Forum Rule: Always post complete source code & details to reproduce any issue!
Page 1 of 2 1 2 LastLast
Results 1 to 25 of 27

Thread: NSA Proof Teensy 3.0/3.1 Data Vault Project. Used by the paranoid or secure users.

  1. #1
    Senior Member
    Join Date
    Nov 2012
    Posts
    412

    NSA Proof Teensy 3.0/3.1 Data Vault Project. Used by the paranoid or secure users.

    In the revelations from Edward Snowden, the NSA is capable of obtaining data on US citizens when they connect to a computer network or
    communicate by mobile phone/landline.

    We came up with a very secure, but simple system, to prevent government NSA data snooping using the Teensy 3.

    There are three parts to our secure data vault system:

    1. Off the shelf portable 1.8 inch screen 6th gen digital Clip MP3 MP4 Player with FM/Video/E-book Support 1-16GB Micro memory. ($10 USD)
    http://www.aliexpress.com/item/1set-...745957951.html
    Portable E-book reader of data vault text (has no network or Wifi)

    2. Transflash SD ( Stores user personal data in encrypted format.)

    3. Battery powered Teensy 3.0/3.1 with microSD.

    We created special Teensy 3.0/3.1 battery operated hardware with special algorithms to hash/encode/decode text files.
    Our special hash algorithms do not use the standard published algorithms, on the net, that have "backdoors" for NSA.

    Notes:
    The miniature transflash is extremely small it can be easily transported or hidden or sent undetected.
    The portable Teensy 3.0/3.1 hardware is needed to decode/encode user data for user viewing.
    All Teensy 3 development is being done on a XP PC computer with no network connection for secure development.


  2. #2
    Senior Member pictographer's Avatar
    Join Date
    May 2013
    Location
    San Jose, CA
    Posts
    665
    I'd love to have secure computing resources. I don't mean to discourage you, but what makes you think that your hash algorithms are new and unbroken or difficult to break? NSA has wickedly deep expertise in reversing crypto.

    What's your threat model? If you're "interesting" for any reason, that XP PC without a net connection isn't much of a barrier. How do you handle keys? If you key doesn't have much entropy, it doesn't matter how good your crypto is. If your key is complex, how does the user enter it quickly? If it's hard to enter, they will leave the device unlocked. How does it scale? Keeping your personal notes secure is nice, but we can't change the world without collaborating.

    Have you listened to Jacob Applebaum's talks on TOR? Bad crypto gets people jailed, tortured, and killed. Would you still claim your system was secure if someone under a repressive government wanted to use it?

  3. #3
    Senior Member
    Join Date
    Sep 2013
    Location
    Hamburg, Germany
    Posts
    894
    Currently the only place to store information securely is a brain.

  4. #4
    Member AverageGuy's Avatar
    Join Date
    Aug 2013
    Location
    Atlanta
    Posts
    51
    Quote Originally Posted by christoph View Post
    Currently the only place to store information securely is a brain.
    You haven't heard of torchure?

  5. #5
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    21,293
    I'm not a crypto expert, but it does seem like security through obscurity implemented on top of well establish algorithms (eg, encrypt with known algorithms and *then* encrypt that with an obscure one) would likely be better that only using a custom/obscure algorithm.

    But whether any of this helps your privacy from the NSA is a good question. Odds seem pretty good they probably learn everything they could want to know about you by observing your communication and its metadata as you electronically interact with the rest of the world.

  6. #6
    Senior Member
    Join Date
    Jun 2013
    Location
    So. Calif
    Posts
    2,828
    Unless you are an evil-doer, or a wanna-be, just use common encryption of your financial info to protect from simple theft.

  7. #7
    Senior Member
    Join Date
    Sep 2013
    Location
    Hamburg, Germany
    Posts
    894
    Quote Originally Posted by AverageGuy View Post
    You haven't heard of torchure?
    my bad, but isn't that also somehow moving the goal posts?

  8. #8
    Senior Member
    Join Date
    Jan 2013
    Posts
    966
    Well...yeah! Nothing is save if you have unhindered access to the device. He He ;-)

  9. #9
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    21,293
    Quote Originally Posted by stevech View Post
    Unless you are an evil-doer, or a wanna-be, just use common encryption of your financial info to protect from simple theft.
    Or if you happen to look like or happen to speak with an accent similar to the evil-doers in the major Hollywood movies.

    I personally don't know any real evil-doers.... only mischief makers.
    Last edited by PaulStoffregen; 01-30-2014 at 05:16 PM.

