Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Pete Stephenson]

On Tue, Oct 10, 2017, at 05:39 PM, Whitey wrote:
> Pete Stephenson wrote:
> > On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> >> I read once here on the Mailing List that one should only use
> >> trusted USB devices, whatever that means, when using an USB
> >> device.
> > 
> > If you must use USB devices for some reason, take a look at the
> > 
> > flash drive.
> > 
> > It's designed specifically to protect against "badUSB", where the
> > controller and firmware can be compromised. The controller has the
> > developer's public key baked in during manufacture. The firmware is
> > signed and can only be loaded once (no provision is made for
> > in-the-field firmware updates). The controller verifies the firmware and
> > its signature at every power-on. If a malicious actor had physical
> > access and re-flashed the firmware, the controller would notice and fail
> > to load.
> > 
> > It also has a physical write-protect switch that can prevent unwanted
> > writes.
> 
> Since a flash drive is a read/write device, when would writes be
> unwanted?  When should I use this?

Vague answer: that depends on your threat model.

When interacting with an untrusted system, you may not want the
untrusted system to be able to write data to the USB drive that might
also be used on the trusted system. In my use case, I was more
interested in the novelty and principle of having a signed, verified
firmware running on the device that is not vulnerable to the badUSB
attack. The write protect switch is actually a bit of a hassle for me,
as the screen printing indicating which position is read-only has worn
off with use, so I always accidentally set it to read-only when I want
it in read/write mode (in much the same way that all USB plugs exist in
a superposition of multiple states, all aligned the wrong way). :)

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Andrew Gallagher]

On 11/10/17 13:04, Robert J. Hansen wrote:
> Permitting
> trusted machines to communicate in a *provably* one-way manner with
> systems outside the DMZ is an important problem -- not just being able
> to do it, but coming up with a way simple enough that non-technical
> users can understand.

Point a webcam at the local console. ;-)

-- 
Andrew Gallagher



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Robert J. Hansen]

> Our frames of reference were different: I was actually mostly
> thinking about a duplex system, which if needed could be reduced to
> simplex, in which case it would be the other way around than your
> use-case. I never considered the scenario where the trusted system
> was already compromised and you need to make sure it is completely
> deaf and blind so an attacker can't influence it in real time.

Right.  Our assumption was that the web server would be compromised
within moments of bringing up the external-facing network.  Permitting
trusted machines to communicate in a *provably* one-way manner with
systems outside the DMZ is an important problem -- not just being able
to do it, but coming up with a way simple enough that non-technical
users can understand.

> The disadvantage for your attacker is lack of economy of scale: an
> attack through internet can be done from your home to anywhere on the
> planet. If you need to be in the vicinity of your target, you lose
> that.

That's why the vote tabulating office is guarded by people with guns.  :)

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Peter Lebbing]

On 11/10/17 04:49, Robert J. Hansen wrote:
> The assumption was the web server was compromised: given that, how
> can you be absolutely sure there's no communication channel back to
> the trusted tabulator?

Ah, this isn't about corrupting data on the line, about getting wrong
data in what is the correct direction.

This is about ensuring that a simplex link is really a simplex link.
It's about data not going in the wrong direction.

Furthermore, it is a simplex link from a trusted to an untrusted system.
Whereas the OP was talking about wanting to transfer data from an
untrusted to a trusted system.

Our frames of reference were different: I was actually mostly thinking
about a duplex system, which if needed could be reduced to simplex, in
which case it would be the other way around than your use-case. I never
considered the scenario where the trusted system was already compromised
and you need to make sure it is completely deaf and blind so an attacker
can't influence it in real time.

> We didn't need a fast link from the tabulator to the web server: we 
> needed a slow and absolutely, positively, definitively one-way link.

I'm sure you're aware of this, but I think it's useful to point out
since this is a public mailing list :-).

If your attacker can get physically somewhat close to your tabulator,
there are RF and powerline attacks to consider as well... if you don't
trust the IC's in the tabulator, that can get tricky. The disadvantage
for your attacker is lack of economy of scale: an attack through
internet can be done from your home to anywhere on the planet. If you
need to be in the vicinity of your target, you lose that.

