Schneier on Security

Nick P • June 17, 2011 1:54 PM

The interesting thing is that it's not very expensive to set up a transfer mechanism that would defeat most malware. The system might use a dedicated, small PC with very hardened software, trusted boot, attestation, and the bank's public key. The system could only connect to the bank, only runs the transfer related applications, and accepts data from external devices in a low risk way. If two factor was used, then a token generator or smart card could be used. The customers would pay for the cost of the computer.

Banks just don't care about the security. They're not liable for these problems. The court's need to rule that banks are liable unless they implement security measures that can actually counter at least common attacks. That would be "commercially reasonable" for a service that advertises itself as "safe" or "secure." I also consider the current practice to be fraud.

Nick P • June 17, 2011 2:17 PM

@ Clive Robinson

I posted a comment in another article regarding the quality of information in this blog's comment section vs other's. I thought you might like to see it. (It's the bottom part of my post.)

http://www.schneier.com/blog/archives/2011/06/25_of_us_crimin.html?nc=69#comment-552639

Nick P • June 17, 2011 4:54 PM

@ Marcos

"That's too expensive and user unfriendly."

Most of the losses reported are in the six digit range. That's more expensive than spending a few hundred or a few grand once every few years. This is one of the few situations where medium to high assurance solutions make financial sense.

"Banks need only to send code tables for their clients, on paper, of course. "

That won't work. You're inputing the codes into a hijacked computer and trusting what it's displaying to you is correct. There's already malware in the wild that defeats two factor authentication codes for specific banks. A standardized, widely-deployed two factor technology would probably be targeted by these groups. Any scheme that uses the user's computer to enter transaction parameters must either secure the computer from attack or make it untrusted. The scheme I used does the former.

Note that the solution I posted is not my favorite or preferred scheme: it's just one of many approaches I've come up with just for kicks. I like toying with new ideas. The approach I commonly push, which I've described on this blog previously, is to use a dedicated appliance to display the transaction to the user and authenticate it. Essentially, a trusted path, no hardware bypass, and protection of crypto keys.

Basically, the user sets up the transaction in their GUI, malware loving OS. They hit Send or whatever, then the data is formatted into an easily parsed text form and sent to the appliance over a non-DMA connection. The appliance loads it, displays it (a KVM switch can eliminate two monitors), and asks the user for confirmation. The user might insert a token, enter a password or just say yes, depending on how it's designed. The system then cryptographically signs the transaction with its private key and sends that to the PC over the non-DMA link and the PC sends it to the bank.

Using this scheme, the PC is untrusted because it can't perform transactions by itself, it can't authorize transactions, it can't modify them, and it can't trick the user by spoofing transaction data. Malware on the PC cannot steal the money. The appliance can be really cheap because it basically needs the capabilities of a thin client and crypto acceleration. A number of x86 and POWER processors already do this. It's also easy to use: the user starts in easy to use app, hits a button, waits a second, visually compares the transactions, and authorizes it on the other machine. What do you think about this scheme?

(Note: IBM's recent ZTIC takes this approach and makes it extremely simple. It's more limited in the types of authentication and functionality it can have, but it's good for individual wire transfers. See the link below to see how easily a scheme like mind can be implemented.)

IBM Zone Trusted Information Channel
http://www.zurich.ibm.com/ztic/

Nick P • June 17, 2011 8:53 PM

@ Richard Steven Hack

"Nick: That approach sounds good. It would only cost a few hundred dollars for the appliance, well within the reach of even small business."

Thanks for the feedback. That's the idea. It's affordable, relatively simple, and the complexity is low enough that high assurance design techniques may be used.

"But how do you verify that the text file does not contain an invisible attachment added by malware on the PC which can compromise the appliance?"

Input validation is applied to the text. A transaction set that fails input validation instantly kills the whole process, is possibly logged to a no-execute medium, and is zeroized from memory. The user might be notified of the failure. Remember that, since this isn't just a crypto processor, the banks can put extra functionality in there to help with stuff like this. For instance, the user might "register" valid account numbers for payroll with the appliance. Later, during a transfer attempt, the software might check that the destination account is on that list. There's other tricks, too.

The main defense is the visual inspection step. Any data it receives is rendered as text for the user to verify. It will be quite obvious if extra data was tacked on: it will look like a bunch of strange characters. Obvious changes or extra data is obvious to the user in this step. Slight changes, like a digit difference, might be harder to detect. We could add in a feature whereby the hash of the transaction details is displayed on the user's PC and on the appliance during verification. If it doesn't match, the user would be instructed to contact support or an administrator to determine if it's a severe glitch or a compromise.

"That device does one thing and one only: it scans the transaction and re-formats it into pure text."

You can do that in software. My design would be implemented with medium or high assurance design principles. That means the input validation is a separate software process. It takes input from the communications stack, copies it into a buffer (fixed amount of copying to prevent overflows), validates, converts, stores it in a new buffer, repeat until transaction data is converted, and and notifies the next component. There's a similar component and strategy for sending the signed transaction back to the main machine.

The reason I use a design like this is it allows us to leverage a separation kernel, like Integrity-178B, to much of the heavy lifting. So long as the IPC communications policy is correct & the components are functionally correct, then the overall system is secure [enough]. For instance, I can make the buffer's or components containing them different address spaces, with any attempt to interact with those buffers invoking the kernel for a security check to prevent unauthorized information flows. This turns the situation from "Are all of my software functions' potential interactions secure?" to "Is the kernel secure & my access control lattice correct?" Much easier problem, esp. with certified kernel. Isolating the communication part from the rest of the system also let's me use simple tricks to prevent externally visible covert timing channels. I hate timing channels with a passion. They are insidious and difficult to find in complex comms stacks.

