[cryptography] Preserve us from poorly described/implemented crypto
marsh at extendedsubset.com
Sun Jun 5 14:35:31 EDT 2011
On 06/05/2011 12:28 AM, Kevin W. Wall wrote:
> Are you asking if there is only a single hardwired key that is
> the same for *all* keyboard / receiver pairs? That would be insane.
Yeah, no one would ever do anything that dumb...right?
> I certainly did NOT get that impression. I thought they just meant
> that each keyboard/mouse and receiver had a fixed, but unique AES
> key hardwired into it.
The way the Senior Product Marketing Manager uses the term "unique
pre-programmed 128-bit encryption key" suggests to me that the product
design did at least give these issues some thought. Otherwise he might
have just said "secret advanced encryption key" or the old favorite
> Or perhaps you are simply saying that they are susceptible to timing
> attacks just because they use a single fixed key? While that
> _could_ be true for their given implementation, I don't think that
> that necessarily follows just because a single keyboard/receiver,
> mouse/receiver pair uses a single fixed key. If they use random IVs
> and appropriate cipher mode or couple the ciphertext with an HMAC to
> ensure message authenticity, I think they should be OK. However,
> without technical details, it's impossible to tell.
My guess is that the keyboard and base exchange unauthenticated random
nonces at the time of initial association and derive AES and MAC keys
from that. I doubt it's using RSA or DH for authenticated session key
Some hardware includes a physical button on each device which must be
pressed to perform the association. This is obviously more secure than
something allowing a wireless attacker to induce a reassociation
whenever he needs to. But "user experience" designers and manufacturing
costs like to eliminate "unnecessary" buttons whenever possible.
> And if they did
> something stupid like basing the AES key on a serial #, that would
> not bode well either. (Even if they used an HMAC of the S/N "signed"
> by a secret held only by Microsoft, that's way too brittle...someone
> steals that one secret and it would be game over.)
It would also require a coordination step at the factory which would add
a few cents to the cost. Not going to happen.
> OTOH, I suppose one could argue that this is better than your normal
> wireless keyboard which is just communicating over an unencrypted
Maybe, but only if you know who your adversary is going to be, and what
his capabilities are, in advance.
> However, if one is close enough to pick up wireless signals, then
> Van Eck phreaking is also probably a possibility.
Rest assured that somewhere in some government office, someone will be
using this keyboard along with a TEMPEST-shielded monitor and it will be
OK because it's AES-certified.
> So probably not suitable for spies. ;-)
Or rather, those who prefer not to be spied on.
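An added example, not code from this thread or from any keyboard vendor, of the design guessed at above: separate AES and HMAC keys derived from the two nonces exchanged at association, then each report sent with a fresh random IV and an encrypt-then-MAC tag that the receiver checks before decrypting. The nonce roles (receiver nonce as salt, keyboard nonce as key material), the "enc"/"mac" labels and the IV||ciphertext||tag layout are assumptions made here; note that because the nonce exchange itself is unauthenticated, this gives fresh per-association keys but says nothing about who the peer is, which is what the association button addresses.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// prf is HMAC-SHA256, used both as the KDF primitive and as the report tag.
func prf(key, data []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(data)
	return m.Sum(nil)
}
// DeriveKeys: HKDF-style extract (receiver nonce as salt, keyboard nonce as IKM),
// then labelled expand; labels and nonce roles are assumptions for this example.
func DeriveKeys(keyboardNonce, receiverNonce []byte) (cipher.Block, []byte, error) {
	prk := prf(receiverNonce, keyboardNonce)
	block, err := aes.NewCipher(prf(prk, []byte("enc"))[:16]) // AES-128 key
	return block, prf(prk, []byte("mac")), err                // separate 32-byte HMAC key
}

// Seal: fresh random IV, AES-CTR, then HMAC over IV||ciphertext (encrypt-then-MAC).
func Seal(block cipher.Block, macKey, plaintext []byte) ([]byte, error) {
	n := aes.BlockSize + len(plaintext)
	out := make([]byte, n+sha256.Size)
	if _, err := rand.Read(out[:aes.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCTR(block, out[:aes.BlockSize]).XORKeyStream(out[aes.BlockSize:n], plaintext)
	copy(out[n:], prf(macKey, out[:n]))
	return out, nil
}

// Open: constant-time tag check first, so forged, modified or truncated reports
// are rejected before any byte is decrypted or typed into the host.
func Open(block cipher.Block, macKey, msg []byte) ([]byte, error) {
	if len(msg) < aes.BlockSize+sha256.Size {
		return nil, errors.New("report too short")
	}
	body, tag := msg[:len(msg)-sha256.Size], msg[len(msg)-sha256.Size:]
	if !hmac.Equal(tag, prf(macKey, body)) {
		return nil, errors.New("bad MAC, report rejected")
	}
	pt := make([]byte, len(body)-aes.BlockSize)
	cipher.NewCTR(block, body[:aes.BlockSize]).XORKeyStream(pt, body[aes.BlockSize:])
	return pt, nil
}
```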