9fans - fans of the OS Plan 9 from Bell Labs
* Re: [9fans] secret stuff
@ 2002-06-15 15:39 presotto
  2002-06-15 16:32 ` Jim Choate
  0 siblings, 1 reply; 13+ messages in thread
From: presotto @ 2002-06-15 15:39 UTC (permalink / raw)
  To: 9fans

[-- Attachment #1: Type: text/plain, Size: 412 bytes --]

That's not really true.  We've had numerous smart cards come through with
tamper protection.  You couldn't get at the image without tearing it
apart, filing down the chips, and probing the memory physically.  IBM
made that even hard to do.  Certainly not something you did in 10
minutes.

Granted many of the smart cards on the market are just memories
that you cryptographically store into but many are not.

[-- Attachment #2: Type: message/rfc822, Size: 2369 bytes --]

From: Jim Choate <ravage@ssz.com>
To: 9fans@cse.psu.edu
Cc: hangar18-general@open-forge.org, plan9-system-admin@open-forge.org
Subject: Re: [9fans] secret stuff
Date: Sat, 15 Jun 2002 07:49:24 -0500 (CDT)
Message-ID: <Pine.LNX.3.96.1020615074753.1158x-100000@einstein.ssz.com>


On Fri, 14 Jun 2002 presotto@plan9.bell-labs.com wrote:

> I don't.  I'd use a smart card if I had one that I could get at most
> of the time.  As is we've made our secstore accessible from the outside
> of our firewall so I can use it even when I'm not at home.

Smart Cards have the same problem as PDAs, if you lose physical control
you lose your security. If anybody ever gets the card for 10 or more
minutes they can image the card and then at their leisure take a crack at
it.


 --
    ____________________________________________________________________

              When I die, I would like to be born again as me.

                                            Hugh Hefner
     ravage@ssz.com                                         www.ssz.com
     jchoate@open-forge.org                          www.open-forge.org

    --------------------------------------------------------------------



* Re: [9fans] secret stuff
  2002-06-15 15:39 [9fans] secret stuff presotto
@ 2002-06-15 16:32 ` Jim Choate
  0 siblings, 0 replies; 13+ messages in thread
From: Jim Choate @ 2002-06-15 16:32 UTC (permalink / raw)
  To: 9fans


On Sat, 15 Jun 2002 presotto@plan9.bell-labs.com wrote:

> That's not really true.  We've had numerous smart cards come through with
> tamper protection.  You couldn't get at the image without tearing it
> apart, filing down the chips, and probing the memory physically.  IBM
> made that even hard to do.  Certainly not something you did in 10
> minutes.

There are a variety of ways to get to the data on the card. There is even
a 'strobe attack' whereby one can flash extremely bright light on the
card. You can 'jitter' the power supply and clocks, etc.

The 'tamper proof' mechanisms are there to prevent PHYSICAL attacks only.
There are other attacks.

ps I work for IBM.


 --
    ____________________________________________________________________

              When I die, I would like to be born again as me.

                                            Hugh Hefner
     ravage@ssz.com                                         www.ssz.com
     jchoate@open-forge.org                          www.open-forge.org

    --------------------------------------------------------------------





* Re: [9fans] secret stuff
@ 2002-06-15 16:44 presotto
  0 siblings, 0 replies; 13+ messages in thread
From: presotto @ 2002-06-15 16:44 UTC (permalink / raw)
  To: 9fans

I'm interested.  I've seen the power jitter attacks and they
generally had pretty good success over a fair amount of time on some
cards.  IBM claimed that they were not susceptible, since they disable
the card (permanently) if the power gets too wonky.  On the other hand,
the last I saw of their secure engine, it didn't look like my wallet
was big enough (either in volume or contents).

So is this just all a bunch of PR hooey and if I lend my card to someone
for 10 minutes I might as well kiss my data goodbye?



* Re: [9fans] secret stuff
  2002-06-14 19:07 presotto
@ 2002-06-15 12:49 ` Jim Choate
  0 siblings, 0 replies; 13+ messages in thread
From: Jim Choate @ 2002-06-15 12:49 UTC (permalink / raw)
  To: 9fans; +Cc: hangar18-general, plan9-system-admin


On Fri, 14 Jun 2002 presotto@plan9.bell-labs.com wrote:

> I don't.  I'd use a smart card if I had one that I could get at most
> of the time.  As is we've made our secstore accessible from the outside
> of our firewall so I can use it even when I'm not at home.

Smart Cards have the same problem as PDAs, if you lose physical control
you lose your security. If anybody ever gets the card for 10 or more
minutes they can image the card and then at their leisure take a crack at
it.


 --
    ____________________________________________________________________

              When I die, I would like to be born again as me.

                                            Hugh Hefner
     ravage@ssz.com                                         www.ssz.com
     jchoate@open-forge.org                          www.open-forge.org

    --------------------------------------------------------------------





* Re: [9fans] secret stuff
@ 2002-06-14 19:07 presotto
  2002-06-15 12:49 ` Jim Choate
  0 siblings, 1 reply; 13+ messages in thread
From: presotto @ 2002-06-14 19:07 UTC (permalink / raw)
  To: 9fans

I don't.  I'd use a smart card if I had one that I could get at most
of the time.  As is we've made our secstore accessible from the outside
of our firewall so I can use it even when I'm not at home.



