"BitMessage Secure Station" open-hardware open-core project #1003

Open
opened 2017-05-31 14:07:36 +02:00 by stman · 7 comments
stman commented 2017-05-31 14:07:36 +02:00 (Migrated from github.com)

We are working on the development of a simple open-hardware dedicated platform, the "BitMessage Secure Station", that will allow BitMessage users to reach military grade anonymity and privacy protection : The biggest mistake (We call it betrayl) of all the security/privacy free tools developpers is that they never want to take in consideration that their tools would work well on a perfect secure non backdoored and non backdoorable / compromizable computer, which don't exist yet.

And here I am clearly refering to the most important things Edward Snowden reminded us : "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." (Edward Snowden)

Indeed, this project we are developping is aiming at solving the best as we can (Military grade) the issues Snowden perfectly described and reminded us about End-Points (Computers) weaknesses when connected to the internet, and we do it radicaly using the best state of the art known technics, consisting in using a double-computer architecture :

The draft "BitMessage Secure Station" hardware is detailed here (Used for BitMessage software developpers as an early 'simple version SDK) :

http://picpaste.com/BitMessageSecureStation-gYTXbL2l.png

The final "BitMessage Secure Station" hardware architecture being here :

http://picpaste.com/BitMessage_Secure_Station_V2-MWbERDLf.png

The overall cost of a full "BitMessage Secure Station" should be less than 100€, accessible to everybody. We encourage other P2P applications developers to port their own software project to the BitMessage Secure Station hardware, and we are willing to help and support all those that will plan to do it. Please do not hesitate to contact us.

As you will understand, this add-on project is not about, at least for the moment, doing any major change to the BitMessage software, but to create a dedicated hardware that solves security issues that cannot be solved by software with a "Mono-processor" architecture : In the architecture we are designing, we are using a 2 microprocessors + 1 microcontroller model :

• A first computer (Low cost Raspberry Pi, accessible to everybody for 30$) connected to the internet, that must considered compromised.

• A second computer (Low cost Raspberry Pi) fully air gapped from the internet, you will use this one to read/enter your messages securely.

The drivers for the SPI Port handling on both Raspberry Pi will be developed in C, for Raspbian OS, so that Peter Surda can easily integrate then to the PyBitMessage software written in Python.

• Interconnectiong both with an SPI synchrone serial port, but for added security, this serial port goes through a "Firewall", acting as the "Secure Element" of the overall system (Made out of a PIC 24 micro-controller), that will check & filter any kind of side channels attackers could try to build over our dedicated protocol over the SPI serial port, by ensuring the protocol defined for transferring data between the 2 computers is strictly respected, filtering at the same time all time-based side channels on the SPI serial port.

• The PIC 24 Micro-controller handling two SPI serial ports and relayings data between each port bidirectionnaly, with its software highly secured (coded 100% in assembly language, with no OS and no LIBC libraries used, just handling interrupt routines and a few timers to make the secure element / firewall work).

In the definitive version of the PCB, the PIC 24 Micro-controller will be replaced by a Xilinx Spartan 6 LX 9 FPGA, to implement a custom free and open non-backdoored microprocessor in the FPGA, and we will also take advantage of this FPGA to build our own hardware RNG that will be used by the Air-Gapped Raspberry Pi, integrating Cryptech open core FPGA based hardware RNG with two distincts entropy sources. In a final version, for added security, we will replace the FPGA based custom microprocessor + its software in assembly language by a new design where we will implement all those functionnalities made by software on this custom FPGA based microprocessor, by the equivalent fully hardcoded into the FPGA in the form of finite state machines, reaching above military grade security because there is no more processor and no more software running, having therefore an true software attack surface prooven null.

At BitMessage software level, we are going to split the BitMessage software into two parts, one part running on the "non secure" Raspberry Pi, mainly handling all the P2P network connections and data broadcast throught the P2P network, and holding a new "CIPHERED-MESSAGES.DAT", while the second "Secure Air-Gapped" Raspberry Pi will hold all those important files (KEYS.DAT, and eventually a CLEAR-TEXT-MESSAGES.DAT caching the CIPHERED-MESSAGES.DAT but deciphered), and we will manage all cryptographic functions and end-user GUI.

We are working with Peter Surda on how to adapt the BitMessage software to this "splitted" architecture in the most efficient way.