Cheers,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Robert J. Hansen]

>> The point of using the
>> old photoreceptor was that way we were dead certain there was no
>> exploitable integrated circuit in the photoreceptor...
> 
> I don't really see the point of purposely reducing the bitrate of a
> serial link.

Supply chain security.  The more complicated the hardware, the harder it
is to prove the ICs and firmware haven't been exploited.  If you're
using hardware you scavenged from a ham radio swap meet, you can be
pretty sure there's nothing malicious in the hardware.

Our use case was a vote tabulating system communicating realtime updates
with a publicly-facing web server.  The assumption was the web server
was compromised: given that, how can you be absolutely sure there's no
communication channel back to the trusted tabulator?

Answer: a 1960s photoreceptor.

We didn't need a fast link from the tabulator to the web server: we
needed a slow and absolutely, positively, definitively one-way link.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Duane Whitty]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 17-10-10 02:04 PM, Daniel Kahn Gillmor wrote:
> On Mon 2017-10-09 23:30:22 -0300, Duane Whitty wrote:
>> After saying all that I recall reading an article by the
>> Washington Post (if I recall correctly) that they use two
>> computers in their "safe-drop" system.
> 
> The link you're looking for is:
> 
> https://securedrop.org/
> 
> their documentation for transfer between machines is here:
> 
> https://docs.securedrop.org/en/stable/set_up_transfer_device.html
> 
> regards,
> 
> --dkg
> 
Thanks!

Best Regards,
Duane

- -- 
Duane Whitty
du...@nofroth.com
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJZ3QPOAAoJEOJfpr8UVxtkp3kH/27bVFIV4hzz1t3MFfJpM1pW
xXtznE+5pzdxA4YXDRN7zIEfchbjTjqT70phXDX5SkVT4agY9MgNs8MhYOy8aeAi
pHVg+aNyDFp9kRvPahRpOQAhjhewEgPO4yaEyenKH4hCQ2EZMK9U93tlYG11rKBu
8EaN64d/NScLx7ngEPB9tooV1F9dyzDuNaXDw787YsapTG4N/hgjuKXMwu5YSOVb
CE/6ppxTJJRxbYBPCymZvVmAiQ6hzWEMYfgsyL+D3AjgXIf1nLlcM1/3JSAaCuZ5
w9FmoX5BbTEMRL1/6GRDOYcv7Z4KeHOazZcjdaVYHTtZZcuiGd59VEjKBQGHixw=
=9JNr
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Daniel Kahn Gillmor]

On Mon 2017-10-09 23:30:22 -0300, Duane Whitty wrote:
> After saying all that I recall reading an article by the Washington
> Post (if I recall correctly) that they use two computers in their
> "safe-drop" system.

The link you're looking for is:

   https://securedrop.org/

their documentation for transfer between machines is here:

   https://docs.securedrop.org/en/stable/set_up_transfer_device.html

regards,

   --dkg


signature.asc
Description: PGP signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Whitey]

Pete Stephenson wrote:
> On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
>> I read once here on the Mailing List that one should only use
>> trusted USB devices, whatever that means, when using an USB
>> device.
> 
> If you must use USB devices for some reason, take a look at the
> 
> flash drive.
> 
> It's designed specifically to protect against "badUSB", where the
> controller and firmware can be compromised. The controller has the
> developer's public key baked in during manufacture. The firmware is
> signed and can only be loaded once (no provision is made for
> in-the-field firmware updates). The controller verifies the firmware and
> its signature at every power-on. If a malicious actor had physical
> access and re-flashed the firmware, the controller would notice and fail
> to load.
> 
> It also has a physical write-protect switch that can prevent unwanted
> writes.

Since a flash drive is a read/write device, when would writes be
unwanted?  When should I use this?

--
Whitey

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Stefan Claas]

Am 10.10.2017 um 13:59 schrieb Stefan Claas:



My thread model is not as high as of other peoples,  i assume.


threat model of course...

Regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Stefan Claas]

Am 10.10.2017 um 11:22 schrieb Peter Lebbing:


On 09/10/17 21:14, Stefan Claas wrote:

So i thought maybe i buy one, let's say with Windows 10, never update
or upgrade it due to it's permanent offline state

Whether I would consider this sane or not depends a lot on the type of
data you'll be handling on the offline machine. If it's just checking
signatures on plain text, it sounds somewhat reasonable though I would
never consider Windows 10 for it. You don't know all the ways in which
it is trying to be user-friendly by interpreting data. So for all I know
even a short file stored as .txt might be checked to see if perhaps it
can be interpreted as an icon to show in the file manager. Add a buffer
overflow in the icon image parser, and you have an attack vector. At
least with free software, you can inspect the way it works, and probably
isolate all the services that are trying too hard to be helpful.

If, on the other hand, you are using rich file formats like images or
marked up documents, it sounds like a really bad idea to not patch
security vulnerabilities.

Same for Certificate Requests you are going to sign with an X.509
Certificate Authority on the offline system. A much too rich format
(ASN.1!) to not update security issues, but it would be a very common
use case for an offline system.

It would be really helpful if all you needed to transfer to the offline
system were secure data rather than software updates. But if that secure
data is anything more than trivial, I think you really do need updates,
unfortunately.



Thanks for your detailed explanation!

The only purpose i will use this offline Netbook for is to 
encrypt/decrypt and sign/verify

messages. Nothing more. O.k. and write messages in notepad.

Regards
Stefan

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Stefan Claas]

Am 10.10.2017 um 13:59 schrieb Stefan Claas:


I came up with this idea while reading about black/red boxes computers,
which act as online/offline computers. And i recently discovered Neal
Walfield's "An Avanced Introduction to GnuPG". At page 42 of his .pdf
he speaks of offline computers as well.

https://begriffs.com/pdf/an-advanced-introduction-to-gnupg.pdf



Appologies, here is the complete page link:

https://begriffs.com/posts/2016-11-05-advanced-intro-gnupg.html

Regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Stefan Claas]

Am 10.10.2017 um 09:26 schrieb Pete Stephenson:


On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:

I read once here on the Mailing List that one should only use
trusted USB devices, whatever that means, when using an USB
device.

If you must use USB devices for some reason, take a look at the

flash drive.


Thanks a lot for the information, much appreciated!

Best regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Stefan Claas]

Am 10.10.2017 um 04:51 schrieb Duane Whitty:


I find this topic quite interesting so if I may comment a little more...

Firstly, I think it's really easy to get carried away here with
security measures one probably doesn't really need.  If you do have a
need for air-gapped computers then you also have a need for a lot of
other security measures.

1) How good are the locks on the doors to your house?
2) What about your windows?
3) What about fire protection?
4) What about data backups?
5) Do you have a policy and mechanism in place for how long you keep dat
a?
6) How about backup security, both on-site and off-site?
7) What mechanism will you use for media destruction when your policy
indicates you don't need certain data any longer?
8) How are you protecting your public/private keys?
9)...

I could continue to go on but maybe I'm getting carried away here.
The point I'm trying to make is that if there are lots of attack
vectors and just focusing on where you encrypt/decrypt messages
doesn't necessarily make you that much more protected.

Just my opinion and it's not meant as criticism just as "food for though
t"



Thanks for your reply and the points you have outlined!

I do find this topic interesting as well, hence why i started it. :-)

My thread model is not as high as of other peoples,  i assume.

I came up with this idea while reading about black/red boxes computers,
which act as online/offline computers. And i recently discovered Neal
Walfield's "An Avanced Introduction to GnuPG". At page 42 of his .pdf
he speaks of offline computers as well.

https://begriffs.com/pdf/an-advanced-introduction-to-gnupg.pdf

Even if i'm maybe now on the radar of some folks and i could have no
chance to properly secure my PGP communications in the future,
at least this discussion may help the interested reader how to use
GnuPG in the future, in a more secured way.

