Krstić delivered the spec at the RSA security conference here and sounded a call for security research professionals to pick it apart, provide feedback and pitch in to help secure the notebook machines from malicious hackers.
Bitfrost, which gets its name from Norse mythology, provides a comprehensive overview of the security model, covering everything from password use and hard-drive encryption to machine authentication, security updates and data-loss prevention.
In an interview following his RSA conference presentation, Krstić said the spec was created with input from about a dozen well-known security pros. "Let's face it, this project will have enemies. We're shipping these machines to countries with political instability so we're assuming there are real attackers interested in hacking into killing these machines. We had to look at all the potential attack angles," he explained.
Krstić, who is studying theoretical mathematics and computer science at Harvard University, said the inability to make strong assumptions about Internet connectivity drove many of the decisions around security updates. The spec does not include any mention of how the OLPC machines will be patched, but Krstić said it's a strong possibility that automatic updates will be enabled by default.
"We've figured out how to handle automatic updates. By default, whenever the laptop connects to the Internet, it will ask the school's server if there are patches or updates available. This will be in place even if you're not in contact with the school server, you can ask the OLPC server to push down the update," he explained.
The project's goal is to ship millions of identical, network-attached computers into some of the most remote locations -- all managed by schoolteachers and kids with no computer experience -- so Krstić's team had to make sure the security model was as uncomplicated as possible.
The goals of the spec:
No user passwords
With users as young as five years old, the security of the laptop cannot depend on the user's ability to remember a password. Users cannot be expected to choose passwords when they first receive computers.
No unencrypted authentication
Authentication of laptops or users will not depend upon identifiers that are sent unencrypted over the network. This means no cleartext passwords of any kind will be used in any OLPC protocol and Ethernet MAC addresses will never be used for authentication.
The laptop should be both usable and secure out-of-the-box, without the need to download security updates when at all possible.
Limited institutional PKI
The laptop will be supplied with public keys from OLPC and the country or regional authority (e.g. the ministry or department of education), but these keys will not be used to validate the identity of laptop users. The sole purpose of these keys will be to verify the integrity of bundled software and content. Users will be identified through an organically-grown PKI without a certified chain of trust — in other words, our approach to PKI is KCM, or key continuity management.
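The key continuity management approach described above pins the first public key seen for a peer and only raises an alarm when that key later changes. The following is an added example, not code from the Bitfrost spec or the OLPC project, of how such a store can work: identities (assumed to be laptop names or serial numbers), the public-key bytes and the SHA-256 fingerprinting are all assumptions chosen for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field


@dataclass
class KeyContinuityStore:
    """Trust-on-first-use pin store.

    The first public key presented for an identity is recorded. Later
    presentations are compared against the pinned fingerprint rather than
    against a certificate chain, which is what key continuity management means.
    """
    pins: dict = field(default_factory=dict)  # identity -> hex fingerprint

    @staticmethod
    def fingerprint(pubkey: bytes) -> str:
        # Fingerprinting keeps the store small and makes comparison constant-shape.
        return hashlib.sha256(pubkey).hexdigest()

    def check(self, identity: str, pubkey: bytes) -> str:
        """Return 'new', 'match' or 'changed' for this identity/key pair.

        'changed' is the condition a user interface should surface: the peer
        is presenting a different key than the one first seen, which may be a
        legitimate re-key or an impersonation attempt; the store cannot tell.
        """
        fp = self.fingerprint(pubkey)
        known = self.pins.get(identity)
        if known is None:
            self.pins[identity] = fp
            return "new"
        if known == fp:
            return "match"
        return "changed"

    def rekey(self, identity: str, pubkey: bytes) -> None:
        """Explicitly accept a new key after an out-of-band confirmation."""
        self.pins[identity] = self.fingerprint(pubkey)

    def to_json(self) -> str:
        # Persisting the pins is what gives continuity across reboots.
        return json.dumps(self.pins, sort_keys=True)

    @classmethod
    def from_json(cls, data: str) -> "KeyContinuityStore":
        return cls(pins=json.loads(data))


def demo() -> list:
    """Run a constructed sequence of key presentations through the store."""
    store = KeyContinuityStore()
    # Constructed sample keys; real public keys would be DER/PEM bytes.
    key_a = b"laptop-SN0001-pubkey-v1"
    key_b = b"laptop-SN0001-pubkey-v2"
    results = [
        store.check("SN0001", key_a),   # first contact -> 'new'
        store.check("SN0001", key_a),   # same key again -> 'match'
        store.check("SN0001", key_b),   # different key -> 'changed'
    ]
    # Persist and reload: the pin survives, so the old key still matches
    # and the changed key is still flagged.
    reloaded = KeyContinuityStore.from_json(store.to_json())
    results.append(reloaded.check("SN0001", key_a))
    results.append(reloaded.check("SN0001", key_b))
    return results


if __name__ == "__main__":
    print(demo())
```

The point a deployment has to get right is the `changed` outcome: continuity management gives no authority to consult, so the only safe default is to refuse the new key until someone confirms it out of band and calls `rekey`.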
No permanent data loss
Information on the laptop will be replicated to some centralized storage place so that the student can recover it in the event that the laptop is lost, stolen or destroyed.
The machine will also feature an anti-theft kill switch that gives school administrators the ability to permanently disable lost laptops. Krstić said the OLPC received "very strong requests from certain countries" for a powerful anti-theft mechanism, leading to the decision to add a call-home feature that pings an anti-theft server for authentication.
The security process actually starts at the time the machine is manufactured, Krstić said, pointing out that a randomly generated serial number and UUID are assigned to each laptop at the manufacturing plant. A brand new OLPC machine is largely non-functional unless it is activated with the key and UUID number.
This helps to deal with a potential weakness in the distribution component, when millions of machines are shipped internationally. The OLPC will generate and deliver the keys on a USB key to the schools and, once an OLPC server is installed, the keys for specific laptops can be turned on to bring the machine to life.
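The activation and anti-theft mechanisms described above come down to one check on the laptop: a lease issued by an authority must be bound to this exact serial number and UUID, must not have been altered in transit, and must not have expired. The code below is an added illustration, not OLPC's implementation. It uses an HMAC with a key shared between issuer and laptop as a stand-in for the public-key signatures the spec relies on, because the Python standard library has no signature primitive; the field names, the lease format and the sample identifiers are all assumptions.

```python
import hashlib
import hmac
import json


def _canonical(payload: dict) -> bytes:
    # Canonical serialization so issuer and verifier authenticate identical bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_lease(authority_key: bytes, serial: str, uuid: str, expires_at: int) -> dict:
    """Issuer side: bind a lease to one machine and give it an expiry."""
    payload = {"serial": serial, "uuid": uuid, "expires": expires_at}
    body = _canonical(payload)
    tag = hmac.new(authority_key, body, hashlib.sha256).hexdigest()
    return {"body": body.decode(), "tag": tag}


def laptop_can_activate(authority_key: bytes, serial: str, uuid: str,
                        lease: dict, now: int) -> bool:
    """Laptop side: refuse to come to life unless the lease is genuine,
    issued for this machine, and still valid."""
    body = lease["body"].encode()
    expected = hmac.new(authority_key, body, hashlib.sha256).hexdigest()
    # Constant-time comparison avoids leaking how many tag bytes matched.
    if not hmac.compare_digest(expected, lease["tag"]):
        return False
    payload = json.loads(body)
    # A lease for any other machine is worthless here, so a single
    # leaked lease cannot activate a whole shipment.
    if payload.get("serial") != serial or payload.get("uuid") != uuid:
        return False
    # Expiry is what lets a call-home server stop renewing a stolen laptop.
    return int(payload.get("expires", 0)) > now


def demo() -> dict:
    """Constructed scenarios for the checks above."""
    authority_key = b"constructed-authority-key-not-a-real-secret"
    serial, uuid = "SHC00000001", "8d1c0e2a-0000-4000-8000-000000000001"
    good = issue_lease(authority_key, serial, uuid, expires_at=2_000_000)

    tampered = dict(good)
    tampered["body"] = good["body"].replace("SHC00000001", "SHC00000002")

    other_machine = issue_lease(authority_key, "SHC00000002", uuid, expires_at=2_000_000)
    expired = issue_lease(authority_key, serial, uuid, expires_at=1_000)

    return {
        "valid": laptop_can_activate(authority_key, serial, uuid, good, now=1_500_000),
        "tampered": laptop_can_activate(authority_key, serial, uuid, tampered, now=1_500_000),
        "other_machine": laptop_can_activate(authority_key, serial, uuid, other_machine, now=1_500_000),
        "expired": laptop_can_activate(authority_key, serial, uuid, expired, now=1_500_000),
        "wrong_authority": laptop_can_activate(b"someone-else", serial, uuid, good, now=1_500_000),
    }


if __name__ == "__main__":
    print(demo())
```

With real public-key signatures the laptop would hold only the OLPC and country public keys described earlier and could not mint leases itself; the shape of the check (authenticate, bind to the machine, enforce expiry) stays the same.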
The spec assumes the machines will be potential targets for many of the threats on mainstream computers -- from data theft to viruses and malware to botnets -- and Krstić said the threat model calls for the machine to be resilient even if an attacker is successful.
"For all but the most pathological scenarios, I really think this platform will provide stronger protections than anything you'll find out there in mainstream use. I'm pretty confident that this model will hold up very well," said Krstić, who spent the last seven months working 16- to 18-hour days on the spec.
As much as he's confident, Krstić remains nervous. "I won't start sleeping soundly at night until we actually implement all this and see that it works."