author: jaseg <git@jaseg.de> 2021-09-28 18:16:51 +0200
committer: jaseg <git@jaseg.de> 2021-09-28 18:16:51 +0200
commit: a2ba8712e30d48fb2139dec7a783c90d9370366c
tree: d68cbfeb32b2f7539a43e72292aba65593715c4a
parent: fffef5e79470759bf3c8f9d2d90dce32702da14e
Improve use cases
-rw-r--r-- paper/ihsm_paper.tex | 34
1 files changed, 18 insertions, 16 deletions
diff --git a/paper/ihsm_paper.tex b/paper/ihsm_paper.tex
index b9d73ec..0358519 100644
--- a/paper/ihsm_paper.tex
+++ b/paper/ihsm_paper.tex
@@ -224,25 +224,27 @@ The core questions in the design of an inertial HSM are the following:
\end{enumerate}
We will approach these questions one by one in the following subsections and conclude this section with an exploration
-of the practical implications that these aspects of IHSM construction have on IHSM operation.
+of the practical implications that these aspects of IHSM construction have on IHSM operation, but first we will motivate
+our concept with two use cases and outline our attacker model.
\subsection{Use Cases and Attacker Model}
-We motivate our work on IHSM security with a number of use cases. For instance, a healthcare provider may wish to
-perform advanced data analysis on a large database of patient health information. While the processing result may be
-needed for the common good, accumulating large amounts of sensitive data on a single system for such processing poses a
-risk. By collecting valuable data in a single computer, this computer is effectively made a target for organized
-cyber-criminals and other determined attackers. Mitigations such as cryptographic protocols and firewalls are effective
-for the network security side of things, but the physical hardware is difficult to secure against e.g.\ bribing of
-insiders. A similar use case would be that of a bank processing customer data. Here, too, a very high level of physical
-security is necessary since adversaries may include foreign secret services. Finally, consider a provider of large-scale
-group communication. Right now, practical systems such as messenger apps fall back to non-end-to-end-encrypted processes
-for large groups since a sufficiently lightweight, performant cryptographic solution does not exist yet. Similar to the
-banking use case, such services need to consider advanced adversaries such as foreign nation states' secret services
-that might attempt physical attacks to extract unencrypted messages from a message broker server.
-
-Our goal with IHSMs is to eventually arrive at a system that, at low-cost, can persist against a smart, well-funded
-adversary such as a secret service or organized cyber-crime.
+The target application of an IHSM is high-risk data processing. This risk can be implied by either high-value data, or
+by difficult physical security constraints. Our goal with IHSMs is to eventually arrive at a system that, at low-cost,
+can persist against a smart, well-funded adversary such as a secret service or organized cyber-crime.
+
+Consider a group of healthcare providers intending to analyze a large database of patient health information.
+Accumulating potentially millions of sensitive medical records on a single system for such processing poses an inherent
+risk as this system becomes a valuable target for organized cyber-criminals looking for ransom. IHSMs allow for a level
+of physical security against e.g.\ a bribed insider that is as good as the level of network security afforded by modern
+firewalls and cryptographic protocols.
+
+On the other end of the spectrum, consider a real-time group video communication provider. Relaying and transcoding
+video data between participants is hard to solve without trusting the server, but at the same time latency requires that
+the server is physically located close to its users. Given the global history of privacy-invasive cyber-attacks by
+secret services and other well-funded attackers, this may pose an issue. In this scenario, IHSMs allow for the secure
+deployment of trusted server components closer to the user, or even at the network edge, where physical security is
+challenging.
\subsection{Inertial HSM motion}
\label{sec_ihsm_motion}
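Review bot: the new lead-in ("but first we will motivate our concept with two use cases and outline our attacker model") promises an attacker-model outline, but the rewritten subsection body never states the adversary's capabilities; it only names adversary classes (organized cyber-criminals looking for ransom, a bribed insider, secret services and other well-funded attackers). Since the subsection is titled "Use Cases and Attacker Model", consider adding one or two sentences after the first paragraph that say what the attacker is assumed able to do (physical access to the device, bribing an insider, a large budget) and what is out of scope, so that later sections can refer back to a concrete model rather than to the use-case narrative. Two smaller points in the added text: the claim that IHSMs give physical security "as good as the level of network security afforded by modern firewalls and cryptographic protocols" is asserted here without support and would read better hedged or deferred to the evaluation; and "at low-cost" (carried over from the removed paragraph) should be "at low cost" when used adverbially.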