  10. #10
    Senior Member pictographer's Avatar
    Join Date
    May 2013
    Location
    San Jose, CA
    Posts
    665

  11. #11
    Senior Member
    Join Date
    Nov 2012
    Posts
    412
    I'd love to have secure computing resources. I don't mean to discourage you, but what makes
    you think that your hash algorithms are new and unbroken or difficult to break?
    Finding a good programmer with credentials of being at the top of the class in IT at the university
    and with over 30 years of industry experience does make coding the Teensy 3 with special custom made hash algorithms
    a snap. (It's his hobby)

    NSA has wickedly deep expertise in reversing crypto.
    NSA is lazy and took the easy way out. NSA made it easy to snoop on US citizens by encouraging "standards"
    in networking and encryption. There are probably many "backdoors" on the AES encryption standard used for
    internet commerce. They probably had many paid accomplices, with American tax dollars, like Oracle,
    Microsoft, Yahoo, IBM, CISCO, and to date, these companies never claimed they where in kahoots with the NSA because
    they would lose a lot of overseas revenue if they did.


  12. #12
    Senior Member pictographer's Avatar
    Join Date
    May 2013
    Location
    San Jose, CA
    Posts
    665
    Are you planning to share the code?

  13. #13
    Senior Member+ MichaelMeissner's Avatar
    Join Date
    Nov 2012
    Location
    Ayer Massachussetts
    Posts
    3,482
    Of course there is no such thing as perfect security. For example, if you were a high value target, someone could read your keypesses, some distance away from your computer through various means, or they could simply break in and put a tap between your keyboard/monitor and the computer.

  14. #14
    Senior Member PaulStoffregen's Avatar
    Join Date
    Nov 2012
    Posts
    21,293
    Quote Originally Posted by MichaelMeissner View Post
    Of course there is no such thing as perfect security.
    Not even a special hat made from tin foil?

  15. #15
    Senior Member
    Join Date
    Sep 2013
    Location
    Hamburg, Germany
    Posts
    894
    Quote Originally Posted by PaulStoffregen View Post
    Not even a special hat made from tin foil?
    That'd be security by obscurity I guess...

  16. #16
    Senior Member Constantin's Avatar
    Join Date
    Nov 2012
    Location
    In the yard with a 17' Dia. Ferris Wheel
    Posts
    1,408

    I thank Mr. Snowden...

    ... for opening everyone's eyes to the sheer scale with which the NSA is operating to actively undermine the security of standards, paying off companies (RSA, et al), etc. For all I know, their work on quantum computers is complete, obviating the benefit most currently-used algorithms. Bottom line: if you want to be free of the eavesdropping, etc. may I suggest a hermit-like existence on a remote island that's yours, living off the land and communicating by smoke signals with passing boats.

    For the rest of us that live in populated areas, hold employment, use credit cards, etc. the best option is to choose politicians to at the ballot box that take security and privacy seriously.

  17. #17
    Senior Member
    Join Date
    Jan 2013
    Posts
    966
    Quote Originally Posted by Constantin View Post
    For the rest of us that live in populated areas, hold employment, use credit cards, etc. the best option is to choose politicians to at the ballot box that take security and privacy seriously.
    Amen to that!

  18. #18
    Senior Member
    Join Date
    Nov 2012
    Posts
    412
    may I suggest a hermit-like existence on a remote island that's yours, living off the land and communicating by smoke signals with passing boats.
    Not necessary. It's really a quite simple solution. If you don't want NSA snooping, keep all your data away from the network or internet.

  19. #19
    Senior Member+ MichaelMeissner's Avatar
    Join Date
    Nov 2012
    Location
    Ayer Massachussetts
    Posts
    3,482
    Quote Originally Posted by t3andy View Post
    Not necessary. It's really a quite simple solution. If you don't want NSA snooping, keep all your data away from the network or internet.
    That still doesn't stop somebody from physically breaking and entering into your stronghold and copying your data.

  20. #20
    Senior Member
    Join Date
    Nov 2012
    Posts
    412
    That still doesn't stop somebody from physically breaking and entering into your stronghold and copying your data.
    All they will be copying would be encrypted data with a very secure hash algorithm.

  21. #21
    Senior Member+ MichaelMeissner's Avatar
    Join Date
    Nov 2012
    Location
    Ayer Massachussetts
    Posts
    3,482
    So do you encrypt the files in your head and read the encrypted messages without having a computer decrypt them? Otherwise, it is subject to something that 'reads' the message over your shoulder as you are reading it or writing it, i.e. a bug that was planted on you or in your computer. I assume you would have to continually sweep for 'bugs', and only do things inside of a lead lined faraday cage, and even then I could imagine ways to get the bug in/out of the cage, when you enter it. Of course this all depends on whether you are such a high value target that it would be worth the enormous amount of effort it would be to do this spying. For most people, they aren't worth the effort, but that doesn't mean security can't be breached.

    And another thing is if you are such a high value target, and the NSA thinks you are a bad guy, if they locate you, they might decide it is simpler to just eliminate you.