"No matter what you do with the resulting encrypted transaction, sending it from the untrusted PC allows for the possibility of some sort of spoofing of the transaction details."

The trusted display on the appliance prevents spoofing: it signs what the user see's. Any modifications are caught by verifying the transaction details against the signature. Malware has to access the private key on the appliance to forge a signature and the bank gets the appliance's public key during user registration or when issuing the device. In the abstract, this is basically the same way that products like Safenet's Luna CA4 use to protect root keys while signing other CA's. I've just expanded it to use cheaper hardware & have more functionality. TU Dresden's e-Commerce Nizza Architecture demo also uses a similar approach.

"I'd prefer to trust the encryption appliance to do the actual data transmission."

I warn you to NEVER do that if the comms stack and appliance's software run on the same processor or SOC. Unlike a serial/ATA driver w/ simple comm's stack, adding Ethernet + TCP/IP + VPN to the appliance drives complexity way up. Vulnerabilities in this complex software might lead to compromises through their interactions with the hardware, drivers, or OS. Simple is better. So, I leave that whole mess outside of my appliance in exchange for a very simple, maybe mathematically verifiable, comms stack. If the networking is taken out on the main PC, then the user might not want to be attempting transactions anyway: something is really wrong at that point and they should at least boot with a Linux LiveCD. The system might come with one as a backup option and it would include the relevant public keys, interface software, etc. A support contract might provide regular, updated LiveCD's for users by mail or collectable at the bank.

Although, we could tweak the design to allow a backup (or simply different) system to be plugged-in in mid transaction. The user would use the non-default option, "authenticate but don't send yet." The user would plug in the other networked system, wait for the connection, and then hit "Send." This tweak still leaves the other system untrusted, only present for availability.

Actually, while I'm on this brainstorming tangent, you suggesting gave me an idea that would allow us to do what you say and meet my security requirements. We could put networking on the device without putting it on the device. (Paradox, huh?) I've done this in previous designs & Rockwell Collins does it in their Turnstile cross-domain guard. Basically, the device is two devices or boards: one high quality board doing the security-critical stuff and a really cheap, replaceable networking board. (The user interface portions MUST be on the high assurance board or a separate, cheap board for security reasons.) The networking board would have Linux/BSD, networking, VPN, etc and simply relay information between the high assurance appliance and the bank. That meets both our goals.

I usually use this trick of offloading something onto another board when I want a COTS functionality, like RAID storage or complex networking, in a high assurance system. Isolate the COTS functionality onto other boards, connect them to the trusted system with non-DMA hardware, and interface with a careful protocol. It can't be used all the time for performance reasons but it's often effective. If the system allows for medium instead of high robustness, DO-178B Ethernet and TCP/UDP/IP stacks might be used to meet higher performance requirements with a low probability of defects.

"Remember - the appliance is a computing device. It will have security flaws. So ANY communication with the device from an untrusted device other than direct input from the user is likely to have a channel allowing compromise."

We definitely share the same concern. Which is why we're using the most robust hardware and software platforms we can get. My initial design employs a Freescale or Curtis-Wright PPC board with no known security critical errata, increased assurance BIOS/firmware, and a DO-178B or EAL6+ certified kernel, drivers, and filesystem. We can get all that without extra effort if we use one of the existing EAL6+ hardware and software configurations. High assurance techniques would be applied to the interfaces between trusted and untrusted software, especially comms stack.

Several systems designed the way I would design the comms stack have achieved high assurance certification, survived years of NSA pen testing, etc. They were also fielded for years without any known compromises or security-critical flaws found. So, it definitely can be done. It's just hard work. Most of that was achieved with mid-80's to mid-90's technology. I'm sure we can do better now. Actually, the L4.Verified project only took a few million to do most of what used to be $15-25 mil. Development tools, from IDE's to bug hunting tools, are also light years ahead of what they had back then. It's also been done recently: INTEGRITY-178B and MULTOS were both certified after 2000 to EAL6+ and E6/EAL7 respectively, with Caernarvon preparing for EAL7 evaluation.

"Moving a CD from one PC to the appliance isn't that bad. "

I totally agree. It's very usable. The issue I have is solely with it's complexity & firmware-level attack issues. Serial or non-DMA ATA + simple comms protocol stack is *much* simpler than a ATA/IDE driver + CD-ROM driver. This makes it easier to get right. Also, the hardware is cheaper/smaller, and it lasts longer. The simpler design could also use custom hardware or firmware implementation using the same verified process if clients called for it. Verifying a CD-ROM interface and implementation is another matter entirely... The firmware worry refers to attacks like Heasman's on device's firmware. A simpler mechanism can be implemented in a way that resists these attacks, especially since there's no device between the PC and the appliance: just a wire whose input is untrusted and scrutinized.

Disclaimer: I didn't mean to drop a Clive-sized post, but I figured spelling it out is useful as we're basically designing a product right now. I figured if I posted what I've already gathered about transaction signing, you guys might spot areas of improvement in functionality, assurance or cost reduction.

Nick P • June 17, 2011 9:31 PM

"Why isn't anyone examining Patco's system to find how the trojan got there, and the million other insecurities in their setup?"

There's no doubt they are partly responsible. However, I think most of us are siding with them because the banks are committing these evils:

1. Forcing the use of weak authentication methods that don't counter known malware (and supporting it with non-sense legal claims about what constitutes two-factor authentication).

2. Telling companies that their money will be safe because the banks systems are secure and the authentication method is safe.

3. Banks not informing customers of threats and countermeasures. By contrast, Krebs on Security has done more in that regard than any of the banks offering the online banking schemes.