Best regards
Stefan


___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Nils Vogels]

On 10 Oct 2017 4:06 am, "Robert J. Hansen"  wrote:
I do know about subverting SATA harddisks, but haven't heard about it
actually being used, unlike USB. SATA sounds reasonable as well.
Yep!  Been done.  SATA firmware has been exploited via the JTAG
interface, new firmware loaded onto it, and been used as a vector.And this has been documented quite well, and is quite doable to repeat.http://spritesmods.com/?art=hddhack___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Peter Lebbing]

On 09/10/17 21:14, Stefan Claas wrote:
> So i thought maybe i buy one, let's say with Windows 10, never update
> or upgrade it due to it's permanent offline state

Whether I would consider this sane or not depends a lot on the type of
data you'll be handling on the offline machine. If it's just checking
signatures on plain text, it sounds somewhat reasonable though I would
never consider Windows 10 for it. You don't know all the ways in which
it is trying to be user-friendly by interpreting data. So for all I know
even a short file stored as .txt might be checked to see if perhaps it
can be interpreted as an icon to show in the file manager. Add a buffer
overflow in the icon image parser, and you have an attack vector. At
least with free software, you can inspect the way it works, and probably
isolate all the services that are trying too hard to be helpful.

If, on the other hand, you are using rich file formats like images or
marked up documents, it sounds like a really bad idea to not patch
security vulnerabilities.

Same for Certificate Requests you are going to sign with an X.509
Certificate Authority on the offline system. A much too rich format
(ASN.1!) to not update security issues, but it would be a very common
use case for an offline system.

It would be really helpful if all you needed to transfer to the offline
system were secure data rather than software updates. But if that secure
data is anything more than trivial, I think you really do need updates,
unfortunately.

HTH,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Pete Stephenson]

On Mon, Oct 9, 2017, at 06:53 PM, Stefan Claas wrote:
> I read once here on the Mailing List that one should only use
> trusted USB devices, whatever that means, when using an USB
> device.

If you must use USB devices for some reason, take a look at the

flash drive.

It's designed specifically to protect against "badUSB", where the
controller and firmware can be compromised. The controller has the
developer's public key baked in during manufacture. The firmware is
signed and can only be loaded once (no provision is made for
in-the-field firmware updates). The controller verifies the firmware and
its signature at every power-on. If a malicious actor had physical
access and re-flashed the firmware, the controller would notice and fail
to load.

It also has a physical write-protect switch that can prevent unwanted
writes.

It's a plain flash drive and doesn't have built-in encryption (though
the company sells those too) but it should have a higher assurance of
not being compromised or compromisable at the hardware level than a
typical off-the-shelf USB device.

I use it with my offline Raspberry Pi 2 that I use for private key
operations for my primary keys (as opposed to subkeys, which are on
smartcards). The Pi 2 uses LUKS for encrypting the microSD card it uses
for storage and is never connected to the network. It's more than
adequate in terms of performance and is cheap enough that I have a bunch
lying around the house anyway. ;)

Cheers!
-Pete

-- 
Pete Stephenson

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Peter Lebbing]

Let me start off by saying security is almost never absolute. I think it
approaches some really basic economics: how much do you think your
opponent is willing to spend to compromise your security? How much are
you willing to spend to protect it?

So there is no silver bullet. It depends on your threat model.

On 10/10/17 03:57, Robert J. Hansen wrote:
> The point of using the
> old photoreceptor was that way we were dead certain there was no
> exploitable integrated circuit in the photoreceptor...

I don't really see the point of purposely reducing the bitrate of a
serial link.

The online system on one end of the link is potentially hostile. It can
still be hostile through a completely bona fide serial link. It would be
indistinghuihable from a hostile integrated circuit on the online system
side of the link.

I don't consider it likely that the offline computer would just start
interpreting stuff sent over a serial port; there would be no software
running trying to make something of the data and accidentally expose an
arbitrary code execution through a flaw.

Instead, there would just be a data transfer utility, let's say zmodem,
which would be simple enough to audit and write in an extremely
defensive manner.

If you need to get data out of the offline system, you still need a wire
back. If not, you can cut it.