* Re: [9fans] secret stuff
@ 2002-06-14 18:52 Richard Miller
  0 siblings, 0 replies; 13+ messages in thread
From: Richard Miller @ 2002-06-14 18:52 UTC (permalink / raw)
  To: 9fans

> Running it on a hand held would also be a reasonable idea.  I considered just
> keeping my secstore on an ipaq with a wavelan in it.  At least then I have the
> stuff on the road.

The advantage of a smart card is tamper-resistance.  How do you know someone
hasn't borrowed your ipaq and installed a doctored version of secstored or
secuser?

-- Richard




* Re: [9fans] secret stuff
@ 2002-06-14 13:26 presotto
  0 siblings, 0 replies; 13+ messages in thread
From: presotto @ 2002-06-14 13:26 UTC (permalink / raw)
  To: 9fans

[-- Attachment #1: Type: text/plain, Size: 177 bytes --]

Running it on a hand held would also be a reasonable idea.  I considered just
keeping my secstore on an ipaq with a wavelan in it.  At least then I have the
stuff on the road.

[-- Attachment #2: Type: message/rfc822, Size: 1497 bytes --]

From: Richard Miller <miller@hamnavoe.demon.co.uk>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] secret stuff
Date: Fri, 14 Jun 2002 09:02:58 0100
Message-ID: <20020614080309.7589D19AA8@mail.cse.psu.edu>

> ... However, you should talk
> the Plan 9 file system messages and have some want make a pipe twixt
> the smart card and a process.

My intention is to have the smart card itself talking 9P (like the
inferno styx-on-a-brick) so you can access its services directly via
mount.

-- Richard


* Re: [9fans] secret stuff
@ 2002-06-14  8:02 Richard Miller
  0 siblings, 0 replies; 13+ messages in thread
From: Richard Miller @ 2002-06-14  8:02 UTC (permalink / raw)
  To: 9fans

> ... However, you should talk
> the Plan 9 file system messages and have some want make a pipe twixt
> the smart card and a process.

My intention is to have the smart card itself talking 9P (like the
inferno styx-on-a-brick) so you can access its services directly via
mount.

-- Richard




* Re: [9fans] secret stuff
@ 2002-06-13 20:56 presotto
  0 siblings, 0 replies; 13+ messages in thread
From: presotto @ 2002-06-13 20:56 UTC (permalink / raw)
  To: 9fans

[-- Attachment #1: Type: text/plain, Size: 174 bytes --]

yes and no.  The PAK stuff doesn't need plan 9.  However, you should talk
the Plan 9 file system messages and have some want make a pipe twixt
the smart card and a process.

[-- Attachment #2: Type: message/rfc822, Size: 1571 bytes --]

From: Richard Miller <miller@hamnavoe.demon.co.uk>
To: 9fans@cse.psu.edu
Subject: Re: [9fans] secret stuff
Date: Thu, 13 Jun 2002 20:41:03 0100
Message-ID: <20020613194113.E61F519A9F@mail.cse.psu.edu>

> Hah. And Secstore lives on the auth server for safety.
> Perhaps I'll get an auth server.

For standalone Plan 9 users not served by an auth server, would
it make sense to have a secstore server running on a smart card?
Would I have to implement all of Plan 9 on my smart card in order
to be allowed to use the patented key-exchange protocol?

-- Richard Miller


* Re: [9fans] secret stuff
@ 2002-06-13 19:41 Richard Miller
  0 siblings, 0 replies; 13+ messages in thread
From: Richard Miller @ 2002-06-13 19:41 UTC (permalink / raw)
  To: 9fans

> Hah. And Secstore lives on the auth server for safety.
> Perhaps I'll get an auth server.

For standalone Plan 9 users not served by an auth server, would
it make sense to have a secstore server running on a smart card?
Would I have to implement all of Plan 9 on my smart card in order
to be allowed to use the patented key-exchange protocol?

-- Richard Miller




* Re: [9fans] secret stuff
@ 2002-06-13 14:47 nigel
  0 siblings, 0 replies; 13+ messages in thread
From: nigel @ 2002-06-13 14:47 UTC (permalink / raw)
  To: 9fans

Hah. And Secstore lives on the auth server for safety.
Perhaps I'll get an auth server.



* Re: [9fans] secret stuff
@ 2002-06-13 14:42 Russ Cox
  0 siblings, 0 replies; 13+ messages in thread
From: Russ Cox @ 2002-06-13 14:42 UTC (permalink / raw)
  To: 9fans

We set up a secstore account for bootes.
The nvram contains bootes's secstore password,
which is used to initialize factotum.

Russ



* [9fans] secret stuff
@ 2002-06-13 14:27 nigel
  0 siblings, 0 replies; 13+ messages in thread
From: nigel @ 2002-06-13 14:27 UTC (permalink / raw)
  To: 9fans

How do I keep the secret key for the tls/ssl certificate safe?
It must be present on the cpu server (or file server) since it needs
to be loaded into factotum some time. I guess it could be done from
a floppy (or similar removable device) after oboot, and then removed.

However, this prevents unattended reboot. Is making the key owned by
bootes and inaccessible by group and other enough?


