Note: This article reflects a draft spec. The final product may be slightly different from what is herein described.
What's the idea here ?
The idea is that the 'computer insecurity industry' walks one path, while we walk another. It is plainly impossible to either securely operate computers or operate secure computers - or for that matter even live - unless absolute guarantees can be presented. While teeming with all sorts of reptilian and insect pullulation, the swamp of relativism is not hospitable to human life.
It is sad reality that such guarantees are all but absent in today's computing world. We make it our business and purpose in life to create products that may be used to enact absolute guarantees, to verify them and to enforce them - and in the process we both create the measures by which you can evaluate the freedom available in the world in which you live as well as provide the bricks upon which a free world may be built, one bit at a time.
Today's installment of these lofty ideas is a simple USB stick to make your private keys absolutely secure.
What is this Cardano thing then ?
The Cardanoi is a custom made solid-state USB mass-storage device, similar in size and shape to a standard external hard drive. The unit comes equipped with a USB connector, a red toggle switch (enclosed under a safety flip-cover) and a bicolor indicator light.
What does it do ?
The Cardano allows you to sign and decrypt gpg messages while ensuring that your private key remains inaccessible to an attacker, even should that attacker have controlii of the machine Cardano is attached to.
Consider the case of visiting a random net cafe or public library. Without Cardano you are in a relatively tough spot : even should you carry your gpg keyring and gpg software on a USB stick, and even should you be able to install gpg software on the respective computer, typing in the keyring passphrase would in all likelihood compromise that key. For instance if there's a keylogger present on the computer, the keylogger's owner now possessed of your gpg keyring and your gpg passphrase is just as much in control of your private key as you are.
With Cardano you simply pop the unit in, install no further software and proceed on your merry way, as if you had an airgappediii, linux based system available right there. One example use case would be identifying with gribble : you receive the challenge encrypted message from gribble, you put it through Cardano and you have the decrypted line necessary to indentify - all while your private key remains 100% safe.
Another use case would be the implementation of a better 2FA system. Yet another use case would be secure backups of a remote system : simply encrypt your backup to the correct key on the remote machine, download the encrypted file (even over a cleartext connection). Whenever the backups are needed you can retrieve the plaintext content by copying your encrypted back-up to a local Cardano unit.
How does it work ?
A) Key generation.
This step is mandatory upon first use. It is not necessary to supply power via the USB connector for this process - the internal battery will power Cardano during key generation.
1) Flip open the safety cover and throw the red toggle switch into the position marked 'ZAP.' The indicator light will flash red.
2) Return the toggle to the 'ARMED' position. The indicator light will flash green, and after approximately thirty seconds key generation will have completed.iv
The indicator will then turn a solid green. The device can now be plugged into a PC, which will recognize it as a thumb drive containing a 'FAT16' partition. Look for the file named 'PUB'. This is a gpg-compatible 'ASCII armored' public key. The key's identifier string is fixed, and contains the serial number printed on the bottom of the chassis.
B) GPG signature.
- Attach your Cardano to a PC and copy over the payload to be signed in the appropriate directory.
On a sane operating system your device will at this point signal that it has been ejected (without any need for you to physically touch it), process the file, write the intended result to the FAT partition and signal that it has been re-inserted, at which point you will find the signed file on the USB drive, which you may copy normally. At no point does Cardano store what you send to it, but simply processes the incoming data stream and stores it as the intended result. The filename will be changed to append the operation count after the filename, before the extension.
If running MS Windows or Mac OS you will need to software-'eject' the device yourself to ensure that the OS actually flushes your copied file to the stick.v
Attach your Cardano to a PC and place the payload to be decrypted in the appropriate directory. The drive will go through the same process as explained in B above.
This is in fact the first half of the Key Generation operation. (Section A.) Your Cardano is not actually destroyed or otherwise rendered inoperable by this action, but the current contents of your private key storage will be irretrievably lost.
1) Flip open the safety cover and throw the red toggle switch into the position marked 'ZAP.' The indicator light will flash red. While the toggle remains in this position, the key storage EEPROM will be filled in its entirety with zeroes, then with ones, and then once again with a sequence of random bits distilled from the built-in analog entropy source. This process will repeat until the toggle is returned to the 'ARMED' position or until the internal battery is exhausted.vi
If you are faced with the imminent loss of your Cardano to a malefactor, leave the red toggle in this position. There is absolutely no way known or conceivable through which a private key could be retrieved after this process. Do not casually throw the zap switch without having fully considered the implications for your security arrangements. Once zapped that key is gone. Gone.
2) Return the toggle to the 'ARMED' position. The indicator light will flash green, and after approximately half a minute key generation is complete. The old key has vanished, and a new one will have taken its place.
At the end of this procedure, the working slate will have been re-formatted, and will appear empty - as Cardano no longer possesses the old block-cipher key.vii
How is it made ?