If I were making custom hardware, I'd do something like this:

An ARM microcontroller with USB-device port. Connected to, ah, let's say
two 20 MHz SPI links. Connected to a second identical ARM
microcontroller with USB-device port. It would just offer a basic
USB-to-serial interface to the connected PC. But instead of an actual
regular serial interface, it would transfer all data bytes over the SPI
links. The firmware of the microcontroller would be so straight-forward
that you can clearly see that it will never do anything other with data
on the SPI bus than relay it to the USB side.

Pick a high-performance microcontroller, and you could get a 40 Mbit/s
serial line. If the microcontroller connected to the online system were
compromised, it could still not do anything more than send plain data
bytes to the other, trusted, offline side. It can't do more than a
compromised online computer could already achieve.

> Yep, they are.  Seen them myself in the malware lab.  No further comment
> available, as I'm bound by NDA-of-doom.

Thanks a lot for sharing what you are allowed to divulge! I really think
it's great you chose to do that. Thanks.

> If you think about it for a while I'm
> pretty sure you'll figure out how, but I unfortunately cannot connect
> the dots for you.

I wrote a quick short e-mail with food for thought, there is so much
detail I left out.

The first thing I can think of relates directly to left out detail. If
there is a bug in a filesystem driver you have enabled, it's possible
that a manipulated filesystem could trigger arbitrary code execution,
with kernel privileges. This would be possible with any piece of
hardware that the kernel can treat as a block device, not just SD cards.

So you would need to configure your system in such a way that it never
*tries* to scan any new block devices you connect to the system after it
has booted[1]. This is where I don't think that you can ever be sure
what Windows all does when removable storage is connected. Yet with a
basic Linux or BSD system, it's much better possible to locate
functionality that tries to scan removable storage.

So you disable all removable storage scanning and just use an
incremental tar archive directly on the block device to transfer your
debian-security mirror and your encrypted/signed files. Again there is
an attack surface, the tar program, but it is greatly reduced.

The thing with evil USB is that there are so many device drivers with so
many different functions, and any one of them can become active and
start communicating with your compromised USB device. With an SD card,
at least you can reduce it to something like the driver for SD storage
(probably a good idea to remove SDIO drivers), the block layer, the
partition table parsers (don't think you'll be able to lose those), and
some more stuff. Interestingly, with (U)EFI, it's also possible there is
still some firmware actually active during operation.

Note that it's not enough to just actually *use* a plain tar archive
directly on a block device. You need to make sure that your offline
system will never *try* to interpret it differently. It's not how you
use it, it's how it *can* be used. I see people sometimes forgetting
this important distinction. Even if /you/ don't place a plain,
unencrypted filesystem on the block device, your attacker could still do
that anyway.

> Yep!  Been done.  SATA firmware has been exploited via the JTAG
> interface, new firmware loaded onto it, and been used as a vector.

In fact, a good friend of mine did this and did a fantastic talk about
it at the OHM2013 hackers camp:



He went 

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Duane Whitty]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 17-10-09 11:30 PM, Duane Whitty wrote:
> 
> 
> On 17-10-09 01:53 PM, Stefan Claas wrote:
>> Hi all,
> 
>> A question for the experts.
> 
>> I plan to buy me a little Netbook next year, to use it as an 
>> Offline Computer, for GnuPG usage. The idea is to use my Online 
>> Computer to send and receive messages and to encrypt and decrypt
>>  messages to use the Offline Computer. So far so good. My
>> question is what is the best practice to transfer the Data
>> between those two Computers?
> 
>> I read once here on the Mailing List that one should only use 
>> trusted USB devices, whatever that means, when using an USB 
>> device.
> 
>> My idea is to use the software minimodem between the two 
>> Computers, connected, when required, via audio cables.
> 
>> Is this a good idea, or does something speaks against this
>> method?
> 
>> Any thoughts are welcome!
> 
>> Regards Stefan
> 
> 
> I'm a little surprised no one has reminded us that there are no
> best practices, just practices that serve our needs depending on
> what value we perceive our data to have and what we perceive the
> capabilities of our adversaries to have, and what the consequences
> of compromise are.
> 
> After saying all that I recall reading an article by the
> Washington Post (if I recall correctly) that they use two computers
> in their "safe-drop" system.  Again, IIRC, the computer connected
> to the Internet is not ever connected to the computer used to
> encrypt or decrypt messages.  The computer used to encrypt/decrypt
> is not connected to anything and is booted from a read-only CDROM
> which also has any required software.  Data transfer is done by
> recording to a write-once CDROM.  No clear text is ever on the
> computer connected to the Internet.  There are lots of other
> details to think about (defense in depth)
> 
> Best Regards, Duane
> 
> 
I find this topic quite interesting so if I may comment a little more...

