[Cryptography] Lenovo laptops with preloaded adware and an evil CA

Jerry Leichter leichter at lrw.com
Sun Feb 22 10:02:33 EST 2015


On Feb 22, 2015, at 12:21 AM, Christian Huitema <huitema at huitema.net> wrote:
I agree with the earlier comments in this message about past mistakes, but:

> A particular example of phishing led to the recently disclosed attack on SIM
> cards. But phishing was not the only past mistake there. Static shared
> secrets, really?
And just what is your proposed alternative for a way to set up a shared, mutually authenticated connection between a phone and a network?  At some point, there have to be secrets.  You can use symmetric cryptography and have a single secret, or asymmetric and have a pair of them, but in either case, someone has to make those secrets available to the appropriate parties - and that someone is the SIM card programmer.  If the SIM card programmer is fully penetrated, as is the case here ... just what is it that you propose to do?  The only alternative I know of is pure DH - secure but inherently unauthenticated.  Even so, probably beyond the capability of most phones in the world even today - we in the rich white west have a rather special idea of what makes for a minimally acceptable phone.

> No forward secrecy? What year is this, 1994? Or 1984 maybe?
None of the above.  Forward secrecy was first proposed in 1992, but it didn't really get much interest until 2000 or so - and it would likely have been too compute-intensive for even desktop-class machines (much less phones) until years later.  SIM cards, on the other hand, go back much further than you might expect:  The first one dates back to 1991!  Even the "modern" mini-SIM dates to 1996.  These are dates of introduction; given that these are international standards, design must go back at least a year earlier, probably more.

So we're not really talking about dumb design decisions here.  We're talking about the inevitable delay and inertia in changing literally billions of end-points, all over the world, under the administrative responsibility of hundreds of telcos.  The lesson *I* would take from this is that, given what we now know about the nature and scale of attacks on this massive infrastructure, the mistake is to think it can possibly be secure.  View it like the raw Internet:  Any security will have to be built on top.

The other lesson, which needs to be repeated over and over to those not versed in the whole crypto thought process, is:  This is why the notion of a "golden key" accessible only to law enforcement is just nonsense.  If there's a central database of keying information, someone will get at it.  The techniques used to steal this information, from what we know, were nowhere near the level of sophistication required to, say, implant rootkits in disk firmware.  Phishing, breaking into individual systems, monitoring what they're doing, learning procedures - the guys who stole hundreds of millions from many of the world's banks could have done the same thing.  So could much smaller criminal organizations.  And if it makes you happy that it's *our guys* who did it - this is also well within the reach of many other intelligence organizations.  Since passive listening once you've stolen all the keys is undetectable, any number of parties could be doing it at the same time.  For all you know, your conversations are being tapped by GCHQ/NSA, the Russians, the Chinese, the Germans, the Israelis, the North and South Koreans, and who knows who else, all at the same time.
                                                        -- Jerry