4. Banks aren't making options available, like better transaction authentication, that make these remote attacks harder or impossible. RSH and I have already worked out a design whose final unit cost would be $50-$2,500 depending on the features and level of assurance. Spend, at most, $2500 to prevent a loss of $100,000+ regardless of flaws in your PC or software? Problem solved at bargain price.

So, banks are being both careless and deceptive. Additionally, they are mandating weak authentication schemes. This is a regulated industry. Many of us think courts (via liability) or government (via regulation) should force banks to adopt a higher standard of commercial security so that small businesses left and right aren't wiped out by malicious individuals. There are actually many solutions on the market already from the likes of Barclay's. There's just no effort on the part of most banks to even make them an option, much less mandate them.

Nick P • June 19, 2011 1:37 AM

"but that the untrusted system might somehow have a way to completely create a separate, damaging transaction (one for more money to a different destination, say) and replace the encrypted one with their own"

The beauty of the design is that's not possible without compromising the appliance. This is actually the whole reason for using a digital signature scheme. Any transaction details the bank receives must have been hashed and signed with the appliance's private key. Without the private key (stored in appliance), malware on the PC cannot (1) create *any* authorized transaction or (2) modify any signed transaction. The user see's, via appliance, exactly what they are signing. Transactions are dropped unless they are signed by the appliance. The situation you are describing can't happen by design. Only availability issues or perhaps psychological tricks to make the user distrust the appliance (those are always available though).

But, assuming we want that availability or reliability, we can move forward with your idea...

"But in this case the separation would be done precisely because of the lack of trust of the PC Internet access. The appliance takes care of the problem of compromising a single machine with both Internet and VPN by splitting off the VPN part into another device separate from the potentially compromised PC."

True. This doesn't add to transaction protection for reasons described in previous paragraphs. This only increases security if the appliance is leans more toward low assurance than high. However, it does make it a harder target and increase the effort for the attacker, increasing availability. This adds cost to the device. Whether it's worth it or not depends on the person purchasing it. That's how it looks to me so far.

Nick P • June 19, 2011 1:05 PM

@ Mark Currie

"All these solutions require service providers to make huge financial investments in user gadgets and back-end security servers."

Traditional solutions do. This is a problem my design was intended to solve. It only requires software modifications on the backend. The front end investment is paid for by the customer so their liability is reduced. It's purely a client-side security scheme.

"I wrote a paper on this a while back and if anyone is interested here is the link. "

Thanks for the paper. I'll check it out.

"Passwords, account numbers, ID number etc. can be pre-stored on the device, or directly entered via an integrated user input mechanism."

Sounds neat so far.

"It only implements a very small core of the TLS stack (necesary for security) and it also understands a very small subset of HTTP/HTML allowing it to filter and display/insert information in the clear text."

Then the complexity creeps in. There have been few implementations of HTTP/HTML parsers w/out errors. The assurance level of this device would necessarily be smaller than a simpler device. I do like the functionality. Even so, it seems like it would require more software development investment for each client than a standardized signing app. What are your thoughts on that?

Nick P • June 19, 2011 5:27 PM

@ jbaurer

I wasnt aware of them. Sounds similar in principle. Just goes to show even more how so many modern IT security problems were solved in the 80's. We just keep reimventing the wheel.

Nick P • June 19, 2011 6:49 PM

@ clive robinson

Im away from a pc right now and cant do a detailed reply yet. I did want to reply about ur strange claim that the design we were discussing doesnt keep people in the loop, etc. I think ur looking at the first design i posted: a castle approach i threw together for shits and giggles.

My real design/recommendation was in my next post. It uses a TAD-like scheme, but the transaction appliance has different functionality. It was alse specifically designed to account for driver issues and some basic interface covert channels. If u want details, see the reply to marcos then my discussion with RSH.

Nick P • June 20, 2011 2:05 AM

@ jay

That's right. His design is conceptually the same, but two steps are now manual. Will probably be the last time he slips like that. ;)

@ Richard Steven Hack

"This would seem to introduce the possibility of vulnerabilities in the TAC encryption while it's on the PC or possible manipulations of the TAD encrypt/decrypt software via the PC, which is what Nick wants to avoid by only transferring the transaction in pure text. But I'm inclined to dismiss that; we have to draw the line somewhere. If the crypto software is not trusted, the whole exercise is a waste of time."

You can transfer the initial setup and signed authorization to the bank however you want for your needs. The important part is that the appliance receives the transaction details, displays them, contains the private key(s), and signs (or doesn't) the transaction details. This is what provides the real security. Any problems in the rest only lead to availability (e.g. Denial of service) issues. That's why I focus on these critical parts.

"So the TAD needs to be authenticated by the bank as belonging to the correct user, no? And as Clive says, how can we make that immutable? If a hacker can get his own TAD, and it is not immutable, then he modify it to imitate another company's TAD."

My scheme includes that. I elaborated in my post at 1:37am that...

"Any transaction details the bank receives must have been hashed and signed with the >>>appliance's private key

And the bank issues them. I can't remember if I mentioned that, but I should have. The bank would link a certain device's public key with specific users, accounts or however they look at it. As for stolen devices or imitation, I mentioned authentication mechanism but didn't elaborate to leave it open. Here's more detail: the private key would be encrypted in storage, and decrypted upon use. The authentication process would include the decryption. Dresden e-Commerce demo inspired this addition. The authentication will involve at least a password, possibly plus smartcard or usb token.

Regardless, that each device has a unique key pair and the public key is associated to specific bank customers should prevent many forms of spoofing (aside from theft of transaction appliance).

