On 03/01/15 23:31, David Gil wrote: > Re Sam's proposal, essentially. > > I thought it might be worthwhile to be more explicit about my models for > device compromise: > > Ephemeral compromise: The adversary can read the contents of some (possibly > limited) set of memory locations, including the location where the key is > stored. > (E.g., some browser security bugs, Heartbleed.) > > Temporary compromise: > t=day 0. Adversary uses a vulnerability to establish persistent presence > (formerly hard in-browser, but now possible via, e.g., ServiceWorkers...) > t=... malicious software uses other vulnerabilities to read keys > t=n days. The bug is fixed and platform-level protection mechanisms eliminate > the malicious software. > > Permanent compromise: The adversary replaces part of the platform's trusted > computing base (be it hardware or software) with code it controls. > > Keeping private keys unencrypted in memory for only a short period of time is > an okay way to protect against ephemeral compromise. It does nothing to > protect against temporary compromise. >
Unless the temporary compromise does not coincide with a requirement for a master key to be in memory. So if, for example, a master key is used only when enrolling a new device (and only on that device), when activating a new service, and when changing public metadata, then that is probably going to be not very often. > > (And nothing we do can protect against permanent compromise; for code running in a browser, that's the browser's responsibility.) > If the compromise happens when the key is not currently in use, and when it is unlikely to be used again, for example if lost / stolen, then there is protection. Also I should note that my main focus for the system idea was for preventing mass (passive / MITM) surveillance for the general population rather than device compromise, along with having safeguards in place when a device is lost / stolen with data accessible. Sam.
signature.asc
Description: OpenPGP digital signature
_______________________________________________ Messaging mailing list [email protected] https://moderncrypto.org/mailman/listinfo/messaging
