5

What options are available for transferring data between unix machines separated by an air gap?

  • USB flash drives
  • Optical media eg CDs and DVDs
  • Printed paper and Scanning+OCR
  • QR Code software, displays or printers, and cameras
  • Pen, paper and typing!
  • Smartcards / ISO 7816
  • Contactless / NFC / ISO 14443

Each of these has pros and cons, and I'm having a hard time identifying the smartest way to move things like certificates, private and public keys and other relatively short data, to and from an offline machine.

jon
  • 153
  • 6
  • I suppose you can't hook it up to another machine via ethernet? The advantage would be that you could do it permanently, and just disable the connection (in "Network and Internet" on Windows computers) while it's not needed. Depending on how secure you need to be, this may be too compromising for your taste (although if the connection is truly disabled, I don't think a hacker could do much with it...) – KnightOfNi Aug 26 '14 at 21:56
  • 1
    Hooking the machines up permanently via Ethernet kind of defeats the purpose of an air gap. Especially when an attacker who gains access to the machine can simply reenable the connection in software. – Stephen Touset Aug 26 '14 at 22:01
  • @StephenTouset I disagree, based upon the premise that the purpose of an air gap is to PREVENT access to the machine. If an attacker gains this, you're screwed anyway, right? If you're saying he might gain access to the machine that isn't behind the air gap, I don't think that that machine can change settings on the protected computer until the aforementioned computer enables the connection - and that's not much more dangerous than accepting files, done correctly. – KnightOfNi Aug 26 '14 at 22:48
  • I recall recently seeing special devices for this purpose, something like "cryptographic transport devices". I would imagine you would mostly want to ensure the key was encrypted such that only the recipient machine could decrypt before it left and that recovery would be difficult except at the other airgap. – Eric G Aug 27 '14 at 02:58

3 Answers

1

There is no "golden rule" on how to move the data. The options you have listed give you a tradeoff between security and convenience. You should think of threat models and analyze your security needs.

When there is data on the machine I wanted to protect, I would use convenient means (like CD or throw-away usb sticks) to get data onto the machine, knowing that malware could have been transported onto the machine, and very secure means (like QR code software or paper and typing) to get them back. Of course, if the data were really important, I'd ensure a good air-gap to defend against badbios-like (ultrasound) communication methods, or use very secure means for the other direction, to prevent malware from getting onto the isolated machine.

user10008
  • 4,315
  • 21
  • 33
  • QR codes are a very good idea - you can get a fairly high information density, and they're easy to generate and read (as easy or easier than typing, as far as I know). +1! – KnightOfNi Aug 27 '14 at 17:05
  • Why do you consider QR codes secure? – Eric G Aug 28 '14 at 13:13
  • @EricG In your answer, you don't trust the people that transport the information. And you also see a risk during transport. My assumptions were that somebody with physical access to the machine would be able to do more severe things than just read out some printer memory, like install a keylogger. I also assumed that both machines were on-site, so the transport was already secure. I think CDs are insecure, as they could easily contain large amounts of data, while QR codes give physical control over the amount of data transported. – user10008 Aug 28 '14 at 18:38
  • Physical access to a terminal does not mean physical access to a machine (server cage). Access to copy one file does not mean access to the whole system (root should not be needed to copy this file). Both air gaps being on site has no impact on the malicious human. I am not sure why you would ever trust a human in a security context; trust is not a compensating control. The capacity of the medium has no impact on what is allowed to be written to it. – Eric G Aug 28 '14 at 19:13
1

Generally, you have a few goals:

  • Keep the data secure during transport
  • Prevent leakage during the transmission from system to output and back to system
  • Limit possible exposure, even of the encrypted value after the transmission.
  • Ensure that the person who is transporting the secret cannot obtain or abscond with it

If you are moving a symmetric key or copying a private key, you may want to set up pub/private keys between the two air gaps as well if you are doing this through some manual mechanism like copying to a flash drive, even if the flash drive itself is encrypted, so that only in the presence of the private key can the secret being passed be decrypted. If you are just moving public keys, those may not need the same level of security.

Let's look at some risks in the QR code scenario. You need to generate the QR code with some program and then print it. You need to ensure that the printer is secured (even if the printer is in the air gap, can someone later check the memory of the printer, force a reprint of the last page, etc). You also have the risk that the value will be stored in an insecure temporary file or print cache somewhere on the disk which can later be retrieved. Now when the person with the QR code is moving it between the sites, can they take a photo of it? Did they ensure the printout is in a secure, possibly tamper evident photo, so we can ensure that they do not switch it with a malicious printout in the process and no video camera between the air gaps steals the photo? At the other air gap, how is the QR code being read back in? Is the camera/scanner secure, is the program reading in the QR code going to leave a trace in a temp file? Do you need to store the QR code value in a temp file to be read in to the encrypted storage or HSM?

I would say QR codes are likely a bad choice for this. You would ideally want something that is providing cryptographic security, tamper resistant (to human or a device which intercepts or copies in the air), and tamper evidence between the two sites.

Some type of HSM would be a good choice. Beyond that a write-once CD/DVD may be a good option with proper public/private key encryption because you can use trusted hardware on both sides and then destroy the disc cheaply and easily. However, you will have trouble detecting unauthorized duplication. A USB device is much more likely to be infected with malware and it's harder to detect or block (check out the presentation from this year's blackhat). With any method, you may want to split the key and require two couriers so that collusion is required to leak the ciphertext. A nice feature would be if you had a device that would only write back the value once and then not write it again (self destruct after write) so if there is a leak you could not prevent, you could at least detect it.

(As noted in my comment, I am still looking to see if I can find those devices; the ones I found going back were for specific proprietary military systems).

You may be interested in some of the NIST SP-800 guidelines related to this:

Section 6.6.1 Key Transport of Draft SP 800-152 addresses key transport, Section 6.6.1 of SP 800-130, is also very similar.

SP 800-57 Part 2 has some scenarios showing key management, and gets pretty technical. Even more technical details are addressed in FIPS PUB 140-2

Eric G
  • 9,691
  • 4
  • 31
  • 58
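The two-courier split suggested above, worked through as an added example (not code from the answer or from any product it mentions): the secret is XOR-split into two shares so that neither courier alone learns anything, and each share carries an HMAC tag so the receiving air-gapped machine can refuse a swapped or corrupted share. It assumes a verification key already installed on both machines out of band; the sample secret and key are constructed.

```python
"""Split a transported secret between two couriers and verify it on receipt.
Standard library only; assumes VERIFY_KEY was shared between the two
air-gapped machines by a separate channel (an assumption of this example)."""
import hashlib
import hmac
import secrets


def split_secret(secret: bytes) -> tuple[bytes, bytes]:
    """XOR sharing: share_a is uniformly random, share_b = secret XOR share_a.
    On its own each share is indistinguishable from random bytes."""
    share_a = secrets.token_bytes(len(secret))
    share_b = bytes(s ^ a for s, a in zip(secret, share_a))
    return share_a, share_b


def combine_shares(share_a: bytes, share_b: bytes) -> bytes:
    """Recover the secret; both shares are required."""
    if len(share_a) != len(share_b):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(share_a, share_b))


def tag_share(verify_key: bytes, label: bytes, share: bytes) -> bytes:
    """HMAC-SHA256 over label||share. The label binds a share to its courier
    slot, so share A of one transfer cannot be paired with share B of another."""
    return hmac.new(verify_key, label + share, hashlib.sha256).digest()


def package_for_transport(verify_key: bytes, secret: bytes) -> dict:
    """Sending side: one (share, tag) pair per courier."""
    share_a, share_b = split_secret(secret)
    return {"courier_a": (share_a, tag_share(verify_key, b"A", share_a)),
            "courier_b": (share_b, tag_share(verify_key, b"B", share_b))}


def receive(verify_key: bytes, package: dict) -> bytes:
    """Receiving side: check both tags (constant-time) before recombining."""
    for label, key in ((b"A", "courier_a"), (b"B", "courier_b")):
        share, tag = package[key]
        if not hmac.compare_digest(tag_share(verify_key, label, share), tag):
            raise ValueError(f"share {label.decode()} failed integrity check")
    return combine_shares(package["courier_a"][0], package["courier_b"][0])


if __name__ == "__main__":
    VERIFY_KEY = secrets.token_bytes(32)        # constructed sample key
    SECRET = secrets.token_bytes(32)            # constructed sample secret
    pkg = package_for_transport(VERIFY_KEY, SECRET)
    assert receive(VERIFY_KEY, pkg) == SECRET
    print("secret recovered from both couriers; tags verified")
```

The HMAC only provides tamper evidence and slot binding; confidentiality against a courier who obtains both shares, or against an attacker who also holds the verification key, still depends on the public-key encryption the answer recommends.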
1

I always suggest using a FIPS level 3 (140-2) certified device when moving sensitive data (non-government workers cannot buy level 4 devices). A level 3 device will stop anyone [other than the government] from accessing your encrypted data. Devices require a key to be put in to unlock the drive to access the encrypted data, and upon x wrong attempts (user set, but it can't be more than 10), the device wipes itself. Level 3 is very tamper resistant.

According to Seagate (a lot of other sources said similar things, but Seagate included all aspects):

"Level 3 adds physical tamper resistance to disassembly or modification, making it extremely difficult to hack. If tampering is detected, the device must be able to erase critical security parameters. Level 3 also includes robust cryptographic protection and key management, identity-based authentication, and physical or logical separation between the interfaces by which critical security parameters enter and leave."

An example of one of these usb drives would be: http://www.apricorn.com/aegis-secure-key.html

crypto
  • 104
  • 5