ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 2:55 am

Hi all,

I'm looking to send data from one RPi to another whilst ensuring that the reverse data flow is physically impossible.
Essentially, I need a data diode or unidirectional network between the 2 RPis, as is common in security applications: http://en.wikipedia.org/wiki/Unidirectional_network

I had originally thought about using an IR LED on one and an IR receiver on the other, but perhaps it's simpler (and faster) to do a simple serial connection using the GPIO and keeping only a single TX -> RX wire in place between the 2 RPis. Perhaps using a real diode in the middle to ensure the data only flows one way.

It's important to prove that, even if both RPis are compromised, the reverse data communication cannot take place via the data diode.

Obviously there won't be any 2-way connection handshakes, or acknowledgements from the receiving host. I suppose that's OK.

I haven't yet used GPIO, and I'm fairly new to electronics so I'd like to hear the opinions from the community before starting this little project.

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 5:32 am

That's the way: TX can only transmit, RX can only receive. This connection, plus GND connection, makes a one-way data link.

If you want to really make sure that even if both pis are compromised no data can be sent in the other direction, you'll need a buffer (CD4050 or so) in that TX->RX connection. Without that buffer, it's possible to use the wire for backwards communication, but that wouldn't be going unnoticed. The backward speed will be very low, and CPU usage will be very high.

EDIT:

A diode in that line does not prevent data from going "backwards", only current.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 1:52 pm

karlkiste wrote:If you want to really make sure that even if both pis are compromised no data can be sent in the other direction, you'll need a buffer (CD4050 or so) in that TX->RX connection. Without that buffer, it's possible to use the wire for backwards communication, but that wouldn't be going unnoticed. The backward speed will be very low, and CPU usage will be very high.
Thanks! That's exactly what I needed. I will make a simple TX->RX connection with a CD4050 in between.

Based on the pin headers of the GPIO and CD4050 I came up with the following connections. Please let me know if they are correct or not:
[Attachment: rpi_gpio_data_diode.png (RPi GPIO Data Diode)]

Dutch_Master
Posts: 362
Joined: Sat Jul 27, 2013 11:36 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 1:57 pm

Keep in mind the low voltage on the GPIO pins. Most vendors selling you a CMOS chip assume you have a 5V supply. Choose one that can handle the 3V3 levels.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 2:10 pm

Dutch_Master wrote:Keep in mind the low voltage on the GPIO pins. Most vendors selling you a CMOS chip assume you have a 5V supply. Choose one that can handle the 3V3 levels.
Yes, I have checked the datasheet and the CD4050 suggested by karlkiste does support a supply voltage range of 3.0V to 15V.

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 2:21 pm

Yes, the schematic is what I had in mind. Just connect all unused inputs to GND or +3v3.

CD4050, HCF4050, HC4050 should all work with 3.3V. HCT4050 will probably not.

74HC125 would be an alternative, 74LS125 not.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 2:30 pm

Cool.
I tried searching for smaller, 4 pins (VDD, VSS, Input, Output), hex non-inverting buffers, but couldn't find any. I suppose there aren't many applications for them?

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 2:50 pm

Not really. But you might find AND or OR gates which can be used by tying both inputs together.

By the way, hex means "six in one package"

TC7S08F for example is a low pin count gate.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 3:32 pm

karlkiste wrote:By the way, hex means "six in one package"
Haha, doh! :oops:

The gate option looks even better. I'm really new to this, so I'll give both options a try. I'm curious to see what speeds I can achieve without corrupting data (since there's no way for the transmitting RPi to know when it happens).

I like this approach because it's something I can quickly put together myself. A more complex solution might involve a circuit that handles Rx/Tx with each host (hence catches and corrects errors), but still overall acting as a data diode between the two hosts. It could potentially even buffer data internally when the receiving host is not ready to read. But the more complex it gets the more difficult it is to prove its suitability as a data diode, and it's definitely not for now.

Thanks again for your help!
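An added example, not part of the original thread or ktorn's code: one way the receiving Pi can detect corrupted or lost data on a link with no acknowledgements. Each chunk goes into a frame carrying a sequence number and a CRC-32, and the sender repeats every frame. The frame layout, the `SYNC` marker, the repeat count and the sample records are all assumptions made for the illustration.

```python
import struct
import zlib

SYNC = b"\xaa\x55"             # frame marker (assumed value)
HEADER = struct.Struct(">IH")  # sequence number, payload length
MAX_PAYLOAD = 256              # sanity bound used to reject corrupted length fields

def encode_frame(seq: int, payload: bytes) -> bytes:
    body = HEADER.pack(seq, len(payload)) + payload
    return SYNC + body + struct.pack(">I", zlib.crc32(body))

def transmit(chunks, repeats=3):
    """Sender: no ACK can ever arrive, so each frame is simply sent several times."""
    return b"".join(encode_frame(seq, c) * repeats for seq, c in enumerate(chunks))

class Receiver:
    """Reassembles frames from an arbitrary byte stream and records what was lost."""
    def __init__(self):
        self.buf = bytearray()
        self.delivered = {}   # seq -> payload, first good copy wins
        self.rejected = 0     # frames dropped for bad CRC or impossible length

    def feed(self, data: bytes) -> None:
        self.buf += data
        while True:
            start = self.buf.find(SYNC)
            if start < 0:
                del self.buf[:-1]          # keep one byte: it may be half of SYNC
                return
            del self.buf[:start]
            if len(self.buf) < len(SYNC) + HEADER.size:
                return                     # header not complete yet
            seq, length = HEADER.unpack_from(self.buf, len(SYNC))
            end = len(SYNC) + HEADER.size + length + 4
            if length <= MAX_PAYLOAD and len(self.buf) < end:
                return                     # wait for the rest of the frame
            body = bytes(self.buf[len(SYNC):end - 4])
            ok = length <= MAX_PAYLOAD and \
                struct.pack(">I", zlib.crc32(body)) == bytes(self.buf[end - 4:end])
            if ok:
                self.delivered.setdefault(seq, body[HEADER.size:])
                del self.buf[:end]
            else:
                self.rejected += 1
                del self.buf[:1]           # not a valid frame: slide on and resync

    def missing(self):
        """Sequence numbers below the highest one seen that never arrived intact."""
        top = max(self.delivered, default=-1)
        return [s for s in range(top + 1) if s not in self.delivered]

def demo():
    chunks = [f"lifelog record {i}".encode() for i in range(4)]  # constructed data
    stream = bytearray(transmit(chunks))
    flen = len(encode_frame(0, chunks[0]))       # the sample frames are all 28 bytes
    stream[3 * flen + 10] ^= 0x01                # bit error in the first copy of frame 1
    stream[6 * flen:9 * flen] = bytes(3 * flen)  # dropout wipes all copies of frame 2
    rx = Receiver()
    for i in range(0, len(stream), 5):           # arbitrary read sizes, like a UART
        rx.feed(bytes(stream[i:i + 5]))
    return rx
```

In `demo()` the bit error costs one rejected copy but frame 1 still arrives from a repeat, while frame 2 shows up in `missing()`; a loss at the very end of a transmission is only visible once a later sequence number arrives.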

Richard-TX
Posts: 1549
Joined: Tue May 28, 2013 3:24 pm
Location: North Texas

Re: Data diode (unidirectional comm) between 2 RPis

Wed Oct 23, 2013 4:40 pm

Here is the only way to ensure your data is truly secure.


Image
Richard
Doing Unix since 1985.
The 9-25-2013 image of Wheezy can be found at:
http://downloads.raspberrypi.org/raspbian/images/raspbian-2013-09-27/2013-09-25-wheezy-raspbian.zip


ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 1:49 am

ephemeric, that's cool. Thanks for sharing the slides for your ZaCon presentation.

Here's my implementation of the Pi to Pi cheap data diode, using just the CD4050 as a one-way buffer.
Image

The public Pi (near side) connects to the network via the ethernet adaptor.

The private Pi (far side) only has a USB drive for storage and a FST-01 configured with NeuG random number generator. I'm playing with the idea of generating OTPs for securely transmitting data back to the private Pi via the Internet.

It works surprisingly well. This project is a part of my master's degree (working on a prototype for grokya) so I will publish all the details when I complete the master's.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 2:15 am

By the way, I'm working with the assumption that the software (including OS) running on the private Pi cannot be trusted. We just don't know how many backdoors there are, intentional or not (think Heartbleed), in what is a fairly complex piece of software like GNU/Linux.

Therefore, slightly off-topic, but the Raspberry Pi comes with an FM transmitter out-of-the-box, so when air gap style security is required, a Faraday cage may also be necessary to enclose the Pi.

In the meantime I'm also trying to figure out how to prevent data leaking from the power cable. It's trivial to leak data (very slowly) just by manipulating the current draw (manipulating CPU/GPU usage) in the private Pi. There are probably other ways, but this is what came to my mind.

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 5:47 am

ktorn wrote:In the meantime I'm also trying to figure out how to prevent data leaking from the power cable.
That's easy, when efficiency is not a concern: Use a constant-current power-supply. The output is connected to the private pi, in parallel with a power resistor. Say, your power supply delivers 1000mA, the resistor is 5 Ohm (and minimum 5 Watt). The resistor will "regulate" the output voltage to 5V, while the total power will always be exactly 5 Watt. The pi takes as much as it needs, the rest is converted to heat by the resistor.

The heat generated by the pi and the resistor always sums up to 5 Watt, so if both are mounted inside a single case, the temperature can not give away information.

Greets,
Kiste

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 2:10 pm

@karlkiste,

Sounds like a neat solution, so simple.

In my current setup (not pictured above) I'm actually powering both Pis from the same 5V 5A power supply (it's just what I had lying around with the right voltage and enough current). I did it by cutting a couple of micro USB cables and wiring them directly to the power supply, in parallel. It works well.

So to do what you suggest, I suppose I could get one of these LED drivers, place it between the main power supply and the private pi, and add the resistor in parallel.

Please check this schematic and let me know if it's correct:
Image

PiGraham
Posts: 3671
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 2:43 pm

I'm intrigued. What uses does this have? Stopping data getting out is trivial - don't make a connection at all. Networks are two-way. A client makes a request and a server responds to the request with some data. Request and response are both data.
A one-way link is broadcasting or 'unicasting' (?) from a source to clients, where what arrives at clients is only what the source sends. Clients can't make requests.

Getting old-school, the Teletext system is an example of one-way data. A server transmitted a fixed set of pages of text along with the TV signal. Receivers could select which of the pages to display, but they had no access to anything except that small fixed set and they had to wait until the selected page was sent.

Will you be sending a small set of data packets out on a schedule for clients to select from? You could serve a small website like that, pushing pages out so that clients might cache the data into a local copy of the server web site that can be browsed locally on the client. I suppose that could have some uses. The server can update the feed and the clients that are listening will eventually update themselves with the latest content.

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 2:48 pm

Yes and no... The schematic is what I had in mind, but the constant current module needs some voltage to work with. So, it must be powered with probably 7 volt or more.

And, thinking again about what I wrote earlier, I'm starting to find it might be nonsense...

While the resistor does limit the voltage to 5V, it will in fact not *regulate* it. What you need (apart from the constant current source and a higher voltage supply) is called a shunt regulator. It can be simply a high-power zener diode, or a circuit in which a transistor is controlled to keep the voltage at 5V level.

So, it's not all that easy, but far from impossible ;-)

Greets,
Kiste

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 2:57 pm

PiGraham wrote:I'm intrigued. What uses does this have?
I also was confused at first. But there are use cases.

Think of "data leaking out" not like an accident, but as the result of an evil hacker attack. Say, it is log files of a high-security system which a hacker wants to modify to conceal his dirty work. If there's only a way for data to get into the recording device, not out of it, it's only possible to append data, not modify existing data. (That's a bit mixed with WORM, but it points to the same direction.)

Of course there's a way to get data out again, but only with physical actions done on the security device itself. If there was no way to get data out at all, /dev/null would be the place to use :-D

Greets,
Kiste

Mortimer
Posts: 924
Joined: Sun Jun 10, 2012 3:57 pm

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 3:05 pm

I am intrigued by what you are doing here.

Most of the mainstream fully accredited data diode solutions are based on having an optical path somewhere in the chain. Any electrical connections, even notionally unidirectional connections like the one here, where only the Tx connection is made at one end and the Rx at the other, would be seen as a big NO NO by security accreditors. I have used data diodes, and they had to be placed in an optical path, and the two ends of the link had to be at least 1m apart.
--------------
The purpose of a little toe is to ensure you keep your furniture in the right place.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 3:55 pm

PiGraham wrote:I'm intrigued. What uses does this have? Stopping data getting out is trivial - don't make a connection at all.
If Heartbleed taught us anything, it is that we can't trust anything, not even some of the most important building blocks of Internet security, like OpenSSL.

As karlkiste already pointed out, the world is full of very capable individuals who will "make the connection" and extract private data from your systems against your wishes. Those breaches are made possible because the stack (from the hardware, to the OS, and applications) simply allows it, due to bugs and vulnerabilities (and if you are really paranoid, due to intentional backdoors).

There are many uses for protecting data behind data diodes, and I'm just exploring a really simple and cheap solution using 2 Pis.
karlkiste wrote:If there was no way to get data out at all, /dev/null would be the place to use
The funny thing is that, for the purpose of my master's project it is pretty much acting as a temporary /dev/null.

A little background on the project. In a nutshell I'm working on a prototype of what I call a digital mind extension, which you can think of as "an artificial brain where you upload your mind". Currently the private Pi will simply store my detailed lifelog (I record myself 24/7, including audio, location, biometrics, activities on laptop, phone, etc). Later I will work on analysis/mining of this data in order to create a "digital mind" that could one day represent myself in the Internet of Minds (IoM).
As part of my master's I will use the public Pi as a simple API to my "mind" that can answer simple queries about my preferences, without giving direct access to my demographics (this feature will not make use of the private Pi, for obvious reasons). The idea is to create a viable privacy-protecting alternative to consumer profiling techniques by corporations.

So, the private Pi is really just to store the really private stuff until one day I'm ready to use it. Think of it like cryogenics for one day resurrecting my digital self. :)

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 4:05 pm

Mortimer wrote:Any electrical connections, even notionally unidirectional connections like the one here, where only the Tx connection is made at one end and the Rx at the other, would be seen as a big NO NO by security accreditors.
My original idea did involve an "optical" solution, using IR, but this seems better for the Pi scenario.

I have no idea what security accreditors would think of this, but the fact is that the non-inverting buffer really seems to do the job here. I've tested it by reversing the Tx-Rx connections on both Pis and could not send anything back in the inverse direction. The buffer just won't let the signal travel in the reverse direction, and its behaviour can't be modified remotely.

stevend
Posts: 215
Joined: Fri Oct 11, 2013 12:28 pm

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 5:07 pm

The constant current idea won't quite work as described - you will end up with variable voltage. As soon as the Pi takes some current, the current through the parallel resistor will drop, so (using Ohm's law) the voltage across it will decrease - quite possibly to a level where the Pi stops working. Certainly you'd end up with an unstable/unreliable setup.

You would need to replace the resistor with a 'shunt' voltage regulator (as used with photovoltaic cells, wind generators etc, but lower current) to hold the voltage across the Pi to a nominal 5 volts. And whatever you do, you'll need to make sure that the generated heat has somewhere to go.

karlkiste
Posts: 189
Joined: Tue Jan 22, 2013 8:50 am
Location: berlin, germany

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 8:43 pm

stevend wrote:You would need to replace the resistor with a 'shunt' voltage regulator
Thank you for backing me up here, confirming the error I have made (and corrected in a later post). It's always better to have someone else check the ideas back before hardware is to be fried :-)

Greets,
Kiste

PiGraham
Posts: 3671
Joined: Fri Jun 07, 2013 12:37 pm
Location: Waterlooville

Re: Data diode (unidirectional comm) between 2 RPis

Wed Apr 16, 2014 9:13 pm

ktorn wrote:
PiGraham wrote:I'm intrigued. What uses does this have? Stopping data getting out is trivial - don't make a connection at all.
If Heartbleed taught us anything, it is that we can't trust anything, not even some of the most important building blocks of Internet security, like OpenSSL.

As karlkiste already pointed out, the world is full of very capable individuals who will "make the connection" and extract private data from your systems against your wishes. Those breaches are made possible because the stack (from the hardware, to the OS, and applications) simply allows it, due to bugs and vulnerabilities (and if you are really paranoid, due to intentional backdoors).
This is true, but the 'data diode' is useless in securing internet connections where data must be exchanged to function. This form cannot possibly function through a data diode. Email is impossible. Google is impossible.

Turned the other way around, where a client sends data into a 'vault', or even a 'black hole' you could use it as a write only personal blog. The out side of the 'diode' is a data logger that just stores whatever comes in.

This raises another concern though. In this scenario all the data come in from the public side. The big archive is secure, but the channel into it may not be. That's what happened to Google. The NSA tapped the traffic going in, making the security around the data store almost worthless.

Aren't we back at the 'cut the wire' solution? Log your private data directly onto the private machine and do not connect that machine to anything else.

ktorn
Posts: 14
Joined: Fri Mar 29, 2013 8:49 am

Re: Data diode (unidirectional comm) between 2 RPis

Thu Apr 17, 2014 1:51 am

Yes, it doesn't make sense to use it if the system needs to send data back out the same way. In those cases you just have to live with the fact that your data is vulnerable.
PiGraham wrote:The big archive is secure, but the channel into it may not be.
Yes but it can be, which is why I'm looking into one time pads (OTPs) for securely sending private data to the vault.

With OTPs, you can have all the quantum computing power in the universe and you won't be able to break the encryption. It's mathematically proven to be unbreakable.

The idea is that the vault (private Pi) generates OTPs (with the help of the true random number generator dongle pictured above) and regularly transfers a copy of the OTP to the lifelogging device (say, mobile handset). I'm investigating ways to do that transfer without defeating the purpose of the data diode, so it will obviously involve some method that requires the 2 devices to be in close proximity. The scenario is that every night I will charge my lifelogging device in a special dock that will also "charge" it with fresh OTPs from the vault.

The weak link will then be the lifelogging device, but that's a whole different subject. Standard mobile handsets are known to have backdoors built into the hardware (GSM chipset). I'll look into a secure lifelogging device after the master's.

Edit: regarding the "cut-the-wire" remark, it's quite different. The data can be automatically logged/stored in real time without requiring effort from the user. The less time the data lingers in the lifelogging device, the better.
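An added example, not part of the original thread or ktorn's project: a sketch of the pad bookkeeping this scheme needs when the vault can never tell the device how far into the pad it has got. The message format (an 8-byte pad offset sent in the clear, then the XORed body), the class names and the sample records are assumptions, and `secrets.token_bytes` stands in for the hardware random number generator.

```python
import secrets
import struct

OFFSET = struct.Struct(">Q")   # pad offset header, sent in the clear (assumed format)

class PadExhausted(Exception):
    pass

class PadReuse(Exception):
    pass

class Logger:
    """Lifelogging device: holds a copy of the pad and only ever moves forward in it."""
    def __init__(self, pad: bytes):
        self.pad, self.pos = pad, 0

    def encrypt(self, plaintext: bytes) -> bytes:
        end = self.pos + len(plaintext)
        if end > len(self.pad):
            raise PadExhausted("no unused pad left: dock the device for fresh material")
        key = self.pad[self.pos:end]
        msg = OFFSET.pack(self.pos) + bytes(p ^ k for p, k in zip(plaintext, key))
        self.pos = end             # advance before the message leaves the device
        return msg

class Vault:
    """Private side: accepts gaps (lost messages) but never a pad range twice."""
    def __init__(self, pad: bytes):
        self.pad, self.high_water = pad, 0

    def decrypt(self, msg: bytes) -> bytes:
        (start,) = OFFSET.unpack_from(msg)
        body = msg[OFFSET.size:]
        end = start + len(body)
        if start < self.high_water:
            raise PadReuse("offset points into pad bytes that were already consumed")
        if end > len(self.pad):
            raise PadExhausted("message refers to pad bytes the vault never issued")
        self.high_water = end
        return bytes(c ^ k for c, k in zip(body, self.pad[start:end]))

def demo():
    pad = secrets.token_bytes(64)           # stand-in for pad bytes from a hardware RNG
    device, vault = Logger(pad), Vault(pad)
    m1 = device.encrypt(b"heart rate 61")   # constructed sample records
    m2 = device.encrypt(b"location home")   # never delivered: lost on the one-way link
    m3 = device.encrypt(b"steps 10432")
    results = {"m1": vault.decrypt(m1), "m3": vault.decrypt(m3)}
    try:
        vault.decrypt(m1)                   # replay of an old message
    except PadReuse:
        results["replay_refused"] = True
    try:
        device.encrypt(bytes(64))           # more data than unused pad remains
    except PadExhausted:
        results["device_refused"] = True
    return results
```

XOR with a pad provides confidentiality only; this sketch does not authenticate messages, so a bit flipped in transit changes the decrypted record without being noticed.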
