This page is about the client hardware (and related security) used to sign transfer requests, not the server hardware, which is usually an ordinary PC set up in a secure way. Challenge: almost anyone should be able to use their wallet securely, without prohibitive hardware or labor costs.
On a typical Microsoft Windows PC, which may well be running spyware (keyloggers), it has become very insecure to enter the secret key or passphrase by keystrokes.
- Clicking the passphrase on an on-screen keyboard, as loom.cc does (keyboard.js javascript), helps a bit: a keylogger sees no keystrokes. It does not help against spyware that records mouse positions together with screenshots.
- It is better still if the keyboard is moved around slowly and quasi-randomly on a bigger canvas (seed coming from the server): the user can still click easily, but an attacker who only logs click coordinates has a harder time finding out which key was actually clicked. Spyware that captures the screen at the moment of the click still wins, so this is a mitigation, not a fix.
- For real security, a dedicated hardware key is needed. Luckily, if the dedicated hardware is a PC, it can be used for other tasks at other times, which brings the extra financial investment to near zero. The only cost is a few minutes to boot a separate system (e.g. from a CD-ROM) for EpointSystemWebBalance, and to remove the storage device (USB stick) holding the wallet afterwards, so that it is inaccessible to any spyware running under the everyday operating system, e.g. Microsoft Windows.
An off-the-shelf solution: Mepis8
We successfully booted Mepis8 (32-bit version) on a 32-bit PC and used the pgp.epointsystem.org Java applet (so EpointSystemWebBalance will also run) out of the box with Firefox.
- Nothing special was needed. Mepis connected to the network automatically (via Ethernet in this case, but we also used it with WiFi on notebooks), Java (1.6) was installed, and Firefox was configured to allow Java (and Flash too, which is not very interesting for us).
- We actually booted from a DVD, not a CD. After the 700 MByte CD image we placed 3.5+ GByte of other data (it can be mounted with losetup -o 712577024, i.e. starting at 2048-byte sector 347938, right after the end of the ISO9660 volume). This might be useful for something, e.g. watching movies about the monetary system (mplayer is also available on Mepis8). The Money Masters I-II?
- A USB stick (or other removable storage device) can be used to store persistent data that must not be lost on reboot. This includes
- keys (wallet)
- backups of transaction requests and results
- Mepis data, like the WiFi setup (SSID, credentials, etc.), proxy settings, etc.
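The losetup offset above can be derived instead of remembered: the ISO9660 Primary Volume Descriptor in sector 16 records the volume size in blocks and the block size, and everything on the disc past volume_blocks * block_size is the appended data. The script below is an added example, not a tool from the Mepis or EPoint projects; it reads those fields with od and dd from a small constructed image (not a real Mepis disc) and prints the losetup command for the real device. It assumes a little-endian (x86) host, because od uses native byte order.

```shell
#!/bin/sh
# Added example: find where data appended after an ISO9660 image starts.
# PVD layout (byte offsets inside the descriptor, which lives at byte 32768):
#   1-5    magic "CD001"
#   80-83  volume space size in logical blocks, little-endian
#   128-129 logical block size, little-endian (normally 2048)
# The Mepis8 case: 712577024 = 347938 * 2048, i.e. the CD image was 347938 sectors.

PVD_OFFSET=32768

# Read an unsigned little-endian field; $(( )) strips od's leading spaces.
le_field() {   # le_field FILE BYTE_OFFSET WIDTH(2|4)
    echo $(( $(od -An -t "u$3" -j "$2" -N "$3" "$1") ))
}

iso_block_size()    { le_field "$1" $((PVD_OFFSET + 128)) 2; }
iso_volume_blocks() { le_field "$1" $((PVD_OFFSET + 80)) 4; }

# Print the byte offset at which the appended data starts. Fails (exit 1)
# when FILE is not ISO9660 or nothing follows the ISO9660 volume.
iso_tail_offset() {
    file=$1
    magic=$(dd if="$file" bs=1 skip=$((PVD_OFFSET + 1)) count=5 2>/dev/null)
    [ "$magic" = "CD001" ] || { echo "not an ISO9660 image: $file" >&2; return 1; }
    offset=$(( $(iso_volume_blocks "$file") * $(iso_block_size "$file") ))
    size=$(( $(wc -c < "$file") ))
    [ "$size" -gt "$offset" ] || { echo "no data after the ISO9660 volume" >&2; return 1; }
    echo "$offset"
}

# Constructed test image: 20 sectors of zeros, a PVD claiming 18 sectors of
# 2048 bytes, and the marker "EXTRA" at the start of the appended area.
make_fake_iso() {
    dd if=/dev/zero of="$1" bs=2048 count=20 2>/dev/null
    printf '\001CD001\001' | dd of="$1" bs=1 seek=$PVD_OFFSET conv=notrunc 2>/dev/null
    printf '\022' | dd of="$1" bs=1 seek=$((PVD_OFFSET + 80)) conv=notrunc 2>/dev/null   # 18 blocks
    printf '\010' | dd of="$1" bs=1 seek=$((PVD_OFFSET + 129)) conv=notrunc 2>/dev/null  # 0x0800 = 2048
    printf 'EXTRA' | dd of="$1" bs=1 seek=$((18 * 2048)) conv=notrunc 2>/dev/null
}

tmp=$(mktemp -d)
make_fake_iso "$tmp/disc.iso"
off=$(iso_tail_offset "$tmp/disc.iso")
echo "appended data starts at byte $off"
echo "on the real disc (as root): losetup -o $off /dev/loop0 /dev/sr0 && mount -o ro /dev/loop0 /mnt"
rm -rf "$tmp"
```

Point iso_tail_offset at /dev/sr0 (or the .iso file) to get the number for your own disc; the magic check stops you from mounting garbage at a bogus offset when the disc is not ISO9660 at all.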
Brainstorming about advanced features possible with Mepis8
- While it is theoretically possible to append to the DVD (Mepis-8 has k3b installed too), this requires much experience. The risk of making the DVD unbootable, or of losing more data than just the current session (e.g. a power outage during DVD writing), is high.
- When someone uses properly encrypted network storage (accessed directly, or through an applet's server), then it might be safe to experiment with DVD appending, but then it is not much needed anyway.
- We might create an ISO image in which Firefox allows only epoint.* URLs by default (and starts at the preconfigured URL of the given LETS system).
- This helps prevent spyware from being installed when the user checks his video feed before accessing his web balance. It MUST be possible to circumvent the filter if one explicitly chooses to (and clicks "OK, I know this worsens the security risks").
In any case, people MUST be trained to follow a certain protocol: always use web-balance first (right after booting), and only play with the PC (YouTube, email, etc.) after the wallet USB storage has been removed.
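The protocol above can be enforced by the live system instead of relying on training alone. The wrapper below is an added example, not the project's own tooling: it mounts the wallet stick with nosuid,nodev,noexec (nothing on the stick is ever executed), starts the browser on the web-balance URL before anything else, keeps a dated backup of the request/result files on the stick, unmounts, and then refuses to hand the PC back until the device node has disappeared, i.e. until the user has physically pulled the stick. The WALLET filesystem label, the /mnt/wallet mount point, the $HOME/epoint request directory and the exact balance URL are assumptions.

```shell
#!/bin/sh
# Added example: wallet session wrapper for a Mepis-style live system.
# Assumed conventions (not from the project): the stick is labelled WALLET,
# requests/results written by the applet land in $HOME/epoint.

WALLET_DEV=${WALLET_DEV:-/dev/disk/by-label/WALLET}
WALLET_MNT=${WALLET_MNT:-/mnt/wallet}
BALANCE_URL=${BALANCE_URL:-https://pgp.epointsystem.org/}
MOUNT_OPTS="nosuid,nodev,noexec,sync"   # sync: a yanked stick loses nothing buffered

# Copy the files in SRC_DIR into a dated backup directory under the wallet
# mount and print that directory.
backup_requests() {   # backup_requests MNT SRC_DIR
    dest="$1/backup/$(date +%Y-%m-%d)"
    mkdir -p "$dest"
    for f in "$2"/*; do
        [ -f "$f" ] && cp "$f" "$dest/"
    done
    echo "$dest"
}

# Poll until PATH no longer exists (stick pulled); return 1 after TIMEOUT seconds.
wait_for_removal() {   # wait_for_removal PATH TIMEOUT_SECONDS
    n=0
    while [ -e "$1" ]; do
        [ "$n" -lt "$2" ] || return 1
        sleep 1
        n=$((n + 1))
    done
    return 0
}

wallet_session() {
    [ -e "$WALLET_DEV" ] || { echo "insert the wallet stick first" >&2; return 1; }
    mkdir -p "$WALLET_MNT"
    mount -o "$MOUNT_OPTS" "$WALLET_DEV" "$WALLET_MNT" || return 1
    # Web-balance first: the browser is started on the balance URL only, and
    # the session ends when the browser is closed.
    firefox "$BALANCE_URL"
    # Keep a copy of what was requested and signed on the stick itself.
    [ -d "$HOME/epoint" ] && backup_requests "$WALLET_MNT" "$HOME/epoint"
    sync
    umount "$WALLET_MNT"
    # Nothing else happens until the stick is physically out of the machine.
    echo "Remove the wallet stick now."
    wait_for_removal "$WALLET_DEV" 300 || { echo "stick still inserted; not continuing" >&2; return 1; }
    echo "Wallet stick removed; the PC may be used for other things now."
}

# "sh wallet-session.sh run" (as root) runs the session; sourcing the file
# only defines the functions.
if [ "${1:-}" = run ]; then
    wallet_session
fi
```

The order is the point: browser, backup, unmount, then a blocking wait on the device node, so that YouTube and email can only start once the keys are out of reach of anything the user picks up afterwards.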
Own hardware - postponed indefinitely
A few years ago we planned to roll our own hardware key with an ARM processor, a small LCD and USB device capability. Note that most MP3 players nowadays have these specs for 15-30 EUR (some can also send sound via FM radio). It would be nice to get the programming interface of a cheap MP3 device. With all the PDAs (even an old Compaq iPAQ can easily be used for the purpose) and cheap PCs out there, it makes sense to prepare easy-to-use software tools so people can boot them for signing.
If the USB key is inserted just before EpointSystemWebBalance operations, the operating system can be made from, e.g.:
- systemrescuecd (small)
- or Mepis Linux (bigger, but usually allows a WiFi connection easily and provides persistent storage on the USB stick)
- or the installer of another Linux, e.g. Ubuntu
- or an ncurses web-balance application integrated inside GRUB. Currently GRUB networking is rather limited, so a "relay" would have to be set up nearby, or we would have to teach GRUB some TCP/IP, including HTTPS. That might be a bit much work unless someone very experienced in network coding and the available libraries is available.
- or some other method
Rolling our own "display hardware", which could be used as a perfect wallet, is postponed (the cheapest 4x20 alphanumeric display is 12 EUR), unless it is needed for some other embedded control task, like GazMotor.
We have several displayless hardware designs though; a few of them can be used as USB-RS232 adapters. Such a device, connected via USB, can provide signatures. But without a display, how does the user see what is being signed? Setting up the device (e.g. adjusting transfer limits, either beforehand or during the signing operation) requires a secondary connection to the device, and if that connection is forged (e.g. a 100 EUR limit is presented to the user while the PC actually sends a 666 EUR limit, or worse, the destination is forged), without a display this can only be noticed too late. A signer with no trusted output of its own has to trust the very PC it is supposed to protect against.
Most PCs can easily boot from CD-ROM. Booting from USB is less easy, and Etherboot is harder still. We must make a widely usable method available.
A CD-ROM plus a dedicated USB stick (a USB stick used only for balance and keys; it should NEVER be inserted in any machine running Microsoft Windows or other spyware).
We call it a USB stick, but of course other removable storage like an SD card can be used the same way if the notebook (and its BIOS, if the card is used for booting as well and not just for data storage) allows it.
EEE PC - small, high-performance notebook, but it has no CD-ROM
- First enable USB boot and then put USB boot at the top of the list.
- They usually avoid having it enabled as it causes a lot of support calls when people forget a USB stick in the computer.
- I forgot how I booted it. Mine insists that the USB drive is a hard drive, not a removable device.
- "insists that the USB drive is a hard drive, not a removable" => good hint, thanks! I only tried removable.
- So you have to set the boot order of your harddisks correctly...bloody china-men...
- It's worse than that... it depends on which tool you use to write the USB stick. When using the image writer tool recommended by the Moblin guys, it comes up in the hard disk list. When using the Windows tool recommended by the Ubuntu guys for the ISO files, it comes up in the boot priority list...