With the BitMessage Secure Station, we are simply taking in account the best state of the art knowledge in defensive cyber security & crypto-anarchist tricks in order to build an "hardened end-point", that can resist "NSA & friends" or "competitors" grade military attacks, therefore truly and proovenly protecting you from :

► Keyloggers malware protection :

It is achieved architecturaly by having a double processor system, with one computer being compromized and connected to the internet, and another one air-gapped and not connected to the internet : The messages in clear text are being entered on the computer not connected to the internet : Assuming that there is no side channel or hidden channel on the serial port connecting the two processors (Will be discussed below), even if there is a keylogger installer on the air gapped computer, it will not be able to transfer its data if we can ensure there is no side channel or hidden channels between the two computers.

► Keyescrow malware protection (Protection of KEYS.DAT and MESSAGES.DAT):

Same as above. (Prevent the private keys used by BitMessage from being stolen by agencies/hackers)

► Hardware integrated circuits serial numbers fingerprinting identification technic protection when using TOR or VPNs :

This problem is solved by dedicating a new hardware for the first computer, connected to the internet and that will be compromized, whose serial numbers where never associated to the user identity before : A brand new Raspberry Pi bought in cash in an electronic store is the perfect way to achieve this. It also mean dedicating this hardware exclusively for this usage, and never connect to it any device :

Exemple :

Never connect USB Flashdisc key to it, whose serial number, already associated to the user's identity, to it, because it would allow to extrapolate the identity to associate to the Raspbery serial number to the identity already associated with the USB Flashdisc key. Same thing for LCD screen : They transmit serial number (VGA, DVI, or HDMI) to the graphic card, and can have the same terrible effect as a USB flashdisc key.

We will have to give the user a list I have already been working on for years, of all the parts or subsystems known in a computer to have serial numbers.

Let's say this issue is a matter of respecting a strict security procedure.

► Hardware characteristics (Speed of each processor analysis) fingerprinting identification technic protection when using TOR or VPNs :

Same as above.

► Keystroke timing fingerprinting identification technic protection when using TOR or VPNs :

This problem is solved architecturaly exactly like the Keylogger protection above.

► Phrasing and wording fingerprinting identification technic protection when using TOR or VPNs :

We can use a trick many hackers know, and implement a kind of wording and rephrasing system : Using a translator for exemple, from english to french, and back french to english.... But there are other programs that do exist and to the job, There are many ways to do it indeed.

This issue is also solved architecturaly as the Keylogger protection mecanism described above.

► Side channel & hidden channels protection between the first and the second computers, interconnected through a serial port :

This problem is solved by inserting a microcontroller having two serial ports, on the serial link between the two computers :
If the technic of using two microprocessor connected with a serial port that offers the lowest attack surface possible, it can be improved greatly inserting a microcontroller that will do the following :

• Check that the little protocol we will have to invent and implement (And design as much hidden channel proof as possible) is correctly implemented, and that no other unwanted data are transmitted on the serial link.
• Fight the timing side channel attack surface on the serial port : Serial ports offer the lowest attack surface regarding side & hidden channels, but it is still vulnerable to timing-between-each-byte-sent-on-the-serial-port side channel. The microcontroller code can "filter" these timings by buffering and normalizing them. Time based side channels are well known, and must be & can be fighted.

As you see, when we where talking about giving you true crypto-anarchist tools reaching military grade security, we were not laughting at you, we were very serious about this.
We had enough bullshit driven by FEDS worldwide. We perfectly know were most of the problems are : End-Point weaknesses.

And we decided to solve it for BitMessage. BitMessage being already one of the best Crypto-Anarchist communication tool available, but as all other "good" tools, if they are running on comprimized weak end-point, it's USELESS.

The "BitMessage Secure Station" Open-hardware project is being discussed on the Crypto-Anarchist Federation channel on BitMessage :

Chan name : Crypto-Anarchist Federation
Chan address : BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v

Contacts if you want to participate or support :

Peter Surda BitMessage Software Core Developper BM Address :
BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm

Stman BitMessage Secure Station open-hardware Core Developper BM Address :
BM-2cWZW87PJN5VZjtJCpk3hXcYefhNCxdjU6

BitCoin donations for the "BitMessage Secure Station" open-hardware prototypes development :
1DnEzQvKb7hzgmfAwP1oFU9WQEDBHCqFRM

For the first Beta Version of the PCB, we are planning to build 10 prototypes that will be sent in priority to those collaborating to the project.