Nick P • June 20, 2011 2:13 AM

@ Dirk Praet

I look at its description. It seems much like a forensics type LiveCD with productivity apps. I don't think it achieves much more than other LiveCD's in terms of either security or privacy. In the privacy case, the type of distro, plugins, etc. can be a trace itself. The most common are Incognito, Knoppix, and Ubuntu. In security, the description says it appears to trust the boot process and the BIOS. Advanced persistent threats, especially on BIOS or PCI/DMA devices, are still a risk.

Nick P • June 20, 2011 8:18 PM

@ tommy

Thanks for the heads up. Im on my fone now and dont get home till 1am CST tonight. Ill respond in depth to both posts then. We discussed the LiveCD approach on Krebs before, strengths + drawbacks. Till latet, u can google my name, krebs, jcitizen and livecd if u want to find it.

Nick P • June 21, 2011 2:06 AM

@ tommy on banking livecd's

Alright, now for a real reply. Tommy, what might have been hidden in the Krebs article is the attacks that are still present. We agreed on Krebs that a LiveCD for banking, even Ubuntu, is *currently* a good idea for individuals because most malware targets (a) windows machines and (b) OS's with persistence (i.e. not LiveCD's). If banks started deploying Linux LiveCD's en masse, you'd see a shift among the more sophisticated groups to targetting them. So, what's the risk from there?

The first risks involve spoofing the bank. Many people are tricked into going to sites that look like their bank, which then perform MITM attacks. Knowing that banks love JavaScript, other browser-based attacks might work as well. Then, as we must assume they can access the public network, they might look for signs of banking activity and only attack when the livecd's are loaded. Just reinfect and compromise each time its loaded. BIOS, SMM and Intel VT type attacks are still available. Covert channels leaking key material is still a possibility. Most of these are prevented by the secure appliance designs, but present in the LiveCD designs.

That said, your proposal is an improvement on LiveCD schemes. It even immunizes a user to several of the above attacks and makes the others harder. Banks or 3rd party companies could, like RSH agreed, pool together to make the lifecycle of the LiveCD cheap. Now, for a few problems.

The first is subversion. The LiveCD would be made using commercial software development methods, 3rd party components, a low assurance repository, etc. Subversion of the software to include a backdoor could happen at any point. It's more likely than in a medium assurance development process. Recent examples of subversion include the Borland Interbase backdoor and Microsoft's quality control people not noticing an entire games hidden in their Office software (one of RSH's favorites).

The second is the user. Any good scheme must be seemless enough that users wont pass it over for convenience. Pressing a button, looking at another device, and pressing/typing something on that device isn't that bad. Heck, it's what we do when we use debit cards at most POS terminals. Shutting down our system, loading a LiveCD (that's SLLOOOWW), doing the work, shutting that down, reloading the main system, and reloading the work is more than most users do today even when they know the risks & the benefits of a LiveCD. (I've occasionally skipped the LiveCD when I was too impatient for a wait: "I have a locked-down Linux system. What's the odds I'm infected anyway!?") They prefer something quicker.

The third is interaction between LiveCD and filesystem. The software on the untrusted PC in my design can have arbitrary complexity. It can be Quickbooks or ADP for all I care. The user looks at a convient format, clicks "Pay the Bastards", and the software transparently converts it to a simplified format for the transaction appliance. If we use a LiveCD, does it include software to create and process the complex files? Potentially buggy software that could be exploited by a malware-modified payroll file? Or does it interface with the filesystem and attempt to parse these files? Legacy software and big vendor's ACH software interoperability must be considered. These two issues increase the odds of an exploit via rigged file, LiveCD or not. Granted, they will need privilege escalation capability to use this to the best of their ability, but it's a risk with potentially unforseen angles. People keep finding holes in the Linux TCB so I'm sure we'd at least see one damaging zero day.

The fourth concern is specifically for Tommy's scheme. His is one of the most secure LiveCD's because it's so locked down and tied to the bank. This might be its downfall, too. Studies on C.A.'s and certs show most sites have domain errors with their certs and many let their certs expire. Currently, even the average bank can't manage its PKI right. Networks, IP's, etc. often change regularly as well. A LiveCD locked down enough might be so inflexible as to lock OUT a user from their account. I'm not saying this would happen in your design, but that it should be considered. This is such an annoyingly complicated problem that I make comms stacks untrusted partly just so I can ignore such issues.

So, these are my risk considerations (right off top of head anyway) with a LiveCD (or LiveWORM-USB or LiveWORM-Whatever) approach. A secure appliance avoids these. Notice I've shown that, if a small percentage of banks used them, then there are serious security advantages to a LiveCD approach. Tommy's extra lock-downs are better than most. However, widespread popularity would necessitate a change to more secure appliance designs like those proposed by Mark, Clive and I. Many have agreed the up-front cost would be worth the near total risk mitigation it earns against online, six-digit threats. My preference is that, if we're investing big in something, to go ahead and do risk mitigation in this case instead of "risk management" (read: vulnerability breeding).

Btw: Acronis is a great product for backup and recovery, among my favorites. It's LiveCD is great too on many types of hardware. There's a reason though: Acronis' LiveCD is Windows, possibly Windows Embedded. Windows forensic or recovery LiveCD's tend to work pretty well on PC hardware designed to run Windows. But, is Windows Embedded a good base for a widespread, secure banking platform? (See the Office subversion above for why my skin crawls at the idea.) A Linux LiveCD wouldn't work nearly as well, as experience shows, although it's security profile is better. Tradeoffs, tradeoffs...

Nick P • June 21, 2011 2:17 AM

@ Mark

I'm sorry I haven't given a detail response and really read your paper. I've been a tad busy. I should have a response in by the next few days.

