Digitale Autonomie zurückgewinnen

Im heutigen digitalen Zeitalter sind wir alle von einer Reihe großer Unternehmen abhängig und davon dass sie unsere Daten schützen oder sie zumindest nicht zu sehr missbrauchen, ohne uns zu fragen. Selbst wenn wir wollten, können wir die Dinge nicht selbst in die Hand nehmen und unsere digitale Autonomie zurückgewinnen. Zu viel hängt von zu vielen Systembetreibern ab. Um kleinen Nutzer*innen und Systemadministratoren zu helfen, diese Abhängigkeit zu bekämpfen, haben Jan Götte und Björn Scheuermann vom HIIG Inertial Hardware Security Modules, kurz IHSMs, entwickelt. Mit IHSM ausgestattete Low-Budget-Server bieten eine hohe Sicherheit auch außerhalb gut geschützter Rechenzentren und ermöglichen es uns, unsere digitale Autonomie zurückzugewinnen.

Digital Dependencies

The rise of networked computers has revolutionized many aspects of our modern lives. However, in lock-step with all the quality of life improvements that the internet brought us, today we can observe a worrying trend of increasing digital dependency. ”Opting out” of the digital life on social media or e-commerce platforms becomes increasingly difficult to sustain. At the same time the power of these platforms over their users is steadily increasing. Anyone who has ever had their Twitter or Facebook account suspended for an alleged Terms of Service violation or who has been locked out of their Google or Amazon account will know how acute this dependency and lack of digital autonomy is. What the platform decides is law and therefore we have to accept complicated and frustrating “account verification” processes for unnamed “security reasons” There is no way for us as users to meaningfully challenge its decisions because we are the platform’s product, not its customers.

Do it Yourself

With policy solutions to this issue still being in the distant future, the next-best approach would be technical, in order to take things into our own hands. On this premise, open-source projects such as Nextcloud and Mastodon have created de-centralized alternatives to some of the big platforms. Open-source software has great potential, but DIY’ing has a drawback beyond the time spent on installing and maintaining these solutions. While open-source software has made great strides over the last decades and offers viable alternatives to many proprietary, centralized platforms today, this software still has to run on someone’s computer. This underlying physical infrastructure is where things get complicated. Today, the only real option to run one’s own digital infrastructure is to rent a server (or part of one) from one of a number of large cloud providers. And in this case, whoever runs the data center ultimately controls access to the data stored within.

At first, this fact of life might not seem concerning. After all, a data center operator would risk a lot if it compromised its customers’ security. However, in the past we have seen several physical attacks targeting high-value data (Example). Large companies can mitigate such attacks by tightly controlling their entire infrastructure, from the application software down to the data center’s access control systems. For smaller organizations and private individuals, this option does not exist. If we cannot even escape reliance on these large cloud providers if we run our own open-source software, the question becomes what we have really gained through our efforts.

Inertial Hardware Security Modules – first steps towards digital autonomy

At HIIG, Björn and I have asked ourselves if there might be ways to claw back control over our hardware in order to build a solid foundation for a decentralized software ecosystem.  If we can find a way thatsomeone much smaller than an Amazon or Google can build a special physically secure server that is invulnerable to physical attacks, this server can be put into any commercial data center. At the same time it is completely decoupling the security of the data stored in it from the operator of the data center around it.

With Inertial Hardware Security Modules (short, IHSMs) we believe we have developed a promising approach towards this problem. You can read the full paper here. The gist of our solution is that we are able to build an enclosure that physically protects a server from any attempt at siphoning off its secrets, no matter who tries to attack it. IHSMs are similar to a type of device used in payment processing applications called Hardware Security Modules. Both provide a similar level of security. The main difference is that IHSMs allow much larger systems to be protected and bump both size and computing power from that of a smartphone to that of a server. This is a difference of about factor 100 in space, processing power and cooling capacity. IHSMs are simple to construct and can be built with basic tools that can be found in most electronic labs.

IHSMs work by putting the server’s mainboard, CPU, and memory inside of a tamper detection “mesh”. This mesh is a very delicate component that will sense when someone tries to cut, drill or poke through it. When tampering is detected, an alarm is activated and all sensitive data inside the server is securely deleted. To make the tamper detection mesh itself hard to tamper with, this mesh is spinning at around the speed of a washing machine during its spin cycle.

Trusting and Un-trusting

In computer security terms, what we are doing with IHSMs is that we are “untrusting” the server’s physical environment. Computer security has a rather remarkable definition of trust that is pretty much the opposite of all the others. In computer security, trust is a de-facto property of something that we rely on as being good. In computer security, something trusted should be trustworthy (but does not have to be). Contrast that to the common-sense meaning, where something trustworthy should be trusted (but does not have to be).

Untrusting the data center gives us the chance to decouple software security from physical security. Using an IHSM, a comparably small organization such as the HIIG, the Chaos Computer Club, or a small company can operate software on a physical foundation that is as secure as that of the large cloud companies. With the benefit that no one but themselves holds the keys to the data.

Examples for applications where this increased security matters are group chats, cloud photo storages, and calendar and contact synchronization systems. All of these already encrypt the network connection between their user’s phone or laptop and the server, but only rarely encrypt the actual data stored on these servers.

Digital autonomy through your own secure servers

We envision a world where small organizations can gain digital autonomy by building their own secure servers that even a hostile secret service will not be able to compromise physically. As a first step towards this world, our paper is open access, and we have applied the principles of open-source hardware. All of our code and CAD models are available through git.

Our full paper introducing Inertial Hardware security Modules has been published at TCHES 22’1. You can download it for free here at the publisher’s website.