4hv.org :: Forums :: Computer Science

Electrically Isolated HDD for File Server, and method

Hon1nbo
Tue Jul 12 2011, 03:10AM
Hon1nbo Registered Member #902 Joined: Sun Jul 15 2007, 08:17PM
Location: North Texas
Posts: 1040
Hello all,

I am thinking about putting back up a web based file server for emergency use, but these files are meant to be kept Confidential. On top of the serious encryption I will have, I am also making the HDD of the server which has said files Electrically Isolated from the server until Authentication is done via a secondary method, which involves One Time Passwords (OTPs). This way, even if my server box is rooted the HDD is still inaccessible unless the second server with the OTP authentication restores electrical power to the drive.

Now, the reason I haven't implemented this in the past is that the OTP server must be put online then to authenticate the user, and that would be prone to security issues and make the physical isolation a waste as then that box would be rooted instead.
I thought about an Arduino or other uC based web server to make it less likely that a hack takes place due to their extreme simplicity, but if it got DOS'd and restarted then the pins might spike on (and hence activate the switch timer for the HDD)...

And while I thought about using a uC for the web server and another for the actual control of the switch (so if the server went down and spiked then the other uC wouldn't necessarily reset)... However, since security of uC's via web servers is still relatively unknown, I didn't want to have a connection that could possibly work two ways and I wanted the OTP authentication to be independent to save resources and prevent possible electrical attacks by the hardware.

I came up with this method which, while overkill for my purposes, might work very well and be relatively simple. Opto-isolation would be used to make sure that no one can cause the uC to fail in a way that might send out a spike on the sensitive logic pins and prevent HV probing, as this uC will be encased in epoxy.

Here is the run through:

1) HDD is electrically severed from file server, making it impossible to access even with root account.
2) User connects to uC with web server to provide OTP.
3) uC web server sends OTP to second uC via optoisolators to prevent probing the uC for my secret key should physical access occur.
4) Second uC verifies OTP, and will activate timed relay to HDD to allow mounting on the server.
5) Relay will deactivate on a timer or manually if triggered by either web server.

Anyone got any comments on this?
The only weakness here that I can see is physical theft of the drive (which would be in a heavily monitored datacenter and under layers of encryption), or not checking for breaches to the server before opening the drive's connection.
It may be a little bit complicated with the optoisolators, but it is to protect my Secret Keys for my OTP generation by being able to encase the entire drive in epoxy preventing electrical connections that might dump the code.

-Jimmy

P.S: here is a block diagram:


[Block diagram image: Electrically Isolated Dataserver]
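As an added example (not code from the original post), a host-side Python simulation of steps 3 to 5 above: the second uC receives a code over the one-way link, verifies it as a counter-based OTP (RFC 4226 HOTP is an assumption, the post does not say which OTP scheme is used), burns used counters so a code captured on the link cannot be replayed, and drives a timed relay that is off after any reset. The class and function names are assumptions.

```python
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class RelayController:
    """Simulates the second uC: it only ever receives an OTP over the one-way
    opto-isolated link and drives the timed relay that powers the HDD."""

    def __init__(self, key: bytes, hold_seconds: int = 300, lookahead: int = 3,
                 clock=time.monotonic):
        self.key = key
        self.counter = 0              # next HOTP counter the verifier expects
        self.hold = hold_seconds
        self.lookahead = lookahead    # tolerate a few codes generated but never sent
        self.clock = clock
        self.relay_on = False         # relay is de-energised after any reset or brown-out
        self.off_at = None

    def submit_otp(self, otp: str) -> bool:
        """Step 4: verify a received code; on success energise the relay for the hold time."""
        for c in range(self.counter, self.counter + self.lookahead):
            if hmac.compare_digest(hotp(self.key, c), otp):
                self.counter = c + 1  # burn this counter and any it skipped: no replay
                self.relay_on = True
                self.off_at = self.clock() + self.hold
                return True
        return False                  # wrong or replayed code: relay state unchanged

    def manual_off(self) -> None:
        """Step 5: either web server may drop the relay early."""
        self.relay_on = False
        self.off_at = None

    def tick(self) -> bool:
        """Step 5: called from the main loop; drops the relay when the hold time expires."""
        if self.relay_on and self.clock() >= self.off_at:
            self.manual_off()
        return self.relay_on
```

The RFC 4226 test key `12345678901234567890` (codes 755224, 287082, 359152, ...) is a convenient constructed input for exercising the verifier; a real unit holds its own secret.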
Carbon_Rod
Tue Jul 12 2011, 08:09AM
Carbon_Rod Registered Member #65 Joined: Thu Feb 09 2006, 06:43AM
Location:
Posts: 1155
I am not sure why you chose the optical interface, but there are existing tamper resistant enclosures that have specially designed RAID cards with very strong transparent "volatile" encryption on-chip.

Even better security:
Link2

=)
Hon1nbo
Tue Jul 12 2011, 02:02PM
Hon1nbo Registered Member #902 Joined: Sun Jul 15 2007, 08:17PM
Location: North Texas
Posts: 1040
Carbon_Rod wrote ...

I am not sure why you chose the optical interface, but there are existing tamper resistant enclosures that have specially designed RAID cards with very strong transparent "volatile" encryption on-chip.

Even better security:
Link2

=)

I have encryption on the drive array, the optical would be to protect my micro-controller from having the code, which has my OTP generator keys, from being dumped.
By using optical isolation, an attacker would have no usable electrical channels to the chip, which would be encased in epoxy.

-Jimmy
Nicko
Tue Jul 12 2011, 02:10PM
Nicko Registered Member #1334 Joined: Tue Feb 19 2008, 04:37PM
Location: Nr. London, UK
Posts: 615
Carbon_Rod wrote ...

I am not sure why you chose the optical interface, but there are existing tamper resistant enclosures that have specially designed RAID cards with very strong transparent "volatile" encryption on-chip.

Even better security:
Link2

=)
Not original at all. Bruce Schneier, in his seminal text "Applied Cryptography", refers to the use of physical brute force as "Rubber Hose Cryptanalysis". It's not only cheaper, it's generally far faster...

Link2

You are far better off using some form of deniable encryption, such as that employed by TrueCrypt and others. Then, if implemented correctly, you cannot differentiate between a disk that is just unformatted rubbish, and encrypted data. If the attacker knows there is something there, then they can go after it. If it's not possible to state with any certainty at all that there is encrypted data there, then the whole nature of the "discussion" changes...
Hon1nbo
Tue Jul 12 2011, 03:01PM
Hon1nbo Registered Member #902 Joined: Sun Jul 15 2007, 08:17PM
Location: North Texas
Posts: 1040
Nicko wrote ...

Carbon_Rod wrote ...

I am not sure why you chose the optical interface, but there are existing tamper resistant enclosures that have specially designed RAID cards with very strong transparent "volatile" encryption on-chip.

Even better security:
Link2

=)
Not original at all. Bruce Schneier, in his seminal text "Applied Cryptography", refers to the use of physical brute force as "Rubber Hose Cryptanalysis". It's not only cheaper, it's generally far faster...

Link2

You are far better off using some form of deniable encryption, such as that employed by TrueCrypt and others. Then, if implemented correctly, you cannot differentiate between a disk that is just unformatted rubbish, and encrypted data. If the attacker knows there is something there, then they can go after it. If it's not possible to state with any certainty at all that there is encrypted data there, then the whole nature of the "discussion" changes...


The physical attack would assume someone has access to the datacenter and my rack there, which is unlikely but possible - it would just be nice to not worry about that. If the drive were physically removed, I would know about it and the datacenter logs every last person in and out and what they had with them (you can't even bring in a computer assembled, it must be disassembled for inspection of what's inside).

The data will be encrypted as I stated originally, but if someone rooted my box I would still not like having an entire drive with nothing but apparently garbage data visible to an attacker! - the box will be a server for my business as well, but there is clearly another server there that just appears to have nothing on it. (One physical unit, but I'm giving one CPU to each server of the two Xeons inside.)

I know how to set up deniability etc, but I am still concerned about someone being able to steal a copy of it and try to get it offline. I may not have much for many attackers, but running a business server which is at risk, then there being a second data storage server on the same machine with no apparent web use, might lead the attacker to think he has found customer data, business records, etc.

-Jimmy
This site is powered by e107, which is released under the GNU GPL License. All work on this site, except where otherwise noted, is licensed under a Creative Commons Attribution-ShareAlike 2.5 License. By submitting any information to this site, you agree that anything submitted will be so licensed. Please read our Disclaimer and Policies page for information on your rights and responsibilities regarding this site.