The Crypto Bone's Threat Model
The discussion about a realistic and appropriate threat model for the Crypto Bone is ongoing; it began on the cryptography mailing list.
Recently, Ray Dillinger (firstname.lastname@example.org) went to the trouble of working out a complete formal threat model for the External Crypto Bone. This is his analysis in his own words:
"=============================
1. Opponent may compromise browsers on user's main machine.
2. Opponent may exploit some combination of OS, key management software, or user's key management discipline, to compromise keys or messages if they are stored on the user's main machine.
3. Opponent may pwn any machine not in the direct control of the user.
4. There exist programs for reading mail, writing mail, and transferring mail to/from the crypto bone via ssh, which can run on the user's main machine and which the opponent may not compromise. These are "Trusted" programs meaning they're the ones in which any malfunction or malfeasance could destroy our security. They must be audited to ensure that they are also "Trustworthy" programs.
5. In case of #1 through 4, message privacy is maintained eg, opponent may not read private messages.
6. In case of #1 through 4, authentication is maintained eg, opponent may not impersonate any user.
7. Opponent may A) steal Crypto Bone hardware, B) steal or pwn user's main machine, or C) steal media containing master key. Resulting degradation of properties is: (correct me wherever I've got it wrong; I'm assuming you meant to say that the three components contain secrets useful only in combination).
   A: Authentication and Privacy intact.
   B: Authentication and Privacy intact.
   AB: Authentication and Privacy intact.
   AC: Authentication and Privacy intact.
   BC: Authentication and Privacy intact.
   ABC: Authentication broken (opponent can pretend to be user whose key has been stolen); Privacy degraded to Forward Secrecy (Opponent can read new private messages to that user but still can't read past private messages to the user).
8. BADUSB is not considered as part of this threat model.
=================================="