next up previous
Next: Mathematics or metal? Up: The Eternity Service Previous: The perjury trap

Using tamper-proof hardware

Using a perjury trap may block coercion of the abuse-of-process kind in many countries, but we must still consider more traditional kinds of coercion such as kidnapping, extortion and bribery.

In order to protect the owner of the file from such direct coercion, we have the rule that not even the owner may delete a file once posted. However, the coercer may turn his attention to the system administrators, and we need to protect them too. This can best be done if we arrange things so that no identifiable group of people -- including system administrators -- can delete any identifiable file in the system.

The simplest approach is to encapsulate the trusted computing base in tamper-resistant hardware, such as the security modules used by banks to protect the personal identification numbers used by their customers in autoteller machines [JDK+91]. Of course, such systems are not infallible; many of them have failed as a result of design errors and operational blunders [And94], and even if keys are kept in specially hardened silicon chips there are still many ways for a wealthy opponent to attack them [BFL+93].

However, given wide dispersal as one of our protection mechanisms, it may be too expensive for an opponent to obtain and break a quorum of tamper resistant devices within a short time window, and so the combination of tamper resistance with careful protocol design may be sufficient. In that case, the Eternity Service could be constructed as follows.

Each hardware security server will control a number of file servers. When a file is first loaded on to the system, it will be passed to the local security server which will share it with a number of security servers in other jurisdictions. These will each send an encrypted copy to a file server in yet another jurisdiction.

When a client requests a file that is not in the local cache, the request will go to the local security server which will contact remote ones chosen at random until one with a copy under its control is located. This copy will then be decrypted, encrypted under the requester's public key and shipped to him.

Communications will be anonymised to prevent an attacker using traffic analysis to link encrypted and plaintext files. Suitable mechanisms include mix-nets (networks of anonymous remailers) [Cha81] and rings [Cha88]. The former are suitable for sending the file to the user, and the latter for communications between security servers; even traffic analysis should not yield useful information about which file server contains a copy of which file, and this may be facilitated by traffic padding [VN94].

Note that the existence of secure hardware allows us to substantially reduce the number of copies of each file that have to be kept. It is sufficient that the attacker can no longer locate all copies of the file he wishes to destroy. Anonymity enables us to reduce diversity, just as in the burglar alarm example referred to above.

next up previous
Next: Mathematics or metal? Up: The Eternity Service Previous: The perjury trap

Ross Anderson
Tue Jun 17 15:08:09 BST 1997