BitLocker, Development, Encryption, Security, Trust

The Thames River Scenario and XKCD

This is a great comic, and I love XKCD.  Love it! However the attack referred to in this comic is one good crypto systems understand and counter.

I refer to it as “the thames river scenario”, and BitLocker (Windows Vista) will actually mitigate it if you want it to. 

Let’s back up for a second, and consider the scenario. I’ll simplify it for a second. There’s a key – called a password – that is needed to get at some information. PW are handy as a “thing you know” factor in authentication because we carry them around in our brains, but that is also the problem with them. Because they are in our brains they wind up being easy to remember, and anything easy to remember is easy to guess. Or to extract from someone’s brain… 

Most of us will never be tortured because someone wants the information off of our laptops. That’s because most of us don’t have the stuff on our laptops which people who feel the urge to torture want. However, there are people out there with things on their laptops that people want really really badly…

Meet Kumar. (Kumar isn’t a real person. I just made him up. However there are people like Kumar.)

Kumar works in the domestic intelligence in his central European country. He has been working very hard to crack a terrorist group  in his country, a group which he knows is responsible for at least 14 deaths and which has aspirations for many, many more.  We’ll call this group “El Patriots”, or EP for short. EP is at least thought to be funded by at least one foreign government, possibly more, because it seems better organized and more effective than it ought to be.

EP is also famous amongst the intelligence community for being cagey and extraordinarily secretive and very violent. They kill people. 

Kumar’s agency tracks EP in a variety of ways – cel phone data, GPS, data mining, and good old informants. Kumar is an affable and thoughtful man and thus he’s particularly effective at  “humint” – human intel, aka informants. The people he works with are often directly or indirectly involved in EP and usually speak to him because they think EP are evil and must be stopped, but also because they want money, or revenge, or like the excitement involved in being involved. 

Because Kumar is also organized, he keeps notes and lists about his network of informants – over 100 of them. He has spreadsheets, photos, files, extensive background checks, family trees, social networks… he knows a lot about these people and he keeps detailed notes about them because that’s his job. You never know if a trifling little fact – a mention that a suspected EP supplier stops at a certain coffee shop every Thursday after dropping his kids off at school – will turn out to be incredibly important. 

Kumar stores all of this information on his laptop. He uses data synching to keep as little of it as he can on the laptop, but there’s still quite a bit. If EP were to get the information on his laptop, people would die in a matter of days, perhaps even hours. Families living in other countries would be killed or kidnapped and tortured. It would be really bad.

When Kumar’s infosec team considered what security he needed on his laptop, they included Kumar in their threat model. They assumed they had a very skilled adversary with an essentially unlimited amount of money (foreign intelligence), and they assumed that this adversary actually knows that Kumar is an intelligence agent, so they and EP will be targetting Kumar’s laptop specifically because they are pretty sure that what’s on there is really worth stealing. Possibly worth killing for, possibly worth torturing for. 

So how do they protect that data? There are a variety of architectures to do this, but presuming that there’s data that Kumar needs on his laptop to SAVE lives, and at the same time that same data in the wrong hands will LOSE lives, then he’s going to need either access to the data locally or to actually possess the data locally to do the job of SAVING while minimizing the risk of LOSING. 

First off, encrypt the entire laptop. That’s a no brainer.

Then never rely on a single factor of authentication which is easy for Kumar to remember. PW = bad. It would be really lame if EP snatched the laptop and the PW turned out to be something they can brute-force in a few hours. 

If the hard drive is always encrypted, then the attacks shift to getting at the laptop in state where it is cheerfully giving up unencrypted data – eg when Kumar is logged in.

Aha! Kumar is now part of the threat model!

This has to happen sometimes, so you use policy enforcement to make sure that the system is in hibernate whenever the lid closes or it isn’t used for more than just a few minutes. That ensures that the keys used to managed the system aren’t in memory as well, where they are vulnerable. Reduce moments of “logged in” to when Kumar wants them to happen, like in a secure location. 

