[cryptography] Preserve us from poorly described/implemented crypto

Marsh Ray marsh at extendedsubset.com
Mon Jun 6 00:53:01 EDT 2011


On 06/05/2011 08:57 PM, David G. Koontz wrote:
>
> On 5/06/11 6:26 PM, Peter Gutmann wrote:
>> That's the thing, you have to consider the threat model: If
>> anyone's really that desperately interested in watching your tweets
>> about what your cat's doing as you type them then there are far
>> easier attack channels than going through the crypto.

Come on. There are people in tall glass buildings that will be using
this keyboard to enter passwords that manage accounts containing
millions of dollars on a regular basis. And there's a very high
practical limit on the gain of the antenna that could be aimed directly
at them from an office on the same floor across the street.

>> It's a consumer-grade keyboard, not military-crypto hardware,
>> chances are

The military uses tons of off-the-shelf stuff like everybody else.

>> it'll use something like AES in CTR mode with an all-zero IV on
>> startup, so all you need to do is force a disassociate, it'll reuse
>> the keystream, and you can recover everything with an XOR.

Microsoft has some very capable crypto people working for them. But who
knows to what extent they were able to influence the design process for
this thing?

> There are other ways to deny effectiveness. If the fixed keys are
> generated from things knowable during Bluetooth device negotiation
> the security would be illusory.

It could perform a Diffie-Hellman key exchange, which would convert the
passive eavesdropping attack into an active MitM requirement. Or it
could reassociate only under direct user control (hopefully long before
the adversary began monitoring). But again, who knows how it really
works until it's described by someone (preferably Microsoft).

> If that security were dependent on an external security factor but
> otherwise based on knowable elements you'd have key escrow.

Or if the system has major PRNG weaknesses it has de facto key escrow,
at least to the parties that know the chip design, i.e., Microsoft and
China.

> It's hard to imagine as Peter said there'd be any great interest in
> cryptanalytic attacks on keyboard communications.

I don't agree. There have been a lot of interesting research on
Bluetooth security and keyboard sniffing (both wired and wireless).
There was a case years back where the FBI broke into a suspects house
twice to install and recover a keyboard tap (to get his PGP passphrase).
A human operation that risky would definitely motivate interest.
Interestingly, there's been no mention of that technique being needed
lately.

On the defense side, the agencies that are experienced at looking at
signals also have the mission of protecting the US government itself.
Surely they realize it's impractical to keep every off-the-shelf
keyboard out of every marginally sensitive location.

Check this out:
http://www.spi.dod.mil/liposeFAQ.htm
Someone please tell them they ought to require HTTPS for this kind of
download.

> You could counter the threat by using your laptop's built-in
> keyboard.

Or a wired one. Maybe.

> It sounds like a marketing gimmick, and could be considered a mild
> form of snake oil - the threat hasn't been defined, nor the
> effectiveness of the countermeasure proven. A tick box item to show
> sincerity without demonstrating dedication.

I consider the threat to be real. I'm willing to use a wireless mouse,
but not a wireless keyboard, that's where I currently draw the line.

I think it's too early to call this snake oil. I'd consider using it 
keyboard once the protocol is documented.

- Marsh



More information about the cryptography mailing list