@ RobertT

"No disrespect intended, but you guys must be living in a time warp if laptop's and desktops are even remotely relevant. "

Considering how much banking is done on them, I'd say the time warp only goes back a few minutes. ;) Remember also, Robert, that we're mainly talking in the context of the ACH and wire transfer frauds that are hitting businesses hard right now. They typically involve compromising a corporate desktop or laptop, altering the transaction details, and picking up the money.

These schemes are targeting those things, not mobile payment. You and I have already discussed some issues with that. It's a whole different beast. I'm glad this beast is easier to tame. ;)

Nick P • June 21, 2011 2:56 PM

@ RobertT

"Most corporate desktops have the USB's and DVD disabled , to reduce network infection vectors."

Most small businesses that are making the news don't do this stuff. They do whatever their bank tells them to do on a regular PC. My setup is primarily targeted at them. For corporate systems, you're right: that would be an obstacle. RSH had suggested building networking into the device so it could connect directly to the bank. I said, if we did, it would be a separate SOC connecting to the appliance SOC over non-DMA. Customers wouldn't know the device contained two computers and don't need to. If ports were available but incompatible, I'd just use an adapter.

But a corporate PC probably has at least network access, so I could use an onboard networking feature to send the data that way. The secure part of the transaction appliance would still receive the data over a non-DMA link with a simple protocol. It would just go to an untrusted, networked component first. Setup in the corporate environment would basically mean entering some network information into the system and changing some firewall rules. (Maybe trickier in very complex environments, but not much harder than putting in a new corporate PC)

"so your solution would not work for me especially when I'm traveling (because I don't typically take my own laptop) but I often need to do internet banking and money transfers when abroad, sometimes personal banking sometimes corporate banking."

Maybe, maybe not. If we added wired/wireless networking component described above, could it be made to work for you? I could imagine you connecting it to the internet and it connects to the bank. Then, you connect on a different device. You get a transaction going, the bank sends it to the device, etc. What do you think?

Nick P • June 21, 2011 3:15 PM

@ tommy

"Do you think it's not worth my burning, booting, test-driving, and poking? I don't mind, but the time could be used for other things if you think it unlikely to be of any genuine benefit."

I don't really see any benefit. The government is usually way behind on stuff like this. Especially with Linux because Linux's development and release pace far exceeds anything the government produces. Their secure configuration guides are nice, but even those came after the hardening guides that hackers and security gurus posted.

Far as LiveCD's go, your time is probably better spent improving an existing LiveCD setup for banking or trying to create an OpenBSD livecd for banking. Those OpenBSD livecd's keep falling out of maintenance and support. Would be good to see someone keep one going.

"The first part of that statement eliminates 99.9% of those with bank accounts. I'm trying to make something that Juan and Juanita Normal-Medio can use with almost no instruction. "Pop in our CD and power on" - browser prompts for creds, and they're in. "

That's was one of my primary complaints with the system. Who would keep track of parsing rules, templates, etc. for the bank web sites? It might be best if the banks themselves designed their login pages to make that work, but if a 3rd party builds this then someone has to maintain that stuff and constantly run scripts against banks to detect if they have changed their login in a way that breaks the functionality. If they do, then the device either won't work anymore or might do something wrong in a way that causes problems. Again, though, these are just thoughts I had during a quick skim. I want to suspend judgement until I read & analyze the paper thoroughly. I will say that, whether I prefer it or not, it is a novel design.

Nick P • June 22, 2011 1:54 AM

@ RobertT

"I still have the problem that the PC and PC_OS are potentially infected so I'm not sure that any malware caused MITM attacks have been prevented. "

If you read my design description, you'd know the PC can be 100% subverted and that the security policy is still in effect. My design, modified for your situation, uses something like this: secure, minimalist, device for transaction verification/signing + untrusted PC to setup a transaction + untrusted device to connect PC or bank to secure device.

Other than the non-DMA link & careful protocol design, the reason the PC and communications devices can be untrusted is that anything the secure device receives is displayed to the user in text form. If you see a modification, then a MITM has happened. If you like what you see, hit the authorize button on the secure device and it signs the transaction with the onboard private key & sends the result to the bank. Only the secure device has the private key, so forging transactions is out of the question. The user must approve of what's being signed, so tampering is evident. The worst thing that can happen is a loss of availability. (We can design around that too, but it's easier for them to just use a different computer/network or fix their existing one.)

"You see I work in the new product/ device chip development area, so what is new for Joe Public is something that I have usually spent the last 3 to 5 years working on. (BTW the first Iphone came out in 2007). "

I figured that. But, I wonder why you've never mentioned who you work for. You work on classified projects or just confidential?

"At this time I expect there to be a significant shift to Pad's and smart-phones as the dominant mobile computing devices. "

Agreed, as do most commentators. The push for people to just be content consumers is working.

"The smart-phone is the laptop of the future, so if we don't want a complete disaster than we need to be thinking about high assurance smart-phone systems, and thinking about them today!"

Have you seen OK Lab's Nirvana phone demonstration? I mention their OKL4 kernel on this blog a lot, but they've gotten more professional than academic these days. Rolling out lots of "solutions." The Nirvana phone is basically a remote desktop client [on a smartphone] that you plug a monitor, keyboard and mouse into. Then, bam, you have a PC at your fingertips. Sweet, huh! Also can be behind the corporate firewall: using OKL4's isolation capabilities to protect VPN keys from smartphone OS's was one of the earlier design goals of the kernel. I'm sure they got that part covered at least as well as the competition.

