[Cryptography] Dumb idea: open-source hardware USB key for crypto
Owen Shepherd
owen.shepherd at e43.eu
Sat Jan 11 19:07:05 EST 2014
My initial consideration, as an open hardware design, wasn't something for
somebody to just go out and buy.
If that's what you want, there are hundreds of PKCS#11 smart cards out
there. They're not going to be any less provaly secure than a USB stick you
buy from somebody.
The assumption is that you would at most buy it as a pre-soldered kit, hook
up a programmer, and program and lock it yourself, and finally epoxy it
yourself. Then you know the code is not tampered with.
I can't see a way to make this kind of thing at least equally provably
secure which doesn't involve some form of programming apparatus,
unfortunately.
Owen Shepherd
http://owenshepherd.net | owen.shepherd at e43.eu
On 12 January 2014 00:01, Bill Cox <waywardgeek at gmail.com> wrote:
> A keypad and display would be great, but for users who just want to
> carry it in their pockets, a USB stick form-factor would be
> preferable. I personally was thinking that I would have a Raspberry
> Pi based system with keyboard and display that was isolated from the
> Internet to help me generate keys, but of course average users would
> plug them into their Windows machines, and who knows who's watching
> them type passwords in that case.
>
> Your preference for epoxy encased circuits, and read-protected
> microcontrollers is interesting. That's one way to go, but I'm more
> worried that our USB sticks will be subverted somewhere along the
> build chain, so my preference is to make it easy to read out the
> programming information and to be able to probe the internal signals.
> You probably are right that in reality users would never bother with
> such authentication, which is why I would like to see a volunteer
> group of people who do bother to prove that most of these USB keys are
> safe.
>
> But you are right that my version makes it easy for an attacker to
> steal my USB key and read out the keys...
>
> It's a tough problem...
>
> Bill
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140112/7a6809f3/attachment.html>
More information about the cryptography
mailing list