The Reliable Security Environment

- Documentation -

March 2000

Copyrights, patents and warranties

RSE contains copyrighted software!

The design of RSE - The Reliable Security Environment - is Copyright © Ralf Senderek 2000. All rights reserved.
RSE includes this documentation which is also Copyright © Ralf Senderek 2000. All rights reserved.
Most of the content of RSE has not been created by the author, and every piece of software that is copyrighted has been signed with the author's PGP key to indicate the copyright. All of this software is readable text and can be scrutinized without limitation.

These rights include but are not limited to any foreign language translation of this documentation or the copyrighted software, and all derivative works of both.

All other parts of RSE which are not signed by the author - LINUX, SSH, PINE, and PGP - are subject to their respective authors' copyrights, patents and regulations, and it is entirely the user's duty to comply with any legal implication of this software.

The author explicitly grants licence to anyone for non-commercial use of RSE. But to ensure the reliability of the author's copyrighted software, changing the code and redistributing changed code is not permitted under any circumstances.

The author assumes no liability for damages resulting from the use of this software, even if the damage results from defects in this software, and makes no representations concerning the merchantability of this software or its suitability for any specific purpose. It is provided "as is" without expressed or implied warranty of any kind. Because of the fact that certain actions may delete files or render them unrecoverable, the author assumes no responsibility for the loss or modification of any data.

What is SECT?

SECT is the first part of the Reliable Security Environment (RSE). It provides a boot disk that turns your PC into a running LINUX system with reliable security features, which are described in greater detail in this documentation.

The main purpose of SECT, which has determined its design, is to provide a platform for establishing a secure contact to a remote computer system using strong cryptography. It therefore allows you to work on a remote, reliable system while using a totally insecure network to establish the connection. SECT is also the basis for using the RSE-disk: if you do not have a reliable system on the net, you can turn your local computer into a Reliable Security Environment by running the program "RSE start" on SECT or by configuring SECT to run RSE automatically.

What is RSE?

RSE provides a reliably secure working environment running entirely in the main memory of your local computer. This environment comprises everything needed to use pgp-2.6.3i transparently integrated into mail software, so you can safely enter your passphrase without the risk of its compromise. RSE also makes available some tools to back up and store your data locally, which make use of strong cryptography as well.

Preparing Your RSE-disk

You can download SECT from https://senderek.com/RSE/download.html

After having checked the signature of the file RSE.dd.pgp you can build your initial RSE-disk from the file RSE.dd using UNIX or DOS.

UNIX

Put a formatted 3½'' floppy into the first drive and use the following command:

dd if=RSE.dd of=/dev/fd0 bs=1k

DOS

You can use dd.exe, a shareware program made by Helmut Schellong. See its documentation.
Put a formatted 3½'' floppy into the first drive and use the following command:

dd if=RSE.dd of=fd0:c80h2s18 bs=1k

Running RSE for the first time.

Checking RSE

To check the integrity of your RSE-disk there is a program "checkRSE" that computes MD5 fingerprints of the filesystem and of your encrypted home directory, including the keys you have created and stored on your RSE-disk. The output of checkRSE will look like this:

Checking RSEs integrity ...
Are you sure the RSE-disk is in the drive ? [yes/] : yes
66c618714f4011f2038ab1cef491d4f2 filesystem

Because the fingerprint of your encrypted home directory changes each time it is encrypted again, it is of no use to display it here. The fingerprint of the filesystem (blocks 200 - 1240), however, should only vary with new versions of RSE. But to rely on those fingerprints you have to check the integrity of the md5 binary with "checkSECT" first.
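The following shell script is added here as an illustration; it is not the checkRSE program itself. It computes the two fingerprints the way the text describes, using dd and md5sum: the filesystem fingerprint over blocks 200 - 1240 and the home directory fingerprint over blocks 0 - 199. It assumes 1 kByte blocks (the block size used by the dd commands above) and that both block ranges are inclusive; the image it builds for demonstration is constructed sample data, not an RSE disk.

```shell
#!/bin/sh
# Added example, not the RSE "checkRSE" script: fingerprint the two regions
# of an RSE-disk image with dd and md5sum, the way the text describes.
# Assumptions: 1 kByte blocks (dd bs=1k as above), encrypted home directory
# in blocks 0-199, filesystem in blocks 200-1240, both ranges inclusive.
BLOCK_SIZE=1024
HOME_FIRST=0;  HOME_LAST=199
FS_FIRST=200;  FS_LAST=1240

# md5_hex: read stdin, print the hex digest only (md5sum on Linux, md5 on BSD)
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then md5sum | cut -d' ' -f1; else md5 -q; fi
}

# fingerprint_blocks IMAGE FIRST LAST -> MD5 of blocks FIRST..LAST of IMAGE
# (IMAGE may be a device such as /dev/fd0 or an image file made with dd).
fingerprint_blocks() {
    img=$1; first=$2; last=$3
    count=$((last - first + 1))
    dd if="$img" bs=$BLOCK_SIZE skip="$first" count="$count" 2>/dev/null | md5_hex
}

# The two values checkRSE reports on; only the filesystem one is stable.
fingerprint_filesystem() { fingerprint_blocks "$1" $FS_FIRST $FS_LAST; }
fingerprint_home()       { fingerprint_blocks "$1" $HOME_FIRST $HOME_LAST; }

# fill_blocks IMAGE FIRST COUNT WORD: overwrite COUNT blocks starting at
# FIRST with a repeating WORD; only used to build constructed sample images.
fill_blocks() {
    yes "$4" | head -c $(($3 * BLOCK_SIZE)) \
        | dd of="$1" bs=$BLOCK_SIZE seek="$2" conv=notrunc 2>/dev/null
}

# make_test_image PATH: a constructed 1440 kByte image with distinct
# content in the home region and in the filesystem region.
make_test_image() {
    dd if=/dev/zero of="$1" bs=$BLOCK_SIZE count=1440 2>/dev/null
    fill_blocks "$1" 0 200 HOME
    fill_blocks "$1" 200 1041 FS
}

# rewrite_home PATH: simulate a shutdown re-encrypting the home directory,
# which changes blocks 0-199 and must leave the filesystem fingerprint alone.
rewrite_home() { fill_blocks "$1" 0 200 NEWHOME; }

# Stand-alone use: "sh thisfile /dev/fd0" prints the filesystem fingerprint.
if [ $# -eq 1 ]; then
    echo "$(fingerprint_filesystem "$1") filesystem"
fi
```

Running fingerprint_filesystem against the drive reproduces the "filesystem" line; the home fingerprint is expected to differ after every shutdown, so only the filesystem value is worth writing down. As the text says, the value proves nothing unless the md5 binary computing it has been checked with checkSECT first.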

Basic Configurations

There is some specific information that has to be configured in the main configuration file "/RSE/rse/.RSEconfiguration" in the user's home directory before you can use RSE as your personal environment. Please have a look at the default configuration. You can edit the main configuration file using the editor pico, or vi, which is a link to pico (sorry, but a floppy is small; I would have included the real thing, if possible ;-) )

The configuration "/RSE/rse/.RSEconfiguration" can contain the following entries:

Protecting Your Homedirectory

If you have configured your login name in the main configuration file, the next time you start RSE you can log in with this name and you will be in the user's home directory "/RSE/rse". Before that, you can log in as user "rse" (UID=3).

The first 200 blocks of your RSE-disk are reserved to store your home directory in a PGP-encrypted and compressed format. When you start RSE for the first time you are prompted for the passphrase used to protect your home directory. It is set to "rse" for obvious reasons and should be changed when you stop RSE and are asked to enter a passphrase to save your home directory again. Please choose a secure passphrase. I have tried to give some hints that may be useful for selecting a secure passphrase; you will find them at the URL
https://senderek.com/security/secret-key.protection.html#passphrase.

Note that because PGP encryption and compression are used to store all the files in your home directory, you can possibly store up to 400 MByte of data in it. But as your mail comes in, this space might get too small, so you have to do some backing up and saving with the tools described below to keep enough space in your home directory.

If you shut down RSE with "RSE stop" or "save.RSE" and your home directory holds files too big to be saved to the RSE-disk, you will be warned, and only those files or directories listed in the file "/RSE/rse/.save" will be saved on the RSE-disk. Note that this will overwrite the existing data on the RSE-disk. You should then back up all important data before you turn off the power, because everything else will be gone.

The Firewall

The only network connections SECT allows are those needed for the Secure Shell. Running RSE requires weakening the firewall, because your mail has to find a way into your local system and out to your mail host. Consequently the packet filter allows an outgoing connection for SMTP, which transfers the mail you want to send to the outside world, and an incoming connection for POP3, which is used automatically by a program called "getmail" that is started with RSE to fetch your incoming mail to the local system.

Getting Your Mail

You will find your incoming mail in the usual place, /var/spool/mail/loginname, and appended to a folder called "oldmail" for use with PINE as well. This job is done by the program "getmail", which runs once after starting RSE to fetch your mail automatically. You can run this program at any time to query your mail host for new mail, but you have to enter your mail password every time.

If you wish to have new mail queried periodically and automatically, you can store your mail password in clear text in the file /RSE/rse/.mailsecret, and getmail will then do its job quietly at the intervals you specify in the configuration file. All output from the mail server is appended to the file /tmp/.maillog, where you can scrutinize the progress of the queries; it is forgotten after rebooting the system.

Storing your mail password in clear text is a risk if someone is able to see your home directory while the system is running in RAM. But that someone should only be you: the firewall does not permit remote connections to your local system, and your home directory is always stored encrypted on the RSE-disk.

PINE - The Mail Client

Although PINE is not the only mail client available, I think that this program is ideal for RSE, because it provides a simple way to integrate PGP without using it on the command line, and it always shows the use of PGP plainly without hiding it behind a mysterious shell with doubtful features. For the use of PINE please see its own documentation.

Using Securemail

RSE comprises a piece of software called "securemail" which acts as filter software for the mail client PINE. Whenever PINE needs an editor, the program "securemail" is used as the editor. It looks for an environment variable EDITOR, which overrides the default editor PICO, and starts that editor; normally it exits with the comment that PGP will not be used and the text remains unchanged.

But if a file ".securemail" is present in the user's home directory, even if it is zero bytes long, a menu pops up and you can choose SIGNING and/or ENCRYPTION, or you can SEARCH for public keys in your keyring, with a single keystroke. PGP is then used to perform signing and encryption and the result is displayed in the mail client immediately. So PGP is transparently used as an appendix to the alternate editor of your mail client.

To make this effective, your configuration file for PINE, /RSE/rse/.pinerc, contains the following entries:

editor=/RSE/securemail/securemail
display-filters="-----BEGIN PGP"  /RSE/securemail/checkmail _TMPFILE_

Consequently every mail message you receive which contains the string "-----BEGIN PGP" is read through the program "checkmail", which runs PGP on the message and informs you whether the result contains a good signature, or displays a warning otherwise.

Because they work as filters, "securemail" and "checkmail" can be used independently with any other software that supports input and output filters.
"securemaileditor", a link to securemail, can be used as a stand-alone editor with PGP functionality as well, to produce and sign digital documents.
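As an added illustration of the display-filter mechanism (this is not the RSE checkmail program, whose code is not shown on this page), the shell script below has the shape PINE expects: it receives the message file PINE passes as _TMPFILE_, runs PGP over it, classifies PGP's own diagnostics and prints a verdict line before the text. Assumed here: a pgp 2.6.x binary invoked as "pgp -o PLAINFILE MESSAGEFILE", and the wording of PGP's verdict lines ("Good signature from user", "WARNING: Bad signature"); the PGP output strings used to exercise the classifier are constructed.

```shell
#!/bin/sh
# Added example, not the RSE "checkmail" program: a PINE display filter
# that runs PGP over the message PINE hands it as _TMPFILE_ and reports the
# signature verdict before the text. Assumed: a pgp 2.6.x binary called as
# "pgp -o PLAINFILE MESSAGEFILE" (override with PGP=...), and the wording
# of PGP's verdict lines, "Good signature from user" and
# "WARNING: Bad signature".
PGP=${PGP:-pgp}

# classify_pgp_output TEXT -> GOOD, BAD or NOSIG
# Looks only at PGP's diagnostics, never at the message body, so a mail
# that merely contains the words "Good signature" cannot forge a verdict.
# BAD is matched first so that a bad-signature warning always wins.
classify_pgp_output() {
    case $1 in
        *"WARNING: Bad signature"*)   echo BAD ;;
        *"Good signature from user"*) echo GOOD ;;
        *)                            echo NOSIG ;;
    esac
}

# banner VERDICT -> the first line the reader sees in PINE
banner() {
    case $1 in
        GOOD) echo "*** checkmail: good PGP signature ***" ;;
        BAD)  echo "*** checkmail: WARNING: bad PGP signature, do not trust the text below ***" ;;
        *)    echo "*** checkmail: no signature verified (encrypted only, or PGP reported an error) ***" ;;
    esac
}

# check_message FILE: run PGP, then print verdict, PGP's own output and the
# plaintext. The passphrase is never read here: PGP prompts for it itself
# on the terminal, which is what keeps the filter transparent.
check_message() {
    msg=$1
    plain=$(mktemp); diag=$(mktemp)
    "$PGP" -o "$plain" "$msg" >"$diag" 2>&1
    verdict=$(classify_pgp_output "$(cat "$diag")")
    banner "$verdict"
    cat "$diag"
    echo "-----"
    [ -s "$plain" ] && cat "$plain"
    rm -f "$plain" "$diag"
}

# Invoked by PINE through:
#   display-filters="-----BEGIN PGP" /path/to/this/script _TMPFILE_
if [ $# -eq 1 ]; then
    check_message "$1"
fi
```

The design point is the one the text makes about securemail: the filter never touches the passphrase and never decides anything from the message body; every verdict is derived from what PGP itself reported, and PGP's full output is shown so the user can see it was run.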

The file /RSE/rse/.securemail can contain the following two entries :

which determine the layout of the user's menu. You can always add signing or encryption, or decide to apply no change to the originally edited text, at any time, which gives you full flexibility while editing your outgoing mail.

Saving Files Securely

Although the files in your home directory are saved to the RSE-disk every time you shut down RSE, there are two programs, "ssave" (secure-save) and "sex" (secure-extraction), which help you back up your data during everyday use of RSE. If you receive lots of data with your mail you will need a backup tool quickly. Both programs use archives to save the files, so that you have a single archive on another medium as a backup. If you prefer to save files individually you can use the tools "scopy" (secure-copy) and "icopy" (insecure-copy) as user "root".

ssave

usage : ssave [-append] [files]

When invoked without any parameters, ssave automatically saves all files listed in the file /RSE/rse/.save to the floppy in the boot drive. Please use one or more dedicated SECURE-DATA disks for the backup and avoid overwriting your RSE-disk.
If you use the option "-append", ssave reads an archive from a disk, decrypts it using PGP, and stores its content on a RAMDISK mounted on /backup. If your appended data amounts to no more than 1300 kByte, the archive is stored to (another) disk after being encrypted with PGP again.

Please bear in mind that you will always have only one archive on a single disk, which is called "data.tar.pgp", and that you replace the existing data unless you use the option "-append".

If you would like to have your data archive on a floppy with a DOS filesystem instead of using the disk as a raw tar archive, you can specify this in the main configuration file with the entry DISK="dos".
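To show the saving procedure described above in working form, here is an added example that is not the RSE ssave program itself. It builds the single archive a SECURE-DATA disk holds from the file list in /RSE/rse/.save, checks it against the 1300 kByte limit the text gives before anything is written, and only then encrypts and writes it. Assumed: GNU or BSD tar with -T, a pgp 2.6.x binary with -c (conventional encryption) and -o, the floppy device /dev/fd0, and that the plaintext archive is built under /tmp (a RAMDISK on RSE). The "-append" merge is not covered; the files and list used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not the RSE "ssave" program: archive the files named in
# /RSE/rse/.save, refuse to write when the archive exceeds the 1300 kByte
# limit, then encrypt with PGP and write to the floppy. Assumptions:
# tar -T, "pgp -c FILE -o OUT" (conventional encryption), /dev/fd0.
SAVE_LIST=${SAVE_LIST:-/RSE/rse/.save}
LIMIT_KB=1300
PGP=${PGP:-pgp}
DEVICE=${DEVICE:-/dev/fd0}

# build_archive LISTFILE OUT: tar up every existing path named in LISTFILE
# (one per line, blank lines ignored). Missing paths are reported and
# skipped rather than aborting the backup. Returns 1 if nothing was found.
build_archive() {
    list=$1; out=$2
    tmp=$(mktemp)
    n=0
    while IFS= read -r path; do
        [ -z "$path" ] && continue
        if [ -e "$path" ]; then
            echo "$path" >> "$tmp"; n=$((n + 1))
        else
            echo "ssave: skipping missing $path" >&2
        fi
    done < "$list"
    if [ "$n" -eq 0 ]; then rm -f "$tmp"; return 1; fi
    tar -cf "$out" -T "$tmp"
    rm -f "$tmp"
}

# size_kb FILE -> size in whole kBytes, rounded up
size_kb() {
    bytes=$(wc -c < "$1")
    echo $(( (bytes + 1023) / 1024 ))
}

# archive_fits FILE -> 0 if FILE fits on one disk, 1 otherwise. The check
# runs on the plaintext tar, before PGP is ever asked for a passphrase.
archive_fits() {
    kb=$(size_kb "$1")
    if [ "$kb" -gt "$LIMIT_KB" ]; then
        echo "ssave: archive is ${kb} kByte, limit is ${LIMIT_KB} kByte; shorten $SAVE_LIST" >&2
        return 1
    fi
    return 0
}

# ssave_disk: the whole procedure. The plaintext tar only lives in a
# temporary directory and is removed whether or not the write happened.
ssave_disk() {
    work=$(mktemp -d)
    if build_archive "$SAVE_LIST" "$work/data.tar" && archive_fits "$work/data.tar"; then
        # PGP asks for the passphrase itself; this script never reads it
        "$PGP" -c "$work/data.tar" -o "$work/data.tar.pgp" \
            && dd if="$work/data.tar.pgp" of="$DEVICE" bs=1k
        status=$?
    else
        status=1
    fi
    rm -rf "$work"
    return $status
}
```

Checking the size on the plaintext archive is deliberate: PGP compresses before encrypting, so the encrypted file is usually smaller, but refusing early avoids prompting for a passphrase and then discarding the result.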

sex

usage : sex [files]

The purpose of sex is to extract all the goodies from an archive, either individually or, when invoked without any parameters, in a bunch as listed in the file /RSE/rse/.load. You can use sex with parameters to extract single files from an archive if they are actually stored there, but you have to remember the passphrase you used with ssave.

Programs to Use with RSE as Root

There are some programs designed for use by the user "root" only.

scopy

usage : scopy [files]
usage : scopy [-destination [device]] [files]
usage : scopy [-source [device]] [files]

The user "root" can use scopy to encrypt single files with PGP for storage on any available medium, including harddisk partitions. The device file used for storing the files can be specified with "-destination /dev/sda1", for instance. Accordingly, the option "-source /dev/hdb4" specifies a partition from which files are read and then stored in the working directory.

Without any files specified, scopy looks for files on the medium; if no device file is given, it either tries to access the medium set as SECUREMEDIUM in the main configuration file or uses the boot floppy drive as the default. So you can use scopy to see the content of your storage medium. All files are PGP-encrypted individually and saved to the same medium.

morepace

This program creates another RAMDISK of 4 MByte which is added to the filesystem as /A, /B or /C.

extract.RSE

This program is run automatically from the script "RSE start", creating a RAMDISK mounted on /RSE which holds all of the RSE software. The user's home directory is restored next, the mail software is prepared according to the user's configuration, and finally getmail is started to fetch new mail. Normally this does not have to be done twice.

RSE stop

To shut down the Reliable Security Environment and return to the state of the original SECT-disk, the user's home directory is saved to the RSE-disk and all changes RSE has made to the filesystem are reverted.

save.RSE

During this process save.RSE is used to save all files in the user's home directory to the RSE-disk. This replaces all existing data on the RSE-disk.

Saving Files Insecurely

In case you are willing to store files to or from a medium
* without any encryption *
you can use "icopy", which is used in exactly the same way as "scopy".

But all files will be stored on the medium as clear text. There will be no protection!

The Security of Your System

Secure filesystem
Your system runs entirely in a RAMDISK. There is no permanent storage medium included in your system. You can check this by executing the command df, which shows the devices that make up your filesystem:

Filesystem         1024-blocks  Used  Available  Capacity  Mounted on
/dev/ram2                 3963  2467       1496       62%  /
/dev/ram3                 3963  3206        553       85%  /RSE
/dev/ram5                 3963    13       3746        0%  /A

If you create new space in the filesystem, this is also a RAMDISK. The integrity of your RSE-disk can be checked at any time with checkRSE, which produces the md5 fingerprint of the filesystem as stored on the disk. There is also no device used for swapping, so no part of memory can be found elsewhere. So the passphrase which unlocks your secret key is never stored anywhere except in the main memory of the system.
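The two properties claimed here (every mount is a RAMDISK, no swap device) can be checked mechanically. The script below is an added example, not part of RSE: it reads df output and /proc/swaps and reports every device that violates either property. It assumes df's column layout as shown above (device first, mount point last, one header line), /dev/ram* as the RAMDISK device names, and a Linux /proc/swaps with one header line; the df listing it embeds is the one from the text and the swap listing is constructed.

```shell
#!/bin/sh
# Added example, not part of RSE: verify that every mounted filesystem is a
# RAMDISK and that no swap area is active, from df(1) output and
# /proc/swaps. Assumptions: df prints the device in the first column and
# the mount point in the last, /dev/ram<N> names the RAMDISKs, and
# /proc/swaps has a single header line. Mount points containing spaces
# would not be handled.

# nonram_mounts < DF_OUTPUT -> one "device mountpoint" line per mount that
# is NOT on a RAMDISK; empty output means "RAM only".
nonram_mounts() {
    awk 'NR > 1 && $1 !~ /^\/dev\/ram[0-9]+$/ { print $1, $NF }'
}

# active_swaps < PROC_SWAPS -> the device of each active swap area
active_swaps() {
    awk 'NR > 1 && NF > 0 { print $1 }'
}

# ram_only_ok DF_TEXT SWAPS_TEXT -> 0 when RAM-only and swapless, 1 otherwise;
# every offending device is listed on stderr.
ram_only_ok() {
    bad=$(printf '%s\n' "$1" | nonram_mounts)
    swp=$(printf '%s\n' "$2" | active_swaps)
    rc=0
    if [ -n "$bad" ]; then echo "mounted outside RAM: $bad" >&2; rc=1; fi
    if [ -n "$swp" ]; then echo "swap active on: $swp" >&2; rc=1; fi
    return $rc
}

# Constructed sample input: the df listing from the documentation and an
# empty /proc/swaps, as expected on a running RSE.
SAMPLE_DF='Filesystem 1024-blocks Used Available Capacity Mounted on
/dev/ram2 3963 2467 1496 62% /
/dev/ram3 3963 3206 553 85% /RSE
/dev/ram5 3963 13 3746 0% /A'
SAMPLE_SWAPS='Filename Type Size Used Priority'

# On a live system: ram_only_ok "$(df)" "$(cat /proc/swaps)"
```

On the sample input the check passes; a line such as "/dev/hda1 ... /mnt" in df, or any entry below the header of /proc/swaps, makes it fail and names the device, which is exactly the condition under which a passphrase or decrypted home directory could end up on a permanent medium.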

Minimal access to the system
Access to your system is permitted from the console only, the keyboard being directly connected to your system. So the only one who can exercise "root powers" is you. You can log into your system as "root" and as the "logname" you specified in the main configuration file simultaneously, switching between both screens with ALT-F1/ALT-F2. There should be no access to your system from the net, because the firewall software blocks all IP traffic except that on port 22, which is indispensable for the Secure Shell, and on ports 25 and 110 to get your mail out (SMTP) and in (POP3).
As a matter of fact there are no daemons running in the background which provide services to the net, and there is not even a smail daemon running on RSE, because smail is invoked on demand when outgoing mail is sent. That ensures that your system has minimal connectivity, just sufficient to open a secure connection to one single system and to transport your mail.

Strong encryption
Your home directory, which holds your encrypted PGP keys but also sensitive data as clear text, is always stored on the RSE-disk after having been encrypted with a 128-bit IDEA key. The security of your data in the home directory, as well as of your data on backup disks, depends on the quality of your passphrase.

In case you decide to use the program "icopy" to write clear text data to some device, which only root can do, you are warned that there is no protection for the files you save. Be cautious while using this tool.

Transparency
Everything I contributed to RSE is readable text and all programs are shell-scripts signed with PGP.

Securemail is designed to act as transparent input/output filter software that shows the use of PGP every time it is invoked. As you can see, the filter software never reads passphrases; this job is done entirely by PGP.

Leaving nothing behind ...
And you can turn off the power at any time you like, knowing that you don't leave anything behind! But be aware that you have to shut down RSE properly to have your modified home directory ready the next time you use RSE.

Credits

The Reliable Security Environment uses :
All rights are reserved to the authors of this famous software and everyone who has contributed. I am glad that I could find such a professional basis for the design of RSE. I thank you all very much.

Files

/RSE/rse/.RSEconfiguration
is the main configuration file for RSE.
/RSE/rse/.save
holds the names of files and directories which will be saved (while stopping RSE with "/root/RSE stop") if the files in rse's home directory exceed the space for user data on the RSE-disk.
/RSE/rse/.load
holds names of files and directories which will be used during automatic extraction of user data with "sex".
/RSE/rse/.hosts
holds the names of local hosts that will be appended to /etc/hosts.
/RSE/rse/.mailsecret
holds the password for queries to the POP3 mail server, to enable automatic queries. This information has to be protected using access control. It is stored as part of rse's home directory, encrypted on the RSE-disk.
/RSE/rse/.pinerc
holds the main configuration for PINE. This file is updated with information from .RSEconfiguration. Changes will be permanent if made to /RSE/rse/.pinerc.empty.
/RSE/rse/.securemail
holds options for automatic signing and encryption.
/RSE/rse/manual/RSE.manual
is a plaintext version of this documentation.
/RSE/rse/ssh-keys
I recommend saving your ssh keys here as a backup in case you lose or delete your SECT-disk.

Copyright © Ralf Senderek 2000