Michael Nelson wrote:
Noon Silk wrote:
From:
http://blog.cryptographyengineering.com/2012/06/bad-couple-of-years-for-cryptographic.html
"Here's the postage stamp version: due to a perfect storm of (subtle,
but not novel) cryptographic flaws, an attacker can extract sensitive
keys from several popular cryptographic token devices.
That "postage stamp" summary is incorrect. You can't extract keys from
the devices. Suppose you have a key (or other small datum) encrypted in
a blob outside the device. Then you can use the device to figure out the
plain key.
You may believe the attack not serious, but since the encrypted blob is
intended to be decrypted by the device, and used by the device, and
maybe for sensitive operations ...
The very purpose of encrypted blobs for sensitive keys is to make key
backup and key distribution convenient over not-so-secure storage
arrangements and networks. The attack challenges the effectiveness of
encryption for sensitive keys.
--
- Thierry Moreau
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
