At 8:52 PM -0800 3/20/02, Mike Brodhead wrote:

> > The usual good solution is to make a human type in a secret.
>
> Of course, the downside is that the appropriate human must be present
> for the system to come up properly.

It's not clear to me what having the human present accomplishes. While the power was out, the node computer could have been tampered with, e.g. a key logger attached.

> In some situations, the system must be able to boot into a working
> state. That way, even if somebody accidentally trips the power-- I've
> had this happen on production boxen --the system outage lasts only as
> long as the boot time. If a particular human (or one of a small
> number of secret holders) must be involved, then the outage could be
> measured in hours rather than minutes.

Who said you were allowed to lose power and stay secure? Laptops are pretty cheap and come with multi-hour batteries. There should be enough physical security around the node to prevent someone from "tripping" power.

One approach might be to surround a remote node with enough sensors so that it can detect an unauthorized attempt to physically approach it. Web cams are pretty cheap. Several cameras and/or mirrors would be required to get 4Pi coverage. Software could detect frame-to-frame changes that indicated an intrusion. The machine would be kept in a secure closet or cabinet. The machine would be set up in whatever location by a trusted person or team and would remain "conscious" from then on. Entry would be authorized via an authenticated link. Any unauthorized entry would result in the node destroying its secrets. It would then have to be replaced.

> Don't forget that Availability is also an important aspect of
> security. It all depends on your threat model.

The approach I outlined offers very high availability.

Arnold Reinhold

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
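The sketch above (camera frames compared for change, and the node erasing its secrets when the change is large) can be made concrete. The following is an added example, not code from the mailing list post or its author: it models frames as grayscale pixel grids, counts the fraction of pixels that moved by more than a per-pixel threshold, and zeroizes an in-memory key when that fraction crosses a frame-level threshold. The threshold values, the frame geometry and the "intruder" block painted into a frame are all constructed for the example; a real deployment would read frames from a camera library and tune the thresholds against the sensor's noise.

```python
from __future__ import annotations

import secrets
from typing import List

Frame = List[List[int]]  # 8-bit grayscale rows; constructed stand-in for camera captures

PIXEL_DELTA = 25       # per-pixel change that counts as "changed" (assumed value)
FRAME_FRACTION = 0.05  # fraction of changed pixels that counts as an intrusion (assumed value)


def make_frame(width: int, height: int, value: int) -> Frame:
    """Uniform grayscale frame; stands in for one camera capture."""
    return [[value] * width for _ in range(height)]


def paint_rect(frame: Frame, x: int, y: int, w: int, h: int, value: int) -> Frame:
    """Copy of frame with a w x h block set to value (a constructed 'intruder' or noise patch)."""
    out = [row[:] for row in frame]
    for r in range(y, y + h):
        for c in range(x, x + w):
            out[r][c] = value
    return out


def changed_fraction(prev: Frame, cur: Frame, pixel_delta: int = PIXEL_DELTA) -> float:
    """Fraction of pixels whose intensity moved by more than pixel_delta between two frames."""
    if len(prev) != len(cur) or any(len(a) != len(b) for a, b in zip(prev, cur)):
        # a swapped or re-configured camera is itself a reason to treat the feed as tampered
        raise ValueError("frame geometry changed")
    total = sum(len(row) for row in cur)
    changed = sum(
        1
        for prow, crow in zip(prev, cur)
        for p, c in zip(prow, crow)
        if abs(p - c) > pixel_delta
    )
    return changed / total


class TamperMonitor:
    """Holds the node's secret and erases it when the camera feed shows a large change."""

    def __init__(self, secret: bytearray, frame_fraction: float = FRAME_FRACTION):
        self.secret = secret  # bytearray so it can be overwritten in place
        self.frame_fraction = frame_fraction
        self.prev: Frame | None = None
        self.destroyed = False

    def zeroize(self) -> None:
        """Overwrite the secret in place; the node must be re-provisioned afterwards."""
        for i in range(len(self.secret)):
            self.secret[i] = 0
        self.destroyed = True

    def feed(self, frame: Frame) -> bool:
        """Process one frame; True means an intrusion was detected and the secret is gone."""
        if self.destroyed:
            return True
        if self.prev is None:
            self.prev = frame  # first frame establishes the baseline
            return False
        frac = changed_fraction(self.prev, frame)
        self.prev = frame
        if frac > self.frame_fraction:
            self.zeroize()
            return True
        return False

    def has_secret(self) -> bool:
        return not self.destroyed and any(self.secret)


def demo() -> dict:
    """Constructed run: baseline, a small noise patch (ignored), then a large change (zeroize)."""
    key = bytearray(secrets.token_bytes(32))
    mon = TamperMonitor(key)
    base = make_frame(16, 16, 100)
    noisy = paint_rect(base, 3, 3, 2, 2, 110)      # +10 on 4 pixels: below PIXEL_DELTA
    intruder = paint_rect(base, 4, 4, 8, 8, 220)   # 64 of 256 pixels jump: 25% changed
    return {
        "first": mon.feed(base),
        "noise": mon.feed(noisy),
        "intrusion": mon.feed(intruder),
        "secret_present": mon.has_secret(),
        "key_bytes": bytes(key),
    }


if __name__ == "__main__":
    print(demo())
```

The two thresholds separate sensor noise from a real change; setting PIXEL_DELTA too low turns lighting flicker into a self-inflicted wipe, which is the availability cost the thread is arguing about, so the values have to be calibrated per camera and per room.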