ptrei at rsasecurity.com
Thu Jul 31 09:04:13 PDT 2003
> pgut001 at cs.auckland.ac.nz[SMTP:pgut001 at cs.auckland.ac.nz]
> "Trei, Peter" <ptrei at rsasecurity.com> writes:
> >It's a move in the right direction, but I wish they had followed through
> >done the right things:
> >* [AES | 3DES]/CBC
> I get the feeling they use ECB for speed (heavy pipelining) rather than
Possibly - they're using an ASIC, so I'd have thought that speed would not
be the issue. I have not run the numbers.
> >with a good distribution of IVs
> Where would you store them? The feature of this is that it's fully
> transparent, so you can't store IVs anywhere.
I'm not really up on crypto file systems, but I believe at least some
use the sector address as the IV. IVs don't need to be random,
secret, or unpredictable - they just need to be unrepeated. (I'm
assuming sector-at-a-time encryption).
> >* User-generated keys (before initial disk setup, of course).
> That one's the only thing I can't find a good technical reason for...
> it's just commercial, since they see the dongles as a revenue source and
> sell you software to set up n dongles yourself, where price is
> proportional to
Having the user generate the key and load it on the dongle
means that he has good assurance that the manufacturer doesn't
have the key. Any kind of backup will open a possible route of
attack. If the user can specify the raw key value (it's short - this
is symmetric crypto), they can choose their own backup - up to
and including writing it on paper and carefully hiding it.
> >* Some kind of PIN or password protection on the dongle.
> How would you do this without a custom BIOS (remember that their general
> product is for dropping into any PC)?
We're talking about two different products. The ABIT is a MB,
presumably with its own custom BIOS, so that's not an issue.
> >40 bit DES is not secure against your kid sister (if she's a cypherpunk
> >much less industrial espionage.
> I'm more worried about key backup - it's bad enough having
> components IDE drives without complicating it further with a second point
> failure. In the meantime a better option is still the triumvirate of:
> - Sensitive data saved only to RAM disk.
> - 3DES-encrypted volume mounted as a filesystem, which I can back up in
> encrypted form if necessary, and with all crypto done in software with
> sector random IVs, user-generated keys, and all the other stuff you
> - Encrypted swap.
> (Oh yeah, and a UPS so you're not tempted to temporarily save stuff to
> elsewhere in case the RAM drive goes away suddenly).
> >"40-bit DES (US Data Encryption Standard) is adequate for general users"
> >Yeah. Right.
> If you're worried about Joe Burglar grabbing your laptop (for the value of
> laptop) and your business data being leaked as collateral damage, or
> stumbling across your warez or pr0n, then it's probably adequate. Since
> is what general users would be worried about, I'd agree with the
> Anyone worried about more than that (probably about 0.01% of the market)
> a general user any more.
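The sector-address-as-IV point made earlier in this reply, as an added example that is not part of the thread: a toy Feistel permutation with an HMAC-SHA256 round function (hypothetical, not a real cipher) stands in for AES/3DES so the code runs offline, and `leakage_demo` shows that ECB writes identical ciphertext for identical sectors while CBC with the sector number as IV does not, and still decrypts without storing any IV.

```python
import hmac, hashlib

BLOCK = 16  # 16-byte blocks, as with AES

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    """Keyed Feistel round function: HMAC-SHA256 over (round, half), cut to 8 bytes."""
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[:8]

def toy_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Toy 4-round Feistel permutation standing in for AES/3DES (illustration only)."""
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right

def toy_block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right

def sector_iv(sector_no: int) -> bytes:
    # IV = sector address: public and predictable, but never repeated on one disk,
    # so nothing has to be stored. (Later designs such as ESSIV/XTS also hide it.)
    return sector_no.to_bytes(BLOCK, "big")

def ecb_encrypt_sector(key: bytes, data: bytes) -> bytes:
    return b"".join(toy_block_encrypt(key, data[i:i + BLOCK]) for i in range(0, len(data), BLOCK))

def cbc_encrypt_sector(key: bytes, sector_no: int, data: bytes) -> bytes:
    prev, out = sector_iv(sector_no), []
    for i in range(0, len(data), BLOCK):
        prev = toy_block_encrypt(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt_sector(key: bytes, sector_no: int, ct: bytes) -> bytes:
    prev, out = sector_iv(sector_no), []
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(toy_block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def leakage_demo(key: bytes):
    """Same 64-byte image to sectors 7 and 8; returns (ecb_equal, cbc_equal, cbc_roundtrip_ok)."""
    plain = b"SAME 16 BYTES!!!" * 4  # constructed sector contents with repeated blocks
    ecb7, ecb8 = ecb_encrypt_sector(key, plain), ecb_encrypt_sector(key, plain)
    cbc7, cbc8 = cbc_encrypt_sector(key, 7, plain), cbc_encrypt_sector(key, 8, plain)
    ok = cbc_decrypt_sector(key, 7, cbc7) == plain and cbc_decrypt_sector(key, 8, cbc8) == plain
    return ecb7 == ecb8, cbc7 == cbc8, ok
```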