I definitely agree that smartphones and mobile devices are big for the future. But, we need to plan for all of whats in the future and what can be done in the present. Remember how many said that, with cheap laptops available, desktops would die out? How many people do you know with desktops? Probably plenty, but less than in the mid to late 90's. The future will have desktops, laptops, smartphones and more. I think we need parallel efforts to develop high assurance solutions for each. The cost of entry into secure SOC development is so high I can't stand a chance there. But, developing a little secure banking appliance that connects to desktops, laptops or bank networks is a lot more realistic for some of us. And the target market could and would use such a solution if the benefits were worth it.

Btw, I was wondering what the development cost of the hardware would be like. I was going to take an existing, high quality board and put new BIOS/firmware on it. What's it normally cost to develop custom firmware for a board whose hardware specs are known? The custom firmware would be developed in a way to increase trust in its operations, maybe modular and layered. The board would probably be POWER processor and have some basic IO options. What kind of cost range would I be looking at?

Nick P • June 22, 2011 2:03 PM

@ RobertT

All makes sense. As for Nirvana, I didn't mean for it to be an example of security, nor OKL4 high assurance. You mentioned your belief that smartphones would become our computers. Nirvana is an implementation of that concept.

Nick P • June 23, 2011 3:20 PM

@ tommy

"The loader text went by too fast to read while it booted, so I searched the kernel.dat file with a free tool, Analog X Text Scan. It found the string, "Linux Version 2.6", and did not find any occurrence of the string "Windows". "

They must have switched. Mine was certainly Windows, from appearance to how it loaded/functioned. I was guessing Windows Embedded but I forgot about WinPE. My CD used one of them. I guess they switched to Linux once its hardware support got really good. I'll respond to your other posts later on today when I have free time.

Nick P • June 23, 2011 10:55 PM

@ tommy

Alright, rather than responding to every point, I'm going to summarize the issues, what your design nullified, and what's remaining.

1. Attacks on active LiveCD. Browser-based attacks, DNS-based attacks, etc. A good SSL setup on a mandatory URL with a hardcoded cert should work, assuming it's all implemented correctly. Doing this essentially turns the general purpose online system into a specific purpose, reducing attack surface.

2. BIOS attacks. This is still a real threat because any real-time attack on the Linux TCB might be used to drop a BIOS rootkit. Good sandboxing and permissions might defeat this. The LOMAC and SMACK M.A.C. schemes come to mind.

3. Hardware issues. Linux hardware support is better than ever, but if that fails who knows what happens. Bank might standardize on a cheap netbook, keeping a working Linux install on it (or several banks rely on 3rd party for this). The LiveCD software will be certified for these cheap platforms, which a customer can buy if they don't like hardware & performance issues.

4. Slowness. The thing will still take time to boot. Reduction will help but several seconds of waiting occur during BIOS initialization and CD must still be extracted. Best alternative is netbook.

5. Subversion. As I'll probably not be the developer, this is still a consideration. Assuming I wrote the client software, there's no guarantee that this is what's on your CD or that the bank is following the standard protocol. An improvement would be having the files (or compressed filesystem image) hashed and signed by the developer. Then, any user could just mount the CD in a running system and check its files against the signature. Still must trust the developers and their repository.

6. Convenience. It still isn't. Users might not choose such a device. Banks could mandate it for online banking. This creates a potential loss of customers to a competing bank that claims its solution is secure & is more convenient. Users don't know the difference. Convenience is a big issue for livecd-based approaches.

7. Cost. This is the advantage and isn't security relevant, but I should mentioned it. The LiveCD costs much less to deploy than a secure appliance. Of course, hardware issues might necessitate spending $200 on a netbook or nettop. This is comparable to what I figured Mark's device would cost and the lower assurance (maybe market entry) version of mine would. At this point, it's not competitive. It's still cheaper than high assurance but... of course it is. ;) So, it's the best from a cost perspective if it works on the user's hardware.

8. Cert management. I'm only half convinced on this. For the lockdown to work, it must be strict. Strict means that the certificate must absolutely be valid. Many web sites have a hard time with this. However, banks are a bit better than most & might do better if it was central to preventing massive fraud that they might be partly liable for.

9. Javascript. Minimalized risks. Primary issue comes from 3rd party interactions with the bank: XSS. Might be necessary to include bloated firefox + noscript on this thing as indicated in 9.

10. Integration with existing Windows payroll & finance apps. You kind of dodged this one, but it's important. Remember, our target market is mainly small businesses doing ACH and stuff. Many use proprietary applications dedicated to this or to accounting/finance in general. Loading data from such devices will be *essential*. The new solution doesn't address this. It can integrate with online applications, perhaps, by adding permissions. (Then, we open a can of worms with attacks like XSS. Can't just a simplified browers or thin UI anymore.)

Best proposal would be extending those apps to export it in a simplified, easily validated format (like in my appliance). Then, the livecd would mount the HD, pull the file off it, parse/validate it, and proceed with the banking. This addition might be easy for apps that support plugins, but other proprietary apps might prove a challenge. This also could create additional risks, as the HD is untrusted & possibly maliciously altered.

The VPN idea requires more thought and consideration. It might be hard to give a judgement call on it because it will depend a lot on what technologies, topologies, etc. each bank network uses. I think a properly constructed, strict SSLv3/TLS connection should do. We've already discussed a user key pair and device key pair. If we used two tunnels, this might be conceptually easier: one strong tunnel using device key pair between the PC and the bank. This forms the VPN. Then, the user's key pair (probably unlocked/decrypted with password) is used to create another tunnel between the bank application server & the client software that simply maintains integrity and authenticates the user. No need for special segments and fancy stuff: SSL and SSL acceleration is already widely deployed in banks.

