[Gnuk-users] Security of NeuG?

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sun Feb 22 00:34:19 UTC 2015


On Thu 2015-02-19 06:47:42 -0500, NIIBE Yutaka wrote:
> My point is that encryption on the device side is not needed, even
> if the USB communication could be tapped.
>
> The exact random bytes are not needed by the host PC.  If someone is
> concerned about a possible wire-tapping attack, I think it would be OK
> to just add some filter.
>
>                                  [SECRET]
>                                      |           /------\
>                                      |           |      |
>                                      V           V      |
>  [USB Device] -- random byte -->  <Secure Keyed Hash> --/
>                                          |
>                                another random stream
>                                          |
>                                          V
>                                      [KERNEL]
>
> The administrator could replace the SECRET periodically.
>
> People can use the NeuG standalone device in this way.

I'd be less concerned with the tapping attack that Jonathan describes,
than with someone using a machine-in-the-middle attack to actually feed
you data that isn't the random stream you expect at all.

Using a symmetric-key cipher that provides integrity protection as well
(e.g. any of the common AEAD modes) would provide not only
confidentiality but also assurance that the stream hasn't been tampered
with.

I'm not saying it's a high-priority issue, but it's worth considering.
Otherwise an attacker who replaces your USB stick could just feed you
all-zeros and you're left with the in-software CSPRNG (your diagram
above) and no seed entropy.

        --dkg
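The two ideas in this exchange, as an added host-side example in Go that is not NeuG or Gnuk project code: the keyed-hash "filter" from the quoted diagram, and the AEAD wrapper dkg suggests so that a substituted stream fails verification instead of being mixed into the pool. It assumes HMAC-SHA256 with a feedback chain as the <Secure Keyed Hash>, AES-GCM as the AEAD, a counter-derived nonce shared by device and host, and constructed sample values (secret, key, "device output"); the function names `KeyedHashFilter`, `SealRandom` and `OpenRandom` are hypothetical.

```go
// Added example, not NeuG/Gnuk code: host-side keyed-hash filter plus an
// AEAD transport check that rejects a replaced or all-zero random stream.
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// KeyedHashFilter is the <Secure Keyed Hash> box from the diagram: each output
// block is HMAC-SHA256(SECRET, previous output || device bytes). The previous
// output is the feedback loop on the right of the diagram, so a passive tap on
// the USB bytes alone does not reveal what reaches the kernel.
type KeyedHashFilter struct {
	secret []byte
	state  []byte // previous output, fed back into the next hash
}

func NewKeyedHashFilter(secret []byte) *KeyedHashFilter {
	return &KeyedHashFilter{secret: secret, state: make([]byte, sha256.Size)}
}

// Next mixes one chunk of device output into the filter and returns 32 bytes
// destined for the kernel's entropy pool.
func (f *KeyedHashFilter) Next(deviceBytes []byte) []byte {
	mac := hmac.New(sha256.New, f.secret)
	mac.Write(f.state)
	mac.Write(deviceBytes)
	f.state = mac.Sum(nil)
	out := make([]byte, len(f.state))
	copy(out, f.state)
	return out
}

// ReplaceSecret is the "administrator could replace the SECRET periodically"
// step; the chaining state is kept so earlier input still influences output.
func (f *KeyedHashFilter) ReplaceSecret(secret []byte) { f.secret = secret }

// gcmNonce derives the 12-byte GCM nonce from a per-device message counter.
// The counter must never repeat under one key; the host requires it to
// strictly increase, which also rejects replayed packets.
func gcmNonce(counter uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], counter)
	return nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealRandom is the device side: encrypt and authenticate a block of random
// bytes under the shared key, with the counter bound as associated data.
func SealRandom(key []byte, counter uint64, random []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Seal(nil, gcmNonce(counter), random, gcmNonce(counter)), nil
}

// OpenRandom is the host side: the packet is accepted only if the tag verifies
// and the counter is newer than the last one seen. Anything not sealed under
// the key (all zeros included) fails here rather than reaching the pool.
func OpenRandom(key []byte, lastCounter *uint64, counter uint64, packet []byte) ([]byte, error) {
	if counter <= *lastCounter {
		return nil, errors.New("stale or replayed counter")
	}
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, gcmNonce(counter), packet, gcmNonce(counter))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	*lastCounter = counter
	return plain, nil
}

func main() {
	// Constructed demo values; a real deployment uses fresh secrets and the
	// device's actual output.
	secret := []byte("filter-secret-0001")
	key := bytes.Repeat([]byte{0x42}, 16) // AES-128 key, constructed
	device := bytes.Repeat([]byte{0xA5}, 32)

	fmt.Printf("filter output: %x\n", NewKeyedHashFilter(secret).Next(device))

	var last uint64
	packet, _ := SealRandom(key, 1, device)
	got, err := OpenRandom(key, &last, 1, packet)
	fmt.Println("genuine packet accepted:", err == nil && bytes.Equal(got, device))

	// The scenario in the mail: the stick is swapped and the host is handed
	// all zeros of the right length. With the tag, this is refused.
	_, err = OpenRandom(key, &last, 2, make([]byte, len(packet)))
	fmt.Println("all-zero substitute rejected:", err != nil)
}
```

The filter alone gives confidentiality against a passive tap; only the AEAD step tells the host that the bytes came from the device holding the key, which is the gap the all-zeros case exposes.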