On Dec 16, 2008, at 12:10 PM, Simon Josefsson wrote:
> ...I agree with your recommendation to write an AES key to devices at
> manufacturing time. However it always comes with costs, including:
>
> 1) The cost of improving the manufacture process sufficiently well to
> make it unlikely that compromised AES keys are set in the factory.
>
> 2) The cost of individualizing each device.
>
> Each of these costs can be high enough that alternative approaches can
> be cost-effective. (*) My impression is that the cost and risks in 1)
> are often under-estimated, to the point where they can become a
> relatively cheap attack vector.
>
> /Simon
>
> (*) In case anyone doubts how the YubiKey works, which I'm affiliated
> with, we took the costs in 1) and 2). But they are large costs. We
> considered requiring users to go through an initial configuration step
> to set the AES key themselves. However, the usability cost in that is
> probably higher than 1) and 2).

Configuration at installation seems to be worth considering. It's a
matter of making that as easy as possible. Asking users for the AES
key is not easy - people aren't good at generating, or even entering,
random 128-bit strings. However, you might be able to get them to
push a reset button - or even connect and disconnect the device - a
number of times and use the timing as a source of entropy. For
something like a network interface, it might be reasonable to assume
that an attacker is unlikely to be present at exactly the time of
initial configuration, so simply pulling bits off the wire/out of the
air during initialization isn't unreasonable. In general, given the
assumption that it's easier to keep the initialization environment
reasonably secure than it is the general fielded environment, and that
you can afford much more time during initial configuration than is
likely during normal operation, all kinds of things that are marginal
if used operationally may be workable for initial configuration.
(Also, of course, operational use may be unattended, but in most cases
you can assume that initial configuration is attended.)
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
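
The timing-based key setup suggested in the reply above, as an added sketch that is not part of the original thread or of any product's firmware: it keeps only the low bits of each interval between presses, estimates their min-entropy conservatively, and refuses to produce a 128-bit key until the estimate clears a margin. The constants, the domain label and the sample timings are assumptions, and the estimate treats intervals as independent.

```python
import hashlib
import math
from collections import Counter

KEY_BITS = 128   # AES-128 key size discussed in the thread
MARGIN = 2       # assumption: require twice the estimated entropy needed
LOW_BITS = 4     # assumption: only the low 4 bits of an interval are hard to predict

def min_entropy_bits(symbols):
    """Conservative most-common-value estimate of min-entropy per symbol."""
    n = len(symbols)
    p = max(Counter(symbols).values()) / n
    # Upper confidence bound (z = 2.576) on the most likely symbol's probability.
    p_upper = min(1.0, p + 2.576 * math.sqrt(p * (1 - p) / (n - 1)))
    return -math.log2(p_upper)

def derive_key(timestamps_us):
    """Return a 16-byte key from event timestamps (microseconds), or None
    if the intervals are estimated to hold too little entropy."""
    deltas = [b - a for a, b in zip(timestamps_us, timestamps_us[1:])]
    if len(deltas) < 2:
        return None
    low = [d & ((1 << LOW_BITS) - 1) for d in deltas]
    if min_entropy_bits(low) * len(low) < KEY_BITS * MARGIN:
        return None  # caller keeps asking for more presses
    h = hashlib.sha256(b"initial-config-key")  # hypothetical domain label
    for d in deltas:
        h.update(d.to_bytes(8, "big", signed=True))
    return h.digest()[:KEY_BITS // 8]

if __name__ == "__main__":
    import random
    rng = random.Random(2008)  # constructed stand-in for human timing jitter
    t, presses = 0, [0]
    for _ in range(200):
        t += 150_000 + rng.randrange(400_000)
        presses.append(t)
    print("10 presses :", derive_key(presses[:10]))
    print("201 presses:", derive_key(presses).hex())
    print("metronome  :", derive_key(list(range(0, 201 * 250_000, 250_000))))
```

At most 4 bits are credited per press, so well over 64 presses are needed before a key is released; a perfectly regular press pattern is rejected outright.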