Tech Note #110: Concept for a Secure Network Computer
© 2000 Bionic Buffalo Corporation; All Rights Reserved.
Tuesday, 11 January 2000
http://www.tatanka.com
[tn0110]
Page 14 of 18
• observation of power consumption patterns, or of signals leaking out through power supplies, which sometimes can provide insight into key values and algorithms
• observation using X-rays, ultrasonic devices, or similar techniques (it is possible to map the inside of a closed container the way seismography charts the inside of the earth, or as CAT scans and NMR map the inside of living organisms)
• modification of environmental factors (such as temperature) or introduction of signals to alter the behaviour of the system
The most crucial danger is that the private keys of the SNC might be extracted, allowing some
other device to impersonate the SNC. However, a great deal of other information from inside
the SNC also has value, and must be protected.
Protection against all of these threats includes both design and manufacturing activities. A
design must consider and counter them, but the manufacturing process itself is also subject to
sabotage or simple mismanagement. For instance, if a component is substituted or a process
altered during assembly, the security of the system can be compromised. This is especially
significant, since complex devices such as the SNC and its subassemblies cannot be fully
inspected and tested once they are assembled. It is imperative, for the highest level of security,
to perform inspections and testing during the manufacturing operation, and not only at the end.
Software Security
Producing secure software is, in many ways, similar to the production of secure hardware.
Security cannot be assured merely by inspection and testing at the end. Security comes from
control of the entire programming operation, including design and coding reviews and
inspection at all phases of development. It also requires the fundamental process of ascertaining
that the assured software is, in fact, the software loaded into the SNC, and not a substitute
program.
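As an added illustration of "ascertaining that the assured software is, in fact, the software loaded into the SNC" (example code, not part of this Tech Note; the stage images, SHA-256 as the measurement hash and the TPM-PCR-style extend chain are assumptions), a measured-load check in which every stage is measured before it is trusted, so that a substituted, skipped or reordered component changes the final register and fails verification:

```python
import hashlib
import hmac

# Constructed stand-ins for the stages an SNC would load in order (hypothetical
# contents; the document names no actual images).
ASSURED_STAGES = [
    ("loader", b"snc-loader v1.0 (constructed sample)"),
    ("kernel", b"snc-kernel v1.0 (constructed sample)"),
    ("application", b"snc-application v1.0 (constructed sample)"),
]

def measure(image):
    """Digest of one stage; SHA-256 is assumed as the measurement hash."""
    return hashlib.sha256(image).digest()

def extend(register, measurement):
    """Fold a measurement into the register TPM-PCR style: new = H(old || m).
    Because the old value is hashed in, a stage that is substituted, skipped or
    reordered changes the final register, not just its own entry."""
    return hashlib.sha256(register + measurement).digest()

def measured_load(stages):
    """Measure every stage before it would be given control. Returns the final
    register and an event log (stage name, hex digest) a verifier can replay."""
    register = bytes(32)  # register starts at all zeros
    log = []
    for name, image in stages:
        m = measure(image)
        register = extend(register, m)
        log.append((name, m.hex()))
    return register, log

def replay_log(log):
    """What a verifier does with the log alone: recompute the register without
    needing the images themselves."""
    register = bytes(32)
    for _name, digest_hex in log:
        register = extend(register, bytes.fromhex(digest_hex))
    return register

# Golden value recorded once from the assured build in a controlled setting.
GOLDEN_REGISTER = measured_load(ASSURED_STAGES)[0]

def verify_loaded(stages):
    """True only if what was actually loaded matches the assured build."""
    register, _log = measured_load(stages)
    return hmac.compare_digest(register, GOLDEN_REGISTER)
```

In a real SNC the register would live in tamper-resistant hardware and the golden value would be signed by the build authority rather than held in the same image; the chaining logic is the part this example shows.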
As with hardware security, the principles of software security are beyond the scope of this
document. In general, they might be characterized by the following:
• the same good practices which characterize other good software development efforts (in the end, the software should do what it is intended to do, and should not exhibit any form of undesirable, unintended behaviour or other errors)
• elimination of those unnecessary features which can be removed easily without increasing the likelihood of failure (every superfluous feature is an opportunity for failure or sabotage)
• a high level of paranoia, including a willingness to consider any individual component or team member as potentially hostile