We are working on the development of a simple open-hardware dedicated platform, the "BitMessage Secure Station", that will allow BitMessage users to reach military grade anonymity and privacy protection : The biggest mistake (We call it betrayl) of all the security/privacy free tools developpers is that they never want to take in consideration that their tools would work well on a perfect secure non backdoored and non backdoorable / compromizable computer, which don't exist yet. And here I am clearly refering to the most important things Edward Snowden reminded us : "Encryption works. Properly implemented strong crypto systems are one of the few things that you can rely on. Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it." (Edward Snowden) Indeed, this project we are developping is aiming at solving the best as we can (Military grade) the issues Snowden perfectly described and reminded us about End-Points (Computers) weaknesses when connected to the internet, and we do it radicaly using the best state of the art known technics, consisting in using a double-computer architecture : The draft "BitMessage Secure Station" hardware is detailed here (Used for BitMessage software developpers as an early 'simple version SDK) : http://picpaste.com/BitMessageSecureStation-gYTXbL2l.png The final "BitMessage Secure Station" hardware architecture being here : http://picpaste.com/BitMessage_Secure_Station_V2-MWbERDLf.png The overall cost of a full "BitMessage Secure Station" should be less than 100€, accessible to everybody. We encourage other P2P applications developers to port their own software project to the BitMessage Secure Station hardware, and we are willing to help and support all those that will plan to do it. Please do not hesitate to contact us. As you will understand, this add-on project is not about, at least for the moment, doing any major change to the BitMessage software, but to create a dedicated hardware that solves security issues that cannot be solved by software with a "Mono-processor" architecture : In the architecture we are designing, we are using a 2 microprocessors + 1 microcontroller model : • A first computer (Low cost Raspberry Pi, accessible to everybody for 30$) connected to the internet, that must considered compromised. • A second computer (Low cost Raspberry Pi) fully air gapped from the internet, you will use this one to read/enter your messages securely. The drivers for the SPI Port handling on both Raspberry Pi will be developed in C, for Raspbian OS, so that Peter Surda can easily integrate then to the PyBitMessage software written in Python. • Interconnectiong both with an SPI synchrone serial port, but for added security, this serial port goes through a "Firewall", acting as the "Secure Element" of the overall system (Made out of a PIC 24 micro-controller), that will check & filter any kind of side channels attackers could try to build over our dedicated protocol over the SPI serial port, by ensuring the protocol defined for transferring data between the 2 computers is strictly respected, filtering at the same time all time-based side channels on the SPI serial port. • The PIC 24 Micro-controller handling two SPI serial ports and relayings data between each port bidirectionnaly, with its software highly secured (coded 100% in assembly language, with no OS and no LIBC libraries used, just handling interrupt routines and a few timers to make the secure element / firewall work). In the definitive version of the PCB, the PIC 24 Micro-controller will be replaced by a Xilinx Spartan 6 LX 9 FPGA, to implement a custom free and open non-backdoored microprocessor in the FPGA, and we will also take advantage of this FPGA to build our own hardware RNG that will be used by the Air-Gapped Raspberry Pi, integrating Cryptech open core FPGA based hardware RNG with two distincts entropy sources. In a final version, for added security, we will replace the FPGA based custom microprocessor + its software in assembly language by a new design where we will implement all those functionnalities made by software on this custom FPGA based microprocessor, by the equivalent fully hardcoded into the FPGA in the form of finite state machines, reaching above military grade security because there is no more processor and no more software running, having therefore an true software attack surface prooven null. At BitMessage software level, we are going to split the BitMessage software into two parts, one part running on the "non secure" Raspberry Pi, mainly handling all the P2P network connections and data broadcast throught the P2P network, and holding a new "CIPHERED-MESSAGES.DAT", while the second "Secure Air-Gapped" Raspberry Pi will hold all those important files (KEYS.DAT, and eventually a CLEAR-TEXT-MESSAGES.DAT caching the CIPHERED-MESSAGES.DAT but deciphered), and we will manage all cryptographic functions and end-user GUI. We are working with Peter Surda on how to adapt the BitMessage software to this "splitted" architecture in the most efficient way. With the BitMessage Secure Station, we are simply taking in account the best state of the art knowledge in defensive cyber security & crypto-anarchist tricks in order to build an "hardened end-point", that can resist "NSA & friends" or "competitors" grade