Protecting encryption server

Denis BEURIVE denis.beurive at gmail.com
Tue Jul 28 21:51:52 CEST 2020


It all depends on what you want to do. Very secure technical solutions
exist. But these solutions may not be applicable in every situation.

Have you heard about data diodes? If not, then you can read this document:
<https://owlcyberdefense.com/blog/what-is-data-diode-technology-how-does-it-work/>

Data diodes are unhackable because they rely on the laws of physics: IT is
hackable. The laws of physics, on the other hand, are not. You cannot get
around the laws of physics, regardless of the amount of resources you are
ready to spend.

So, you may use a data diode to make sure that nobody can infiltrate your
signing server from the Internet.

However, this solution is 100% bulletproof on the condition that your signing
server "only sends data," that is, if it does not need to respond to
requests from the Internet. In this situation, your server does not expose
any network entry point. It only exposes an "unhackable, one-way-only" exit
point.

If your signing server needs to respond to requests from the Internet, then
you can implement "air gap isolation" with another data diode. An (unsafe)
server receives a request. It extracts the data from the request and sends
it to the (secure) signing server through a one-way-only exit point (a data
diode).

Therefore, your secure signing server has two data diodes: one for the
reception of requests and the other for the emission of signed documents.

This solution is not 100% bulletproof, since a carefully crafted request may
be used to hack the secure server (using the technique known as "buffer
overflow" to inject malicious code). However, without direct feedback (the
data diode forbids feedback) and without knowledge of the server's software
environment, doing so is really difficult. I doubt that it is practically
doable, although it theoretically is.

Thus, you could create a "practically" (as opposed to "theoretically")
unhackable (from the Internet) signing server.

Now, the question is: what can you do about the administrators?

The response may be: create a server that does not need to be administered
and protect it physically (place it in a safe, for example).

If your server only needs to sign documents, then it can be very "rustic
and cheap." A Raspberry Pi should be more than enough. You install a minimal
Linux distribution with only the bare requirements for your application. It
should not need to be administered. And if a problem occurs, don't bother
to fix it... just replace the server with a new one (ready to be used).

Denis




On Tue, 28 Jul 2020 at 17:39, Ayoub Misherghi <ayoubhm at gmail.com> wrote:

> A human environment went insane and uncontrollable. The system is
> intended to bring sanity back and maintain it.
>
>
> Client programs access server(s) for real-time encryption or decryption.
> A network of servers that may be located at different geographic
> locations. Each server would need keys that need to be protected. The
> servers are in a hierarchy communicating with each other securely as
> needed. Horrible environment to protect.
>
>
> Server design may need to be specialized with immunity to tampering and
> abuse. Operator and admin may need to be on constant
> monitoring/surveillance with biometric ID. Equipment may need to be
> identifiable and be under constant monitoring and surveillance.
>
>
> Grateful for all suggestions. Keep them coming. I have a lot to learn.
>
>
> Ayoub
>
>
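The two-diode layout Denis describes (an untrusted front end forwarding extracted request data over one diode, the isolated signer emitting signed documents over the other) has one consequence for the receiving side that is worth seeing in code: because the link gives no feedback, the signer can never ask for a retransmission or tell the sender that a frame was bad, so its parser has to bound every length against a fixed limit, drop anything that does not fit, and only count what it dropped. The following is an added example, not code from this thread or from GnuPG. The frame format, the `MAX_PAYLOAD` bound and the `SigningServer` class are hypothetical, and an HMAC stands in for the real signing operation so the example runs with the standard library alone.

```python
import hashlib
import hmac
import struct
import zlib

# Hypothetical frame format for the unidirectional link (not a real standard):
#   magic (4 bytes) | sequence (uint32) | payload length (uint16) | crc32 (uint32) | payload
MAGIC = b"DIO1"
HEADER = struct.Struct("!4sIHI")
MAX_PAYLOAD = 4096          # hard upper bound; longer frames are dropped unread


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Build a frame on the sending side of a diode. The sender can never be
    asked to retransmit, so the frame carries all the receiver needs to check it."""
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload exceeds MAX_PAYLOAD")
    return HEADER.pack(MAGIC, seq, len(payload), zlib.crc32(payload)) + payload


def decode_frame(buf: bytes):
    """Bounded parser for the receiving side. Returns (seq, payload) or None.
    Every length comes from the fixed-size header and is checked against the
    fixed bound before any payload byte is touched; malformed input is dropped,
    never 'repaired', because there is no channel on which to report it."""
    if len(buf) < HEADER.size:
        return None
    magic, seq, length, crc = HEADER.unpack_from(buf, 0)
    if magic != MAGIC or length > MAX_PAYLOAD:
        return None
    if len(buf) != HEADER.size + length:
        return None
    payload = buf[HEADER.size:]
    if zlib.crc32(payload) != crc:
        return None
    return seq, payload


class SigningServer:
    """The isolated server between two diodes: ingress frames arrive on one,
    egress frames leave on the other, and nothing else is exposed."""

    def __init__(self, key: bytes):
        self.key = key          # HMAC key stands in for the real signing key (assumption)
        self.last_seq = -1
        self.dropped = 0        # the only feedback possible: an audit counter on the egress side

    def process(self, raw_ingress: bytes):
        frame = decode_frame(raw_ingress)
        if frame is None:
            self.dropped += 1
            return None
        seq, document = frame
        if seq <= self.last_seq:    # duplicate or replayed frame
            self.dropped += 1
            return None
        self.last_seq = seq
        signature = hmac.new(self.key, document, hashlib.sha256).digest()
        return encode_frame(seq, document + signature)


def verify_egress(key: bytes, raw_egress: bytes):
    """Consumer on the Internet side: checks the frame, then the signature."""
    frame = decode_frame(raw_egress)
    if frame is None:
        return None
    seq, body = frame
    document, signature = body[:-32], body[-32:]
    expected = hmac.new(key, document, hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return None
    return seq, document


def demo():
    """Constructed traffic: one good request, then a truncated, an oversized
    and a bit-flipped frame, all of which the signer must silently drop."""
    key = b"constructed-demo-key"
    server = SigningServer(key)
    good = encode_frame(1, b"invoice-42.pdf contents")
    truncated = good[:-5]
    oversized = HEADER.pack(MAGIC, 2, 65535, 0) + b"A" * 65535
    corrupted = good[:-1] + bytes([good[-1] ^ 0xFF])
    results = [server.process(f) for f in (good, truncated, oversized, corrupted)]
    verified = verify_egress(key, results[0])
    return verified, server.dropped, results[1:]


if __name__ == "__main__":
    print(demo())
```

The point of `decode_frame` is that it reads the declared length from a fixed-size header, refuses it before allocating or touching anything if it exceeds the bound, and requires the buffer to be exactly header plus payload; that is the shape of parser a defender wants on the far side of a diode, where a crafted request is the only attack surface left and the dropped-frame counter, exported with the signed output, is the only way to notice one.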