[Cryptography] recommending ChaCha20 instead of RC4 (RC4 again)
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Fri Mar 14 00:58:06 EDT 2014
<dan at geer.org> writes:
>* Embedded systems that have a remote management interface must be certified
>by their maker to be designed such that when said remote management interface
>is operated according to spec, the maker shall be found negligent, per se,
>were the management interface found to have been be jimmied by an attacker.
>
>* Embedded systems that have no remote management interface shall be so
>designed as to die without fail no later than some fixed time, which time is
>stated in advance.
The problem this runs into is that in the embedded world security is job #9,
after reliability/availability, reliability/availability,
reliability/availability, reliability/availability, reliability/availability,
reliability/availability, reliability/availability, and
reliability/availability.
(A lesser problem is that the devices are mostly built by hardware guys for
whom software development consists of "it compiles, ship it". Obviously
that's an over-generalisation, but I don't know how much embedded stuff I've
looked at that has beautifully-engineered hardware and software that looks
like someone's incomplete undergrad project. That's an issue that you can try
and legislate though, with the emphasis on "try").
Peter.
More information about the cryptography
mailing list