer and the keyboard, or remove your HD and copy everything, or...

If you just want to protect some key, go with tokens or smartcards. But that wouldn't prevent someone from accessing it the same way your original software would do.

If you want to protect the client module from being stolen, put some armed guys at its side. Or tell us more about exactly you want to protect, so we can elaborate a bit more.

woliveirajr
  • 4,462
  • 2
  • 17
  • 26
  • 1
    It would probably be cheaper to get a manufacturer to build a rugged and tamper resistant tablet, than to hire armed guards to watch over a retail device. – Henrick Hellström Mar 07 '12 at 14:50
3

You need tamper resistant hardware.

Henrick Hellström
  • 316
  • 2
  • 6
  • Unfortunately, I have not found what I needed. Basically, as I understand it, this equipment is designed to guarantee the absence of a copy of the key opportunities in order to be assured that as long as the key for me, no one has access to my information. But in this case, such equipment must operate independently and can be stolen, along with the module. Or have I understood you correctly? – Denis Bezrukov Mar 05 '12 at 20:21
  • Equip the device with a gyro and GPS and design the hardware to automatically erase all internal data if it moves more than some tolerance limit. – Henrick Hellström Mar 05 '12 at 20:51
  • Hmm... GPS - it is an interesting variant. I'll have to look for variants of existing hard drives or watchdogs. Thank you! – Denis Bezrukov Mar 05 '12 at 21:15
  • @Henrick Hellström: Easy DOS: get a GPS jammer (or for more sophisticated attack, a constellation simulator) - *poof*, the device is now unusable (as the watchdog has erased it). – Piskvor left the building Mar 07 '12 at 10:47
  • Sure, if it is going to be secure at all, there has to be ways to trigger the security mechanisms (after all, they are there to be triggered by something). But it doesn't have to be that easy. If the device is supposed to be placed in public, it is supposed to be used by the public. I presume the requirement is just that it shouldn't be possible to use it for an extended period of time in case it is stolen, so the obvious solution would be for it to send alerts to the server it is connected to in case of unusual gyro or GPS readings, and the server will eventually decide how to act. – Henrick Hellström Mar 07 '12 at 11:50
-1

Thank you all. It seems I have a solution. The key will not be in the module and will be requested from the server. The channel will be protected by SSL. Requests from the server will be accepted by our customer support. Perhaps we will make the client side to confirm such a request a phone call. The modules will not be rebooted frequently, so we should have enough resources to do so. So we at least protect themselves against anonymous attacks. The key will be stored in memory and thus be lost when power is turned off in case of theft device. If anyone sees flaws in this scheme, please tell us about it. Once again thank you all.

Denis Bezrukov
  • 19
  • 1
  • 1
    Is it running on an external power supply? What prevents a reasonably skilled electrician from cross-wiring the power cord without cutting the power to the device? – Henrick Hellström Mar 07 '12 at 12:47
  • And now just wait if the peer-review allows the edit, I made observations in your affirmations. – woliveirajr Mar 07 '12 at 14:45
  • @Henrick Hellström: And how he can extract the key from RAM? About the possibility of freezing, I know, but I think that doing so will not. The module has no external interfaces with which you can access the already booted OS. – Denis Bezrukov Mar 07 '12 at 14:57