Introduction:#
This article aims to outline my thoughts and designs on Secret that have emerged in the past, including toolchains and ideas. They are not generally applicable, and there is nothing like this in the Secret aspect. I'm just giving an example of my design. Since the structure of this design itself is a leak, I can only provide reference sources for its details in the highest requirements.
Is it necessary?#
Certainly, most of the time, the methods mentioned in this article are excessive, but for the sake of interest, we can also try some means. And I try my best to make this article realistic (compared to many such articles that are not realistic in terms of high requirements and convenience).
To be supplemented:#
The topic of this article has no end, and all available tools, methods, and ideas for thinking are welcome to be supplemented.
Evaluation strategy:#
In fact, there are drawbacks to the solutions for Secret: sometimes they are difficult to deploy, maintain, or use; sometimes you can choose between various technologies, but none of them fully meet your "specifications"; sometimes they are too new to determine if they are really effective.
Therefore, people should first ask a few simple questions to establish a threat model, which is the identification and prioritization of potential threats.
What do we want to protect?#
What we want to protect may be so extensive that it is impractical, or it may be so indifferent in the current situation that it is rotten.
The term "protection" covers different needs:
- Privacy: Hide information to prevent leakage;
- Integrity: Maintain the integrity of information and prevent others from modifying it;
- Accessibility: Ensure accessibility.
These requirements often conflict, so it is necessary to determine priorities and find compromises. At least one compromise principle is needed because different compromises together may compromise the security of all parts.
Who do we want to protect ourselves from?#
The assessment of adversaries is crucial, and the capabilities of adversaries have a significant impact on our strategies. Traditional tutorials often tell us to make the right assessment, but in reality, there is a difficult situation: we cannot assess in advance. In theory, we can only consider the worst case, which is what most of this series will do most of the time. But please note that we often cannot deploy all strategies. Therefore, it becomes a challenge to maintain progressive security. This also makes it a point of our research, which often can only be achieved through strategic rather than technical means.
The means of adversaries are quite extensive. Indeed, people lacking imagination either lack technical awareness of adversaries or non-technical awareness that technical difficulties can be ignored. But in reality, Secret is a problem with multiple dimensions, and the means of adversaries may be legitimate or covert; there may be many technical resources, or they may mainly rely on social engineering methods; economic means are also a problem, can the adversary really and will they pay enough costs?; of course, there are also political means.
The issue of compromise:#
The possibilities of attack and surveillance are infinite, and so are the devices to resist them. However, every additional protection we want to implement corresponds to learning and time efforts. Therefore, in each case, it is necessary to find a suitable compromise between usability and the required level of protection. Sometimes, this balance point does not exist. The effort to guard against seemingly non-existent risks is too painful, either take the risk or simply do not use digital tools to store certain data or discuss certain things.
What to do?#
Which practices and tools are sufficient to protect me from the previously evaluated risks?
For a certain strategy, ask:
- In the face of such a security strategy, what attack angles will my adversaries use?
- What means should my adversaries take?
- Are these means available to my adversaries?
Some rules:#
In terms of security, simple solutions are always better than complex ones. A complex solution provides more "attack surfaces". Someone once said:
"We cannot trust a security strategy that we do not understand."
A complex system has many links, and the security of each link and their interaction must be reviewed. This is a big project! However, a complex strategy provides more choices and availability. In a well-combined situation, security will not be lower than the lowest link. You must consider the complexity of the strategy that can be maintained and will be maintained. Once it does not match, the system will collapse.
No one is absolutely reliable:#
Most computer problems sit between the keyboard and the chair.
People are always the problem, and here it is almost most of the problem.
A good strategy cannot always rely on the user's focus. The system must provide solid requirements and strictly fix the sources of risks.
Nothing is forever:#
The field of computer security changes very quickly, and solutions that are considered quite secure today may be easily attacked next year. The toolchain used must be kept up to date and preferably have alternative solutions to replace each node. At least ensure that it is not irreparable once disconnected. All of this takes a little time and should be planned from the beginning.
...To be continued...