[146681] in cryptography@c2.net mail archive


Re: [Cryptography] Sabotaged hardware (was Re: Opening Discussion:

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Fri Sep 6 16:22:16 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CABrqyHwR-LBhdCtWZ0kz_dwj+dBqHzmRVr=Z03nmfrx4ohA2=A@mail.gmail.com>
Date: Fri, 6 Sep 2013 14:05:43 -0400
To: John Ioannidis <ji@tla.org>
Cc: cryptography mailing list <cryptography@metzdowd.com>,
	Perry Metzger <perry@piermont.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com


On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote:
> I'm a lot more worried about FDE (full disk encryption) features on modern disk drives, for all the obvious reasons.
>
If you're talking about the FDE features built into disk drives - I don't know anyone who seriously trusts it.  Every "secure disk" that's been analyzed has been found to be "secured" with amateur-level crypto.  I seem to recall one that advertised itself as using AES (you know, military-grade encryption) which did something like:  Encrypt the key with AES, then XOR with the result to "encrypt" all the data.  Yes, it does indeed "use" AES....

There's very little to be gained, and a huge amount to be lost, by leaving the crypto to the drive, and whatever proprietary, hacked-up code the bit-twiddlers who do driver firmware decide to toss in to meet the marketing requirement of being able to say they are secure.  Maybe when they rely on a published standard, *and* provide a test mode so I can check to see that what they wrote to the surface is what the standard says should be there, I might change my mind.  At least then, I'd be worrying about deliberate attacks (which, if you can get into the supply chain are trivial - there's tons of space to hide away a copy of the key), rather than the nonsense we have today.

> And if I wanted to be truly paranoid, I'd worry about HSMs to
>
Now, wouldn't compromising HSM's be sweet.  Not that many vendors make HSM's, and they are exactly the guys who already have a close relationship with the CI (crypto-industrial) complex....
                                                        -- Jerry


> /ji


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
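
An added illustration, not part of the original message and not any vendor's code: a model of the "XOR everything with one AES output" scheme recalled in the message, with the kind of check a raw-surface test mode would allow. All function names, the constructed pad, and the SHA-256 contrast keystream are assumptions made for this example.

```python
import hashlib

BLOCK = 16  # AES block size in bytes

# Constructed stand-in for the drive's AES(key) output; only its reuse matters.
CONSTRUCTED_PAD = hashlib.sha256(b"constructed drive key").digest()[:BLOCK]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fixed_pad_encrypt(data: bytes, pad: bytes) -> bytes:
    """Model of the recalled scheme: every block is XORed with the same pad."""
    return bytes(b ^ pad[i % len(pad)] for i, b in enumerate(data))


def per_block_encrypt(data: bytes, key: bytes) -> bytes:
    """Contrast case: the keystream changes with the block offset.
    SHA-256(key || offset) is a stand-in here, not a real disk cipher mode."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()[:BLOCK]
        out += xor_bytes(data[off:off + BLOCK], ks)
    return bytes(out)


def repeating_pad_period(known_plain: bytes, raw_cipher: bytes, max_period: int = 64):
    """Shortest period at which plain XOR cipher repeats, or None.
    A hit means the data is protected by nothing more than a fixed XOR pad."""
    stream = xor_bytes(known_plain, raw_cipher)
    for p in range(1, max_period + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None


def read_other_sector(known_plain, known_cipher, other_cipher, period):
    """Consequence of a hit: one known sector exposes the pad for all sectors."""
    pad = xor_bytes(known_plain[:period], known_cipher[:period])
    return fixed_pad_encrypt(other_cipher, pad)


if __name__ == "__main__":
    zeros = bytes(512)  # constructed known-plaintext sector
    print(repeating_pad_period(zeros, fixed_pad_encrypt(zeros, CONSTRUCTED_PAD)))
    print(repeating_pad_period(zeros, per_block_encrypt(zeros, b"k" * 16)))
```

The check needs only a sector whose plaintext is known (here all zeros) and the raw bytes stored for it, which is what a verifiable test mode would have to expose.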