← Back to context

Comment by jll29

3 days ago

Given with yesterday's article on here about the issues of PGP, it looks like all software encryption short of a one-time pad are decorative.

I like the idea of a key part of the the CPU (comment below); does anyone know why Intel/ARM/AMD have not picked up this IBM feature?

17 comments

jll29

Reply
tptacek  2 days ago

The logic you're using here is: if PGP is unsafe, all cryptography must be unsafe too? No, that doesn't hold, at all.

Retr0id  3 days ago

Protecting secrets via hardware is always "decorative" in some sense, the question is just how much time+work it takes to extract them (and probability of destroying the secrets/device in the process). (outside of things like QKD)

But for software systems under a software threat model, bug-free implementations are possible, in theory at least.

  • rossjudson  2 days ago

    This is a reasonable take.

    Perfect security isn't a thing. Hardware/Software engineers are in the business of making compromise harder, but eyes are wide open about "perfection".

    Confidential Computing is evolving, and it's steadily gotten much more difficult to bypass the security properties.

  • pjc50  3 days ago

    I don't follow this - the software must necessarily run on some hardware, so while the software may be provably secure that doesn't help if an attacker can just pull key material off the bus?

dist-epoch  3 days ago

What do you mean exactly? Both AMD/Intel have signed firmware, and both support hardware attestation, where they sign what they see with an AMD/Intel key and you can later check that signature. This is the basis of confidential VMs, where not even the machine physical owner can tamper with the VM in an undetectable way.

  • evan_a_a  3 days ago

    I have bad news on that front.

    https://tee.fail/

    • fc417fc802  2 days ago

      > While the data itself is encrypted, notice how the values written by the first and third operation are the same.

      The fact that Intel and AMD both went with ECB leaves me with mild disbelief. I realize wrangling IVs in that scenario is difficult but that's hardly an excuse to release a product that they knew full well was fundamentally broken. The insecurity of ECB for this sort of task has been common knowledge for at least 2 decades.

      4 replies →

    • lxgr  3 days ago

      Yes, trusted computing is empirically hard, but I haven't heard solid arguments either way on whether it's actually infeasible.

lxgr  3 days ago

What article?

In any case, I'm curious to hear your argument for how "PGP has some implementation problems" (unsurprising to most people that have dared to look at its internals even briefly) implies "all non-information-theoretic cryptography is futile".

maqp  2 days ago

Except 99% of one-time pad implementations fail in at least one criteria:

* Using CSPRNGs instead of HWRNGs to generate the pads,

* Try to make it usable and share short entropy and reinvent stream ciphers,

* Share that short entropy over Diffie-Hellman RSA,

* Fail to use unconditionally secure message authentication,

* Re-use pads,

* Forget to overwrite pads,

* Fail to distribute pads off-band via sneakernet or dead drops or QKD.

OTP is also usually the first time someone dabbles in creating cryptographic code so the implementations are full of footguns.