1998-02-11 - TEMPEST open-source definition version 0.1alpha

Header Data

From: Ryan Lackey <rdl@mit.edu>
To: cypherpunks@Algebra.COM
Message Hash: 350539490ef71e337c36bf7a4271c83d31b68426da2152dc94d629ecdeb0677f
Message ID: <199802110119.UAA04666@the-great-machine.mit.edu>
Reply To: N/A
UTC Datetime: 1998-02-11 01:22:21 UTC
Raw Date: Wed, 11 Feb 1998 09:22:21 +0800

Raw message

From: Ryan Lackey <rdl@mit.edu>
Date: Wed, 11 Feb 1998 09:22:21 +0800
To: cypherpunks@Algebra.COM
Subject: TEMPEST open-source definition version 0.1alpha
Message-ID: <199802110119.UAA04666@the-great-machine.mit.edu>
MIME-Version: 1.0
Content-Type: text/plain



-----BEGIN PGP SIGNED MESSAGE-----


So, if we're going to try to protect computers from TEMPEST threats, and we
don't have access to the multiple government classified standards, we should
come up with the Cypherpunks TEMPEST standard.

A theoretical definition of what we want to do (strong) is that we should be
able to put the equipment in a virtual box, have an empty virtual box,
and then nothing anything which is not in the TCB can do can distinguish
one box from the other.  Perhaps the "empty" box should also contain
simulators for the ethernet, visible light output, and straight power
draw (harmonics are still to be avoided), or in some other definitional
way they should be accounted for.  This prevents non-TCB programs from
utilizing the EM spectrum as a covert channel.

Additionally, we need to protect the user from divulging state information
about his TCB.  I guess this condition can best be met by simply saying
"take the target system and clone its state perfectly.  Separate the two
systems.  Allow the user to modify the state of the target system while you
retain the clone -- you do not have a non-negiligible improvement in
matching future state using the EM emissions of the first system over
not using the EM emissions."  I think there is a better way of stating
this, though.

So, given a workable theoretical definition which defines perfection, it's
time to reverse engineer the practical TEMPEST systems (and in so doing
perhaps the classified TEMPEST spec) out there.  Next time I find a
TEMPEST case at swapfest, or at a con, I'll pick it up (if someone wants to
ship me one, so much the better).  You *can* buy them from some vendors,
although they often refuse to sell them to non-government affiliated entities).
MIT's quasi-affiliated Draper Labs has proper TEMPEST verification equipment,
and I think some places on MIT's campus have some general purpose equipment
which can be used for such purposes.  If not, I have a copy of NI LabView
and some DAQ hardware which, coupled with some antenna frobbery, can be
used to do a quick spectrum analyzer, and there's the capacity to do
some serious analysis once the data are on the computer.

It would be nice to know how good government TEMPEST systems really are.
In practice, matching them would probably be enough.  The above theoretical
definition doesn't really help that much -- in practice, there's going to be
some information coming out, and just because you can't figure out how to use
it, doesn't mean no one can.  I think preventing the covert channel attack
might actually go beyond the government's TEMPEST spec -- certainly if a
non-TCB program can cause a system reboot, or power up a peripheral, you
can detect the change in power draw, unless the system naturally throws away
the difference between its max power consumption and its present power 
consumption all the time.  Being able to telegraph even 1 bit of information
might be enough, and if you've got an arbitrary precision clock, you could
use this method to send an arbitrary codeword from an arbitrary-length 
codebook given an arbitrary time interval.

The rainbow books talked about covert channel elimination being a really
hard problem.  Now I see even more why they were right.  IIRC, it's only
at the not-really-commercially-available levels (A1) that covert channels
are utterly eliminated; usually they are comfortable just documenting them.

Of course, it would probably make a lot of sense to do TEMPEST reverse 
engineering in a country that has neither an OSA nor the ability to randomly
classify research.  Yet another project for cypherpunks.to, Lucky?

A practical way of approaching theoretical TEMPEST-perfection is just
a decent faraday cage with a lead-glass monitor cover, shielded or
eliminated cables, and a serious double-conversion UPS.  From the government
TEMPEST products I've seen, that's all they are (or they use mesh).  I've
mainly seen thinks like the SafeKeyper, not general purpose computers, though.
I don't think Jim was that far off the mark in thinking class B machines
are a worthwhile starting point, but it doesn't go anywhere near far enough.

ObCrypto: I've been looking at implementing a cipher in a reconfigurable
processor.  I might even customize one.  Yay.

ObGuns: I got to use a .22cal nail gun.  It was fun.

ObPersonalAttacks: There are a lot of people who are not Real US Citizens
on this list.  Beware the evil multinationalist conspiacy in our midst, good
followers of Bill Clinton!

ObQuestion: Can the US government deny a passport for no reason to a random
US citizen who is not a felon?
- -- 
Ryan Lackey
rdl@mit.edu
http://mit.edu/rdl/		



-----BEGIN PGP SIGNATURE-----
Version: 2.6.2

iQEVAwUBNOD8sawefxtEUY69AQG3NQf9GWJjz3pwORa4y5V1YQA/BBAebDJNlnhd
gauYxwALwsEIID20Da3x7f/ZZ/ipVH1fhk9SJYGgPK+mtc7HMpPA7WhEfR1awuyE
FaP6VrJ18vKy6Cf+JlUbag2w5luQfSlo4o1jK0v6Os3D+PpuDyRN3GUI05dTxKyC
+VfS8oiw+SaM455l1knHGnegLZzivCKGS/xXDFD71dl5QCRQsAMBaGrjg0pej8gJ
ByiO4X7ae8OdlUytdQpfaNOtJTdSQJ7C3FLjczp9dQKvb7msfQUWzAWG9L8XneUP
b6xRF5Ra1JaixfFEJisnP+CfZbtJknvNlffUh+//b17ql8Jz5WsFJg==
=IRsn
-----END PGP SIGNATURE-----






Thread