Message-ID: <4ef5fec60802221053y1a89c18epe195e7cc121660d8@mail.gmail.com>
Date: Fri, 22 Feb 2008 10:53:55 -0800
From: coderman <coderman@...il.com>
To: "Michael Holstein" <michael.holstein@...ohio.edu>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: round and round they go, keys in ram are ripe for picking...

On Fri, Feb 22, 2008 at 10:05 AM, Michael Holstein
<michael.holstein@...ohio.edu> wrote:
> ...
>  FIPS 140-1 [http://www.itl.nist.gov/fipspubs/fip140-1.htm] addresses this.
>  ...
>     * The contents of the module shall be completely contained within a
>       tamper detection envelope...
>     * The module shall contain tamper response and zeroization
>       circuitry. ...
>     * The module shall either include environmental failure protection
>       (EFP) features or undergo environmental failure testing (EFT) ..

i'm fond of tamper resistant / evident packaging, but this is usually
applied to persistent key storage rather than working system memory.
works well for authentication tokens and such, even if these methods
can also be bypassed with some effort.
(see http://flylogic.net/ and their disassemblies at http://flylogic.net/blog )

tamper resistant cases are a bit more fun, like the blackbox [0] pelican
padlocked with zeroization / panic button.  however, after reading
this paper, it appears that secure overwrite of all key scrubbed
memory and other sensitive locations would be preferable to simple
power off, even if the case is a pain to open...

a fun attack, to be sure.


0. DefCon 13 black box challenge
http://blog.makezine.com/archive/2005/07/_defcon_the_jan.html
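The message above argues that a panic button should overwrite key material in working memory rather than just cutting power. The following C example is added here as an illustration and is not code from coderman or from the Full-Disclosure thread; the `key_slot_t` container, the sample key bytes and all function names are constructed for the example. The security-relevant detail it shows is that a plain `memset()` on a buffer that is never read again may be removed by the compiler as a dead store, so the zeroization writes go through a `volatile`-qualified pointer, and the verification helper reads every byte rather than stopping at the first non-zero one.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical container for the working copy of a symmetric key held in RAM. */
typedef struct {
    uint8_t key[32];
    size_t key_len;
} key_slot_t;

/* Zeroization the compiler may not elide as a dead store: each write goes
 * through a volatile pointer, so it must be performed even though the
 * buffer is never read again afterwards. */
void secure_zero(void *buf, size_t len)
{
    volatile uint8_t *p = (volatile uint8_t *)buf;
    while (len--) {
        *p++ = 0;
    }
}

/* Returns 1 if every byte of the slot's key storage is zero and the
 * length is cleared, else 0. Reads the whole buffer without early exit. */
int slot_is_zeroized(const key_slot_t *slot)
{
    uint8_t acc = 0;
    for (size_t i = 0; i < sizeof slot->key; i++) {
        acc |= slot->key[i];
    }
    return acc == 0 && slot->key_len == 0;
}

/* Loads a constructed sample key into the slot (stand-in for real key setup). */
void slot_load_sample(key_slot_t *slot)
{
    for (size_t i = 0; i < sizeof slot->key; i++) {
        slot->key[i] = (uint8_t)(0xA5 ^ i);   /* constructed value, not a real key */
    }
    slot->key_len = sizeof slot->key;
}

/* "Panic button" handler: scrub the working copy before the power is cut. */
void slot_zeroize(key_slot_t *slot)
{
    secure_zero(slot->key, sizeof slot->key);
    slot->key_len = 0;
}

/* Full cycle for a self-check: returns 1 if the slot held key material
 * before zeroization and holds none afterwards. */
int demo_zeroize_cycle(void)
{
    key_slot_t slot;
    slot_load_sample(&slot);
    int loaded = !slot_is_zeroized(&slot);
    slot_zeroize(&slot);
    int cleared = slot_is_zeroized(&slot);
    return loaded && cleared;
}

int main(void)
{
    printf("zeroize cycle ok=%d\n", demo_zeroize_cycle());
    return 0;
}
```

Where the platform provides a guaranteed-not-optimized wipe (`explicit_bzero()` on glibc and the BSDs, `memset_s()` from C11 Annex K), that is preferable to the hand-rolled volatile loop; the loop is shown so the example builds with any C compiler. Note that this only clears the copy the program knows about: registers, swap, caches and any other copies the kernel or a library made are outside its reach, which is why a wipe is a complement to, not a replacement for, limiting how long keys sit in RAM.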

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
