On Mon, Nov 16, 2009 at 11:20:27PM -0500, Jerry Leichter wrote:
> I'm not sure that's the right lesson to learn.

I might have, perhaps, phrased it a little better. Regardless of initial planning, TI continued selling devices relying on this particular code signing implementation well past what the original design engineers hopefully expected would be its maximum lifespan.

> A system has to be designed to work with available technology. The
> TI83 dates back to 1996, and used technology that was old even at
> the time: The CPU is a 6MHz Z80. A 512-bit RSA was probably near
> the outer limits of what one could expect to use in practice on such
> a machine, and at the time, that was quite secure.

If this is true, then it makes an interesting case study for the topic of this thread...

> Nothing lasts forever, though, and an effective 13 year lifetime
> for cryptography in such a low-end product is pretty good.
[...]

Not such a low-end product, when compared to the bank transaction authenticating crypto we're discussing (I had a TI-83 back when they first came out, and it was far from cheap on a starving student budget). Assume what TI had built was one of these banking crypto devices... they implemented a code signing mechanism so it could be updated in a secure fashion, since they didn't want it to be so disposable... the best code signing mechanism the processor could handle... in 13 years a hobbyist with a few months and basically no budget is able to trojan these devices. This speaks to an inherent lifespan for "low-end" devices anyway, since a time will come when they need better code signing than their processors can handle.

If the hobbyist can do it 13 years later for a relatively low-value target (programmable calculators), how about something which has a lot more potential for profit? A decade ago I was working on (relatively) low-budget Beowulf distributed compute clusters which easily rivalled the speed of the machine used to crack TI's code signing keys. This was well within the budget of a criminal organization--probably a tiny fraction of what they could have made selling the code signing keys for widely-deployed bank transaction authenticator devices. Maybe calculators are a bad example, but if 3-4 years is all it takes to put the code signing key for an inexpensive device in the hands of criminals, then is it worth the risk (or even expense) to make dedicated banking crypto hardware updateable?

-- 
{ IRL(Jeremy_Stanley); PGP(9E8DFF2E4F5995F8FEADDC5829ABF7441FB84657);
SMTP(fu...@yuggoth.org); IRC(fu...@irc.yuggoth.org#ccl); ICQ(114362511);
AIM(dreadazathoth); YAHOO(crawlingchaoslabs); FINGER(fu...@yuggoth.org);
MUD(fu...@katarsis.mudpy.org:6669); WWW(http://fungi.yuggoth.org/); }

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com