As for Acronis secure zone, I've always had my doubts about that. It relies on obscurity, runs on a possibly compromised machine, etc. I just feel shaky about it. I think we should treat the machine as totally untrusted & start root of trust with boot cd. If the HD was used, it would be for faster load time. In this case, the CD would load the filesystem image from the HD into memory, hash it, check the signature, and then boot as usual. If it didn't match, it would tell the user something was up and boot from CD instead. Must start with and entirely rely on integrity of CDROM/CDR data to ensure we get the strengths of a LiveCD.

And, btw, I had no idea about the OpenOffice thing. So, here I was using this "open-source" program all along and didn't know it had a game built into it. Subversion is insidious. Fortunately, it was a harmless subversion by non-malicious developers. I don't feel I made a bad judgment call because I trusted them not to intentionally harm my computer: I figured software glitches in Word conversion would do me in. So far, so... painful...

Nick P • June 24, 2011 1:54 PM

@ RobertT

"Anyway, I've probably left most readers scratching their heads, and wondering if I'm just a complete nutter."

Just the first. I know enough about security engineering to understand, conceptually, what your doing in some of the specific examples. But I lack the domain knowledge to understand it at any concrete level.

@ Mark

"The manufactured cost for my current memory stick version is around the $10 mark in volume so it’s not really fair to put it in the netbook cost category."

I remember that your paper mentioned a trusted path on your device. The illustration showed a screen (LCD?) and a keypad. The original problem area we were discussing involved small businesses running batches of payroll transactions. To get real security, they need to see what they are signing on the secure device. A tiny LCD screen would cause a time consuming review. Strong or long passwords are also horrific to type on a primitive keyboard, necessitating a miniature qwerty or something like the old electronic organizers.

These requirements and issues led my transaction appliance to be a somewhat large device. A few inches of keyboard, maybe a four+ line screen, maybe foldable to save room. Anything less would be a real headache. Putting a trusted path in your design that's good for things like payroll verification seems like it wouldn't be a USB stick and would be more than $10. Just a hunch, but I can't mentally fit this in a USB form factor. ;)

Your substitution approach looks like it's fine for logins & very simple transactions. Things like payroll that deal with lots of transactions would require a whole lot of preset form data to be input in your little device. That data could change often, too, as well as the data fields. My setup just requires a file to be exported to a simple text file, parsed into the device, & displayed verbatim. Your substitutions approach would require copying plenty of it by hand to prestored memory & configurations to match form fields of the application. Thoughts on this?

"Therefore as I mentioned earlier, for pretty much all major HTTPS services you can get a hardware-based mutually authenticated secure login."

I could see your device being useful for this. If it became widespread, might be able to get a few big sites to adopt it as a defacto standard. More people would use it, more web sites would get on the bandwagon, and it could become universal. I could see it happening. Look at OpenID's success.

Note: As I was writing this, I noticed Bruce post about a technology called AppFence that uses the substitution approach your talking about (with some blocking too). I commented that they were about two years behind you guys. lol

Nick P • June 26, 2011 7:53 PM

@ Mark Currie

Although I'm still concerned about complexity, I do like your device for one important reason: it should be easy to get banks to support that. The main requirement to make your device simple enough to assure to high levels is a standardized form structure for banks. The device could be programmed with custom parsing rules (and a separate, untrusted parsing module) for non-compliant banks. However, banks can comply simply by changing a few lines of HTML in a way that will have little to no impact on their backend functionality.

My approach, although much higher assurance, requires a backend system to authenticate the transactions. This might come with significant upfront costs for both hardware and software re-engineering. Many customers, banks and I might think it's worth it if the design existed and was marketed. However, I think the majority of banks are going to initially ignore a new scheme that requires significant effort on their part. They already have little liability thanks to the courts. The further reduction in liability must come at a proportionally low cost. My device's main market would be banks who are branding themselves as more secure via superior protection methods.

So, we could start with your device to set up an initial tunnel. If the HTML format is standardized and simple, this can provide reasonable assurance (exceeding "commercially reasonable" lol). The part that confuses me a little bit is where the user downloads it onto your device. Since it's just a USB stick with an LCD, this implies the user removes it from one PC and inserts it into the payroll PC to do the file transfer. The problem is that, as your paper indicates, the USB stick is maintaining the TLS connection. Removing it might disrupt the session somehow.

So, we have to have a way of doing the download. A few options come to mind: your devices is physically altered to connect to both simultaneously; the scheme is altered so device removal doesn't disrupt the transaction; scheme is modified so to allow a transfer from one PC to another, then to the device. The last seems easy to do with existing hardware. I'm focusing on it because I need to know more about your implementation to do No 2.

The old PC might be connected to the network during the ACH transaction and set to only send outgoing UDP connections (not even receive TCP acknowledgements). This means the user enters the untrusted PC's IP address. The signed data is sent to the untrusted PC, which relays it, and your device checks the signature. Signature prevents alterations. For reliability during transmission, we can just send each packet a few times, display a hash on both screens and let the user tell the trusted system things are fine or retransmit.This let's us get it onto your device without modifying your hardware. The device might also have restrictions like "only allow a download during a secure transaction", file size limits, and "only allow a download signed with X key."

(Note: The only time the trusted PC is connected to the Internet is to do updates. It's firewall settings are changed to allow incoming traffic that's solicited by the PC. A LiveCD might not be possible if 3rd party Windows applications are used. In that case, a hardened Windows installation is used.)

What are your thoughts?

(Btw: Who owns the rights to your device? Is it your intellectual property, your teams, university's or freely available?)

Nick P • June 26, 2011 7:57 PM

@ tommy

Nice work with the bank. What we need to do now is figure out how to teach companies to only deploy security measures that have a chance of accomplishing something.

