Schneier on Security

Clive Robinson • November 10, 2021 10:50 AM

@ Bruce, ALL,

I just don’t think it’s possible to create a hack-proof computer system, especially when the system is physically in the hands of the hackers.

It all turns on one thing,

“The root of Trust”

If you can keep it out of an attackers hands, then if you have done the rest of the job right, the only option open to the attacker is to brut force the system.

So assuming properly applied strong encryption, as physicall prevention will not be possible, the question then becomes one of,

“How do you prevent an attacker of any level from getting to the root of trust?”

Well we should all know the XKCD $5 wrench -v- 4096-bit RSA encryption comic strip[1] shows the “soft option” that Level III attackers might deem appropriate involving a “black bag job” for “end run attacks” or the so call “wet work” for up close and personal with the plumbing aids.

In reality that’s only ever going to happen for propriatory systems, where other attacks such as those via OS or other Apps are not available and the priority is considered high. Though courts are now nodding through “forced / coerced” bio-metric opening of mobile phones etc, and it’s nolonger news-worthy. So the question becomes a little more complicated,

“How do you prevent an attacker of any level from getting to the root of trust, even when they have access to the legitimate user?”

Well the obvious answer is to not give the legitimate user access to the root of trust at any time, yet get the required access when needed.

Supprisingly to some there are ways this can be done. Which have been discussed on this blog before. However they all involve at some point,

1, Valid perception of time.
2, Verifiably secure communications.

Both of which have significant issues.

But one thing else is needed, which is a way for the legitimate user to be able to demonstrate beyond reasonable doubt that they do not have currently, nor have they ever had access to the root of trust.

[1] For those that don’t but are at least PG-13 for “adult content” 😉

https://xkcd.com/538/

Clive Robinson • November 12, 2021 7:02 AM

@ SpaceLifeForm,

I guess my consternation here, is that I am not clear as to the definition of a ‘legitimate user’

One who has the owner of the devices autherisation to use the device.

Same principle as being the legitimate driver of a vehicle, but not it’s owner.

Which vrings us to,

Why does the user have to prove a negative?

Because the legislation requires them to do so or end up in jail…

The law requires you to “disclose crypto keys upon lawfull request” it’s not optional[1] you can be sent to jail for upto six years in the UK for not doing so.

In theory there is a defence, which is showing you do not know the crypto keys so can not comply.

As you should be aware to many prosecuters and certain judges trying to claim that defence is just the excuse required to asking for harsher conditions on the defendant. Such as no bail, held in Special Administrative Measures”(SAM) or equivalent, increased tariff or indefinate detention as “contempt” which is beyond a writ of Habeas corpus[2].

Thus you need to have some realistic evidence that you never had need to know the crypto keys, nor could have had access to them in any way.

One such is a “Hardware Security Module”(HSM) where encryption / decryption is done entirely inside the HSM to which by definition of being “the user” not “the administrator” you don’t get access to KeyMat to write or read.

You have thereby switched the “burden of proof” “of a negative” which is theoretically impossible with a binary choice, to the prosecution so that their “burden of proof” is to prove a positive, “beyond reasonable doubt” which is the way the law is supposed to operate.

[1] Apparently it overrides the legal protections on “Privileged communications”…

[2] Sometimes known as a “produce the body writ”. The purpose of the writ is to force a person holding another to bring them to court, where the lawfulness of the detention can be established or disposed of. Unfortunatly when you are in contempt it is “the court” that has put you in confinment so it’s assumed to be lawfull irrespective of if it is or not.

https://en.wikipedia.org/wiki/Habeas_corpus

I would say have a look at Graig Murray’s web site where he explained how he was being “rights stripped” by a Scottish judge for very political reasons. Unfortunately you can not because of the “establishment” forcing it to be removed.

So essentially from memory a very senior Scottish Politician has been accused of significant and serious sexual misconduct. There were four witnesses standing against them with apparanatly harrowing accounts. The witnesses names had actually been published in other Main Stream Media. As Craig Murray’s position was very much against the futility of establishment attempts to keep it covered up he mentioned that it was futil because the details had been already published in the MSM.

The court however used the near impossible to refute “jigsaw” argument (ie “prove a negative”), that Craig had committed contempt as he had alledgedly –remember zero proof of the assertion– provided sufficient information to put it together and unmask the witnesses identities. Something that was blatently untrue as it was easier to do a Google Search on the politicians name and “sexual”… And the MSM article that named them was on the first page… Now the MSM has had a very paltry fine for actually naming the witnesses thus doing the establishment a favour, but Graig who is 62 and known to be very unwell has been sentanced to eight months. Most of which you can read in,

https://www.judiciary.scot/home/sentences-judgments/sentences-and-opinions/2021/05/11/craig-murray-petition-and-complaint

Of course this hash treatment does have a lot to do with Graig being just about the only journalist reporting on the establishments atrociius behaviour with regards Julian Assange. (you will even see it being used as consideration for the increased severity of the harsh sentancing in the above court judgment…).