Firstly, I think it's really easy to get carried away here with
security measures one probably doesn't really need.  If you do have a
need for air-gapped computers then you also have a need for a lot of
other security measures.

1) How good are the locks on the doors to your house?
2) What about your windows?
3) What about fire protection?
4) What about data backups?
5) Do you have a policy and mechanism in place for how long you keep dat
a?
6) How about backup security, both on-site and off-site?
7) What mechanism will you use for media destruction when your policy
indicates you don't need certain data any longer?
8) How are you protecting your public/private keys?
9)...

I could continue to go on but maybe I'm getting carried away here.
The point I'm trying to make is that if there are lots of attack
vectors and just focusing on where you encrypt/decrypt messages
doesn't necessarily make you that much more protected.

Just my opinion and it's not meant as criticism just as "food for though
t"

Best Regards,
Duane

- -- 
Duane Whitty
du...@nofroth.com
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJZ3DWtAAoJEOJfpr8UVxtkvHwH/1Bhxs7BbkE9046GI5b6nTJi
bkpEzamdKldIpA4TLPdxcfg1g5pNetddXCfXSxbvqcHE/yJyt57/4Uu4uucRHZfy
WPAdyXzu4LfZbGuMZNApvyJhCulzHxbFRbbCDe0B0+Tpe/tD/x65jbys8U3KpcN9
bX4V4Lml5BkjbSLGxBMNhfu53lDS7Oc8fB+pDhxFjsKtz4xEF5FRXPdep3hm6gbF
pzyX/0gCnyy2Lmb4QOowK08xHooPQcEf/g41pns4c/sXqRaNNm53ehlFtmtLsb9o
HLkLHlibo6r3yhwTXVmJfmA37F+aD33i9NIFbreEJlclidEwnKTYapg/WSPo2cA=
=BlK7
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Duane Whitty]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256



On 17-10-09 01:53 PM, Stefan Claas wrote:
> Hi all,
> 
> A question for the experts.
> 
> I plan to buy me a little Netbook next year, to use it as an 
> Offline Computer, for GnuPG usage. The idea is to use my Online 
> Computer to send and receive messages and to encrypt and decrypt 
> messages to use the Offline Computer. So far so good. My question 
> is what is the best practice to transfer the Data between those
> two Computers?
> 
> I read once here on the Mailing List that one should only use 
> trusted USB devices, whatever that means, when using an USB 
> device.
> 
> My idea is to use the software minimodem between the two
> Computers, connected, when required, via audio cables.
> 
> Is this a good idea, or does something speaks against this method?
> 
> Any thoughts are welcome!
> 
> Regards Stefan
> 

I'm a little surprised no one has reminded us that there are no best
practices, just practices that serve our needs depending on what value
we perceive our data to have and what we perceive the capabilities of
our adversaries to have, and what the consequences of compromise are.

After saying all that I recall reading an article by the Washington
Post (if I recall correctly) that they use two computers in their
"safe-drop" system.  Again, IIRC, the computer connected to the
Internet is not ever connected to the computer used to encrypt or
decrypt messages.  The computer used to encrypt/decrypt is not
connected to anything and is booted from a read-only CDROM which also
has any required software.  Data transfer is done by recording to a
write-once CDROM.  No clear text is ever on the computer connected to
the Internet.  There are lots of other details to think about (defense
in depth)