Nick P • June 27, 2011 12:59 PM

@ Mark Currie

I have a tendency to overlook the obvious sometimes. The first method you mentioned is probably the best: downloading the data to the device before putting it into the untrusted PC. This helps maintain an "air gap" and that is the best method.

It's good that the I.P. is yours. That simplifies things. You should really consider releasing it in an open license in some way. Perhaps a start would be dual licensing it: free for personal, but not commercial, use. I'm thinking about building and deploying it. Marketing it is the hardest part, though. As for assurance, we could start the design with medium robustness on really cheap hardware. Then, future sales would fund a gradual increase of assurance.

I've also been thinking about using one of these EAL7 level smart card OS's and just retargeting it for a more powerful processor. Specifically, MULTOS or Caernarvon. They usually have filesystems, signed app loading, etc. What do you think?

Nick P • June 28, 2011 3:17 AM

@ RobertT

The sad, sad truth. This and more legal mumbo jumbo is the reason I've intentionally shelved the majority of my designs. I simply can't take the risk as an American citizen in an American market to deploy secure technologies that might accidentally step on some patents.

Did you know even Red-Black separation, as a concept, has been patented in the past? That's utterly ridiculous. Aside from being obvious, it's been done for decades now by all kinds of different groups. What crypto or guard can really claim it doesn't implement Red-Black to some degree? Any could be sued. Patent reform is essential for innovation. Otherwise, we [American citizens] just sit on good ideas worried about getting sued, while the rest of the world leaves us behind.

Nick P • June 28, 2011 12:59 PM

@ RobertT

"I left the US partly because of this patent issue, and I've really have not looked back."

I've been considering doing the same. Bangkok or Seoul, anyone? ;) That 1Gbps broadband at $26 a month is awfully tempting.

"but legally each and every one of those patents has the same legal weight and affords the owner the same legal rights. It's crazy!"

The crazier thing is that the legal standard of evidence required to dissolve a patent is higher than almost any other situation. It's "clear and convincing" instead of beyond a reasonable doubt. You can be convicted of rape and murder with weaker evidence than it takes to get rid of a bogus patent. I think the supreme court also recently upheld that standard of evidence.

So, they can say any superfluous thing to prove they own an idea, but the opposition is required to present nearly perfect, doubt-free arguments to prove they don't own it. Not fair in the least. They need to change the standard of proof so people can challenge bogus patents in a fair way.

Nick P • June 29, 2011 2:59 AM

@ Mark Currie

That was essentially the point we were making. If we had a real competitive chance, the big companies would take notice at the potential loss of profits. If any had similar patents, then they could sue us. The successes of Intellectual Ventures make me have a hard time putting faith in the potential success of informal arguments or prior art claims. It's not surprising to find patents like this:

https://w2.eff.org/patent/wanted/patent.php?p=acceris

This patent gives the owner the right to claim any VOIP service is an infringement. Fortunately, EFF got a reexamination approved. Will we be so lucky with whatever we get hit with? Not sure. If I do this design, I'll probably take Robert's advice and do it in another country. Maybe give ownership of the IP to a trustworthy non-profit group and get our companies an exclusive license of it for implementation. There's a good chance, though, that it might not survive in the US long.

Even so, I might still be willing to invest in the product if the breakeven period is rather quick. Then, might be forced into paying licenses or doing a buyout instead of being put into bankruptcy. They'd always rather increase their cash rather than accounts receivable. ;) I said "forced" because my secure designs can't be "bought:" too many have been shelved by COTS firms. You could say I have an ideological, rather than professional, interest in designing and deploying secure systems.

Nick P • June 29, 2011 3:21 AM

@ Mark Currie

I agree that one big company going with it may be what it takes. Might even let the first company have it for free if they don't disclose that. ;)

"Do you ever get involved in developing PUF’s ? I think that innovations in this area are valuable. This has probably been discussed before here..."

Actually, you should google "schneier" and "PUF." There have been quite a few interesting discussions of them. The biggest one involved a magnetic stripe technology that was based on PUF's. Clive was quite vocal against the implementation, believing certain techniques could defeat it. This topic get's quite a mixed rap here. Not being a hardware guy, I stay off it because I know when I'm dealing with issues beyond my knowledge. I don't remember RobertT's stance on it, if he ever pushed one. If I have a stance, I'm very suspicious of PUF's. The reason? See biometrics' promises vs delivered results. Biometrics and PUF's are very similar in the abstract.

As for the trusted supply chain problem, yes that's a huge problem. I don't know if PUF's will cover it. It's why I pick an attacker's enemies to make the device. For instance, if foreign spies are the issue, a DOD certified fab in the states might be good for subversion resistance. If the US govt is the issue, a neutral (gotta be careful there) or anti-US firm might do. I also try to use at least three suppliers with randomized ordering to reduce likelihood of compromise. Random sampling of a percentage of units and testing for anomalous circuitry might help as well.

Nick P • July 3, 2011 12:38 AM

@ tommy

"It seems the VPN idea brought up some ideas, then was dropped. "

I figure I should respond to this. I think all of us are trying to keep the security baked-in at the protocol level and close to the application. This is higher than where most VPN's operate (Ethernet or IP layers). You could say our scheme's more akin to SSL. Having it application directed has some advantages: easier to verify proper functioning; can be tuned to needs of application; entire network infrastructure can be untrusted.

I didn't use LogMeIn Hamachi because I didn't trust them. I think their IP addressing scheme is novel, even brilliant. It might pose a risk in enterprises because those routers might assume that address space isn't used and be ignoring, using or modifying such packets someway. Pure speculation, but I don't like unknowns. In any case, the idea is nice, but my main reason for not talking about it is that I'd have to thoroughly analyze it. I just don't have time recently to do that. Maybe in the future. :)