[cryptography] airgaps in CAs

Thierry Moreau thierry.moreau at connotech.com
Sun Jan 8 10:50:55 EST 2012

Florian Weimer wrote:
> * Eugen Leitl:
>> Is anyone aware of a CA that actually maintains its signing
>> secrets on secured, airgapped machines, with transfers batched and
>> done purely by sneakernet?
> Does airgapping provide significant security benefits these days,
> compared to its costs?
> File systems are generally less robust than network stacks.  USB
> auto-detection is somewhat difficult to control on COTS systems.  So
> unless you build your own transfer mechanism, a single TCP port
> exposes less code, and code which has received more scrutiny.
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography

About the same scrutiny that you need to make sure a single IP port 
would be listening can be applied to preventing USB port leaks.

In practice, I had to configure a Linux kernel devoid of USB support as 
a first motivation but it provided assurance about IP potential 
vulnerabilities (I don't recall the details). Thereafter, the selection 
of software packages was required for IP port restriction, but it also 
provided assurance about file system leaks.

I guess you can not equate high security (whether is labeled "air gap" 
or "IP port restricted") with any segment of the COTS system market.

With respect to the costs, both "air gap" and "IP port restricted" imply 
higher operational costs: they require more direct physical contact with 
the physical object (at least if you request *a*single*TCP* port, in 
which case you don't get SSH).

Overall, "air gap" (and certified HSM) are public relations security 
slogans. The real challenge in security encompasses key management and 
authentication/authorization management, but you seldom see them 
addressed in public records of secure operations (the ICANN DNSSEC root 
KSK management is the exception).


- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691

More information about the cryptography mailing list