[Cryptography] [FORGED] Attackers will always win, and it's getting worse!

Tom Mitchell mitch at niftyegg.com
Mon Jul 17 07:16:27 EDT 2017


On Fri, Jul 14, 2017 at 8:51 PM, Jason Richards <jjr2 at gmx.com> wrote:
> Peter Gutmann:
>> I don't know whether using an FPGA can strictly be described as
>> "hardware" any more.
>>
>> Programmable crypto hardware does have the significant advantage that
>> the crypto device is non-sensitive until the algorithm is loaded into
>> it, and one piece of hardware can do many jobs.
>
> If the hardware is classified as non-sensitive then it will be
> protected accordingly, which could mean that it won't have had the
> appropriate protections once it has had the algorithm loaded and
> therefore has been reclassified.
>
> It should really be classified according to what it will or could or is
> likely to be used for.
>
> Of course I'm assuming that people actually take notice of a thing's
> classification ...

Yes, necessary, but the "could be used for" mindset is not a workable mindset.
While necessary it opens the door for paranoid minds to rule us all.
This is mostly covered by ITAR rules for computer export.

The volatility and data retention of the hardware come into play.
EEPROMs get pulled.  Memory boards have to be powered down
and boxed for X hours. NVRAM has to be ground off with an angle grinder
to service the board.  Modern Flash is ground to bits.  Some parts
cannot be serviced at all.

An FPGA that is loaded from flash on power up would not be returned for
repair service as the flash could contain data or functional code.

Some data like 'secret keys' has value well beyond the size.
There are keys to hack boot loaders, decrypt terabytes of data,
hack cell phones... unlock cell phones.  This challenges the one
bit per second rule for some systems.

While most TLAs understand classification, companies and individuals
do not.  The brain hurts too much and the necessary paranoia
is difficult to temper with considered reflection.

Protocols for a suicide watch lockup cell apply when "could be used
for"  language is applied.  Some would place the entire nation under
suicide watch and confiscate dual purpose materials and watch
everyone 7x24.


-- 
  T o m    M i t c h e l l

