This is a (fictional) Request for Proposals for a new PDA for the President of the United States.
The President requests vendors of PDA-type devices to submit a proposal for a device to upgrade the President's existing PDA, to fulfill the listed requirements.
The President takes notes extensively on his PDA. He is skilled with Graffiti but is willing to learn a new input method, such as Dasher or Hexinput, if he can become proficient quickly.
The President coordinates his activities and calendar with the White House server. The calendar is made available over an HTTPS connection as an XML file using the CXO ontology. The calendar server is not going to be changed to accommodate the new PDA; that is, the new PDA must accommodate the existing server, since the whole White House staff uses this ontology and synchronization method.
While the President's contact list is maintained by his staff, he keeps a copy on his PDA, synchronized in the same way as the calendar.
The President makes voice phone calls over a secure channel to a portal at the White House, using inconvenient separate equipment. He would like the new PDA to also act as a cell phone, specifically to do VoIP tunneled over an SSL connection, or an IPv6 encrypted tunnel, through the public data service(s) to the White House portal.
The President views general web content on a regular basis, and would like to be able to do this on the PDA, which is not really practical with the present one.
The President needs to view and edit classified documents, and would like to be able to do this on the PDA. According to White House security rules, this has several implications, beyond the obvious ones that text editing must be supported and secure authentication must be feasible:
We don't do WebDAV (an HTML form containing the editable content, which is sent back to the server after modification), because we can't be sure that intermediate copies are identified and not just deleted but wiped properly, e.g. in the web server's upload directory.
In order that local temporary copies be completely volatile regardless of design details of the web browser, it must be able to operate with only a memory cache.
While the ability to do a VPN is a plus, we don't do insecure protocols over a VPN; we use protocols that include a security component intrinsically.
We need a convenient procedure to copy files over an encrypted link to and from the server. A GUI is helpful. Mounting the server's directory is another alternative.
The filesystem where these files are written must be encrypted.
The President is taking this opportunity to introduce digital signatures on all documents including web pages, so their authenticity can be assessed. The web browser and PDF viewer must be able to verify these signatures and display the status.
Fairly regularly the President shows documents on his PDA to other people such as staff, Congressional leaders and foreign dignitaries. Several features are desirable for this:
Enlarge the font easily: one click to a preset large font would be ideal.
Lock the viewer or web browser on top and/or full screen: instant kiosk mode.
Intelligent forgetting of secrets: the PDA should go into sleep mode, except that the viewer needs to stay functional; the web browser should lose its authentication keys, but the subject document should remain displayable from the memory cache, and the browser should be able to follow publicly viewable links.
Reversion from this mode should be the same as from suspend state: biometric and possession key.
For relaxation the President reads E-books stored on the PDA.
The President would like to be able to listen to music and to view videos that are stored on the PDA, which is beyond the current one's ability.
While the President will probably not use GPS personally, support staff (Secret Service) will be getting similar PDAs, and they certainly will. A secure wireless connection to a separate GPS receiver is acceptable. Readout of the position on map images provided by the U.S. Army Map Service is required.
A number of activities involve high-security authentication. The White House security staff, in consultation with the President, have developed these requirements for authentication.
To make the authentication system work, a master password must be entered, which will persist for at most 12 hours after which it must be entered again. More frequent password authentication is strongly resisted by the President.
Individual high-security actions, like connecting to a server, happen often throughout the day. To make these happen the President will authenticate biometrically, e.g. with a fingerprint, and will also make available a possession key. One acceptable such key is an RFID chip hidden behind the jewel of a signet ring. Another, less preferred, is an artificial pattern to be viewed by the fingerprint reader.
A remotely sensed authentication device shall remain hidden until probed by a verifiably authorized partner. For example, an RFID chip shall require an encrypted time-synchronous or one-time-use challenge string, which it can decrypt with a prespecified public key, before it will emit any response. Think of a bomb set to explode at the closest approach of the RFID chip of interest.
A number of activities involve establishing a secure connection to a server, which requires wielding an RSA secret key whose matching public key is held by the server. The server knows authoritatively who the client is because this information is attached to the signed public key, and only the holder of the secret key could have encrypted or decrypted a random challenge string, on which the server performs the inverse operation with the public key. Access to the secret key shall be governed by the standard authentication system without additional passwords or manual selection of the key.
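The two preceding paragraphs describe one pattern: a partner signs a fresh challenge, the holder stays silent unless that signature checks out against a prespecified public key, and then proves possession of its own RSA secret key by answering the challenge. The following is an added illustration, not part of the RFP or any vendor's code; the keys, the 30-second skew window and the toy textbook RSA (no padding, Mersenne-prime moduli) are constructed for the example.

```python
import hashlib
import secrets

# Toy textbook RSA so the exchange runs offline; not a real signature scheme.
def keypair(p, q, e=65537):
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def h(msg: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, priv):
    n, d = priv
    return pow(h(msg, n), d, n)

def verify(msg, sig, pub):
    n, e = pub
    return pow(sig, e, n) == h(msg, n)

# Constructed keys: the partner (reader/server) signs probes; the holder side
# (signet-ring chip or the PDA's client key) answers them with one key pair.
PARTNER_PUB, PARTNER_PRIV = keypair(2**31 - 1, 2**61 - 1)
CLIENT_PUB, CLIENT_PRIV = keypair(2**89 - 1, 2**107 - 1)
WINDOW = 30  # seconds of clock skew tolerated for a time-synchronous challenge

def make_probe(now: int, partner_priv=PARTNER_PRIV):
    """Partner side: challenge = timestamp || random nonce, plus its signature."""
    challenge = now.to_bytes(8, "big") + secrets.token_bytes(16)
    return challenge, sign(challenge, partner_priv)

class Tag:
    """Holder side: emits nothing unless the probe proves an authorized partner."""
    def __init__(self, partner_pub=PARTNER_PUB, client_priv=CLIENT_PRIV):
        self.partner_pub, self.client_priv, self.used = partner_pub, client_priv, set()

    def respond(self, challenge: bytes, sig: int, now: int):
        if not verify(challenge, sig, self.partner_pub):      # unsigned or forged probe
            return None
        stamp = int.from_bytes(challenge[:8], "big")
        if abs(now - stamp) > WINDOW or challenge in self.used:  # stale or replayed
            return None
        self.used.add(challenge)                               # one-time use
        return sign(challenge, self.client_priv)               # proof of the secret key

def partner_accepts(challenge: bytes, response, client_pub=CLIENT_PUB) -> bool:
    """Server side: accept only an answer made with the registered client key."""
    return response is not None and verify(challenge, response, client_pub)
```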
The ideal is if all authentication uses one RSA key pair, which can be replaced easily and without introducing bugs, periodically or if suspected of being compromised. With a large flock of keys, cracking one key gives the Black Hats access to only one function, but the complexity makes it more likely that the system will not work when reliability is vital, and hinders security audits.
The processor in the PDA and any active partner shall have access to truly random numbers, to be used as cryptographic padding and as challenge strings.
After a short period of non-use, the PDA must unmount encrypted filesystems and forget secrets. Routine authentication (biometric and possession key) is required, and sufficient, to wake up the PDA.
Electromagnetic radiation from the PDA, e.g. spurious emissions from the display and keypad, and particularly 1/r^2 radiation from RFID, must be unhelpful to the enemy. Think of an antenna attached to the underside of a table.
This RFP does not require that any specific software or operating system be used to meet the requirements, but vendors should address several points in their proposals:
No known PDA meets all the listed requirements, but the general public needs to be able to do these things to varying degrees. In other words, the President's needs are more varied and more demanding than is typical, but not qualitatively different from what PDAs should be providing already.
Certainly the vendor in cooperation with the White House IT staff will need to bring together software from a variety of sources, including some components developed at the White House specifically for this project. Vendors should discuss problems that might hinder such aggregation. Software development kits must be available on reasonable terms.
Vendors whose offering minimizes the amount of special development will be preferred.
Government work products are for the people's benefit. We would hope to make specially developed software available to the public, preferably on an open source basis.
The White House security staff insists on reviewing the source code of all programs, including the operating system and including device drivers, that run on the PDA, and on personally building all binary modules.
All these activities are done in lighting conditions ranging from full sunlight to total darkness. This implies:
We have found no satisfactory self-luminous display in direct sunlight; the display must modulate reflected sunlight.
On the other hand, self-luminosity is required for nighttime use. The ideal is if it switches on gradually as the light level decreases.
Reflective monochrome displays appear to be more available than color. While the President would much prefer a color display, he considers the requirement for outdoor use to be higher priority. A dual mode display would be given a high score: self-luminous color in moderate light, but in full sunlight or when power must particularly be saved it would shift to reflective mode, likely with limited color or grayscale.
The President uses his PDA a lot, with these implications for the power supply:
The most power-efficient processor must be used. Power must not be wasted on, for example, display lighting, unless current conditions require it.
It must be possible to change batteries unobtrusively and without shutting down the whole PDA. A pair of batteries, used alternately (not in parallel), could satisfy this requirement. If a long-life power supply is proposed -- and this would be rated highly if feasible -- it will be tested by playing eight hours of video without a break.
Due to an old injury to the President's finger, prying things out with a fingernail is not going to be feasible.
We will expect an external battery charger to be available as part of the package, with an option to charge from a 12 VDC vehicle power supply. The ideal is if the batteries have a standard configuration so a commercial charger, accommodating multiple cells, can be used.
We want an unobtrusive but effective continuous display of the battery's charge. If there are multiple batteries, each should be shown. The readout should be not too nonlinear; as a counterexample, if 100% down to 20% all give the same reading, this is not helpful.
Photovoltaic capture of ambient light energy should be considered as a supplementary power source.
The PDA must fit in a shirt pocket (14x8x2 cm max). 200 grams is about the maximum mass. Smaller is preferred: 125 grams and 10x8x1 cm would be ideal.
The PDA will be rained on, and treated to spilled coffee, and subsequent cleanup. A big plus is floating if dropped in seawater, and surviving to two meters depth without losing reliability afterward.
The PDA must survive (functionally, not case scratches) being dropped in any orientation 1.5 meters on concrete.
The PDA must function normally, with only limited and reversible display degradation, at -20 °C ambient, and sitting face up on a wood table in direct tropical sunlight at 32 °C ambient (the device temperature will depend on the color of its case).
Wires are a big minus, in particular for the audio headphone and the separate GPS receiver. Wireless accessory connections must be as secure as the main data paths, including the issue of forgetting secrets on command.
The PDA must be able to do data communication on whichever of these wireless networks is available, automatically choosing the best (first on the list):