[33093] in cryptography@c2.net mail archive
Re: Crypto to defend chip IP: snake oil or good idea?
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Sat Jul 29 14:42:35 2006
X-Original-To: cryptography@metzdowd.com
Date: Fri, 28 Jul 2006 19:16:59 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: cryptography@metzdowd.com
Reply-To: tls@rek.tjls.com
In-Reply-To: <44CA8737.3040802@garlic.com>

On Fri, Jul 28, 2006 at 03:52:55PM -0600, Anne & Lynn Wheeler wrote:
> Thor Lancelot Simon wrote:
> >I don't get it. How is there "no increase in vulnerability and threat"
> >if a manufacturer of counterfeit / copy chips can simply read the already
> >generated private key out of a legitimate chip (because it's not protected
> >by a tamperproof module, and the "significant post-fab security handling"
> >has been eliminated) and make as many chips with that private key as he
> >may care to?
> >
> >Why should I believe it's any harder to steal the private key than to
> >steal a "static serial number"?
>
> so for more drift ... given another example of issues with static
> data authentication operations is that static serial numbers are
> normally considered particularly secret ... and partially as a result
> ... they tend to have a fairly regular pattern ... frequently even
> sequential. there is high probability that having captured a single
> static serial number ... you could possibly correctly guess another
> million or so static serial numbers w/o a lot of additional effort. This
> enables the possibly trivial initial effort to capture the first serial
> number to be further amortized over an additional million static serial
> numbers ... in effect, in the same effort it has taken to steal a single
> static serial number ... a million static serial numbers have
> effectively been stolen.

The simple, cost-effective solution, then, would seem to be to generate
"static serial numbers" like cipher keys -- with sufficient randomness
and length that their sequence cannot be predicted. I still do not see
the advantage (except to Certicom, who would doubtless like to charge a
bunch of money for their "20-40k gate crypto code") of using asymmetric
cryptography in this application.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
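
An added example, not part of the original message or of any product discussed in the thread: it measures how much one captured serial number reveals about the others when serials follow a sequential pattern versus when each is drawn from a CSPRNG like a cipher key. The 128-bit length, the batch size and all function names are assumptions made for illustration; the example says nothing about copying the one captured value itself.

```python
import secrets

SERIAL_BITS = 128  # assumed length, chosen the way a symmetric key length would be


def issue_sequential(start, count):
    """Serials assigned as start, start+1, ... (the regular pattern)."""
    return {start + i for i in range(count)}


def issue_random(count, bits=SERIAL_BITS):
    """Each serial drawn independently from the OS CSPRNG, like a cipher key."""
    issued = set()
    while len(issued) < count:
        issued.add(secrets.randbits(bits))
    return issued


def neighbours_valid(issued, captured, guesses):
    """Count how many of captured+1 .. captured+guesses are also issued.

    Models the amortization concern: one known serial is extended to
    others simply by following the numbering pattern.
    """
    return sum(1 for d in range(1, guesses + 1) if (captured + d) in issued)


def blind_guess_probability(issued_count, bits=SERIAL_BITS):
    """Chance that a single uniformly random guess is an issued serial."""
    return issued_count / 2**bits


def demo(count=100_000, guesses=50_000):
    # Constructed sample data: one batch of each kind, one captured serial each.
    start = 5_000_000
    seq = issue_sequential(start, count)
    rnd = issue_random(count)
    return {
        "sequential_hits": neighbours_valid(seq, start, guesses),
        "random_hits": neighbours_valid(rnd, next(iter(rnd)), guesses),
        "random_blind_p": blind_guess_probability(count),
    }


if __name__ == "__main__":
    print(demo())
```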