Betrusted is a cryptoprocessor with a dedicated display and keyboard. It’s a protected place for your private matters.
The Birds, the Bees, and the Private Keys
A hacked phone or laptop means all of your passwords, private keys, authenticator tokens and other secrets are potentially compromised. To guard against this, systems are starting to incorporate physically distinct “enclaves” (aka secure elements or TPMs). An enclave is like having a safe in your house: even if the lock on the front door is broken, the thief still can’t access the contents of the safe.
Today’s enclaves protect only certain cryptographic secrets, such as private keys. These enclaves lack human-friendly I/O and must delegate the task of rendering and recording information to a less secure host.
This leads to an important nuance: protecting private keys is not the same thing as protecting your private bits. A remotely-controlled keyboard logger can still record your passwords as you type them; a screen grabber can still read your messages, photos, and authenticator tokens as easily as you can.
Betrusted solves this problem by incorporating easily auditable Human-Computer Interaction (HCI) elements to the security enclave. Betrusted ensures that human-readable secrets are never stored, displayed, or transmitted beyond the confines of the betrusted device: betrusted is a security enclave with human-friendly I/O.
HCI-driven security model
HCI stands for Human-Computer Interaction. It’s about making computers usable.
Adding human I/O to an enclave means tackling the diversity of human language without compromising security. Thus a key challenge for betrusted is striking a balance between best security practices and a native-language HCI: more features means more attack surfaces, while too few features renders the device too difficult to use.
Therefore, correctly scoping the HCI aspect is critical. Betrusted’s HCI scope includes text and voice messaging support.
- The HCI rationale page explores the core HCI requirements.
- The betrusted architecture page covers how HCI and security requirements come together into a single device.
Trust starts with transparency. Food is labelled with their ingredients, and subject to routine tests for quality and contamination. This keeps us safe from foodborne illnesses. As long as technology remains a black box, we should not be surprised that bad actors can hide viruses in our devices.
Betrusted aims to build a full technology stack, including silicon, device, OS, and UX, that is open for inspection and verification by anyone: experts, governments, and users are free to audit, critique, confirm and improve its ability to keep secrets. You, the user, get to pick which version or provider for betrusted you trust the most. Thus, the only secrets in betrusted are the ones you put in it.
The depth of this tech stack represents a significant engineering effort, spanning multiple disciplines across the techology spectrum. We welcome the contributions of all free/libre software developers: please visit our github repo.
The project is currently at the feasability and planning stage. The current plan divides the project into three phases: a developer-only alpha; an early-adopter beta; and finally, a consumer-ready product.
Learn more about the betrusted development plan.
Betrusted device concept
Betrusted is not a phone: it is a secure enclave with auditable input and output surfaces. Betrusted relies on sharing your existing connectivity – such as your phone or cable modem – to access the Internet. Say you’re on the road and you want to securely message a friend. You would tether betrusted to your phone’s wifi, so that the phone is just an untrusted relay for encrypted messages coming too and from betrusted. The only place the decrypted messages will ever appear is on the trusted screen of a betrusted device.
The first generation of betrusted will incorporate a WiFi interface. Read more about how betrusted handles networking to understand how your betrusted can be extended to handle your favorite network interface.
As a secondary device, betrusted aims to occupy a minimal footprint. The typical usage scenario integrates betrusted into the protective case of your existing mobile phone. This usage scenario requires betrusted to be physically as thin as practical. This “thin as practical” criteria influences virtually all of the design decisions around the device hardware.
betrusted is also designed with a special low-power consumption “memory LCD” screen that can display information all day without draining its battery. This always-on feature allows betrusted to serve as a kind of notepad for your life’s private details. For example, saving bitmap images of your airplane boarding passes on betrusted allows you to board an airplane without having to turn on your phone.
Below are some concept renderings to give an idea of what the betrusted device might eventually look like.
Developer-Only Alpha Hardware
The alpha hardware is implemented using a FPGA containing a RISC-V soft core. The primary goal of this phase is to solidify the specs of the eventual betrusted ASIC through development and testing on a looks-like, works-like prototype.
Above is a concept rendering of what the alpha hardware might look like. The enclave is thicker than the production units, as it houses an oversized battery to complement the high leakage power of the FPGA. A superset of proposed features are represented in this prototype to facilitate HCI experimentation.
Read more about the alpha hardware FPGA.
Early-Adopter Beta Hardware
Betrusted’s second phase translates the FPGA design into an ASIC enclave. In addition to providing physical tamper resistance, the ASIC will consume much less power while running at higher speeds, enabling the device hardware to be sleeker. This phase aims to harden the codebase, while validating novel technological concepts built into the ASIC meant to harden against supply chain attacks while enhancing transparency despite the extremely closed nature of the silicon foundry business.
This concept shoots for a thin-as-practical design so that betrusted can properly fill the role of a phone companion. Such a thin form factor will require developing a novel keyboard element and incorporating features such as inductive charging.
Read more about the beta hardware custom SoC.
The final phase is a “consumer-ready product”. As the name implies, the product will be ready to use out of the box, with special effort put into the out of box user experience and documentation such that anyone can set up and use betrusted to communicate, transact, and safeguard secret data.
This phase will incorporate a substantial amount of learning from the first two phases. There is no placeholder concept rendering, as the final design will be born of the unknown unknowns.
Please visit the betrusted wiki for more technical information. The main betrusted github repository will also begin to fill in as more technical details come online.
Morsels you may be interested in
- Avalanche Noise Source design notes
Who is behind betrusted?
The betrusted-io github repository’s people page lists the developers that have elected to reveal their participation publicly.
The administrative contact for the betrusted.io project is Andrew ‘bunnie’ Huang (@bunniestudios/blog).