Tweet
I think I have figured out a "perfect" way to transfer keys for tunnelling an internet connection. The problem with transferring keys is that there always has to be a "first key" which must be sent unencrypted. If it is sent over a tapped line, it gets snorted up into the NSA key pile and any subsequent data sent over that key's encrypted line isn't secure.
To solve this we must send the first key by mail. this key is used to establish an encrypted link to download the permanent key. But even the mail might be read, and a thumb drive in a letter might be dumped, giving the NSA the first key.
The solution is to store the data on a copy protection dongle. I understand that they are essentially just a little vault which contains some encrypted data and the only way to decrypt the data or even to dump it in encrypted form (without cracking open the dongle and hooking wires to the chip) is to have a password. This password will not be included in the package with the dongle, but there will be a link to my server which has a file containing the password. What makes it secure is that password can only be downloaded ONCE. And once the password is downloaded (through tapped lines) and the NSA knows it, the dongle is physically out of their hands and (providing they didn't crack open the plastic and solder wires to the chip to dump it) they will not have the code which the password decrypts. After the password is downloaded, the users computer must open the vault on the dongle, remove the encryption key, and write gibberish over it before closing the vault. Thus the NSA can now steal the dongle and it has nothing meaningful on it.
This is contingent upon there not being a "master password" which can open all of the dongles of that make. I think the SecuTech UniKey is a good choice of dongle because it allows for multiple passworded vaults allowing for users to pass the dongle to their friends, and take one key after another from the dongle until they are all used up. This company also allows the developer to set the password, not like some crappy companies who the NSA can call and give the serial number to and they will cough up the password. The only thing I wish these dongles had is a way to overwrite the serial number. It's best if they absolutely can't be looked up in a database.
What do you think? Do these dongles keep a secret? Is there any reason to suspect back-doors/master passwords? Is SecuTech known to be any good?
Tell me if my analysis is all wet.
To solve this we must send the first key by mail. this key is used to establish an encrypted link to download the permanent key. But even the mail might be read, and a thumb drive in a letter might be dumped, giving the NSA the first key.
The solution is to store the data on a copy protection dongle. I understand that they are essentially just a little vault which contains some encrypted data and the only way to decrypt the data or even to dump it in encrypted form (without cracking open the dongle and hooking wires to the chip) is to have a password. This password will not be included in the package with the dongle, but there will be a link to my server which has a file containing the password. What makes it secure is that password can only be downloaded ONCE. And once the password is downloaded (through tapped lines) and the NSA knows it, the dongle is physically out of their hands and (providing they didn't crack open the plastic and solder wires to the chip to dump it) they will not have the code which the password decrypts. After the password is downloaded, the users computer must open the vault on the dongle, remove the encryption key, and write gibberish over it before closing the vault. Thus the NSA can now steal the dongle and it has nothing meaningful on it.
This is contingent upon there not being a "master password" which can open all of the dongles of that make. I think the SecuTech UniKey is a good choice of dongle because it allows for multiple passworded vaults allowing for users to pass the dongle to their friends, and take one key after another from the dongle until they are all used up. This company also allows the developer to set the password, not like some crappy companies who the NSA can call and give the serial number to and they will cough up the password. The only thing I wish these dongles had is a way to overwrite the serial number. It's best if they absolutely can't be looked up in a database.
What do you think? Do these dongles keep a secret? Is there any reason to suspect back-doors/master passwords? Is SecuTech known to be any good?
Tell me if my analysis is all wet.
Comment