[cryptography] Preserve us from poorly described/implemented crypto

Marsh Ray marsh at extendedsubset.com
Sun Jun 5 14:35:31 EDT 2011

On 06/05/2011 12:28 AM, Kevin W. Wall wrote:
> Are you asking if there is only a single hardwired key for that is
> the same for *all* keyboard / receiver pairs? That would be insane.

Yeah no one would ever do anything that dumb...right?

> I certainly did NOT get that impression. I thought they just meant
> that each keyboard/mouse and receiver had a fixed, but unique AES
> key hardwired into it.

The way the Senior Product Marketing Manager uses the term "unique 
pre-programmed 128-bit encryption key" suggests to me that the product 
design did at least give these issues some thought. Otherwise he might 
have just said "secret advanced encryption key" or the old favorite 
"military-grade encryption".

> Or perhaps you are simply saying that they are susceptible to timing
> attacks just because they use a single fixed key?  While that
> _could_ be true for their given implementation, I don't think that
> that necessarily follows just because a single keyboard/receiver,
> mouse/receiver pair uses a single fixed key. If they use random IVs
> and appropriate cipher mode or couple the ciphertext with an HMAC to
> ensure message authenticity, I think they should be OK. However,
> without technical details, it's impossible to tell.

My guess is that the keyboard and base exchange unauthenticated random 
nonces at the time of initial association and derive AES and MAC keys 
from that. I doubt it's using RSA or DH for authenticated session key 

Some hardware includes a physical button on each device which must be 
pressed to perform the association. This is obviously more secure than 
something allowing a wireless attacker to induce a reassociation 
whenever he needs to. But "user experience" designers and manufacturing 
costs like to eliminate "unnecessary" buttons whenever possible.

> And if they did
> something stupid like basing the AES key on a serial #, that would
> not bode well either. (Even if they used an HMAC of the S/N "signed"
> by a secret held only by Microsoft, that's way too brittle...someone
> steals that one secret and it would be game over.)

It would also require a coordination step at the factory which would add 
a few cents to the cost. Not going to happen.

> OTOH, I suppose one could argue that this better than your normal
> wireless keyboard which is just communicating over an unencrypted
> channel.

Maybe, but only if you know who your adversary is going to be, and what 
his capabilities are, in advance.

> However if one is close to pick up wireless signals, than
> Van Eck phreaking is also probably a possibility.

Rest assured that somewhere in some government office, someone will be 
using this keyboard along with a tempest-shielded monitor and it will be 
OK because it's AES-certified.

> So probably not suitable for spys. ;-)

Or rather, those who prefer not to be spied on.

- Marsh

More information about the cryptography mailing list