IBM Running Linux On Secure Hardware

Schmad writes: "IBM announced at LinuxWorld today that IBM Research and Cryptographic Appliances have Linux running on FIPS 140 Level 4 hardware. Imagine, Linux running in a totally secure environment! Peter Gutmann, father of the crypto toolkit cryptlib, has some things to say about it here."

Aha

[Mike+Schiraldi]

By running Linux, it enables much easier migration and porting of applications into the secure environment than with the current CP/Q operating system

So, um, would CP/Q be the fifth version of CP/M? That would certainly explain why they found it lacking...

Re:Aha

[A+Commentor]

So, um, would CP/Q be the fifth version of CP/M? That would certainly explain why they found it lacking...

No the fifth version of CP/M is MS-DOS 5.0.

Secure Environment

[doorbot.com]

Apparently, the PCI card itself detects (physical?) intrusion attempts. What exactly it does when an attempt is made would be nice to know..

Does it shut down?
Send a pack of dogs with bees in their mouths for you?
High amperage electrical shock?
Immediately, and permanently bond itself to the intruding device/intruder?
Explode a packet of purple paint?

So while that sounds good and all, it still is a PCI card. Is this a "Linux as an OS" product or a "Linux Embedded" product?

Re:Secure Environment

[David+Price]

I believe that, upon intrusion detection, the IBM card zeroizes all its RAM in a secure and non-recoverable fashion. The idea is that you can generate your crypto keys and keep them on the card, never exposing them anywhere outside its secure perimeter. This means that if an attacker gains physical access to your server (by breaking into the machine room or somesuch), even that level of access will be insufficient to recover the key material.

This level of paranoia is appropriate for organizations for whom Crypto is Life (think CAs, credit card companies, banks, big e-commerce houses, etc.)

Re:Secure Environment

[Shortwave]

During the situation with the US Navy EP-3 on Hainan Island, CNN interviewed a gentleman (think he was NSA or some agency, not sure) who demonstrated some of the boxes on board the plane. Just removing a screw causes the box to zap to firmware inside and you're just left with an anchor - useless silicon with nothing on it.

I like the Superman III scenario personally. For some reason that scared the crud out of me when I saw it in the theater. I was about 7 then. Didn't look at my C64 for a week :-)

You mean?

[jmv]

Linux running in a totally secure environment

You mean that Linux runs on a powered-off PC cast in concrete? (That's the only totally secore environment I know)

Redneck secure mobile linux

[Ukab+the+Great]

I can get a mobile version same thing by tying my Agenda VR around the neck of a pit bull.His rate is actually quite competitive with that of a well-trained security specialist.

you're wrong.

[mirko]

IBM is an R&D company, they don't need to produce to make money, they rather rely on the royalties they get on each patent they may "rent" to their customer.
Actually this is the most secure way to make money as you can still rely on what you already patented.

I sure hope...

[cperciva]

I sure hope that this isn't running RedHat 6.2.

Jokes aside, secure hardware is useless when combined with insecure software -- and so far it seems that the software part has been a much bigger problem.

Is this thing REALY secure?

[HuskyDog]

For some time I've been thinking about the problem of having REAL computer security. I'm not a crypto expert, but at the end of the day it seems to me that the nub is that you need a good algorithm (these seem to exist) and you need to keep your secret key secret.

Now, I can run a secure version of Linux behind a decent firewall and keep my secret key on that, but what stops the feds from breaking into my house whilst I am at work a sniffing it straight off the hard drive. I could perhaps keep the key on a PDA or some sort of dongle and lug it around with me, but I could always be "mugged".

Bottom line. Is this IBM doo-hickey tamper resistant against the average thief or can it keep the feds at bay? As the DMCA (and forthcoming EUCD) makes more and more of us into potential felons this sort of issue is becoming increasingly relevant.

BTW, how much do they cost?

Re:Is this thing REALY secure?

[dasunt]

The encryption algorithms are secure. You can find more then a few solid encryption schemes available on the net if you look. Others that I trust say the mathmatics behind them are sound, and that by today's standards, breaking them would be difficult, if not impossible, even with the resources the feds have.

So, if you never keep your key on the hard drive, and instead only keep it in ram, having to manually retype it every time you want something, there is no possibility of anyone rebooting and having easy access to your encrypted data (if you disclude the possibility of unencrypted stuff showing up in swap, and with memory prices the way they are, I'd just throw a gig of ram at the problem and turn swap off.) If I had such a setup (and I don't, I'm a windows luser that is content with E4M), that actual encryption scheme and the way it was carried out would be secure to my heart's content.

Now, if this data is very important to you, I would only decrypt it when nessessary. That way, if the feds come, the chance of you having the data accessable is small. If you need to remotely access the data and it has to be up all the time, then you are in more trouble. However, it seems that when the feds do seize your equipment, they remove it, with removal, the power is turned off, and the memory is thus cleared. If you are really paranoid, just setup something in the door that as soon as its opened, it resets the power of the computer. Actually, it would be trivial for a skilled person to setup a nice motion sensor hooked up to the computer that can be remotely turned on/off, and if turned on, would reset the computer if it detects motion.

Just my $.02

Re:Allows for protection of intellectual property?

[Diomedes01]

So this new hardware will allow for the protection of intellectual property, which in turn will allow for cesorship and government control over the internet. This doesn't sound like good news to me.

