On Wed, Apr 03, 2019 at 01:27:44AM +0100, James Catchpole (via tml list) wrote:
> I see the transponder issue as being one of not guaranteeing security but making it *difficult* for wrongdoers
> - within the Imperium at least.
>
> I was thinking that the transponder would be the key element, set up and sealed by the starport authority with
> a variety of anti-tamper mechanisms whose job is not to stop unauthorised access to the box, but to render it
> unusable if you do (including destroying the storage that contains the keys). That makes it *difficult* for
> anyone to get hold of any private keys - but not impossible (the corsair, for instance, is described as having
> a transponder that can be switched between several IDs). 
>
> As Catherine said, the authorities are going to maintain a separate database of public keys for verification.
> I see that as being for double checking rather than an intrinsic part of the system, though. After all, if you
> have the valid key pair for more than one ship of the same class then you can pretend to be any of them and no
> external database is going to spot that. I do like the idea of the handshake computation problems though, to
> try and establish that the unit broadcasting the signal is a real transponder (or at least a very, very good
> fake).
>
> Depending on where you are and who is checking on you, the response from the authorities is likely to vary
> from a casual once-over, through boarding your ship, to shooting on sight for any infraction.
>
> Of course, being caught using different transponder codes is going to get you treated as a suspected pirate at
> best...
>
>

* Transponder technology from the 2019 view

From the perspective of modern crypto this view, that ship's
transponders are *difficult* to hack but not _impossible_ to hack, is
essentially correct. But the problem isn't protecting the private
keys, that problem is largely solved today. If we assume the private
key / public key mechanism as the basis for the transponder
identification system, then the technology already exists cheaply on
Earth to create the system and store the keys in a fashion leaves them
hardened against theft:

   (Yubikey 5 NFC)[https://www.amazon.com/Yubico-YubiKey-USB-Authentication-Security/dp/B07HBD71HL/]

The linked device will store a set of RSA keys and has the code to use
those keys to sign or encrypt a data stream. The keys are pin
protected. Enter the wrong pin three times and the device will erase
the keys.

In Traveller such private keys would be part of an identification
device that enumerated who you were. The equivalent in 2019 is a
"certificate". A certificate is just a bundle of information
describing the bearer and a public key. You are who the certificate
says you are if you can decrypt a message encrypted with the
certificate's public key. Certificates are typically signed by other
certificate creating a chain. Signing certificates are distributed
such that the chain can be traced. If you can verify the decryption
and trace the chain to something that you trust then you can trust
bearer of the presented cert.

In Traveller there would be at least two types of identification
device. An individual ID for people and Transponders for space going
vessels. The trusted certs would come from core, through the sector
capital and then the subsector capital. They might go all the way down
to every class A and B star port.

* Transponder implications in Traveller

A good transponder would be a passkey of sorts. It verifies to people
that you don't know that you are probably who you claim to be. Starports could
charge an increased docking fee for ships that don't have a valid
transponder. If the fee was Cr500 and buying a valid transponder took
2 weeks and cost Cr250 then nearly every ship would get a valid
transponder at the time of it's annual overhaul.

A bad transponder wouldn't immediatly say that you are Pirate but in
deals with anyone who checked, it would be a warning sign that could
potentially increase costs. There are degrees here too. A transponder
that expired 5 days ago is technically bad but that kind of thing will
happen a lot.

Another common mode for bad transponders would be slight
infractions. Here in Connecticut in the U.S. we are pondering
automated tolls to pay for road repairs. The basis of the system
EZ*Pass but as a backup, the the system takes a picture of your
license plate. Massachusetts is complaining that a large number of
Connecticut drivers without EZ*Pass transponders are avoiding tolls
but they cannot convince the CT Department of Motor Vehicles to do
enforcement (by disallowing infractors from renewing the registration
on their cars). Certainly any legislation that brings transponder type
tolls to CT highways will also have the CT DMV revoking the
registration of a large list of vehicles that owe tolls in
Massachusetts. In the Traveller universe, expect that a transponder
that has a small fine attached would attract the attention of bribe
hungry petty officials at class C starports.

* Cracks in the system

The weakness in the system are as with any PKI. The person signing the
keys could be compromised. While the hardware might be _tamperproof_,
the unlock codes would always be subject to "Rubber hose decryption"
e.g. beat the person who knows owns the device with a rubber hose
until he tells you the pin. In the context of Traveller, a big issue
would be publishing the certificate revocation list or CRL. One has to
assume that a miscreant transponder will be listed and that list will
be published and distributed on the X-Boat network. The owner of ship
could run for quite a while before local authorities could catch up to
him. I think that this aspect is an actual design goal of the game.

There would be a black market for "Good Transponders" because in
security the rule is the integral of physical access crossed with time
will eventually trump any security measure. Pirates would certainly
have *a set* of good transponders on their ship. Depending on the cost
pirates engaged in piracy will either run with a "Good Transponder" or
run with the their transponder turned off lest their prey get off a
signal which invalidates the device. This would likely depend on the
prize.

--
Chris

     __o          "All I was trying to do was get home from work."
   _`\<,_           -Rosa Parks
___(*)/_(*)_____________________________________________________________
Christopher Sean Hilton                    [chris/at/vindaloo/dot/com]