  22. #22
    Senior Member
    Join Date
    Nov 2012
    Posts
    412
    So do you encrypt the files in your head and read the encrypted messages without having a computer decrypt them?
    I think you really missed the point of this project. I have the portable Teensy 3.0/3.1, (not computer) with some special attached user inputs and microSD, that encrypts my data files on a transflash memory SD. When I need to access the encrypted data, the Teensy 3 is put in the decrypt mode and it decodes the data files for viewing on a portable E-reader. After viewing the data, the Teensy 3 encrypts all the data files back for
    NSA proof security.

    Both the transflash and the portable Teensy 3 hash hardware will need to be found for NSA to be a real threat. By finding both pieces hardware together does not mean that NSA would be able to decrypt the data. NSA is no better than the ace programmer that designed the hash programs
    on the Teensy 3.

    On another note ... Edward Snowden is being nominated for the Nobel Peace Prize in which O' Bama won several years ago. go figure.
    Last edited by t3andy; 02-01-2014 at 06:53 PM. Reason: clarification

  23. #23
    Senior Member
    Join Date
    Jan 2013
    Posts
    966
    I think this project is a step in the right direction. Micro controllers have grown very powerful and have permeated the lives of most people. With the Internet of things upon us I think data encryption, protection of privacy and associated topics will grow in importance.

    Just because there are always people and methods that crack certain security measures does not mean we should not implement any or be overly critical of a project that implements security measures. It is an interesting topic that deserves more attention.

  24. #24
    Senior Member
    Join Date
    Nov 2012
    Posts
    412
    Are you planning to share the code?
    If we share the code, on the internet, NSA will scan it and it will become useless.

    The hardware cost, in this project, is very inexpensive but creating the complex hash algorithms is not.
    If every user, on this board, decided to "go their own way" and develop their own encryption/decryption
    algorithms to protect their data from NSA then NSA would have their work cut out for them.

  25. #25
    Quote Originally Posted by t3andy View Post
    If we share the code, on the internet, NSA will scan it and it will become useless.
    I think you've accidentally stated the very reason to be skeptical of your idea.

    If the security of your system depends on the source code being secret, then it's not encryption, it's security via obscurity. It's well established that obscurity is no security at all; it's at best a speed bump. Taking your statement to the logical conclusion, if you leak your source code even once to the wrong person, then everything anyone's tried to protect using it is now at risk. People who really care about their data want nothing to do with such a system.

    And I presume you will be encrypting the source code while it's under development? If the system you use to protect your source code is strong enough -- since revealing it could compromise all future data that it protects -- then why do you need a new system in the first place?

    Security industry consensus is that we need a smaller number of thoroughly-vetted algorithms and implementations which are shown by MANY independent people to be secure when properly used, even if everyone can see every detail of how they work. If you disagree with that consensus, the onus is really on you to prove otherwise.

    Quote Originally Posted by t3andy
    NSA is lazy and took the easy way out. NSA made it easy to snoop on US citizens by encouraging "standards" in networking and encryption.
    The fact that the NSA takes the easy way when they can means they're not stupid. It doesn't mean they're incapable of taking the hard way when they want/need to. History shows they've done just that on many occasions. The NSA is smart enough to get your keys and snare your data when you decrypt it to make use of it, so they don't always have to crack or have back doors into the algorithm. Assume for a moment that you make your device and it's uncrackable and works perfectly; the instant you decrypt the data and put it on a computer where you can use it, all of your work becomes irrelevant.

    Quote Originally Posted by t3andy
    Finding a good programmer with credentials of being at the top of the class in IT at the university and with over 30 years of industry experience does make coding the Teensy 3 with special custom made hash algorithms a snap. (It's his hobby)
    Quote Originally Posted by t3andy
    NSA is no better than the ace programmer that designed the hash programs on the Teensy 3.
    These quotes demonstrate extreme hubris and an underestimation of your enemy, both of which have been the root cause of cracked encryption schemes in the past. You are turning a blind eye to the history of information security. Doing encryption right is hard, and people who won't learn from others' mistakes can be relied upon to make the same naive mistakes others have and leave easily-exploited implementation flaws that can be attacked without knowing the source code or algorithm.

    You really only get one chance to design the algorithm. The attackers get an infinite number of chances to attack it, bounded only by the amount of time/money they are willing to throw at the attempt.

    Personally, I think your core idea to use the Teensy as a hardware encryption device is interesting, and if you're only interested in using it for your own use and will be rewarded by the effort, then absolutely you should go ahead and write the whole system. It will certainly be educational. Just don't expect it to be acceptable to anyone else or better than what's already out there.

    Arguments about security theory aside, I think that you could make something really interesting if you were to take an accepted, non-NSA-associated encryption system, and then use the hardware features of the Teensy (the ability to make the flash non-readable from outside the chip) to make a hardware encryption-key management device, so you can implement the idea you describe for using the Teensy as a hardware key to unlock your flash drive. Hardware tokens aren't a new idea, but an open-source implementation on Teensy would be very interesting and could eventually be genuinely useful.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •