[Cryptography] USB 3.0 authentication: market power and DRM?

Kevin W. Wall kevin.w.wall at gmail.com
Sun May 1 11:41:13 EDT 2016 

On Sun, May 1, 2016 at 3:13 AM, John Gilmore <gnu at toad.com> wrote:
[snip]
>
> But I don't see how authentication fits in technically.  It looks like
> it's there to build monopolies.
>
> The alleged problem statement seems to be: Some expensive devices will
> decline to spend the money to protect themselves from overvoltage or
> overcurrent situations, thereby being damaged by out-of-spec power
> supplies.  We need to authenticate chargers so this won't happen.
> Let's examine this from an engineering point of view, then look at
> the politics.

If that is the concern, then certainly there are cheaper ways to
achieve that.
[snip]
> But if it does have circuitry that disconnects it from the power
> wires, why not trigger that disconnect based on measuring overvoltage or
> overcurrent, rather than triggering it on failed authentication?
>
> It seems to me that a counterfeit charger could short 110V down
> the USB3 cable, with or without authentication.  What protects
> the phone from that?
>
> Similarly, what prevents a counterfeit charger from using a chip and a
> flash image (including a signed certificate) that's identical to the
> one in a certified, tested, approved, paid-up charger.  The
> counterfeiter only has to clone that real chip one time, then they can
> put it in all their products.  Or they could actually buy the real
> chips on the open market, and just clone the firmware and the cert.
> Yet their shoddy wiring, Grade Z external components, faulty housing,
> etc, around that chip could still short 110V down the cable during the
> wrong phase of the moon.  So the authentication will pass, but the
> voltages and currents will at sudden times be dangerous.  I guess your
> expensive phone will fry anyway, despite the crypto, because you
> didn't spend 20c on protective components in the phone.
>
> What am I missing here?  It looks like the alleged solution doesn't
> solve the alleged problem.  Perhaps there's something else going on here.

Is perhaps the (alleged) reason for the authentication to prevent
altered chargers
from delivering malware, as was described at Blackhat USA 2013? E.g.,
see <https://media.blackhat.com/us-13/US-13-Lau-Mactans-Injecting-Malware-into-iOS-Devices-via-Malicious-Chargers-WP.pdf>.

Just a at thought. If nothing else, this might be the pretense of requiring
authentication even though it indeed might not be the true motives.

-kevin
-- 
Blog: http://off-the-wall-security.blogspot.com/    | Twitter: @KevinWWall
NSA: All your crypto bit are belong to us.

More information about the cryptography mailing list