On 28/01/11 11:58, Daniel Silverstone wrote: > On Thu, Jan 27, 2011 at 06:49:23PM +0000, Rayservers wrote: > > [Disclaimer: I work for Simtec and worked on the Entropy Key] > >> I had posted about these on this list earlier. I have had 10 of them >> purchased. >> They are waiting for analysis. If anyone on this list has the time and >> expertise >> (both hardware and software), they can have one sent gratis for a full >> analysis >> report to this list. If you carry out a full destructive analysis [the >> innards >> are epoxied], a replacement will be sent. > > If such an analysis is done, we would be very interested in seeing the results > such that we can improve the product if necessary. > >> The web site mentioned that the on board processor running closed source does >> entropy checks before transmitting the data via a secure channel over USB to >> the >> open source driver on Linux. Obviously I am concerned about the closed >> source on >> the micro. > > While the software running on the micro is indeed closed (it's where a lot of > our development effort went) it's not like you could verify that what we told > you was on the micro was indeed on it, since the device is epoxied (for your > security, not ours) and thus you can't change the software on it anyway. We > are being as open and honest about the device as we can, since we understand > the need for transparency where possible. > > I have spoken with the boss and he is prepared to allow me to offer to provide > an Entropy Key unboxed, unepoxied (and thus not run through our full test > suite) as a special developer bare-board option. We could ensure that the > production software is written to the device so that you can verify the board > is operating to spec. Then we can provide a toolchain and example firmware > which demonstrates how to provide a USB serial connection from the micro, how > to power up the generators and an example of reading the random values and > writing them to the USB serial port. This would allow an interested party to > write their own firmware if they do not trust ours. However, since this would > be a special order, there would be delays and potentially costs involved over > and above the retail package, due to the lack of economies of scale.
Hello Daniel, Great to see someone from Simtec on this list and willing to do all that. Price it out and send me an email off list. The delay/wait is unimportant - we may purchase several such custom units - more than one engineer (all geographically scattered so they cannot share) will take a look at it. I had one volunteer on this list - thank you. It is tough getting our own engineers off other projects with tight deadlines. Anyone else? And we are very happy to have found your product, it is reasonably priced, well thought through it seems, and I am even happier to see your explanations on this list. Entropy is the biggest weakness for secure crypto in my opinion. Regarding the firmware - releasing the source to the public, even under a closed license and offering boards like above for any expert to test will be good for confidence in your product. I for one would then want one in every secure phone and computer. And we will be specifying hardware for such. If we improve the firmware we will send you the improvements, and buy the hardware from you obviously. We have enough things to do than compete with you guys. Best, Ray -- Rayservers http://www.rayservers.com/ Zurich: +41 43 5000 728 London: +44 20 30 02 74 72 Panama: +507 832 1846 San Francisco: +1 408 419 1978 USA Toll Free: +1 888 265 5009 10:00 - 24:00 GMT We prefer to be paid in gold Globals™ and silver Isles™ Global Standard™ - Global Settlement Foundation http://www.global-settlement.org/ Our PGP key 0x079CCE10 on http://keyserver.rayservers.com/ _______________________________________________ cryptography mailing list [email protected] http://lists.randombit.net/mailman/listinfo/cryptography