Best Regards,
Duane

- -- 
Duane Whitty
du...@nofroth.com
-BEGIN PGP SIGNATURE-

iQEcBAEBCAAGBQJZ3DC6AAoJEOJfpr8UVxtki/YH/Rj7+gl6usd3twkGQ10VuboR
qHBBpd+0zMrjfHDS713K50wexox0noCoUd7NTLt1pI8Lrl5c56+pCgdIIG+AjToX
XeOGXmydvS195EDBkuJM0WZhfmFLwN23sIHUXo2Pv/TpOJOQ23scsXRgNxM0ApeA
07HHD/Uh2AT9lo32i0kOx5zUkJLhdd63mhyHCkvYDaZxxGy29RsnwiEmG7YG69m6
faNxsRsecPBl1JnB/sPFdOYETjJHpVwmuWTwpGMQDFEZT37n8D8Ib66Tv7iPxMyr
RUxUNbZ5mXNqQ/TAl/ZQyejP2uIEo6Erq9w+/MHDANWe752s4l6HLnitQJXSr/M=
=NVie
-END PGP SIGNATURE-

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Robert J. Hansen]

> I think perhaps this is a little low-bandwidth for security updates for
> your OS. By the way, you could use a USB-to-serial converter and use a
> serial cable. The problem with USB is sharing the same USB device
> between multiple computers. If you always use the same converter in the
> same computer, it's not an infection vector. But this is still very low
> bandwidth. Many USB-to-serial converters can go to 0.5 Mbit/s. I think
> the max I've seen is 2 Mbit/s. So it's not as low as the ol' 115k2 anymore.

In '07, my research group developed some really low-tech data transfer
with admirable characteristics: it was provably one-way data transfer.

Get a serial cable and cut it in half.  On one end attach a laser; on
the other end attach a photoreceptor.  Mount the two.  You now have a
data diode -- a "cable" over which data can only flow in one direction.
We had to write custom drivers for it, but it wasn't hard.

If memory serves we weren't able to go over about 300 baud.  This was by
design: our photoreceptor was ***old*** (like 1960s tech) and had a
relatively long cycling period after each pulse.  The point of using the
old photoreceptor was that way we were dead certain there was no
exploitable integrated circuit in the photoreceptor...

> I haven't read about SD cards being infection vectors

Yep, they are.  Seen them myself in the malware lab.  No further comment
available, as I'm bound by NDA-of-doom.  But yes, SD cards have been
known to be infection vectors.  If you think about it for a while I'm
pretty sure you'll figure out how, but I unfortunately cannot connect
the dots for you.

> I do know about subverting SATA harddisks, but haven't heard about it
> actually being used, unlike USB. SATA sounds reasonable as well.

Yep!  Been done.  SATA firmware has been exploited via the JTAG
interface, new firmware loaded onto it, and been used as a vector.

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users

Re: Working with an Online and Offline Computer when using GnuPG - Best Practice?

[Peter Lebbing]

On 09/10/17 18:53, Stefan Claas wrote:
> My idea is to use the software minimodem between the two
> Computers, connected, when required, via audio cables.

I think perhaps this is a little low-bandwidth for security updates for
your OS. By the way, you could use a USB-to-serial converter and use a
serial cable. The problem with USB is sharing the same USB device
between multiple computers. If you always use the same converter in the
same computer, it's not an infection vector. But this is still very low
bandwidth. Many USB-to-serial converters can go to 0.5 Mbit/s. I think
the max I've seen is 2 Mbit/s. So it's not as low as the ol' 115k2 anymore.

I haven't read about SD cards being infection vectors, and they have
many gigabytes. Enough for, for example, a mirror of the debian-security
archive for your architecture.

I do know about subverting SATA harddisks, but haven't heard about it
actually being used, unlike USB. SATA sounds reasonable as well.

For both SD cards and SATA harddisks, you could again use USB-to-X
converters, as long as they are dedicated to your offline system.

This is just my personal opinion, and should be read as ideas rather
than authority (not that I claim to have any, that's precisely the
point). Meanwhile, if somebody knows of a transfer method that has
enough bandwidth to be able to keep a Debian system up-to-date, or a
FreeBSD system alternatively, that looks better than SD-card or
SATA/PATA, I'm interested as well. I'd rather have something better.

My 2 cents,

Peter.

-- 
I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at 



signature.asc
Description: OpenPGP digital signature
___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users