[cryptography] Quick review of US Air Force (!) "Lightweight Portable *Security*" Linux Distribution
thierry.moreau at connotech.com
Fri Jun 10 11:55:10 EDT 2011
In another discussion, the link http://www.spi.dod.mil/lipose.htm was
mentioned. (LPS: Lightweight Portable Security)
I was intrigued by the idea of a trustworthy kernel, Linux, packaged as
a "features-lean" (my term) system, made available in a
not-so-cumbersome form factor and cost structure (bootable CD or USB
memory stick on x86 PCs), and providing this important lost item in a
security-minded geek tool box: a terminal for remote access to servers
characterized by trustworthy keyboard, display, and removable digital
media (where you can store secrets).
So, I quickly reviewed this thing. Generally neat. But I am quite sure
there are tons of things to fix (e.g. rng in support of SSH protocol
handshake seems to rely on haveged for entropy but implementation
minefield concerns remain).
Basically, the foundations of a secure system are (A) rng, (B) method
for hiding a secret, (C) assurance of software integrity, and (D) tamper
detection mechanism up to awakening someone who cares (no Linux system
call for the latter).
With respect to (C) assurance of software integrity, the LPS is
technically sound, but organizationally questionable. On the plus side,
you trust the Air Force, don't you, and if it's usable and you actually
do use it, you meet the CYA criteria. On the minus side, usability and
affordability weighed much more than any customization requirements
(say I would like my own list of trusted CAs in the browser client in
this trusted client environment, plus security fixes are facts of life
and Air-Force-in-the-loop is much more demanding than just trusting them
in the first place).
The plain organizational bug is that this is a (specialized) Linux
distribution without providing access to the source code.
Let me whine a moment. I don't want to be forced to trust the Air Force
simply because they benefited from GPL-ed software that they
re-distribute. It's unfair that they wouldn't let me likewise benefit
per GPL terms and conditions.
As a reviewer, my background is installation of Linux Crux (something
like Linux-from-scratch, but workable) for software assurance on the
*server* side (the "Open source HSM" idea). So, I am in a position to
appreciate the relevance and technical intricacies of the equivalent
process for the *client* side that the air force went through. But their
apparent non-compliance with GPL provisions is disturbing.
- I share partial results of my limited review.
- Should I ask Obama (or whoever in the Air Force organization) for the
source code of the LPS components that are GPL, or is this privilege
reserved for the respective copyright holders of these components?
- Does anybody have examples of practical source code distribution
arrangements for other specialized Linux distributions?
- Does anyone else see the relevance of the LPS basic ideas? If not, how do
I make sure my SSH connection to my secure server is not hacked locally
on my laptop given that my children could have had root access to it at
least on one occasion? (OK, I could trust them more than the Air Force,
but you should see the point.)
- Thierry Moreau
CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1