- Other than the metal USB connector and the chassis with its lights and lever which are visible to visual inspection, the Cardano contains :
A) The key storage EEPROM. This is socketed for ease of removal and destruction should your application demand this.viii It can be replaced with any industry-standard SPI EEPROM of 8KB capacity or greater. Do not expect to be able to retrieve keys by removing this EEPROM : all keys are enciphered with a random block-cipherix key which is unique to your particular unit's firmware.
B) Cardano's firmware. This is a socketed antifuse (OTP) ROM which is unique to your unit and is engraved with the latter's serial number. If desired, it can be read on a common instrument sold for this purpose and its contents checksummed or otherwise perused. The checksum of your firmware ROM is printed on the bottom of the chassis, under the unit's serial number. For your safety, this ROM is non-reprogrammable. Please contact us for upgrades.
C) Working slate ROM. This Flash ROM is removable, and may be inspected or replacedx by customers either before deploying the unit or at any point during.
D) Internal battery. This is a disposable lithium cell. Please contact us or your favourite local electronics vendor for replacements. A working battery is required for the Key Generation / Self-Destruct operation, and in the interest of your own safety you are advised to not let it get to its absolute last legs.
E) Entropy generator. This is an avalanche noise array, with some sanity checking in place.xi
These components are assembled together in such a way that only the firmware has access to the private key storage, which it uses in specified, non-reprogrammable ways which do not include any way to dump the key.
What if the thing breaks ?
If the file 'SAD' appears on your working slate, please consult its contents for maintenance instructions. Something has gone seriously wrong, included but not limited to: failure of the key-storage EEPROM; the working slate; the entropy generator; or the internal battery.
What if someone steals my Cardano ?
You should probably let any third parties you are in communication with know that you will be using a new public key. Ideally you accomplish this by signing a declaration / the new public key with your known master, such as for instance by use of your secret, buried-in-the-garden master Cardano. Because yes, you can have more than one of these things.
I forgot my Cardano at the library, and now I don't know if someone used it while I was away.
Yes, you do know. The Cardano counts each operation. If the current count is above what it was when you left the unit behind, it has been used that many times. There is no easy way for an attacker to modify that value, and any casual attempt would likely leave the unit in quite a sad state.
That aside, note that this is not the intended mode of operation for the unit, and if at all possible you would be well advised to rescind as a matter of policy any public keys for any units which you did not maintain under your uninterrupted physical control.
Why is Cardano better than just buying an old laptop off eBay ?
For one, a Cardano is smaller and lighter. For another, a Cardano is probably cheaper.xii More importantly, the Cardano has much better entropy generation than is available on any consumer x86 machine made before 2005 or soxiii.
I am a developer, can I help ?
Yes. The most useful thing you can do is change any system that you control which relies on "2FA" to be able to use Cardano based 2FA. This will require you to obtain and store a user's public key, and then issue challenges encrypted to that public key as part of the verification process. This is very much in your best interest, as the Cardano provides much better security than what can be obtained from generic 2FA usb sticks or smart phones.
- So named in honor of Girolamo Cardano (1501-1576), Italian Renaissance polymath, as well as one of the girl's cats, which hereby promises to not chew electronic parts ever again. [↩]
- Including physical. [↩]
- This is not a misrepresentation of fact, as you will see in the technical description. [↩]
- For increasing the safety of your key it is advisable to place the unit into a Faraday cage - such as for instance a correctly installed, not powered on microwave oven - during key generation. [↩]
- You still won't need to actually unplug the stick. In many cases it may also be possible to issue an equivalent command to linux' mount -o sync /dev/sdb1 /mnt/usb or otherwise disable the overbearing OS cache for USB drives - please refer to your OS documentation for further instructions. [↩]
- On a fresh Cardano the battery lifetime will far exceed any reasonable application of this procedure. If your battery is getting iffy you are well advised to either replace it or get in touch with us to have your unit serviced. [↩]
- Yes, the working slate is encrypted [↩]
- The indicated manner of destroying EEPROMS is through oxidation, for instance through the use of a high temperature controlled flame such as from a magnesium strip. Alternative chemical destruction such as for instance through Brønsted acids may also be effectual. Do not rely on electric or electromagnetic means for this application. [↩]
- Practically speaking an OTP in this application. [↩]
- Should you not wish to obtain a new unit it can be replaced when it has exhausted its maximum write-cycle count. Stressing your Cardano unit in this manner is perhaps unadvisable, but you are entitled to your own decisions. [↩]
- Note that if you are a security researcher or cryptography specialist and would like to verify the quality of our on-board entropy generation we will be happy to send you our entropy generator at no cost to you, in consideration of a promise to publish your review within some reasonable time frame. Please contact us with an url to your blog for this purpose. [↩]
- On a cash basis. It would take you at the minimum a few hours of expert time to set-up your second hand laptop in such a way as to offer the same guarantees Cardano offers out of the box, putting the full cost of the laptop alternative squarely in the four figures range. [↩]
- After that date the odds that the CPU has been diddled to provide crackable "entropy" are significant. [↩]