[cryptography] Preserve us from poorly described/implemented crypto

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Jun 5 02:26:03 EDT 2011


"Kevin W. Wall" <kevin.w.wall at gmail.com> writes:

>OTOH, I suppose one could argue that this is better than your normal wireless
>keyboard which is just communicating over an unencrypted channel.

That's the thing, you have to consider the threat model: If anyone's really
that desperately interested in watching your tweets about what your cat's
doing as you type them then there are far easier attack channels than going
through the crypto.

>If they use random IVs and appropriate cipher mode or couple the ciphertext
>with an HMAC to ensure message authenticity, I think they should be OK.

It's a consumer-grade keyboard, not military-crypto hardware, chances are
it'll use something like AES in CTR mode with an all-zero IV on startup, so
all you need to do is force a disassociate, it'll reuse the keystream, and you
can recover everything with an XOR.

(I looooove the counter mode crypto fashion statement, it's the RC4 debacle
all over again.  Now that we've finally got rid of RC4 after 20-odd years
we're reintroducing the same problem using AES).

Peter.
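The failure mode Peter describes above (CTR mode restarted from a fixed, all-zero IV, so two sessions share a keystream) can be shown in a few lines. The following is an added illustration written for this archive page, not code from either poster. To keep it runnable with only the standard library, the AES block encryption is replaced by a stand-in PRF built from HMAC-SHA256 (an assumption of the example; the keystream-reuse property is the same for real AES-CTR), and the key and messages are constructed sample values. The second half shows the per-message random nonce that Kevin's reply suggests as the fix.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
ZERO_NONCE = bytes(NONCE_LEN)  # the "all-zero IV on startup" from the post


def block_function(key: bytes, nonce: bytes, counter: int) -> bytes:
    """Stand-in for one AES block encryption of (nonce || counter).

    HMAC-SHA256 is used here only so the example runs without a crypto library
    (constructed stand-in, not what a real keyboard would use); CTR mode treats
    the block function as a black box, so the reuse problem is identical.
    """
    return hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-mode keystream: concatenated block outputs for counter 0, 1, 2, ..."""
    out = b""
    counter = 0
    while len(out) < length:
        out += block_function(key, nonce, counter)
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    # zip() truncates to the shorter input, so the result covers the common prefix
    return bytes(x ^ y for x, y in zip(a, b))


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """CTR mode is XOR with the keystream, so this call also decrypts."""
    return xor_bytes(data, keystream(key, nonce, len(data)))


def fixed_nonce_leak(key: bytes, p1: bytes, p2: bytes) -> bytes:
    """Encrypt two sessions the way a device that restarts its counter at a
    fixed IV after every (re)association would, and return c1 XOR c2.

    Because both ciphertexts use the same keystream, the keystream cancels and
    the result equals p1 XOR p2: a passive observer learns the XOR of the two
    plaintexts without ever touching the key.
    """
    c1 = ctr_encrypt(key, ZERO_NONCE, p1)
    c2 = ctr_encrypt(key, ZERO_NONCE, p2)
    return xor_bytes(c1, c2)


def random_nonce_encrypt(key: bytes, data: bytes) -> tuple[bytes, bytes]:
    """The mitigation: a fresh random nonce per message, sent alongside the
    ciphertext. Distinct nonces give distinct keystreams, so c1 XOR c2 no
    longer reveals p1 XOR p2.
    """
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce, ctr_encrypt(key, nonce, data)


def random_nonce_decrypt(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return ctr_encrypt(key, nonce, ciphertext)


if __name__ == "__main__":
    key = secrets.token_bytes(32)                       # constructed sample key
    p1 = b"session one: the quick brown fox"            # constructed sample text
    p2 = b"session two: jumps over the lazy dog"        # constructed sample text

    # Weak: fixed IV, keystream reused across sessions.
    print("c1 ^ c2 == p1 ^ p2 :", fixed_nonce_leak(key, p1, p2) == xor_bytes(p1, p2))

    # Fixed: random nonce per message.
    n1, c1 = random_nonce_encrypt(key, p1)
    n2, c2 = random_nonce_encrypt(key, p2)
    print("nonces differ       :", n1 != n2)
    print("round trip ok       :", random_nonce_decrypt(key, n1, c1) == p1)
    print("leak gone           :", xor_bytes(c1, c2) != xor_bytes(p1, p2))
```

The random nonce on its own only restores confidentiality; it does nothing for integrity, which is why Kevin's reply also mentions pairing the ciphertext with an HMAC (or, equivalently, using an authenticated mode) so that a flipped ciphertext bit is detected rather than silently flipping a plaintext bit.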