Thierry Moreau <[EMAIL PROTECTED]> writes: >I find the question should be refined.
It could if there was a large enough repondent base to draw samples from :-). This is one of those surveys that can never be done because no vendor will publicly talk to you about security measures in their embedded systems. In fact none of the people/organisations I queried about this fitted into any of the proposed categories, it was all embedded devices, typically SCADA systems, home automation, consumer electronics, that sort of thing, so it was really a single category which was "Embedded systems". Given the string of attacks on crypto in embedded devices (XBox, iPhone, iOpener, Wii, some not-yet-published ones on HDCP devices :-), etc) this is by far the most at-risk category because there's a huge incentive to attack them, the result affects tens/hundreds of millions of devices, and the attacks are immediately and widely actively exploited (modchips/device unlocking/etc, an important difference between this and academic proof-of-concept attacks), so this is the one where I'd expect the vendors to care most. >Also, for organizations mandated to comply with IT security >certification/guidelines/best-practice, a risk analysis is performed to >keep the auditor at bay, in which SCA protection has very little chance >of even merely being mentioned. How can the SCA protection mechanism fit >the risk analysis discipline? I.e., is it possible to even define SCA >protection in a way that might trigger interest from security >consultants or their clients? Actually that's a special case, or more generally having certification/ auditing requirements (which a private-email responder also mentioned) is a special case in that the risk analysis is now "if I don't do this I don't get sign-off" rather than "it makes good security sense to do this so we'll do it". In the immortal words of the Bastard Operator from Hell, when you have the audit/certification gun pointed at someone's head you can pretty much "[get them to] to run naked across campus with a power-cord rammed up [their] backside" and they'd do it not because they thought it was a terribly good idea but because they had a gun pointed at their head. An associated problem with this is that if vendors are motivated solely by checkbox requirements then they'll often ship the product in a non-approved mode (coughFIPS140cough) to reduce manufacturing or support costs/increase performance/increase ease of use/whatever. It's a nasty catch-22, hold a gun to someone's head and they'll only do what you tell them for as long as the gun is applied. Getting back to the SCADA/home automation/consumer electronics embedded market, the only certification that applies is the likes of FCC Class B, ROHS, CE, and UL. This is why I was interested in finding cases (or counterexamples) of informed-consent use of SCA countermeasures, because in the general embedded-systems case vendor cost/benefit analysis is the only deciding factor on whether it gets used or not, and vendors seem to be deciding (from my own experience and some private-email replies) that it's not worth it. Peter. --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]