light: secure messaging
Here’s a secure messaging system that you can’t hack remotely. You can use this to talk to your friends in a way that even mercenary spyware can’t access your messages. This is guaranteed by hardware-level primitives. Let’s call it light.
The basic idea #
light is an endpoint architecture: three hardware-isolated nodes connected by unidirectional links. On top of this endpoint architecture, we implement public-key cryptography to encrypt+authenticate messages between peers. The nuance here is how each “endpoint” is constructed.
A conventional secure messenger does everything in one machine: parse untrusted network input, run crypto, handle keys, render + store plaintext, accept keyboard input.
light doesn’t do this. Instead, light carefully decomposes this monolithic networking + cryptographic stack into 3 different hardware-isolated nodes, connected via unidirectional links (data diodes).
System architecture #
Each endpoint is partitioned into three discrete nodes:
-
a TX computer (“the source”): takes plaintext you want to send, encrypts/authenticates it, outputs ciphertext and sends it to the GW
-
a RX computer (“the sink”): receives messages from GW, decrypts and displays plaintext on a dedicated display
-
a GW computer (an untrusted “proxy”): this computer is connected to the internet and is connected to RX and from TX
System properties #
The trick is that the links are unidirectional. Observe that:
-
TX never sees untrusted input. This means this computer will always execute the original code, and it’s impossible to remotely exploit it. Egress messages will always be encrypted to the intended recipient.
-
RX does not have an egress path to the internet. This means that if this computer gets compromised, it’s impossible to exfiltrate keys or plaintext from this computer. The only “output” from this computer is a screen.
Human-in-the-loop social engineering #
Note that there is an exfiltration path to the internet: via the human operating the node. A compromised RX node can’t send bits to the GW, but it can send bits to the user’s brain (by lying on the screen). For example, a compromised RX could display “Sync error. Please type the following ‘session recovery code’ into your TX terminal to reconnect: [hex-encoded private key]”.
There are two ways to mitigate this:
- Train the human operator
- Make exfil expensive: use big-key cryptography
The second one is more interesting. This essentially means using very long keys (instead of 32-byte, say it’s a 10MB key) so that exfiltration isn’t possible.
INTERNET
│
│ (bidirectional)
│
┌────▼────┐
│ GW │ (untrusted proxy)
│ │
└─┬───────┘───────┬
│ ▲
│ │
encrypted │ │ encrypted
(to RX) │ │ (from TX)
▼ │
┌──────────┐ ┌──────────┐
│ RX │ │ TX │
│ (sink) │ │ (source) │
└────┬─────┘ └─────▲────┘
│ │
│ │ plaintext
│ │ (input)
▼ │
┌──────────┐ ┌──────────┐
│ Screen │◄───┤ Keyboard │
│ │ │ │
└──────────┘ └──────────┘
▲
│
┌─────────────┐│
│ Human ││
│ Operator │┘
└─────────────┘
Cryptographic constructions #
It is easy to
- based on identity-based encryption