While I freely admit that I use a lot of Google services, have an Android phone, and so on... I can't fathom why anyone would think it's a good idea to buy security hardware from an advertising company.
Because it is an extremely high-value target that has proven capable of defending itself from numerous sophisticated attacks, and it has a vested interest in keeping its users and customers secure as well.
Is anyone actually taking this serious? As if all other countries are any better.
Uh, German data protection laws, yadda yadda - they didn't stop the police from raiding several activist non profit organizations a couple of months ago, with no repercussions.
The "US jurisdiction"-line is just tiresome and weak. Show me the country that guards user data that isn't part of 5 eyes and where attempts of the state to gain access to said data is actually penalized.
Because they're paying top dollar to some of the brightest people in security right now?
Because they're a high value target that uses their own products in their fleet?
Because they've shown that they care about security and were willing to step up their game to achieve it?
Because they routinely share their expertise in form of either open source contributions or scientific papers?
It would be difficult, but the one thing I've learned to trust in security is that there's no such thing as a system that can't be broken.
For U2F, the first thing that comes to mind is timing channels, or perhaps building in a radio and letting anyone nearby use the key as if it were theirs.
The existence of a hidden radio should be trivial to confirm - at minimum it would require a battery and an antenna.
If I we're the paranoid type, I'd avoid bluetooth security keys all together. NFC should be fine for use with a mobile phone, and while there are attacks that let you read NFC from a few meters away, if you credibly think you have an adversary who can identify you in public, and has this type of specialized hardware, you're dealing with someone who would have a much easier time just throwing you in the back of a van to extract whatever they wanted out of you.
The second one is (more) interesting, IMHO. The entries on how most of the keys have some defect or other are worth reading, since mostly nobody is looking at this stuff.
The relevant paragraph on Feitian:
Feitian ePass
ASN.1 DER is designed to be a “distinguished” encoding, i.e. there should be a unique serialisation for a given value and all other representations are invalid. As such, numbers are supposed to be encoded minimally, with no leading zeros (unless necessary to make a number positive). Feitian doesn't get that right with this security key: numbers that start with 9 leading zero bits have an invalid zero byte at the beginning. Presumably, numbers starting with 17 zero bits have two invalid zero bytes at the beginning and so on, but I wasn't able to press the button enough times to get such an example. Thus something like one in 256 signatures produced by this security key are invalid.
Also, the final eight bytes of the key handle seem to be superfluous: you can change them to whatever value you like and the security key doesn't care. That is not immediately a problem, but it does beg the question: if they're not being used, what are they?
Lastly, the padding data in USB packets isn't zeroed. However, it's obviously just the previous contents of the transmit buffer, so there's nothing sensitive getting leaked.
I don't think the article is talking about some random third party diddling the devices to install a backdoor. I think it is talking about the manufacturer building in a backdoor.
I don't see anything in the U2F FIDO spec that can prevent that.
We live in an interesting time and place where China could declare war on the democratic countries in the next 5 years...let me explain. China is in a very bad situation where it has accumulated too much debt in its national and local governments, and corporations. Inflation is going through the roof - rent has increased 30% from 2017 in Beijing and other cities, and food costs are going up because of the tariffs. And incomes are declining - top income for tsinghua graduates, the top university in China, has fallen 20% from 2016. There have been various protests from veterans about decreased/stopped pays.
All this will eventually lead to a point where the CCP has to appease its citizens for the crashing economy. Either it will choose to subdue its own people - either with more police state, lockdowns, or jailing, and do so for the next 10-20 years while the bad debts slowly gets resolved (ala Japan), or it will choose to redirect its focus abroad (ala Germany 1930) and starts to aggressively expanding and taking over countries as puppet states (which it is already doing now with various African states and Southeast countries) or use its growing military to attack nearby countries (Taiwan, Vietnam)
That makes the (cyber)defenses against China even more important today. Thus we have US/Australia banning Huawei and ZTE, and Japan is thinking about banning them as well from the network. The free, democratic countries of the world are starting to realize how dangerous giving China backdoors into the networks is.
We need to monitor all our security breaches that exposes us to Chinese cyber espionages, so we can prevent theft of important technologies.
What's the basis on which you decided parent isn't "flaming ideological/nationalistic tribal war" (your words)? So tired of you and dang's selective rule enforcement. Not that the rules themselves aren't good ones, but when you apply them only to some groups but not to others it calls in question why those rules were introduced in the first place.
What you described is more likely to happen in a society where citizens are used to high standards and these standards can't be maintained. Correct me if I'm wrong, but I think most Chinese workers only eat, sleep and work. How would you get them to the point of violent protest? It doesn't matter how bad the inflation gets when you're already at the very bottom.