Jesus H. Christ on a freakin' popsicle stick, man! I am really tired of people who immediately blow up when they hear the phrase "intellectual property". Yes, there have been some stupid patents approved by the US Patent Office. Yes, companies have been crying "protect intellectual property" whenever someone comes up with a way to view/edit/manipulate "protected" data. Does this mean that intellectual property is bad? No.

All this means is that some intellectual property laws need overhauling, and the Patent Office needs a swift kick in the ass. I bet that if you invented something that could conceivably make you a lot of money, you wouldn't want every Joe Schmoe making a cheap knock-off of it and selling it for 1/4 the price you could have charged. Someone will always lose; TANSTAAFL. Either the inventors lose, and there's no more innovation, or the consumers pay a bit more and support people who are inventing and making our world better.

One nit, and one stupidity....

[wowbagger]

First, the stupidity: the article says:

In addition, Linux provides better support for new features, which are not supported by the custom OS such as running multiple potentially hostile applications on the same 4758 coprocessor card....

This rather defeats the whole purpose: if you allow a "hostile app" (read: an application you don't control, don't have the source for, and don't trust implicitly (e.g. Windows)) to run on this card, you have just thrown the security of the card out the window. The whole idea is that the crypto functions take place in a secure environment where everything can be trusted. If you want to run Realplayer or something, run it on the host CPU, not the card!

Second, the nit. I work with secure comms products, and the term "zeroize" has always grated on my ears: You zero the keys, you randomize the keys, but you don't "zeroize" them. This is a typical case of the government type making up a word because it makes him sound more important. Yes, I know full well that "zeroize" is the accepted term in secure comms, but it still sounds stupid!

We use these at work

[landtuna]

We use IBM 4758s at work. They're a huge pain to deal with - we've had a bunch spontaneously die. Apparently the earlier boards were more sensitive to pressure and things like that, and they just gave up on life as a result.

The difficult thing about programming these boards is all the states they go through in the lifecycle of getting code securely loaded. There are a million different utility scripts to change the state of code trust.

I'm curious to see how linux handles all this secure code loading stuff. Let's hope it's easier.

(Not that I'm disparaging these boards. What they do is really amazing, as far as they can assure you that your secrets inside will never get out and the code that you have running there is your code.)

Re:We use these at work

[John+Harrison]

They're a huge pain to deal with - we've had a bunch spontaneously die. Apparently the earlier boards were more sensitive to pressure and things like that, and they just gave up on life as a result.

Here is my understanding of the situation. The internals of the 4758 are wrapped in paper that has a grid of conduting ink inside it. If any change in the conductivity of the ink is detected the 4758 is zeroed. So if someone manages to stick a logic probe thorugh the epoxy that seals the box, piercing the paper will zero the memory.

The supplier of this wrapper intially used ink that was past the expiration date. It degraded after manufacture and the boards detected this as an intrusion attempt. This has been fixed now.

Shipping the boards is also a pain. I think they are made in Italy and the changes that occur in temperature and pressure while they are in transit used to cause them to zero.

Re:This begs the question:

[A+Commentor]

So, since you're all so quick to bitch at people for the slightest possibility of a so-called GPL violation, will you also bitch at IBM if the entire software kit is not freely available to *ANYONE* who wishes to look at the source?

GPL does NOT require to you give it to ANYONE. You only have to give it to customers that ask for the source, but then you CAN NOT RESTRICT how those customers use or distribute it.

Re:Mirror- build your own

[Lumpy]

Sounds like a simple PC locked in a safe surrounded by Plastic explosive would be a cheaper option...

It's funny, they spend billions to make a "secure" hardware platform while you only have to spend a few million and common knowlege to make a generic platform secure. -- Put the PC where no-one can get to it, inside a faraday cage, and shoot anyone that comes near it.

pretty darn simple to get a secure computer.

Re:Cryptography != security

[jeffy124]

nope he's actually correct. crpyto is only one piece of a security puzzle. Crpyto provides confidentiality in communications, but there's also intergrity which is something like computing an md5 of the clear-text message and attaching it to the clear text then encrypt it, and authentication which is being able to determine that the public key given to you actually belongs to the person it says it does. Primary way of doing that is digital signitures.

Re:Unfortunatly this is our dreaded future...

[Tackhead]

> As cool as it is, it's hardware like this that will make it impossible to control our own computers - It will make content controll almost unbeatable, and turn personal computers into unfathomable black boxes.

Depends on the firmware, doesn't it?

I'd like to see hardware like this with field-programmable parts. Stick in a CD-ROM and a blank hard drive and boot.

I'd like to see it commoditized. You buy this box just like you'd buy a PC and an unformatted hard drive. The CD-ROM installs the OS and sets up everything through a series of dialogs.

I'd like to see such a box in every hax0r'z closet, effectively acting as a router with a big-ass cache, and hooked up by wire to another router, the other end of that router hooked up to a wireless link.

I'd like to see Freenet scale.

What FIPS-140-1 Level 4 buys you

[hal9000(jr)]

Among physical and electronic tampering detection and reaction (zeroing out the memory upon detection), and the requirment that data on the device doesn't leave the device (like secret keys, etc), you get detection against enviornmental attacks such as super cooling the device in an attempt to disable or disarm other tamper detection.

So if your IBM 4578 gets stolen, recovering the data there in will be that much more difficult.