military attacks, therefore truly and proovenly protecting you from : ► Keyloggers malware protection : It is achieved architecturaly by having a double processor system, with one computer being compromized and connected to the internet, and another one air-gapped and not connected to the internet : The messages in clear text are being entered on the computer not connected to the internet : Assuming that there is no side channel or hidden channel on the serial port connecting the two processors (Will be discussed below), even if there is a keylogger installer on the air gapped computer, it will not be able to transfer its data if we can ensure there is no side channel or hidden channels between the two computers. ► Keyescrow malware protection (Protection of KEYS.DAT and MESSAGES.DAT): Same as above. (Prevent the private keys used by BitMessage from being stolen by agencies/hackers) ► Hardware integrated circuits serial numbers fingerprinting identification technic protection when using TOR or VPNs : This problem is solved by dedicating a new hardware for the first computer, connected to the internet and that will be compromized, whose serial numbers where never associated to the user identity before : A brand new Raspberry Pi bought in cash in an electronic store is the perfect way to achieve this. It also mean dedicating this hardware exclusively for this usage, and never connect to it any device : Exemple : Never connect USB Flashdisc key to it, whose serial number, already associated to the user's identity, to it, because it would allow to extrapolate the identity to associate to the Raspbery serial number to the identity already associated with the USB Flashdisc key. Same thing for LCD screen : They transmit serial number (VGA, DVI, or HDMI) to the graphic card, and can have the same terrible effect as a USB flashdisc key. We will have to give the user a list I have already been working on for years, of all the parts or subsystems known in a computer to have serial numbers. Let's say this issue is a matter of respecting a strict security procedure. ► Hardware characteristics (Speed of each processor analysis) fingerprinting identification technic protection when using TOR or VPNs : Same as above. ► Keystroke timing fingerprinting identification technic protection when using TOR or VPNs : This problem is solved architecturaly exactly like the Keylogger protection above. ► Phrasing and wording fingerprinting identification technic protection when using TOR or VPNs : We can use a trick many hackers know, and implement a kind of wording and rephrasing system : Using a translator for exemple, from english to french, and back french to english.... But there are other programs that do exist and to the job, There are many ways to do it indeed. This issue is also solved architecturaly as the Keylogger protection mecanism described above. ► Side channel & hidden channels protection between the first and the second computers, interconnected through a serial port : This problem is solved by inserting a microcontroller having two serial ports, on the serial link between the two computers : If the technic of using two microprocessor connected with a serial port that offers the lowest attack surface possible, it can be improved greatly inserting a microcontroller that will do the following : • Check that the little protocol we will have to invent and implement (And design as much hidden channel proof as possible) is correctly implemented, and that no other unwanted data are transmitted on the serial link. • Fight the timing side channel attack surface on the serial port : Serial ports offer the lowest attack surface regarding side & hidden channels, but it is still vulnerable to timing-between-each-byte-sent-on-the-serial-port side channel. The microcontroller code can "filter" these timings by buffering and normalizing them. Time based side channels are well known, and must be & can be fighted. As you see, when we where talking about giving you true crypto-anarchist tools reaching military grade security, we were not laughting at you, we were very serious about this. We had enough bullshit driven by FEDS worldwide. We perfectly know were most of the problems are : End-Point weaknesses. And we decided to solve it for BitMessage. BitMessage being already one of the best Crypto-Anarchist communication tool available, but as all other "good" tools, if they are running on comprimized weak end-point, it's USELESS. The "BitMessage Secure Station" Open-hardware project is being discussed on the Crypto-Anarchist Federation channel on BitMessage : Chan name : Crypto-Anarchist Federation Chan address : BM-2cWdaAUTrGZ21RzCpsReCk8n86ghu2oY3v Contacts if you want to participate or support : Peter Surda BitMessage Software Core Developper BM Address : BM-2cX62WCeFcUwzXWqxTBfaAzNy4j1y8yZVm Stman BitMessage Secure Station open-hardware Core Developper BM Address : BM-2cWZW87PJN5VZjtJCpk3hXcYefhNCxdjU6 BitCoin donations for the "BitMessage Secure Station" open-hardware prototypes development : 1DnEzQvKb7hzgmfAwP1oFU9WQEDBHCqFRM For the first Beta Version of the PCB, we are planning to build 10 prototypes that will be sent in priority to those collaborating to the project.
smaragdus commented 2017-06-02 10:05:15 +02:00 (Migrated from github.com)

