[cryptography] Preserve us from poorly described/implemented crypto
iang at iang.org
Tue Jun 7 08:12:48 EDT 2011

On 6/06/11 11:57 AM, David G. Koontz wrote:
> On 5/06/11 6:26 PM, Peter Gutmann wrote:
>> That's the thing, you have to consider the threat model: If anyone's really
>> that desperately interested in watching your tweets about what your cat's
>> doing as you type them then there are far easier attack channels than going
>> through the crypto.
>>
>> It's a consumer-grade keyboard, not military-crypto hardware, chances are
>> it'll use something like AES in CTR mode with an all-zero IV on startup, so
>> all you need to do is force a disassociate, it'll reuse the keystream, and you
>> can recover everything with an XOR.
>
> There are other ways to deny effectiveness. If the fixed keys are generated
> from things knowable during Bluetooth device negotiation the security would
> be illusory. If that security were dependent on an external security factor
> but otherwise based on knowable elements you'd have key escrow.
>
> It's hard to imagine as Peter said there'd be any great interest in
> cryptanalytic attacks on keyboard communications. You could counter the
> threat by using your laptop's built-in keyboard. It sounds like a marketing
> gimmick, and could be considered a mild form of snake oil - the threat
> hasn't been defined, nor the effectiveness of the countermeasure proven. A
> tick box item to show sincerity without demonstrating dedication.

Maybe it is intended just as a slight hurdle to stop the kid brother
listening in to big sister's sex chat with her b/f. Or office level
As such, it's welcome. It means that anyone who does succeed has gone
to special efforts to do this .. which leaves some tracks.

There are the military / national security guys. And then there are the
rest of us. For the rest of society, some simple opportunistic fix is
often all that is needed to knock out 99.9% of the opportunistic
attacks. As practically all of our threats are opportunistic, this is
pretty much the top priority for society at large.
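
The keystream reuse described in the quoted text above (CTR mode restarting from an all-zero IV), shown beside a per-association IV, as an added example that is not part of the original thread. Assumptions: HMAC-SHA256 stands in for AES so the block runs on the standard library alone, and the key, sample keystrokes and function names are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # keystream bytes taken per counter value, as with an AES block


def ctr_keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream: block i = PRF(key, iv || i).

    HMAC-SHA256 stands in for AES (assumption); the reuse property
    shown below does not depend on which block function is used.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        msg = iv + counter.to_bytes(8, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()[:BLOCK]
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # CTR encryption and decryption are the same operation.
    return xor(plaintext, ctr_keystream(key, iv, len(plaintext)))


def keystream_reused(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """True when c1 XOR c2 equals p1 XOR p2, i.e. the keystream cancelled."""
    return xor(c1, c2) == xor(p1, p2)


# Constructed sample data: one fixed key, two sessions of typed text.
KEY = bytes(range(16))
SESSION_1 = b"my cat is asleep on the keyboard"
SESSION_2 = b"hunter2 is my banking passphrase"


def fixed_iv_sessions():
    """Weak setting: the IV resets to all zeros on every association."""
    iv = bytes(8)
    return encrypt(KEY, iv, SESSION_1), encrypt(KEY, iv, SESSION_2)


def fresh_iv_sessions():
    """Corrected setting: a new random IV per association, sent in the clear."""
    return (encrypt(KEY, os.urandom(8), SESSION_1),
            encrypt(KEY, os.urandom(8), SESSION_2))
```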