Protecting encryption server

Denis BEURIVE denis.beurive at gmail.com
Tue Jul 28 22:33:42 CEST 2020


> Oh, quite the contrary.  It just forces the attacker to get clever.

If your server only sends data through an "outgoing data diode", then it
does not expose any entry point (you just disable all services: no SSH, no
ping, no HTTP... nothing). There is no way you can establish a connection
to the server. How can you hack a server if you have absolutely no way to
access it from the outside? It seems just impossible.

Now if you also use an "incoming data diode" to receive data, then you have
no direct feedback. The only feedback you get is through the "outgoing data
diode." It will be very difficult to get information about the server
internals in this condition. Imagine: you have a black box and you try to
model it from indirect feedback. Although it is theoretically possible, it
would be very difficult. It all depends on the resources you intend to
spend... Is the game worth the candle?

To make this task even harder, you can make the feedback very difficult to
analyze. For example, you can voluntarily introduce randomness. GNUnet does
it, for example. When you send a message to a node, you also send "fake"
messages to many other nodes (chosen at random). A spy (man in the middle)
could not distinguish between "fake" and "real" messages... You can
also randomly delay the responses: measuring the duration between
responses won't give any usable information. These are just examples. You
can think of many ways to make life harder for a "malicious man in the
middle" who tries to reverse engineer your system by collecting and
analyzing data collected by observing your black box.

Denis
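The cover-traffic scheme described in the message above (junk messages to randomly chosen peers, all the same size, each with a random delay), as an added illustration that is not code from this thread or from GNUnet: a sender-side scheduler and the view a passive observer on the wire gets. The peer names, the 256-byte frame size and the length-prefix padding layout are assumptions.

```python
import random
from dataclasses import dataclass

FRAME_SIZE = 256  # every frame on the wire is padded to this many bytes (assumed)


@dataclass
class Frame:
    recipient: str
    payload: bytes   # always exactly FRAME_SIZE bytes
    send_at: float   # seconds from now, after the random delay
    is_decoy: bool   # sender-side bookkeeping only, never on the wire


def pad(data: bytes) -> bytes:
    """2-byte length prefix + data + zero fill, so every frame has one size."""
    if len(data) > FRAME_SIZE - 2:
        raise ValueError("message does not fit in one frame")
    return len(data).to_bytes(2, "big") + data + bytes(FRAME_SIZE - 2 - len(data))


def unpad(frame: bytes) -> bytes:
    return frame[2:2 + int.from_bytes(frame[:2], "big")]


def schedule(real_msg: bytes, real_peer: str, peers: list, decoys: int,
             max_delay: float, rng: random.Random = None) -> list:
    """One real frame plus `decoys` same-size junk frames to distinct random
    other peers, each with an independent delay in [0, max_delay]."""
    if rng is None:
        rng = random.SystemRandom()  # a seeded Random is only for reproducible demos
    others = [p for p in peers if p != real_peer]
    if decoys > len(others):
        raise ValueError("not enough peers for that many decoy recipients")
    frames = [Frame(real_peer, pad(real_msg), rng.uniform(0, max_delay), False)]
    for peer in rng.sample(others, decoys):
        junk_len = rng.randrange(1, FRAME_SIZE - 2)  # true length hidden by padding
        junk = bytes(rng.getrandbits(8) for _ in range(junk_len))
        frames.append(Frame(peer, pad(junk), rng.uniform(0, max_delay), True))
    frames.sort(key=lambda f: f.send_at)  # the wire sees time order, not role
    return frames


def observer_view(frames: list) -> list:
    """What a passive observer can record: recipient, size and timing only."""
    return [(f.recipient, len(f.payload), round(f.send_at, 3)) for f in frames]


def demo(seed: int = 1) -> list:
    """Reproducible run on constructed peers: 8 nodes, 4 decoys, up to 2 s jitter."""
    peers = [f"node{i}" for i in range(8)]
    return schedule(b"hello node3", "node3", peers, 4, 2.0, random.Random(seed))
```

A single run hides which frame is the real one; independent per-message jitter can still be averaged away by an observer who records many messages, so it complements rather than replaces sending at a constant rate.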

On Tue, 28 Jul 2020 at 21:59, Robert J. Hansen <rjh at sixdemonbag.org>
wrote:

> > Have you heard about data diodes? If not, then you can read this
> > document:
> > <https://owlcyberdefense.com/blog/what-is-data-diode-technology-how-does-it-work/>.
>
> Strange but true: although I can't claim to have been on the research
> team that invented the data diode, I *was* on the research team that
> invented the first cheap optical data diode.  We packaged it up into an
> Altoids tin.  Total materials cost was under $100, and most of that was
> spent on the custom PCB.
>
> > Data diodes are unhackable because they rely on the laws of physics...
>
> Oh, quite the contrary.  It just forces the attacker to get clever.
>
> Our paper from 2006:
>
> https://www.usenix.org/legacy/event/evt06/tech/full_papers/jones/jones_html/index.html