Okay, so what about Kumar? If they get Kumar along with the laptop, what happens then? Let’s say that Kumar is crossing a bridge in a foreign country and a van rolls up, out jump 3 armed men, they drag Kumar into the van and away they go… The best security system would mean that Kumar wouldn’t have to do ANYTHING and yet the laptop would be invulnerable. The hard part about this is that it implies the laptop is smarter than Kumar – it knows that Kumar has been snatched and so now it refuses to unlock even though Kumar is begging, pleading with it to open…

…this is hard. There are some really neat ideas for pulling this off, but as yet they tend to be so error prone that you might as well just not let Kumar carry the data (or access it) around. Dumb terminals on encrypted airgap copper networks in physically secure locations make SAVING lives too hard. 

Okay, so you are going to want to require multiple forms of authentication – eg one-time passwords, or smart cards, or biometrics are all examples…You want something that isn’t on the machine itself (needs to be separate, otherwise he can’t lock it if he’s, say, running away from the laptop which is now snatched). It needs to be small and portable, and it has to be impossible for Kumar to recreate, even under duress or subpoena.

You also want something that Kumar CAN’T give up. Thumb prints are terrible solutions for this – Kumar can’t stop someone from cutting his thumb off his dead body.  

I call this the “the thames river scenario” because it’s easy shorthand to encapsulate the situation. Kumar is on a bridge on the Thames and has a few seconds to render both himself and his laptop secure. In BitLocker the solution to this is to use a USB dongle containing a Very Large Key as an additional factor of authentication to the TPM and the PIN. Toss the USB dongle into the Thames and now there’s NO WAY that the system, which is in hibernation so there are no keys in memory (so no freon attacks)  can be unlocked. Kumar can’t unlock it, even if he wants to. Beat the crap out of him, it won’t matter. The key is huge and he couldn’t remember it even if he wanted to try. 

Smart crypto architects will note that there may be another key which can unlock it – a recovery key. But that is never with Kumar and Kumar doesn’t know it, can’t know it, has never even seen it. It’s printed on a piece of paper locked up in a very secure place inside Kumar’s intelligence agency and they won’t let it out, not even to save Kumar’s life.

So Kumar gets tortured, which is horrible and awful and bad. The only thing he can give up is what he remembers and the torturers now have to try and break him to get the data that he has in his head – eg names, addresses – out. It’s much harder. More people may die but then some evil-doers might die to as Kumar gives up names he knows of suspected EP members who aren’t his informants… Kumar is brave and dedicated and he knows if he talks then people die so feeds EP the wrong names, gives them false trails… in the end he coughs up everything he can remember but by then it’s less than it might otherwise be because the torturers are too violent and by the time Kumar is talking he’s so muddle headed and woozy he’s very compromised. EP has far less than they would have if they had the laptop. 

Note that in the less dramatic scenario where Kumar has his dongle in his pocket and the laptop in the briefcase and EP snatches the briefcase, they still can’t get in because he has the dongle.

If they get the dongle and laptop but no Kumar they still don’t have the PIN, which means, again, that they aren’t getting the data.

They need Kumar, concious and compliant (to get the PIN out of his head), the laptop, and the dongle. Not impossible, but now much much harder to pull off. Nearly as hard as we can make it. 

For us normal folks, BitLocker with TPM+USB+PIN is a bit much, but TPM+PIN w/hibernate is a good compromise.  

Good laptop encryption systems are capable of treating the possessor of the laptop as an adversary and are also capable of treating the rightful user of the laptop as no longer trustworthy. 

Be happy there are people like Kumar out there fighting the good fight against terrorist organizations who want to kill us, and be happy that there are good technologies out there which can help them.


2 thoughts on “The Thames River Scenario and XKCD

  1. Jeffrey Lemkin says:

    Systems like the ones you’ve described were probably at work in the background when Kumar broke out of Guantanamo.

    Multi-factor authentication like this became actually standard for every laptop at the place I last worked (Varolii) after several of our financial clients demanded it. The social reality was that the dongle was a PITA, so folks did things like attach it to their cardkey or their keyring or other, larger objects – or just popped it into the laptop case.

    Speaking as a writer – I personally find your scenario engaging, but it’s your next to last paragraph which really makes this post work for me. It’s clear, specific, and explicative of a rather technical issue to even a non-technical reader. You do good work, Peter.

  2. Thanks for the kind words, Jeff!

    Crypto dongles are too much of a PITA for most of us. However our cel-phones could one day fill that role pretty handily, and in a manner that is far less intrusive than a purpose-built or single-purpose dongle.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s