TPM Crytography Cracked

February 9, 2010 by Mike Szczys 36 Comments

Trusted Platform Module based cryptography protects your secrets as well as your government’s secrets. Well, it used to. [Christopher Tarnovsky] figured out how to defeat the hardware by spying on its communications. This requires physical access so it’s not quite as bad as it sounds, but this does reach beyond TPM to many of the security chips made by Infineon. This includes peripheral security chips for Xbox 360 and some chips used in cell phones and satellite TV.

[Christopher] revealed his hack during his presentation at Black Hat 2010. The method is wicked-hard, involving removal of the chip’s case and top layer, then tapping into a data bus to get at unencrypted data. The chip still has some tricks up its sleeve and includes firmware traps that keep a look out for this type of attack, shutting down if it’s detected. Infineon commented that they knew this was possible but regard it as a low threat due to the high skill level necessary for success.

[Thanks Greg]

The Underhanded Hardware Challenge

August 21, 2008 by Eliot 7 Comments

The Polytechnic Institute of NYU is hosting an interesting embedded systems contest. They’ve constructed a solid state cryptographic device that uses a 128-bit private key. Contestants will be tasked with designing and implementing several trojans into the system that will undermine the security. The system is built on a Digilent BASYS Spartan-3 FPGA board. The trojans could do a wide variety of things: transmitting unencrypted, storing and transmitting previously entered plain text, or just shutting down the system entirely. The modified devices still need to pass the factory testing procedure though, which will measure power consumption, code size, and function. After a qualification round, participants will be given the necessary hardware to compete.

[via NYC Resistor (Happy Birthday!)]

Google Releases KeyCzar

August 12, 2008 by Caleb Kraft 9 Comments

Google has released keyCzar, a cryptographic toolkit that supports encryption and authentication for both symmetric and public-key algorithms.

Cryptography is a common problem area for web programmers. keyCzar aims to help alleviate some of the issues by supplying safe defaults, tagging versions, and a simple interface.

[via Zero Day]

Bruce Schneier’s Opinion On Everything

May 14, 2008 by Eliot 2 Comments

Honestly, we were originally sent this Q&A with famed cryptographer [Bruce Schneier] as a restaurant recommendation (112 Eatery, Minneapolis). Posted last fall on NYTimes’ Freakonomics blog it covers [Bruce]’s opinion on nearly everything. Here are a few items in particular that really stuck out to us:

The most immediate threat to the average person is crime – in particular, fraud. And as I said before, even if you don’t store that data on your computer, someone else has it on theirs. But the long-term threat of loss of privacy is much greater, because it has the potential to change society for the worse.

What you’re really asking me is about the security. No one steals credit card numbers one-by-one, by eavesdropping on the Internet connection. They’re all stolen in blocks of a million by hacking the back-end database. It doesn’t matter if you bought something over the Internet, by phone, by mail, or in person – you’re equally vulnerable.

We already knew he doesn’t secure his WiFi (neither do we) and you’ll find many other interesting discussions in the article. If you want Bruce Schneier facts though, you’ll have to look elsewhere.