[Cryptography] USB 3.0 authentication

dj at deadhat.com dj at deadhat.com
Fri Apr 29 14:21:37 EDT 2016


>> Anyone know exactly what crypto is going into these things, and what
>> its capabilities are?
>

It's X.509 certs and a one-way authentication exchange. No link cipher, no
key agreement. All crypto is aimed at 128-bit security (so 256-bit curves
and hashes). There's P-256 and SHA-3 (or SHA-256; it's gone back and
forth).

This may look odd. There are reasons.

This spec is the first part. It's addressing the authenticity of PD (power
delivery) devices by checking that they have been provisioned with certs
under a root controlled by the certification body. These devices may not
have USB data capability. The PD wires carry a low speed protocol to
negotiate volts and amps. The 'problem' is counterfeit chargers and
defective cables that can and do damage expensive computers and phones.

What it is not doing is protecting any data. That is part 2 and it hasn't
been written yet. Part 2 will nominally have a mutual authentication, key
agreement, link cipher and is intended to protect against a variety of USB
threats we are familiar with - MITM key loggers, driver abuse, car park
flash attacks etc.

The use of X.509 and NIST curves was not my idea, but you can't always get
what you want.



