From 67395704d1b44def970b9395369cddbb49405bba Mon Sep 17 00:00:00 2001 From: jaseg Date: Tue, 23 Nov 2021 17:18:40 +0100 Subject: Blog post WIP --- blogpost/ihsm-hiig-blog.txt | 158 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 158 insertions(+) create mode 100644 blogpost/ihsm-hiig-blog.txt diff --git a/blogpost/ihsm-hiig-blog.txt b/blogpost/ihsm-hiig-blog.txt new file mode 100644 index 0000000..0591507 --- /dev/null +++ b/blogpost/ihsm-hiig-blog.txt 
@@ -0,0 +1,158 @@ +IHSMs for Grassroots Digital Autonomy +===================================== + +In today's digital age, all of us depend on a number of large companies to mean well with us. To guard our data, or at +least not to abuse it too much without asking. Even if we wanted, we cannot take things into our own hands and reclaim +our digital autonomy because too much depends on too many system operators. To help small-time users and sysadmins to +fight this dependence, Jan Götte and Björn Scheuermann from HIIG have developed Inertial Hardware Security Modules, or +IHSMs. IHSMs enable low-budget servers to provide high security anywhere, even outside of well-protected datacenters. + + +Digital Dependencies +-------------------- + +The rise of networked computers has revolutionized many aspects of our modern lives. However, in lock-step with all the +quality of life improvements that the internet brought us, today we can observe a worrying trend of increasing digital +dependency. *Opting out* of the digital life on social media or e-commerce platforms becomes increasingly difficult to +sustain all the while the power of these platforms over their users is steadily increasing. Anyone who has ever had +their Twitter or Facebook account suspended for an alleged Terms of Service violation or who has been locked out of +their Google or Amaazon account pending some complicated and frustrating “account verification” process for unnamed +“security reasons” will know how acute this dependency is. What the platform decides is law. There is no way for us as +users to meaningfully challenge its decisions because we are the platform's product, not its customers. + +Don't it Yourself +----------------- + +The obvious solution to this state of digital dependency is for us to take things into our own hands. On this premise, +open-source projects such as Nextcloud and Mastodon have created +de-centralized alternatives to some of the big platforms. 
But DIY'ing has a drawback beyond the time spent on installing +and maintaining these solutions. While open-source software has made great strides over the last decades and offers +viable alternatives to many proprietary, centralized platforms today, this software has to run on someone's computer. +This underlying physical infrastructure is where things get complicated. Today, the only real option to run one's own +digital infrastructure is to rent a server (or part of one) from one of a number of large cloud providers. And in this +case, whoever runs the data center ultimately controls access to the data stored within. + +At first, this fact of life might not seem concerning. After all, a data center operator would risk a lot if it +compromised its customers' security. However, in the past we have seen several physical attacks targeting high-value +data . Large companies can mitigate such +attacks by tightly controlling their entire infrastructure, from the application software down to the data center's +access control systems. For smaller organizations and private individuals, this option does not exist. + +Inertial Hardware Security Modules +---------------------------------- + +# Gaining back control over our digital lives is a monumental task. In software, through an ecosystem of open source +# projects, we have seen steady progress throughout the last decades. But all of that open source software needs to run +# somewhere, and today that usually means renting processing time at one of the large cloud providers. Avoiding them means +# buying your own hardware, and even then, that hardware needs to be put somewhere in a data center operated by yet +# another large company. Security-wise, this is not great since whoever runs the cloud or the datacenter can technically +# access everything running inside it. 
In the end it comes down to physical access: Even passwords or strong encryption +# cannot (yet) prevent someone with physical access to a machine from learning everything about its contents. + +At HIIG, Björn and I have asked ourselves if there might be ways to claw back control over our hardware. If we can find +a way for someone someone much smaller than an Amazon or Google to build a special physically secure server that is +invulnerable to physical attaks, this server can be put into any commercial data center while completely decoupling the +security of the data stored in it from the operator of the data center around it. + +With Inertial Hardware Security Modules (short, IHSMs) we believe we have developed a strong approach towards a solution +to this problem. You can read the full paper here . The gist +of our solution is that we are able to build an enclosure that physically protects a server from any attempt at +siphoning off its secrets, no matter who tries to attack it. IHSMs are similar to a type of device used in payment +processing applications called Hardware Security Modules. Both provide a similar level of security. The main difference +is that IHSMs allow much larger systems to be protected and bump both size and computing power from that of a smartphone +to that of a server, a difference of about 100 × in space, processing power and cooling capacity. IHSMs are simple to +construct and can be built with basic tools that can be found in most electronic labs. We envision a world where small +organizations can build their own secure servers that even a hostile secret service will not be able to compromise +physically. + +IHSMs work by putting the server's mainboard, CPU, and memory inside of a tamper detection “mesh.” This mesh is a very +delicate component that will sense when someone tries to cut, drill or poke through it. When tampering is detected, an +alarm is activated and all sensitive data inside the server is deleted. 
To make the tamper detection mesh itself hard to +tamper with, this mesh is spinning at around the speed of a washing machine during its spin cycle. + +Trusting and Un-trusting +------------------------ + +In computer security terms, what we are doing with IHSMs is that we are “untrusting” the server's physical environment. +Computer security has a funny definition of trust that is pretty much the opposite of everyone else. In computer +security, trust is a de-facto property of something that we de-facto rely on being good. In computer security, something +trusted should be trustworthy (but does not have to be). Contrast that to the common-sense meaning, where something +trustworthy should be trusted (but does not have to be). + +Untrusting the data center gives us the chance to decouple software security from physical security. Using an IHSM, a +small organization such as the HIIG, the Chaos Computer Club, or a small company can operate software on a physical +foundation that is as secure as that of the large cloud companies, but with no one but themselves holding the keys to +the data. + +Examples for applications where this increased security matters are group chat, cloud photo storage, and calendar and +contact synchronization systems. All of these already encrypt the network connection between their users phone or laptop +and the server, but only rarely encrypt the actual data stored on these servers. + +# In terms of computer security, these platform behemoths are trusted parts of our lives. Not trusted as in +# “Google/Facebook/Amazon is a trustworthy company”, but trusted in the computer security sense of the world: they are +# de-facto trusted. We act as if we trust them, without actually considering whether they really are worth our trust. We +# need them, and we depend on them not acting against our interests. But if they abuse our trust, there is nothing we can +# do about it if we even notice. 
+# +# Confusingly, this computer security meaning of trustedness is the exact opposite of our common-sense understanding of +# trust. In a common-sense world, a trustworthy thing should be trusted (but does not have to be). In the computer +# security world, a trusted thing should be trustworthy (but does not have to be). While the two seem close at first, +# there is a large difference in meaning. Understanding this difference is necessary to understand the things computer +# security people say. +# +# The computer security concept of de-facto trust is counter-intuitve. However, its complement, which has no common-sense +# counterpart, is very useful. In computer security, the opposite of a trusted component is an untrusted component. +# Untrusted does not mean untrustworthy. An untrusted part is simply one that does not *need to be* trusted for things to +# work. An example for an untrusted part is a coffeeshop wifi network. While we need it to get online, we do not have to +# trust it to guard our data in any way since all our connections are authenticated and encrypted anyway using the TLS +# protocol that underlies HTTPS. In this case, by basing everything on an authenticated and encrypted network protocol, we +# remove trust from the coffeeshop wifi. We still need the wifi, but because our connections on top of it are encrypted +# separately, we do not have to care anymore whether someone is snooping on it or not. +# +# From a computer security point of view, untrusting as many parts of a system as possible is highly desirable. The fewer +# parts you trust, the fewer you can concentrate your security engineering efforts on. Not only does this save time and +# money, the overall system will actually become more secure by doing this as more time is spent on less parts, leading to +# better-quality results. + +# opposite of what everybody else calls trust. 
Take the sentence “Riley trusts Alex to take care of his cat.” In an +# everyday, common-sense way this sentence parses quite easily. Apparently Riley is out of town for a vacation or +# work-related trip and needs someone to feed their cat. Among Riley's friends, Riley asked Alex because they are +# reliable. The key concept here is that this sentence implies that *because Alex is trustworthy*, Riley asked them to +# take care of their cat. +# +# In computer-land, trust means something very different. While in the common-sense interpretation trusting something +# implies that that thing is “trustworthy”, in computer security things are exactly backwards. In computer security, a +# trusted part of a system is one that has to be trusted because without it the system doesn't work. The distinction here +# is that this part *should* better be “trustworthy”, but that is not a given. +# +# Now, why should we care about this rather pedantic distinction? That is because we have to keep in mind this linguistic +# quirk to correctly understand what security people mean when they are talking about computers. If we interpret things a +# computer security person says in a common-sense way, they might seem to make sense at first, but this important detail +# can get lost in translation. +# +# There is a useful concept in computer security called “untrustedness”. In computer security, a thing is untrusted when +# we do not rely on it being trustworthy. + + +#The concept of a trusted thing as “something that must be trustworthy” is useful in computer security, but its +#complement is even more interesting. If there + + +# The rise of networked computers has revolutionized many aspects of our modern lives. For most of us, the internet has +# made everyday things more convenient and improved our overall quality of life. Large platform companies can serve +# millions or even billions of users with only a few hundred people in design and development. 
However, these same +# economies of scale that have brought us incredibly polished software products that improve our lives in many ways, also +# have a dark side. +# +# Through the last few decades, we can observe a shift in how we use computers in our lives. The computer systems we use +# have become increasingly complex and have proliferated throughout all aspects of our modern lives. At the same time, the +# internet's economies of scale have led to the operators of these systems consolidating. For instance, while in the 2000s +# an online business would have had to operate its own physical servers in a datacenter somewhere, today the entire +# internet rests on a small number of cloud computing providers. +# +# On one axis, there is the shift towards increasing integration of digital systems into our lives. On the other axis +# there is the shift towards large centralized operators providing the infrastructure for most of these systems. These two +# effects compound each other to produce a steeply rising dependence towards system operators. On a national level, this +# is seen as a threat of an emerging concept dubbed “digital sovereignty”, and is perceived to be an acute issue. However, +# on an individual level, things are not better in any meaningful way--they are just talked about less. +# -- cgit
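Review bot: The "Inertial Hardware Security Modules" section states the guarantee in absolute terms ("invulnerable to physical attaks", "no matter who tries to attack it", "even a hostile secret service will not be able to compromise physically"), while the same section only says "we believe we have developed a strong approach towards a solution", and the mechanism it describes is detect-and-delete: the mesh senses cutting, drilling or poking, an alarm is activated and the sensitive data is deleted. I would scope the claim to that mechanism, for example by saying the enclosure is built so that tampering is detected and the secrets are erased before they can be read. It would also help to add a sentence on what "all sensitive data inside the server" covers and what a triggered alarm means for the operator, since readers will ask about false alarms. Smaller points in the same hunk: "Amaazon", "someone someone" and "attaks" are typos, and "their users phone" is missing an apostrophe. The heading "Don't it Yourself" reads like a slip for "Do it Yourself" unless the pun is intended. The "#"-prefixed draft paragraphs restate the trusted/untrusted explanation several times; one of them carries the coffeeshop wifi example, which explains "untrusted" more clearly than the short version kept in "Trusting and Un-trusting", so either promote that example into the live text or drop the drafts before this leaves WIP.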