[Cryptography] USB 3.0 authentication

Jerry Leichter leichter at lrw.com
Thu Apr 14 06:06:44 EDT 2016


There have been recent press reports about a new spec release by the USB 3.0 standards group for a mechanism to certify USB 3.0 devices and cables and have them cryptographically authenticate.  The use case that drives much of the coverage is the story from a couple of months back in which a cheap mis-wired USB 3.0 cable fried someone's Chromebook.  Sounds reasonable.  But then you get to the use of "128-bit security for all cryptography", which is already sounding like a bit of overkill - and a press release (quoted 3rd hand so I have no real idea where it comes from) that:  "For a traveler concerned about charging their phone at a public terminal, their phone can implement a policy only allowing charge from certified USB chargers.  A company, tasked with protecting corporate assets, can set a policy in its PCs granting access only to verified USB storage devices."

Anyone know exactly what crypto is going into these things, and what its capabilities are?  The ability to limit connections to "verified" devices - depending on who gets to do the verifying - could be used to attempt to close down leaks by preventing people from transferring data onto devices they then take away with them.  Or it might be used for anti-competitive purposes:  XYZ Corp PCs only support external keyboards manufactured by XYZ Corp or its licensees.

As with TPM, likely both pluses and minuses.  But I've seen no discussion beyond repetition of press releases of what we are gaining - or potentially losing.

                                                        -- Jerry


