Rich Freeman on 10 Feb 2018 19:22:24 -0800


Re: [PLUG] plug Digest, Vol 159, Issue 16

On Sat, Feb 10, 2018 at 10:02 PM, brent timothy saner
<> wrote:
> it does not solve the problems that none of the other solutions can
> solve, which are:

IMO the TPM-based solution can solve most of this, at least within the
PC itself (caveat below):

> - how do you prevent duplication of that data, either via a direct byte
> copy out somewhere or via some sort of screen capture

Within the PC the TPM-based solution would work by ensuring the key is
only released when trusted software is running.  The trusted software
wouldn't have the ability to copy the data anywhere, and the screen
contents would be protected as well within the computer hardware.

The viewer could be as simple as an initramfs containing the encrypted
data, a PDF viewer and an X server, and a bit of scripting to glue it
together (and virtually nothing else).  The scripting prompts for a
PIN and passes it to the TPM to retrieve the key(s) if the PIN is
valid and the PCRs match.  After the expiration time passes a script
tells the kernel to poweroff.  The PDF viewer would basically have no
functionality other than scrolling around, and there would be no way
for a user to run any software other than it.  The bootloader would
store the kernel+initramfs hash in a PCR before executing it, so any
modification to either would make the keys inaccessible.  As far as I
can tell trusted grub already supports this out of the box, so all you
would need to do is build a minimal initramfs.

Now, pointing a camera at the screen is a different matter, and it is
impossible to protect against this.

> - how do you have this data deleted after having been recalled in a way
> that cannot be thwarted

I already outlined the solution here.  I still am not convinced the OP
actually needs the data to be auto-deleted, but if it is necessary you
just have a two part key and after the software retrieves the first
part it instructs the TPM to delete it before retrieving the second

Philadelphia Linux Users Group         --
Announcements -
General Discussion  --
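The sealing flow Rich describes above (the bootloader measures kernel and initramfs into a PCR, the initramfs script presents a PIN to unseal the document key, and the sealed object is destroyed after retrieval), as an added example that is not part of the original post or the PLUG thread. It models the TPM semantics in Python rather than driving a real TPM (with tpm2-tools the same steps would be tpm2_pcrextend, tpm2_createpolicy and tpm2_unseal), so it runs offline; the PCR index, the lockout threshold, the PIN, and the kernel, initramfs and key bytes are all constructed stand-ins, and the PIN check and policy digest are simplified models of a TPM object's authValue and TPM2_PolicyPCR, not their exact encodings.

```python
import hashlib
import hmac
import os
from typing import Optional

HASH = hashlib.sha256
PCR_KERNEL = 8         # hypothetical PCR index the bootloader extends with kernel+initramfs
MAX_PIN_FAILURES = 3   # stand-in for the TPM's dictionary-attack lockout threshold

def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM PCR extend: PCR_new = H(PCR_old || H(data)); one-way and order-sensitive."""
    return HASH(pcr + HASH(data).digest()).digest()

def measure_boot(kernel: bytes, initramfs: bytes) -> dict:
    """What the trusted bootloader does: measure kernel, then initramfs, from the reset value."""
    pcr = pcr_extend(bytes(32), kernel)
    return {PCR_KERNEL: pcr_extend(pcr, initramfs)}

def policy_digest(pcrs: dict) -> bytes:
    """Model of TPM2_PolicyPCR: a digest committing to the selected PCR indices and values."""
    h = HASH()
    for idx in sorted(pcrs):
        h.update(idx.to_bytes(2, "big") + pcrs[idx])
    return h.digest()

class SimulatedTPM:
    """Holds sealed secrets and releases one only when the live PCRs reproduce the
    policy it was sealed under and the auth value (PIN) is correct."""

    def __init__(self) -> None:
        self._objects = {}   # name -> (secret, pcr selection, policy digest, pin hash)
        self.failed_auths = 0
        self.power_cycle()

    def power_cycle(self) -> None:
        """PCRs reset at power-on; sealed objects and the lockout counter persist."""
        self._pcrs = {PCR_KERNEL: bytes(32)}

    def extend(self, idx: int, data: bytes) -> None:
        self._pcrs[idx] = pcr_extend(self._pcrs[idx], data)

    def seal(self, name: str, secret: bytes, expected: dict, pin: str) -> None:
        self._objects[name] = (secret, tuple(sorted(expected)),
                               policy_digest(expected), HASH(pin.encode()).digest())

    def unseal(self, name: str, pin: str) -> Optional[bytes]:
        if self.failed_auths >= MAX_PIN_FAILURES:
            return None                       # in lockout: refuse even a correct PIN
        if name not in self._objects:
            return None                       # evicted, or never sealed
        secret, selection, policy, pin_hash = self._objects[name]
        live = policy_digest({i: self._pcrs[i] for i in selection})
        if not hmac.compare_digest(policy, live):
            return None                       # boot state differs from the sealed one
        if not hmac.compare_digest(pin_hash, HASH(pin.encode()).digest()):
            self.failed_auths += 1            # counts toward dictionary-attack lockout
            return None
        return secret

    def evict(self, name: str) -> None:
        self._objects.pop(name, None)         # destroyed; nothing outside the TPM can recover it

# Constructed stand-ins for the real kernel, initramfs image, document key and PIN.
KERNEL = b"vmlinuz-minimal-viewer"
INITRAMFS = b"initramfs: busybox + X server + pdf viewer + glue script"
DOCUMENT_KEY = os.urandom(32)
PIN = "1234"

def booted_tpm(kernel: bytes, initramfs: bytes) -> SimulatedTPM:
    """Provision: seal the key to a good boot's PCR values. Then power-cycle and let the
    bootloader measure whatever kernel and initramfs were actually loaded."""
    tpm = SimulatedTPM()
    tpm.seal("docs", DOCUMENT_KEY, measure_boot(KERNEL, INITRAMFS), PIN)
    tpm.power_cycle()
    tpm.extend(PCR_KERNEL, kernel)
    tpm.extend(PCR_KERNEL, initramfs)
    return tpm

def good_boot_releases_key() -> bool:
    return booted_tpm(KERNEL, INITRAMFS).unseal("docs", PIN) == DOCUMENT_KEY

def modified_initramfs_is_refused() -> bool:
    tampered = INITRAMFS + b" + scp"          # viewer rebuilt with a way to copy data out
    return booted_tpm(KERNEL, tampered).unseal("docs", PIN) is None

def pin_guessing_locks_out() -> bool:
    tpm = booted_tpm(KERNEL, INITRAMFS)
    for guess in ("0000", "1111", "2222"):    # MAX_PIN_FAILURES wrong guesses
        tpm.unseal("docs", guess)
    return tpm.unseal("docs", PIN) is None    # the correct PIN no longer helps

def key_is_gone_after_evict() -> bool:
    tpm = booted_tpm(KERNEL, INITRAMFS)
    first = tpm.unseal("docs", PIN)
    tpm.evict("docs")                         # the "delete after retrieval" step
    return first == DOCUMENT_KEY and tpm.unseal("docs", PIN) is None
```

The point the model makes concrete is that the PCR is only ever extended, never written, so a rebuilt initramfs cannot be made to reproduce the value the key was sealed to; and because the PIN is checked inside the TPM, guessing it is bounded by the chip's lockout rather than by how fast the attacker can try.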