[Cryptography] USB hardware token for $2??

Arnold Reinhold agr at me.com
Fri Dec 23 16:08:09 EST 2016


On Thu, 22 Dec 2016 10:02 Phillip Hallam-Baker asked: 

> I saw this:
> 
> http://www.ebay.com/itm/1PC-Digispark-Kickstarter-Attiny85-Mini-USB-Micro-Development-Board-for-Arduino-/282162475109?hash=item41b231b065:g:RIQAAOSw0HVWBMbq
> 
> It has an 8 bit CPU with 512 bytes of RAM and 2K of ROM. There is a fuseable
> link for fixing the firmware.
> 
> Any chance one of these could be used as a low cost HSM? Specifically, the
> use I would have for it would be to provide a second factor for sensitive
> key management operations. I would not store the whole key on the device,
> just a share of the key.

The units in the link you give look similar to ones I purchased about 8 months ago. They are knockoffs of the Digispark design and I could never get them to work. There may have been something wonky about the boot loader (if there was one).  

The real Digispark units work great and don’t cost that much more. (Yes, a Pi Zero costs less, but you need accessories, and good luck auditing the software—an operating system is not always a plus.) The Arduino development environment is a pleasure to use and programming the AVR chips is fun. The 512 bytes of RAM prevents some crypto algorithms from being used. RC4 works, but takes up more than half of RAM. I was able to get Speck to work on the chip. An analog accelerometer chip could make a good random bit source, and ferroelectric RAM boards ($10 from Adafruit) can store 32K bytes that can be reliably erased (unlike flash), if 512B EEPROM isn't enough.

You can also buy raw ATtiny85 chips and get them working with minimal components.

Peter Gutmann <pgut001 at cs.auckland.ac.nz> added:

> ...To generalise this, the problem with almost any consumer-level hardware device
> isn't the hardware, it's the software. …

Packaging a processor in a compact but usable form factor is not a trivial task. Having a well thought out design available for small money saves a lot of time and aggravation. Add in a good development environment, lots of libraries, accessory boards and a strong developer community and you are way ahead using boards like this. For simple uses, the software may not be that bad.


Arnold Reinhold
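
The RAM budget discussed in the message above, as an added example that is not code from the post: it puts RC4's lifetime state next to a Speck encryption that derives its round keys on the fly. The post does not say which Speck variant was used; Speck64/128 is an assumption, the function and struct names are illustrative, and the self-test uses the designers' published Speck64/128 test vector.

```c
#include <stdint.h>
#include <stdio.h>

/* Speck64/128 (variant assumed): 64-bit block, 128-bit key, 27 rounds. */
#define SPECK_ROUNDS 27
#define ROR32(x, r) (((x) >> (r)) | ((x) << (32 - (r))))
#define ROL32(x, r) (((x) << (r)) | ((x) >> (32 - (r))))
/* One Speck round; the key schedule reuses it with the round index as "key". */
#define SPECK_ROUND(x, y, k) do { \
        (x) = ROR32((x), 8); (x) += (y); (x) ^= (k); \
        (y) = ROL32((y), 3); (y) ^= (x); } while (0)

/* RC4 keeps a 256-byte permutation plus two indices for its whole lifetime. */
struct rc4_state { uint8_t S[256]; uint8_t i, j; };

/* Encrypt one block in place. blk[1] is the high word (x), blk[0] the low (y).
 * Round keys are derived on the fly: no 27-word (108-byte) table in RAM,
 * only a 16-byte working copy of the key. */
void speck64_128_encrypt(const uint32_t key[4], uint32_t blk[2])
{
    uint32_t a = key[0];
    uint32_t l[3] = { key[1], key[2], key[3] };
    for (uint32_t i = 0; i < SPECK_ROUNDS; i++) {
        SPECK_ROUND(blk[1], blk[0], a);   /* data round with round key i */
        SPECK_ROUND(l[i % 3], a, i);      /* derive round key i + 1 */
    }
}

/* Returns 1 if the published Speck64/128 test vector reproduces. */
int speck64_128_selftest(void)
{
    static const uint32_t key[4] = { 0x03020100, 0x0b0a0908, 0x13121110, 0x1b1a1918 };
    uint32_t blk[2] = { 0x7475432d, 0x3b726574 };
    speck64_128_encrypt(key, blk);
    return blk[0] == 0x454e028b && blk[1] == 0x8c6fa548;
}

int main(void)
{
    printf("RC4 state:         %u bytes of the 512-byte RAM\n",
           (unsigned)sizeof(struct rc4_state));
    printf("Speck working set: %u bytes (key copy + block)\n",
           (unsigned)(4 * sizeof(uint32_t) + 2 * sizeof(uint32_t)));
    printf("Speck64/128 self-test: %s\n", speck64_128_selftest() ? "ok" : "FAIL");
    return 0;
}
```

The 258-byte RC4 state is just over half of the 512 bytes of RAM, while the Speck working set is 24 bytes plus a few stack bytes, leaving room for the USB stack and I/O buffers.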


