Thread: keys to the Kingdom
View Single Post
  #1 (permalink)  
Old 06-20-2006, 05:56 PM
Austin Lesea
Guest
  
Posts: n/a
Default keys to the Kingdom
Annoyed Crypto Folks,

The latest announcement of "security" is just more than a little annoying:

http://biz.yahoo.com/prnews/060619/sfm036.html?.v=56

In the FIPS 140-2 Standard:

"4.7.6 Key Zeroization

A cryptographic module shall provide methods to zeroize all plaintext
secret and private cryptographic keys and CSPs within the module.
Zeroization of encrypted cryptographic keys and CSPs or keys otherwise
physically or logically protected within an additional embedded
validated module (meeting the requirements of this standard) is not
required.

Documentation shall specify the key zeroization methods employed by a
cryptographic module."

Efuse keys can be read easily by inspection:

http://ieeexplore.ieee.org/iel5/9994...isnumber=32106
(IEEE library user name and password required)

Not that there is anything wrong with a low cost, simple, and useful
security method (look at how many cheap locks get sold that are easily
picked by the average pre-teen). But to imply that this is somehow NIST
approved is a complete joke!

In fact, use of poly efuses are great (now that the foundries have them
as a standard feature).

Just don't go advertising them to be more than they really are: a
convenient way to make it cost at least $5,000 to find the key.

Austin
Reply With Quote