Re: question on trust in chaoskey

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Fri, 2016-05-20 at 17:13 -0700, Steve Calfee wrote:

> A clever attacker would provide a false USB key which is "almost"
> random. This would allow them to decrypt messages based on the false
> key, with nobody else knowing there was a vulnerability. An almost
> random number simplifies cracking.
> 
> It is easy to exactly duplicate all the descriptors and functionality
> in a false device. It could be easily done with a PIC, Arduino, or $9
> CHIP. Who could tell a key is false or genuine? The false device could
> do the same dance with public keys (or whatever secret handshake you
> setup).

To a point.There is no reason a key would ever have to go over the wire
unencrypted. You can get at it only by man-in-the-middle or if you get
at the hardware.
We can protect against sniffing and require authentification.

> If a user cannot be sure a key is genuine, and a false key can leak
> information, I don't see the point of anyone using such a USB device.

You will have to trust your hardware if you run a computer.
The questions of whether your hardware is indeed your hardware
and whether you can trust your hardware are distinct.
The former problem we can address.

	Regards
		Oliver


--
To unsubscribe from this list: send the line "unsubscribe linux-usb" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Media]     [Linux Input]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]     [Old Linux USB Devel Archive]

  Powered by Linux