[cryptography] Quick review of US Air Force (!) "Lightweight Portable *Security*" Linux Distribution

Thierry Moreau thierry.moreau at connotech.com
Fri Jun 10 11:55:10 EDT 2011

Dear all:

In another discussion, the link http://www.spi.dod.mil/lipose.htm was 
mentioned. (LPS: Lightweight Portable Security)

I was intrigued by the idea of a trustworthy kernel, Linux, packaged as 
a "features-lean" (my term) system, made available in s 
not-so-cumbersome form factor and cost structure (bootable CD or USB 
memory stick on x86 PCs), and providing this important lost item in a 
security-minded geek tool box: a terminal for remote access to servers 
characterized by trustworthy keyboard, display, and removable digital 
media (where you can store secrets).

So, I quickly reviewed this thing. Generally neat. But I am quite sure 
there are tons of things to fix (e.g. rng in support of SSH protocol 
handshake seems to rely on haveged for entropy but implementation 
minefield concerns remain).

Basically, the foundations of a secure system are (A) rng, (B) method 
for hiding a secret, (C) assurance of software integrity, and (D) tamper 
detection mechanism up to awakening someone who cares (no Linux system 
call for the latter).

With respect to (C) assurance of software integrity, the LPS is 
technically sound, but organizationally questionable. On the plus side, 
you trust the Air Force, don't you, and if it's usable and you actually 
do use it, you met the CYA criteria. On the minus side, usability and 
affordability weighted much more than any customization requirements 
(say I would like my own list of trusted CAs in the browser client in 
this trusted client environment, plus security fixes are facts of life 
and Air-Force-in-the-loop is much more demanding than just trusting them 
in the first place).

The plain organizational bug is that this is a (specialized) Linux 
distribution without providing access to the source code.

Let me whine a moment. I don't want to be forced to trust the Air Force 
simply because they benefited from GPL-ed software that they 
re-distribute. It's unfair that they wouldn't let me to likewise benefit 
per GPL terms and conditions.

As a reviewer, my background is installation of Linux Crux (something 
like Linux-from-scratch, but workable) for software assurance on the 
*server* side (the "Open source HSM" idea). So, I am in a position to 
appreciate the relevance and technical intricacies of the equivalent 
process for the *client* side that the air force went through. But their 
apparent non-compliance to GPL provisions is disturbing.

In summary:

- I share partial results of my limited review.

- Should I ask Obama (or whoever in the Air Force organization) for the 
source code of the LPS components that are GPL, or is this privilege 
reserved for the respective copyright holders of these components?

- Anybody has examples of source code distribution practical 
arrangements for other specialized Linux distributions?

- Anyone else sees the relevance of the LPS basic ideas? If not, how do 
I make sure my SSH connection to my secure server is not hacked locally 
on my laptop given that my children could have had root access to it at 
least on one occasion? (OK, I could trust them more than the Air Force, 
but you should see the point.)


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691

More information about the cryptography mailing list