The Crypto Bone

privacy and secure communication
under your control


The Crypto Bone's Threat Model

The discussion about a realistic and appropriate threat model for the Crypto Bone is ongoing; it was started on the cryptography mailing list.

Recently, Ray Dillinger went to the trouble of working out a complete formal threat model for the External Crypto Bone. This is his analysis, in his own words:

1. Opponent may compromise browsers on user's main machine.

2. Opponent may exploit some combination of OS, key
   management software, or user's key management discipline,
   to compromise keys or messages if they are stored on the
   user's main machine.

3. Opponent may pwn any machine not in the direct control of
   the user.

4. There exist programs for reading mail, writing mail, and
   transferring mail to/from the crypto bone via ssh, which
   can run on the user's main machine and which the opponent
   may not compromise. These are "Trusted" programs meaning
   they're the ones in which any malfunction or malfeasance
   could destroy our security.  They must be audited to
   ensure that they are also "Trustworthy" programs.

5. In case of #1 through 4, message privacy is maintained,
   e.g., opponent may not read private messages.

6. In case of #1 through 4, authentication is maintained,
   e.g., opponent may not impersonate any user.

7. Opponent may A) steal Crypto Bone hardware, B) steal or
   pwn user's main machine, or C) steal media containing
   master key.

   Resulting degradation of properties is: (correct me
   wherever I've got it wrong; I'm assuming you meant to say
   that the three components contain secrets useful only
   in combination).

   A:   Authentication and Privacy intact.
   B:   Authentication and Privacy intact.
   AB:  Authentication and Privacy intact.
   AC:  Authentication and Privacy intact.
   BC:  Authentication and Privacy intact.
   ABC: Authentication broken (opponent can pretend to be
        user whose key has been stolen); Privacy degraded
        to Forward Secrecy (Opponent can read new private
        messages to that user but still can't read past
        private messages to the user).

8. BADUSB is not considered as part of this threat model.
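The table in item 7 only states the outcomes. The following Python model, added here as an illustration and not part of the analysis above nor of the Crypto Bone's actual key handling, shows one hypothetical key design that produces exactly those outcomes: the master key is XOR-split three ways across the device (A), the main machine (B) and the key media (C), so any two components reveal nothing; the current message chain key is sealed under the master key and advanced with a one-way ratchet after every message, so a full ABC compromise yields the authentication key and all future message keys but none of the earlier ones. All names (`Device`, `opponent_outcomes`, the `"auth"`/`"vault"`/`"msg"`/`"next"` labels) are assumptions of this model.

```python
"""Hypothetical model of the A/B/C key split and the forward-secrecy
degradation described in item 7. Not the Crypto Bone's real design."""
import hashlib
import hmac
import os

KEY_LEN = 32


def kdf(key: bytes, label: bytes) -> bytes:
    """One-way key derivation (HMAC-SHA256): outputs cannot be run backwards."""
    return hmac.new(key, label, hashlib.sha256).digest()


def xor_bytes(x: bytes, y: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(x, y))


def split_3_of_3(secret: bytes):
    """XOR-split the master key into three shares (A, B, C). Any two shares
    are uniformly random and carry no information about the secret."""
    a, b = os.urandom(len(secret)), os.urandom(len(secret))
    c = xor_bytes(xor_bytes(secret, a), b)
    return a, b, c


def combine(a, b, c):
    """The master key is recoverable only when all three shares are present."""
    if a is None or b is None or c is None:
        return None
    return xor_bytes(xor_bytes(a, b), c)


def stream_xor(msg_key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: keystream blocks derived from the message key."""
    out = bytearray()
    for i in range(0, len(data), KEY_LEN):
        block = kdf(msg_key, b"ks" + i.to_bytes(4, "big"))
        out += xor_bytes(data[i:i + KEY_LEN], block)
    return bytes(out)


class Device:
    """Hypothetical device: the master key is assembled from the three shares
    only while in use; at rest the hardware holds just the chain key sealed
    under the master key. The chain key starts as fresh randomness, so it is
    never derivable from the master key alone."""

    def __init__(self, master: bytes):
        self.master = master
        self.auth_key = kdf(master, b"auth")   # long-term, tied to identity
        self.chain_key = os.urandom(KEY_LEN)   # ratchet state, replaced per message
        self.log = []                          # ciphertexts an opponent may capture

    def send(self, plaintext: bytes):
        msg_key = kdf(self.chain_key, b"msg")
        ct = stream_xor(msg_key, plaintext)
        tag = kdf(self.auth_key, ct)
        self.chain_key = kdf(self.chain_key, b"next")  # old chain key is deleted
        self.log.append((ct, tag))
        return ct, tag

    def sealed_vault(self) -> bytes:
        """What a thief finds on the powered-off hardware."""
        return xor_bytes(self.chain_key, kdf(self.master, b"vault"))


def opponent_outcomes(stolen: set) -> dict:
    """Evaluate item 7 for a set of stolen components drawn from {'A','B','C'}.
    Each component is modelled as holding one share; 'A' also yields the
    sealed vault and the captured message log."""
    master = os.urandom(KEY_LEN)
    shares = dict(zip("ABC", split_3_of_3(master)))
    dev = Device(master)
    past_msg = b"earlier private message"            # constructed sample
    past_ct, _ = dev.send(past_msg)                  # sent before the theft
    sealed = dev.sealed_vault()                      # state at theft time
    got = {k: (shares[k] if k in stolen else None) for k in "ABC"}
    recovered = combine(got["A"], got["B"], got["C"])
    if recovered is None:
        return {"master": False, "impersonate": False,
                "read_new": False, "read_past": False}
    auth_key = kdf(recovered, b"auth")
    chain_key = xor_bytes(sealed, kdf(recovered, b"vault"))
    # Authentication broken: opponent can produce valid tags for any ciphertext.
    impersonate = kdf(auth_key, b"forged") == kdf(dev.auth_key, b"forged")
    # New messages readable: opponent holds the current chain key and can
    # follow the ratchet forward.
    new_msg = b"message sent after theft"            # constructed sample
    new_ct, _ = dev.send(new_msg)
    read_new = stream_xor(kdf(chain_key, b"msg"), new_ct) == new_msg
    # Past messages not readable: their message key came from a chain key
    # that was deleted, and kdf cannot be inverted to recover it.
    read_past = stream_xor(kdf(chain_key, b"msg"), past_ct) == past_msg
    return {"master": True, "impersonate": impersonate,
            "read_new": read_new, "read_past": read_past}


if __name__ == "__main__":
    for combo in ["A", "B", "AB", "AC", "BC", "ABC"]:
        print(f"{combo:<4}", opponent_outcomes(set(combo)))
```

Running the module prints one row per combination from the table: every row short of ABC reports nothing recoverable, and the ABC row reports impersonation and reading of new messages but not of past ones, matching "Privacy degraded to Forward Secrecy". The two properties that make this work are the 3-of-3 split (no partial information from fewer shares) and deletion of the previous chain key on every send; a design that kept old chain keys, or derived the initial chain key from the master key, would lose forward secrecy in the ABC case.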