\chapterquote{Meredith Whittaker~\cite{greenbergSignalMoreEncrypted2024}}{
It’s not for lack of ideas or possibilities. It’s that we actually have to start taking seriously the shifts that
are going to be required to do this thing—to build tech that rejects surveillance and centralized control—whose
necessity is now obvious to everyone.
}

\chaptertitle{Introduction}
\label{chapter-intro}

% New draft:
%
% Passionate statement about democracy and academic freedom
%
% We live in times of rising fascist and authoritarian sentiment worldwide. While computer science and cryptography are
% often portrayed as politically neutral technologies, their practice is a political act and can have grave real-world
% consequences.
% maybe: Within mathematics and computer science, the field of cryptography is unique in that it smainstream views
% link to cypherpunks, hackers
% Hardware Security Modules (HSMs) are an example of such a political technology. The core function of HSMs is to
% protect cryptographic secrets against \emph{any} physical attack. Even though they are widely used in finance and
% business applications, in their design, they curiously embody the radical ideology of the cypherpunk and hacker
% movements.
%
% We believe physically secure devices like HSMs can be a keystone technology in the creation of secure systems for
% communication and computation in a free, democratic society. However, while current state-of-the-art commercial
% devices can be expected to resist a fascist police force or even some authoritarian states' secret services, their
% physical security is still lacking due to misaligned ecosystem incentives. As Anderson put it,
% todo cite: betrusted
%
% FIXME: quote from anderson: Security economics remains a big soft spot, with security chips being in many
% ways a market for lemons. A banker buying HSMs probably won’t be aware of
% the huge gap between FIPS [US national HSM security standard] level 3 and level 4, and understand that level 3 can
% sometimes be defeated with a Swiss army knife. The buying incentive there is
% compliance, and where real security clashes with operations it’s not surprising
% to see weaker standards designed to make compliance easier. API security is
% too hard, and the difference between HSMs’ internal and external APIs makes
% it too confusing. The near-abdication of FIPS in favour of ISO 19790 and various
% protection profiles touted under the Common Criteria will confuse things
% further, as will the UK’s move away from the Criteria. Confusion marketing
% and liability games appear set to continue.
%
% Meanwhile in academia,
% In this thesis, we aim to significantly advance the field of hardware security module construction. We publish all
% designs, code and data as open source to create the groundwork for future research, and sow the seeds for a new
% generation of secure hardware that will be able to resist a rising tide of fascist and authoritarian movements.
%
%
%
% Research questions:
% 1. can hsm w/o proprietary mesh?
% 2. what do meshes look like in practice?
% 3. can we improve monitoring?
% 4. can we solve power transfer issue
% 5. applications
%

All Cops Are Bastards, or ACAB, is a slogan popular in far-left and anarchist circles since the mid-twentieth century
that expresses a rejection of state authority~\cite{constantinouAppliedResearchPolicing2021}. Politically, this
blanket rejection is a fringe viewpoint with no mainstream acceptance, yet there is a parallel between it and modern
cryptographic best practice. In modern cryptography, it is generally seen as best practice to involve the smallest
possible number of keys in any computation, and cryptographers have time and again strongly rejected attempts by
states and other authorities to insert backdoor access mechanisms into cryptographic systems~\cite{
abelsonRisksKeyRecovery1997,
abelsonKeysDoormats2015,
andersonSecurityEngineeringGuide2020,
rogawayMoralCharacterCryptographic2015}.

While at a glance it might sound like a fringe position held by people from the Cypherpunk and Hacker movements~\cite{
andersonCypherpunkEthicsRadical2022,
hughesCypherpunksManifesto,
jarvisCryptoWarsFight2020,
marlinspikeWeShouldAll2013},
it enjoys support far beyond those circles and throughout mainstream academic cryptography. From cryptographic protocol
standards like TLS to cryptographic applications like the Signal messenger, backdoor access is not only excluded from
the system design; its very possibility is considered a vulnerability.
% Measures such as forward secrecy and post-compromise security are taken to mitigate its impact. In computing, this
% design aspect makes cryptographic protocols a unique holdout. In other parts of the stack, explicit or implicit
% backdoor access is commonplace, and attempts at preventing it are rare. For instance, network providers are generally
% required to comply with so-called \emph{Lawful Interception} orders on particular customers or traffic types, and
% datacenter operators commonly provide hardware access to state authorities. The design decisions in cryptographic
% protocols generally hold, and the gold standard for backdoor access to modern systems is either exploiting a
% \emph{zero-day} flaw that is not yet publicly known, or acquiring physical access to the target system.

In this thesis, we aim to extend the level of protection afforded by cryptographic protocol design down the technology
stack. While cryptographic protocols and modern software from the operating system up make it possible to secure the
software side of the stack to a high level, the hardware side remains poorly protected. A variety of hardware
security solutions is used in practice, but the majority of them either do not target protection against local,
physical attacks -- such as Trusted Platform Modules (TPMs) -- or are not widely available due to market segmentation
or cost -- such as conventional Hardware Security Modules (HSMs).

While anarchists, Cypherpunks and Hackers often reject backdoor access out of political conviction alone,
cryptographers' aversion to backdoor access derives from a combination of two fundamental computing principles:
Kerckhoffs' principle and the principle of least authority. Kerckhoffs' principle\footnote{
\textcite{petitcolasKerckhoffsPrinciplesCryptographie} contains a high-quality OCR'ed copy of the original source,
as well as a translation of the cited part from French. The original source is
\textcite{kerckhoffsCryptographieMilitaire1883}.
}, named after the Dutch cryptographer Auguste Kerckhoffs, states that the security of a cryptographic system
should depend only on the secrecy of its keys, not on the secrecy of its design. Kerckhoffs' principle is thus the
opposite of the widespread industry practice of \emph{Security by Obscurity}, which keeps a system's design secret in
the hope that reverse engineering and cryptanalyzing it will be costly enough to make the attempt unattractive. The
reliance of contemporary hardware security measures such as the majority of Physically Unclonable Functions (PUFs) on
chip-scale integration as their main barrier against manipulation is an instance where Kerckhoffs' principle is
violated.

Complementary to Kerckhoffs' principle is the principle of least authority, which states that in a secure system each
component should only have access to the smallest set of capabilities necessary to fulfill its purpose. Applying both to
a cryptographic system means that the system's design should be transparent and not include any hidden components or
opaque parts that cannot be inspected, and that the system's keys should be scoped to place the least amount of trust
possible in each participating party. Existing HSMs are an example of a violation of the principle of least authority,
since they elevate the HSM manufacturer to a single point of failure: the tamper-sensing mesh foils used in
conventional HSMs are made in proprietary, bespoke processes and therefore cannot be manufactured independently.

\section{Research Questions and Contributions}

Based on the current state of the field of hardware security, we deduce three overarching research questions for this
thesis that progress from theory to practical deployment.

\begin{enumerate}
\item Can we achieve physical security without relying on conventional tamper-sensing meshes?
\item Can we monitor tamper-sensing meshes at a finer level of detail than the state of the art, which reduces the
whole mesh to a single scalar measurement?
\item Can we create the support components necessary to integrate a system that provides a practical security
guarantee?
\end{enumerate}

To answer our first research question, we propose the Inertial Hardware Security Module (IHSM), a new type of HSM that
extends the high level of protection offered by the modern cryptographic software stack down to the hardware level,
enabling secure computation in insecure places.

To answer our second question, we propose improvements to the state of the art in HSM tamper sensors, such as the use of
low-cost, embeddable Time-Domain Reflectometry (TDR), that not only improve the security of IHSMs but can also be
applied to conventional HSMs.

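As an added illustration of the TDR principle invoked above (example code written for this edition, not a design or
implementation from the thesis), the following C routine compares a freshly sampled reflectogram of a mesh trace
against a stored reference and converts the arrival time of the first deviating sample into a position along the
trace. The sampling interval, the velocity factor, the detection threshold and both waveforms are constructed
assumptions; applying TDR to the mesh's own traces is likewise an assumption about how the technique would be used.

```c
/* Added example for this edition; not the thesis's own TDR design.
 * Time-Domain Reflectometry on a mesh trace: a fast pulse is launched into
 * the trace and the reflected waveform is sampled. Every impedance
 * discontinuity (a cut, a splice, a probe touching the trace) reflects part
 * of the pulse, and the reflection's arrival time gives its position:
 *   distance = v_prop * c * t / 2   (the pulse travels there and back).
 * Sampling interval, velocity factor and both waveforms are constructed. */
#include <stddef.h>
#include <stdbool.h>

#define N_SAMPLES    16
#define SAMPLE_NS    1.0           /* sampling interval in nanoseconds (assumed) */
#define V_PROP       0.6           /* velocity factor of the PCB trace (assumed) */
#define C_M_PER_NS   0.299792458   /* speed of light in m/ns */

typedef struct {
    bool   changed;
    int    sample_index;  /* first sample that deviates from the reference, or -1 */
    double distance_m;    /* estimated distance of the change from the launch point */
} tdr_result_t;

/* Constructed reference reflectogram recorded on the intact mesh: a flat
 * matched line with small noise, then the open-end reflection at sample 12. */
const double tdr_reference[N_SAMPLES] = {
    0.00, 0.01, 0.00, -0.01, 0.00, 0.01, 0.00, 0.00,
    0.01, 0.00, 0.00,  0.01, 0.90, 0.95, 0.90, 0.85
};

/* Convert a sample index (round-trip time) into a one-way distance along the trace. */
double tdr_distance_m(size_t sample_index)
{
    double round_trip_ns = (double)sample_index * SAMPLE_NS;
    return V_PROP * C_M_PER_NS * round_trip_ns / 2.0;
}

/* Compare a fresh reflectogram against the reference sample by sample; the
 * first deviation larger than `threshold` marks a change in the trace. */
tdr_result_t tdr_compare(const double *trace, const double *ref, size_t n, double threshold)
{
    tdr_result_t r = { false, -1, 0.0 };
    for (size_t i = 0; i < n; i++) {
        double d = trace[i] - ref[i];
        if (d < 0)
            d = -d;
        if (d > threshold) {
            r.changed = true;
            r.sample_index = (int)i;
            r.distance_m = tdr_distance_m(i);
            return r;
        }
    }
    return r;
}
```

A scalar continuity or resistance check would only report that the trace changed; the sample index of the first
deviation is what turns the same measurement into a location, which is the extra detail the second research question
asks for.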
Finally, we answer our last research question by showing in two case studies what an end-to-end design of an
IHSM-secured data processing system could look like. Both case studies concern scenarios that IHSMs unlock and that
were previously infeasible using conventional HSMs: datacenter-scale Secure Multiparty Computation (SMPC) and
long-range Quantum Key Distribution (QKD) networks. As part of this effort, we provide a solution that adapts and
improves upon the state of the art in wireless power transfer to supply a rotating inertial HSM with a clean, stable
power supply.

We chose to publish all of our research as open source, unencumbered by patents, to enable widespread adoption. IHSMs
can be custom-built at small scale with only basic manufacturing capabilities, bringing the deployment of secure
computation in insecure places within reach of small organizations such as university research departments, NGOs and
small businesses.

%\section{Cryptographic Principles and Physical Reality}

%Let's take a basic videoconferencing system as an example. In our example system's deployment, users log on to a central
%conference server, which receives and distributes the users' video streams. Allowing backdoor access to the video
%streams to some third party like a datacenter operator or a state would violate Kerckhoffs' principle since it would
%have to be hidden from the system's participants, who would therefore not have a complete view of the system's deployed
%architecture. The principle of least authority would also be violated since in almost all cases, such a backdoor access
%system would not see legitimate use. As a result, it would possess capabilities that almost never would be essential to
%the proper function of the videoconference system.

%In their design, almost all modern software -- especially open source -- cleanly applies these principles. However, the
%practical reality after deployment almost always deviates from them. While backdoors are vanishingly rare in modern
%open-source software, practical deployments usually are vulnerable to physical attacks. Computer hardware generally is
%not designed with a local attacker with advanced physical attack capabilities in mind since no mitigation can fully
%prevent them---such attacks usually can only be detected, or at best slowed down. As a result, commonplace attacks
%against modern software often involve taking over the hardware at some point in the chain. Even End-to-End-Encrypted
%(E2EE) communication systems can be compromised if one of the encrypted channel's endpoints can be physically
%compromised. Corresponding \emph{digital forensics} capabilities are commonplace among state actors, and are available
%as a turnkey solution on the market.

\section{Inertial Hardware Security Modules}

In this thesis, we propose Inertial Hardware Security Modules (IHSMs) to fill the gap of protecting systems that handle
highly sensitive data but that cannot use conventional HSMs for cost or performance reasons. In a system with a secure
software stack, the role of an HSM is to secure the hardware part of the stack. The basic approach of an HSM is to
combine a secure software stack with tamper sensors connected to a fast self-destruct mechanism. The tamper sensors are
tasked with detecting any physical attack an attacker could mount on the device. Common classes of such sensors include
environmental sensors such as temperature or radiation sensors that detect attempts at inducing controllable faults in
the HSM by heating, cooling or irradiating it. Building on the basic protection offered by such sensors,
\emph{tamper-sensing meshes} are often employed. These \emph{meshes} are flexible foils containing circuit traces that
are attached to the HSM's enclosure to detect attempts at penetrating the shell of the device with probes.
Tamper-sensing meshes usually are the primary line of defense against most physical attacks. They are very effective at
mitigating a large variety of physical attacks, but they are difficult to construct securely as they usually require
bespoke manufacturing processes. As a result, they are currently only used in niche applications, and even there not
every realization is equally secure. The self-destruct mechanism can be hardware or software that quickly and securely
destroys all cryptographic secrets, thereby rendering the device worthless to an attacker.

IHSMs are a new design approach that uses mechanical motion to create secure tamper-sensing meshes from simple
components. IHSMs solve the issue of creating an impenetrable tamper-sensing envelope by replacing the bespoke
tamper-sensing mesh foil with a set of simple, rigid meshes made from commodity Printed Circuit Boards (PCBs) that
rotate at high speed. In motion, these simple PCB tamper-sensing meshes are as secure as the much more sophisticated
bespoke foils used in conventional HSMs, yet they are simpler and less expensive to manufacture. To verify that the mesh
is rotating correctly, an accelerometer is placed on the rotating mesh, and the centrifugal acceleration it reports is
compared against the value expected for the intended rotation to validate the mesh's path of motion.

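As an added illustration of the plausibility check described above (example code written for this edition, not
firmware from the thesis), the following C routine compares the radial acceleration reported by the on-mesh
accelerometer against the centripetal acceleration $a = \omega^2 r$ expected from the rotation rate reported by the motor
controller. The mounting radius, the minimum rotation rate, the tolerance, the debounce count and all sample data are
constructed assumptions, as is the decision to treat a mesh that has slowed below the minimum rate as tampered (on the
reasoning that a mesh with gaps only covers the payload while it is moving fast).

```c
/* Added example for this edition; not the thesis's own monitoring firmware.
 * Plausibility check for a rotating tamper mesh with an on-mesh accelerometer.
 * Assumptions (all hypothetical): the motor controller reports the rotation
 * rate in rpm, the accelerometer sits RADIUS_M from the axis and reports the
 * radial acceleration in m/s^2 with the gravity component already removed. */
#include <stddef.h>
#include <stdbool.h>

#define TAU               6.283185307179586  /* 2*pi */
#define RADIUS_M          0.10   /* accelerometer mounting radius in metres (assumed) */
#define MIN_RPM           500.0  /* slower than this, the mesh gaps stay open too long (assumed) */
#define REL_TOLERANCE     0.10   /* accept +/-10 % deviation from the expected value (assumed) */
#define DEBOUNCE_SAMPLES  3      /* consecutive implausible samples before tamper is declared */

typedef struct {
    double rpm;       /* rotation rate reported by the motor controller */
    double a_radial;  /* radial acceleration reported by the mesh accelerometer, m/s^2 */
} sample_t;

typedef struct {
    int  bad_in_a_row;
    bool tamper;
} monitor_t;

/* Centripetal acceleration of a point on a rigid rotor: a = omega^2 * r,
 * with omega = 2*pi*rpm/60. */
double expected_radial_accel(double rpm, double radius_m)
{
    double omega = TAU * rpm / 60.0;
    return omega * omega * radius_m;
}

/* A sample is plausible if the mesh spins fast enough and the accelerometer
 * agrees with the tachometer. A disagreement means one of the two sensors is
 * lying or the mesh is no longer on its expected circular path. */
bool sample_plausible(const sample_t *s)
{
    if (s->rpm < MIN_RPM)
        return false;
    double expected = expected_radial_accel(s->rpm, RADIUS_M);
    double deviation = s->a_radial - expected;
    if (deviation < 0)
        deviation = -deviation;
    return deviation <= REL_TOLERANCE * expected;
}

/* Feed one sample. After DEBOUNCE_SAMPLES consecutive implausible samples the
 * tamper state latches; it never clears, because the tamper response has
 * already destroyed the keys by then. Returns the (possibly new) tamper state. */
bool monitor_feed(monitor_t *m, const sample_t *s)
{
    if (m->tamper)
        return true;
    if (sample_plausible(s)) {
        m->bad_in_a_row = 0;
    } else if (++m->bad_in_a_row >= DEBOUNCE_SAMPLES) {
        m->tamper = true;
    }
    return m->tamper;
}

/* Run a whole sample trace through a fresh monitor. Returns the index of the
 * sample at which tamper was declared, or -1 if the trace stays plausible. */
int monitor_run(const sample_t *trace, size_t n)
{
    monitor_t m = { 0, false };
    for (size_t i = 0; i < n; i++) {
        if (monitor_feed(&m, &trace[i]))
            return (int)i;
    }
    return -1;
}
```

The point of cross-checking two independent readings is that an attacker who stops the mesh must now falsify both
the tachometer and the accelerometer consistently; the debounce window keeps a single noisy sample from erasing the
keys, at the cost of a few sample periods of detection latency.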
IHSMs enable the protection of much larger payloads than conventional mesh designs, and they can support higher
power dissipation. Combined with their low cost, this enables the implementation of high-level hardware security in
applications that previously could not be secured.

IHSMs are the first fully open-source HSM with advanced tamper-sensing features. Across application domains, IHSMs can
be applied to gain resistance to physical attacks in scenarios where conventional HSMs were not used because of cost,
computing power or implementation effort. Where conventional HSMs come as fully integrated devices that only expose
limited APIs to their users, IHSMs at their core are just an enclosure into which the user can put whatever hardware they
need, adapting the tamper response to their application's needs. Since the simpler tamper-sensing mesh construction of
IHSMs scales to larger payload volumes, entire servers can be protected---something that is impossible with conventional
HSMs. Since the mesh in an IHSM is constantly moving, unlike a mesh in a conventional HSM, it does not have to entirely
cover the payload. Instead, it can have gaps that allow for air flow between outside and inside, enabling active cooling
of the IHSM's payload. This cooling capability sharply increases the available computing power by raising the feasible
payload power dissipation by two orders of magnitude.

\section{Conclusion}

Looking at the practice of applied hardware security, we observe that despite the ample availability of commercial
solutions promising easy hardware security, there is still a clear lack of solutions that provide the adaptability
necessary for some real use cases at a low enough cost. By publishing the tamper-sensing technology we developed during
the making of this thesis as open-source hardware designs, we aim to provide this missing building block for high-level
hardware security in real-world applications. Our hardware designs can be adapted to devices ranging from Single-Board
Computers (SBCs) to servers, they are compatible with non-computing applications like Quantum Key Distribution (QKD), and
their design approaches can even be integrated into existing HSM designs to provide better security at little additional
cost.