[149008] in cryptography@c2.net mail archive
Re: [Cryptography] Dumb idea: open-source hardware USB key for
daemon@ATHENA.MIT.EDU (Joshua Marpet)
Sun Jan 12 18:19:23 2014
X-Original-To: cryptography@metzdowd.com
In-Reply-To: <52D24BE7.40200@iang.org>
Date: Sun, 12 Jan 2014 18:16:23 -0500
From: Joshua Marpet <joshua.marpet@guardedrisk.com>
To: ianG <iang@iang.org>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
Bill Cox <waywardgeek@gmail.com>

I'm friends with Travis Goodspeed, and if you don't know who he is, he's
the crazed lunatic (said fondly) who decaps chips for fun, to read out, for
example, the entire RSA SecurID chip on a keyfob, or a cryptographic system
of all shapes and sizes. FYI, he can re-enable an expired SecurID fob. So
epoxying chips is good as a detective measure (as in, I see something was
done!). It's not so good as a preventative measure.

He's the one who taught me to use syringe needles as probes to find JTAG
ports on ICs, since they're stiff, come to a point, and are easy to
manipulate. (Works great, by the way.)

Joshua

On Sun, Jan 12, 2014 at 3:01 AM, ianG <iang@iang.org> wrote:
> On 11/01/14 01:53 AM, Bill Cox wrote:
>
>> I've been noodling the idea of a USB stick designed in a way that we
>> can trust the crypto that goes on there. It's a hard problem, but
>> there seems to be some guidelines that could help:
>
> ...
>
>> The idea still has issues.
>
> Responding to all, it seems that the only constant here is USB, and
> nobody's particularly wedded to that.
>
> So, we don't know what the best solution is.
>
>> Could we make such a beast?
>
> Let a thousand flowers bloom. Get your ideas out and try it. One thing
> is clear: not having anything is generally less secure than having
> something...
>
> iang
>
> _______________________________________________
> The cryptography mailing list
> cryptography@metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography