[149011] in cryptography@c2.net mail archive


Re: [Cryptography] Dumb idea: open-source hardware USB key for

daemon@ATHENA.MIT.EDU (ianG)
Mon Jan 13 13:13:22 2014

X-Original-To: cryptography@metzdowd.com
Date: Mon, 13 Jan 2014 10:51:28 +0300
From: ianG <iang@iang.org>
To: Joshua Marpet <joshua.marpet@guardedrisk.com>
In-Reply-To: <CAC4EX57AtuH2Z6NhixxEvmgTy44viQ0jz4Db_BuBoc-qW9oWoA@mail.gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>,
	Bill Cox <waywardgeek@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 13/01/14 02:16 AM, Joshua Marpet wrote:
> I'm friends with Travis Goodspeed, and if you don't know who he is, he's
> the crazed lunatic (said fondly) who decaps chips for fun, to read out,
> for example, the entire RSA SecurID chip on a keyfob, or a cryptographic
> system of all shapes and sizes.  FYI, he can re-enable an expired
> SecurID fob.  So epoxying chips is good as a detective measure (as in, I
> see something was done!)  It's not so good as a preventative measure.
>
> He's the one who taught me to use syringe needles as probes to find JTAG
> ports on ICs, since they're stiff, come to a point, and are easy to
> manipulate.  (Works great, by the way)



Sounds like lots of fun!  For the most part, I would say that all 
devices can be defeated in the lab by persistent attack, and the primary 
protection is:  Don't lose your stick!

In the first instance we need to get things going.

Much later on, it might be fun to start attacking the various ideas and 
see which can resist, which can boost their resistance, etc.

What does Travis recommend for preventing attacks?  Microswitches? Acid 
bottles?  Plastique?



iang


> On Sun, Jan 12, 2014 at 3:01 AM, ianG <iang@iang.org
> <mailto:iang@iang.org>> wrote:
>
>     On 11/01/14 01:53 AM, Bill Cox wrote:
>
>         I've been noodling the idea of a USB stick designed in a way that we
>         can trust the crypto that goes on there.  It's a hard problem, but
>         there seem to be some guidelines that could help:
>...
>
>     Responding to all, it seems that the only constant here is USB, and
>     nobody's particularly wedded to that.
>
>     So, we don't know what the best solution is.
>
>
>
>           Could we make such a beast?
>
>
>
>     Let a thousand flowers bloom.  Get your ideas out and try it.  One
>     thing is clear:  not having anything is generally less secure than
>     having something...
>
>     iang
>
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
