Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-08 Thread Eugen Leitl
On Tue, Jun 07, 2011 at 05:18:42PM -0400, Steven Bellovin wrote:

>> Remember how well the original IBM PC clicky keyboard went over (I think
>> I'm the only person in the US who actually liked it - everyone gave me
>> theirs after upgrading to the newer lightweight and silent ones)
>
> I'm typing on a large, heavy, clicky IBM keyboard right now...

I stocked up on Model M SpaceSavers and full-size Model M's some
15 years ago. Have moved to Cherry MX (not blues, SteelSeries) 
gold crosspoints only a few weeks ago.

-- 
Eugen* Leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com http://postbiota.org
8B29F6BE: 099D 78BA 2FD3 B014 B08A  7779 75B0 2443 8B29 F6BE
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Ian G

On 6/06/11 11:57 AM, David G. Koontz wrote:
> On 5/06/11 6:26 PM, Peter Gutmann wrote:
>
>> That's the thing, you have to consider the threat model: If anyone's really
>> that desperately interested in watching your tweets about what your cat's
>> doing as you type them then there are far easier attack channels than going
>> through the crypto.
>>
>> It's a consumer-grade keyboard, not military-crypto hardware, chances are
>> it'll use something like AES in CTR mode with an all-zero IV on startup, so
>> all you need to do is force a disassociate, it'll reuse the keystream, and you
>> can recover everything with an XOR.
>
> There are other ways to deny effectiveness. If the fixed keys are generated
> from things knowable during Bluetooth device negotiation the security would
> be illusory.  If that security were dependent on an external security factor
> but otherwise based on knowable elements you'd have key escrow.
>
> It's hard to imagine as Peter said there'd be any great interest in
> cryptanalytic attacks on keyboard communications.  You could counter the
> threat by using your laptop's built-in keyboard. It sounds like a marketing
> gimmick, and could be considered a mild form of snake oil - the threat
> hasn't been defined, nor the effectiveness of the countermeasure proven.  A
> tick box item to show sincerity without demonstrating dedication.



Maybe it is intended just as a slight hurdle to stop the kid brother 
listening in to big sister's sex chat with her b/f.  Or office level 
snooping.


As such, it's welcome.  It means that anyone who does succeed has gone 
to special efforts to do this .. which leaves some tracks.


There are the military / national security guys.  And then there are the 
rest of us.  For the rest of society, some simple opportunistic fix is 
often all that is needed to knock out 99.9% of the opportunistic 
attacks.  As practically all of our threats are opportunistic, this is 
pretty much the top priority for society at large.


iang


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Nico Williams
TEMPEST.

I'd like keyboards with counter-measures (emanation of noise clicks)
or shielding to be on the market, and built-in for laptops.

I wonder whether touch-screen smartphones give off any useful RF
emanations regarding touches, drags, screen contents.

Anyways, I'm getting out of topic...

Nico


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread J.A. Terranson

On Tue, 7 Jun 2011, Nico Williams wrote:

> TEMPEST.
>
> I'd like keyboards with counter-measures (emanation of noise clicks)
> or shielding to be on the market, and built-in for laptops.

Remember how well the original IBM PC clicky keyboard went over (I think 
I'm the only person in the US who actually liked it - everyone gave me 
theirs after upgrading to the newer lightweight and silent ones): the 
user experience will always end up with a back seat when it's time to do 
the actual work in front of the screen.

> I wonder whether touch-screen smartphones give off any useful RF
> emanations regarding touches, drags, screen contents.

I haven't done a lot of serious work there, but I did look once at an LG 
Optimus V out of idle curiosity: I don't think it would be very difficult 
to map many of its leaky signals.  Same for all smartphones in general. 

//Alif

-- 
I hate Missouri.  Land of the free, home of the perjuriously deranged.


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Nico Williams
On Tue, Jun 7, 2011 at 2:01 PM, J.A. Terranson me...@mfn.org wrote:
> On Tue, 7 Jun 2011, Nico Williams wrote:
>> TEMPEST.
>>
>> I'd like keyboards with counter-measures (emanation of noise clicks)
>> or shielding to be on the market, and built-in for laptops.
>
> Remember how well the original IBM PC clicky keyboard went over (I think
> I'm the only person in the US who actually liked it - everyone gave me
> theirs after upgrading to the newer lightweight and silent ones): the
> user experience will always end up with a back seat when it's time to do
> the actual work in front of the screen.

Right, I want my ergo, so it can't just be a tank of a keyboard.

>> I wonder whether touch-screen smartphones give off any useful RF
>> emanations regarding touches, drags, screen contents.
>
> I haven't done a lot of serious work there, but I did look once at an LG
> Optimus V out of idle curiosity: I don't think it would be very difficult
> to map many of its leaky signals.  Same for all smartphones in general.

My expectation is that smartphones leak plenty -- probably not enough
to interfere with avionics, but enough that folks nearby could capture
inputs, and probably outputs as well.

Nico


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Marsh Ray

On 06/07/2011 02:01 PM, J.A. Terranson wrote:
> On Tue, 7 Jun 2011, Nico Williams wrote:
>
>> TEMPEST.
>>
>> I'd like keyboards with counter-measures (emanation of noise clicks)
>> or shielding to be on the market, and built-in for laptops.
>
> Remember how well the original IBM PC clicky keyboard went over (I think
> I'm the only person in the US who actually liked it - everyone gave me
> theirs after upgrading to the newer lightweight and silent ones):

IBM was a typewriter company for most of the 20th century and 
consequently had a lot of research invested in the keyboards. Those of 
us who used other IBM keyboards before the PC saw it as a lighter-weight 
version of the mainframe terminal keyboards.

I liked it. Years later I found a place to buy a similar buckling 
spring model online and did, but it didn't last very long.

> the
> user experience will always end up with a back seat when it's time to do
> the actual work in front of the screen.

I dunno. Seems like more often than not these days it's security taking 
a back seat to the user experience.

For example, Mozilla is removing the status bar and the SSL lock icon 
along with it. A perfect opportunity for a phishing site to paint one of 
their own. Now they're talking about removing the address bar too.

With every pixel valuable on mobile displays, browsers want to dedicate 
the whole frame to the page itself. Consequently, there is no chrome 
with which to communicate security information out-of-band, i.e., not 
under the control of the web page.

> I haven't done a lot of serious work there, but I did look once at an LG
> Optimus V out of idle curiosity: I don't think it would be very difficult
> to map many of its leaky signals.  Same for all smartphones in general.

What would be interesting would be to substitute an image on the page 
with one that flickered at a known rate. Then maybe try one that 
flickered at a rate determined by idle CPU capacity or other side 
channels. It'd be interesting to see what kind of data rate you could 
obtain for exfiltration.


- Marsh


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Steven Bellovin

On Jun 7, 2011, at 3:01 30PM, J.A. Terranson wrote:

 
> On Tue, 7 Jun 2011, Nico Williams wrote:
>
>> TEMPEST.
>>
>> I'd like keyboards with counter-measures (emanation of noise clicks)
>> or shielding to be on the market, and built-in for laptops.
>
> Remember how well the original IBM PC clicky keyboard went over (I think 
> I'm the only person in the US who actually liked it - everyone gave me 
> theirs after upgrading to the newer lightweight and silent ones)

I'm typing on a large, heavy, clicky IBM keyboard right now...


--Steve Bellovin, https://www.cs.columbia.edu/~smb







Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-07 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes:

> I'm typing on a large, heavy, clicky IBM keyboard right now...

I have a 15-year-old one that's still going strong (not a buckling-spring one,
which I was never that much of a fan of, but a keyswitch one), but I'm not
sure what I'd do if this one ever failed [0].  Wietse Venema keeps a stack of
IBM keyboards above his desk so he has a spare if a current one fails.

Peter.

[0] Yes, I know you can still get third-party ones, but they're a pain to get
internationally, and I'm not sure if they're as good as the originals.


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-05 Thread David G. Koontz
On 5/06/11 6:26 PM, Peter Gutmann wrote:

> That's the thing, you have to consider the threat model: If anyone's really
> that desperately interested in watching your tweets about what your cat's
> doing as you type them then there are far easier attack channels than going
> through the crypto.
>
> It's a consumer-grade keyboard, not military-crypto hardware, chances are
> it'll use something like AES in CTR mode with an all-zero IV on startup, so
> all you need to do is force a disassociate, it'll reuse the keystream, and you
> can recover everything with an XOR.


There are other ways to deny effectiveness. If the fixed keys are generated
from things knowable during Bluetooth device negotiation the security would
be illusory.  If that security were dependent on an external security factor
but otherwise based on knowable elements you'd have key escrow.

It's hard to imagine as Peter said there'd be any great interest in
cryptanalytic attacks on keyboard communications.  You could counter the
threat by using your laptop's built-in keyboard. It sounds like a marketing
gimmick, and could be considered a mild form of snake oil - the threat
hasn't been defined, nor the effectiveness of the countermeasure proven.  A
tick box item to show sincerity without demonstrating dedication.


Re: [cryptography] Preserve us from poorly described/implemented crypto

2011-06-05 Thread Marsh Ray

On 06/05/2011 08:57 PM, David G. Koontz wrote:
> On 5/06/11 6:26 PM, Peter Gutmann wrote:
>
>> That's the thing, you have to consider the threat model: If
>> anyone's really that desperately interested in watching your tweets
>> about what your cat's doing as you type them then there are far
>> easier attack channels than going through the crypto.

Come on. There are people in tall glass buildings that will be using
this keyboard to enter passwords that manage accounts containing
millions of dollars on a regular basis. And there's a very high
practical limit on the gain of the antenna that could be aimed directly
at them from an office on the same floor across the street.

>> It's a consumer-grade keyboard, not military-crypto hardware,
>> chances are

The military uses tons of off-the-shelf stuff like everybody else.

>> it'll use something like AES in CTR mode with an all-zero IV on
>> startup, so all you need to do is force a disassociate, it'll reuse
>> the keystream, and you can recover everything with an XOR.

Microsoft has some very capable crypto people working for them. But who
knows to what extent they were able to influence the design process for
this thing?

> There are other ways to deny effectiveness. If the fixed keys are
> generated from things knowable during Bluetooth device negotiation
> the security would be illusory.

It could perform a Diffie-Hellman key exchange, which would convert the
passive eavesdropping attack into an active MitM requirement. Or it
could reassociate only under direct user control (hopefully long before
the adversary began monitoring). But again, who knows how it really
works until it's described by someone (preferably Microsoft).

> If that security were dependent on an external security factor but
> otherwise based on knowable elements you'd have key escrow.

Or if the system has major PRNG weaknesses it has de facto key escrow,
at least to the parties that know the chip design, i.e., Microsoft and
China.

> It's hard to imagine as Peter said there'd be any great interest in
> cryptanalytic attacks on keyboard communications.

I don't agree. There has been a lot of interesting research on
Bluetooth security and keyboard sniffing (both wired and wireless).
There was a case years back where the FBI broke into a suspect's house
twice to install and recover a keyboard tap (to get his PGP passphrase).
A human operation that risky would definitely motivate interest.
Interestingly, there's been no mention of that technique being needed
lately.

On the defense side, the agencies that are experienced at looking at
signals also have the mission of protecting the US government itself.
Surely they realize it's impractical to keep every off-the-shelf
keyboard out of every marginally sensitive location.

Check this out:
http://www.spi.dod.mil/liposeFAQ.htm
Someone please tell them they ought to require HTTPS for this kind of
download.

> You could counter the threat by using your laptop's built-in
> keyboard.

Or a wired one. Maybe.

> It sounds like a marketing gimmick, and could be considered a mild
> form of snake oil - the threat hasn't been defined, nor the
> effectiveness of the countermeasure proven. A tick box item to show
> sincerity without demonstrating dedication.

I consider the threat to be real. I'm willing to use a wireless mouse,
but not a wireless keyboard, that's where I currently draw the line.

I think it's too early to call this snake oil. I'd consider using the 
keyboard once the protocol is documented.


- Marsh
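
The keystream-reuse failure quoted in this thread (CTR mode restarting from an all-zero IV after every re-association under a fixed key), shown beside the fix of a fresh per-session IV. This is an added example, not part of the original posts and not a description of any real keyboard's protocol; HMAC-SHA256 stands in for AES as the block function so it runs with the standard library only, and all names and sample strings are constructed for illustration.

```python
import hashlib
import hmac
import secrets


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key, iv || counter) for counter = 0, 1, ..."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        # HMAC-SHA256 is an assumed stand-in for the AES block function.
        out += hmac.new(key, iv + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    # Stream encryption: decrypting is the same operation with the same IV.
    return xor(plaintext, keystream(key, iv, len(plaintext)))


def session_iv(fixed_zero: bool) -> bytes:
    """IV chosen at (re)association: all-zero (the flawed design) or random."""
    return bytes(16) if fixed_zero else secrets.token_bytes(16)


def leaks_plaintext_xor(key: bytes, p1: bytes, p2: bytes, fixed_zero: bool) -> bool:
    """Encrypt two sessions and report whether c1 XOR c2 equals p1 XOR p2."""
    c1 = encrypt(key, session_iv(fixed_zero), p1)
    c2 = encrypt(key, session_iv(fixed_zero), p2)
    # With an identical keystream the key cancels out of c1 XOR c2 entirely.
    return xor(c1, c2) == xor(p1, p2)


# Constructed sample traffic: two sessions sent under the same fixed key.
KEY = secrets.token_bytes(32)
BEFORE = b"keystrokes typed before the link drops"
AFTER = b"keystrokes typed after re-association."

if __name__ == "__main__":
    print("all-zero IV leaks p1^p2:", leaks_plaintext_xor(KEY, BEFORE, AFTER, True))
    print("random IV leaks p1^p2: ", leaks_plaintext_xor(KEY, BEFORE, AFTER, False))
```

A design review of a link like this should ask where the IV or counter comes from after a reconnect and whether the key is renegotiated, since either a fresh key or a never-repeating IV removes the leak.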