Western countries are actually starting to imitate that system, because it allows for a somewhat peaceful submission of society at low living standards.
There are zero genuine technical complaints here. Its just a long winded article saying "but China" (implying anything manufactured there could be compromised). That concern, legitimate or not, covers >99% of electronics, including the computer or smartphone these keys are intended to be used with.
Exactly how does a Feitian key differ from a Google one? Where is the SoC produced? How secure is the enclave equivalent and that bit which produces the private key? What is the chain of trust?
I don't trust the UK or US governments, but why on earth would I trust China?
The fact is google are very good as managing security of their supply chain and if you’re worried about China interfering with hardware then I’m wondering where you think your phones, laptops, tv, tablets, IoT fridges are made... they are full of parts from China, almost impossible to check everything inside your laptop - however a single hardware device provided by Google?
The threat model for most people in the advanced protection program is "I'm a human rights activist and a government sent me a phishing link that looked like a Google docs login, and I'm not that careful, so I put my password in it", not "I run a backbone network that Intel agencies would love to tap and they're willing to expend lots of money/risk for that".
28 comments
[ 13.3 ms ] story [ 679 ms ] threadUh, German data protection laws, yadda yadda - they didn't stop the police from raiding several activist non profit organizations a couple of months ago, with no repercussions.
The "US jurisdiction"-line is just tiresome and weak. Show me the country that guards user data that isn't part of 5 eyes and where attempts of the state to gain access to said data is actually penalized.
How exactly do you expect anyone to backdoor these devices?
For U2F, the first thing that comes to mind is timing channels, or perhaps building in a radio and letting anyone nearby use the key as if it were theirs.
If I we're the paranoid type, I'd avoid bluetooth security keys all together. NFC should be fine for use with a mobile phone, and while there are attacks that let you read NFC from a few meters away, if you credibly think you have an adversary who can identify you in public, and has this type of specialized hardware, you're dealing with someone who would have a much easier time just throwing you in the back of a van to extract whatever they wanted out of you.
https://pwnaccelerator.github.io/2018/webusb-yubico-disclosu...
https://www.imperialviolet.org/2017/10/08/securitykeytest.ht...
The second one is (more) interesting, IMHO. The entries on how most of the keys have some defect or other are worth reading, since mostly nobody is looking at this stuff.
The relevant paragraph on Feitian:
Feitian ePass
ASN.1 DER is designed to be a “distinguished” encoding, i.e. there should be a unique serialisation for a given value and all other representations are invalid. As such, numbers are supposed to be encoded minimally, with no leading zeros (unless necessary to make a number positive). Feitian doesn't get that right with this security key: numbers that start with 9 leading zero bits have an invalid zero byte at the beginning. Presumably, numbers starting with 17 zero bits have two invalid zero bytes at the beginning and so on, but I wasn't able to press the button enough times to get such an example. Thus something like one in 256 signatures produced by this security key are invalid.
Also, the final eight bytes of the key handle seem to be superfluous: you can change them to whatever value you like and the security key doesn't care. That is not immediately a problem, but it does beg the question: if they're not being used, what are they?
Lastly, the padding data in USB packets isn't zeroed. However, it's obviously just the previous contents of the transmit buffer, so there's nothing sensitive getting leaked.
I don't see anything in the U2F FIDO spec that can prevent that.
All this will eventually lead to a point where the CCP has to appease its citizens for the crashing economy. Either it will choose to subdue its own people - either with more police state, lockdowns, or jailing, and do so for the next 10-20 years while the bad debts slowly gets resolved (ala Japan), or it will choose to redirect its focus abroad (ala Germany 1930) and starts to aggressively expanding and taking over countries as puppet states (which it is already doing now with various African states and Southeast countries) or use its growing military to attack nearby countries (Taiwan, Vietnam)
That makes the (cyber)defenses against China even more important today. Thus we have US/Australia banning Huawei and ZTE, and Japan is thinking about banning them as well from the network. The free, democratic countries of the world are starting to realize how dangerous giving China backdoors into the networks is.
We need to monitor all our security breaches that exposes us to Chinese cyber espionages, so we can prevent theft of important technologies.
https://news.ycombinator.com/newsguidelines.html
Western countries are actually starting to imitate that system, because it allows for a somewhat peaceful submission of society at low living standards.
Exactly how does a Feitian key differ from a Google one? Where is the SoC produced? How secure is the enclave equivalent and that bit which produces the private key? What is the chain of trust?
I don't trust the UK or US governments, but why on earth would I trust China?
People in the UK are sent directly to a chinese online store which means at that point Google has no control over anything anymore.