Who deleted Scott King's comment? If it was not the author this would mean explicit censorship.

Who deleted [Scott King's](https://github.com/Lvl4Sword) [comment](https://github.com/Bitmessage/PyBitmessage/issues/1003#issuecomment-305694059)? If it was not the author this would mean explicit censorship.
Lvl4Sword commented 2017-06-02 10:06:34 +02:00 (Migrated from github.com)

No censorship. I just don't see this "Bitmessage Secure Station" going anywhere.

"Check that the little protocol we will have to invent and implement"

  • The protocol isn't displayed anywhere at all and reads as if they still need to create it.
  • These people are mysterious and we don't know of their backgrounds
  • Too many times have they brought up "Military Grade", which is a buzzword
  • They want to use Raspberry Pis as Super High Security Devices even though it has a Broadcom chip. Some Raspberry Pis even have built-in wifi, and built-in bluetooth.
  • The initial post says Assuming that there is no side channel or hidden channel on the serial port connecting the two processors .. that's uh, not very reassuring.
  • If you're going to go this route, and create a fully SECURE ( whatever that means ) system just for Bitmessage, you'd put a little lot more effort into this.
  • Feels like I'm being enticed to fund a KickStarter project, and just all around scammy.
  • etc etc

It's doomed to fail.

No censorship. I just don't see this "Bitmessage Secure Station" going anywhere. > "Check that the little protocol we will have to invent and implement" - The protocol isn't displayed anywhere at all and reads as if they still need to create it. - These people are mysterious and we don't know of their backgrounds - Too many times have they brought up "Military Grade", which is a buzzword - They want to use Raspberry Pis as **Super High Security Devices** even though it has a Broadcom chip. Some Raspberry Pis even have built-in wifi, and built-in bluetooth. - The initial post says ``Assuming that there is no side channel or hidden channel on the serial port connecting the two processors`` .. that's uh, not very reassuring. - If you're going to go this route, and create a fully **SECURE** ( whatever that means ) system just for Bitmessage, you'd put a ~~little~~ lot more effort into this. - Feels like I'm being enticed to fund a KickStarter project, and just all around scammy. - etc etc It's doomed to fail.
smaragdus commented 2017-06-02 10:10:54 +02:00 (Migrated from github.com)

@Lvl4Sword
Thanks for the clarification. For me all your points were valid so if it were a comment of mine I would have kept it.

**@Lvl4Sword** Thanks for the clarification. For me all your points were valid so if it were a comment of mine I would have kept it.
Lvl4Sword commented 2017-06-02 23:46:44 +02:00 (Migrated from github.com)

@stman
Those were non-answers, though.
Are you the only person in this group?
What projects have you done that are remotely close to this? ( with links/proof preferably )
What is this protocol suppose to look like? What are the specs? Where's the whitepaper?

@stman Those were non-answers, though. Are you the only person in this group? What projects have you done that are remotely close to this? ( with links/proof preferably ) What is this protocol suppose to look like? What are the specs? Where's the whitepaper?
stman commented 2017-07-06 12:04:31 +02:00 (Migrated from github.com)

NO PASARAN

NO PASARAN
cryptomarauder commented 2017-08-09 12:44:10 +02:00 (Migrated from github.com)

I don't think for a second that this is doomed. In fact I'm guessing it's in use.

I don't think for a second that this is doomed. In fact I'm guessing it's in use.
stman commented 2017-08-09 13:09:37 +02:00 (Migrated from github.com)

There will always be evil folks that want to cyber dominate their friends to fuck them and exploit them, and there will always be Crypto-Anarchists fighting this shit.

Thank you for your support.

There will always be evil folks that want to cyber dominate their friends to fuck them and exploit them, and there will always be Crypto-Anarchists fighting this shit. Thank you for your support.
This repo is archived. You cannot comment on issues.
No Milestone
No project
No Assignees
1 Participants
Due Date
The due date is invalid or out of range. Please use the format 'yyyy-mm-dd'.

No due date set.

Dependencies

No dependencies set.

Reference: Bitmessage/PyBitmessage-2024-12-10#1003
No description provided.