Crypto dongles to secure online transactions

Jeremy Stanley fungi at
Tue Nov 17 09:18:03 EST 2009

On Mon, Nov 16, 2009 at 11:20:27PM -0500, Jerry Leichter wrote:
> I'm not sure that's the right lesson to learn.

I might have, perhaps, phrased it a little better. Regardless of
initial planning, TI continued selling devices relying on this
particular code signing implementation well past what the original
design engineers hopefully expected would be its maximum lifespan.

> A system has to be designed to work with available technology. The
> TI83 dates back to 1996, and used technology that was old even at
> the time: The CPU is a 6MHz Z80. A 512-bit RSA was probably near
> the outer limits of what one could expect to use in practice on such
> a machine, and at the time, that was quite secure.

If this is true, then it makes an interesting case study for the
topic of this thread...

> Nothing lasts forever, though, and an effective 13 year lifetime
> for cryptography in such a low-end product is pretty good.

Not such a low-end product, when compared to the bank transaction
authenticating crypto we're discussing (I had a TI-83 back when they
first came out, and it was far from cheap on a starving student
budget). Assume what TI had built was one of these banking crypto
devices... they implemented a code signing mechanism so it could be
updated in a secure fashion, since they didn't want it to be so
disposable... the best code signing mechanism the processor could
handle... in 13 years a hobbyist with a few months and basically no
budget is able to trojan these devices.

This speaks to an inherent lifespan for "low-end" devices anyway,
since a time will come when they need better code signing than their
processors can handle. If the hobbyist can do it 13 years later for
a relatively low-value target (programmable calculators), how about
something which has a lot more potential for profit? A decade ago I
was working on (relatively) low-budget Beowulf distributed compute
clusters which easily rivalled the speed of the machine used to
crack TI's code signing keys. This was well within the budget of a
criminal organization--probably a tiny fraction of what they could
have made selling the code signing keys for widely-deployed bank
transaction authenticator devices.

Maybe calculators are a bad example, but if 3-4 years is all it
takes to put the code signing key for an inexpensive device in the
hands of criminals, then is it worth the risk (or even expense) to
make dedicated banking crypto hardware updateable?
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fungi at; IRC(fungi at; ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fungi at;
MUD(fungi at; WWW(; }

The Cryptography Mailing List