[XCSSA] finger computer

xcssa@xcssa.org
Fri, 15 Sep 2006 18:17:14 -0500


On 9/12/06, xcssa-admin@xcssa.org <xcssa-admin@xcssa.org> wrote:
> Could go with something like http://www.projectblackdog.com/product.html

Neat, but it looks like there's no screen on it.

One of the big problems with security is having to trust the host.
Without a separate output and input device, the trust perimeter
has to include the PC...

For example, take smart cards.  Yes, they can do crypto operations,
but you have no idea what data they're performing it on.  If you're doing
digital signatures, the PC can send it whatever it wants, and your
smart card signs it.  There are lots of very sophisticated cryptanalytic
attacks that you can do, given an "oracle" like a smart card,
unless the designers have been _very_ careful.

For example, if you get all the prime numbers up to some limit B
signed using raw RSA, then you can create a signature on any
B-smooth composite (i.e. a composite number with all factors less
than or equal to B), by simple modular arithmetic.

Let sign(x, k, n) be x^k mod n,
Let y = u*v
Then sign(y, k, n) = sign(u, k, n) * sign(v, k, n) mod n

There are many, many types of things like this.
The best advice I have heard for non-experts is to run
everything user-supplied through a one-way function
(e.g. SHA-256) before using it.  It may be good
engineering even for experts, because new
mathematical attacks are being discovered all
the time.
-- 
"If you're not part of the solution, you're part of the precipitate."
Unix "guru" for rent or hire -><- http://www.lightconsulting.com/~travis/
GPG fingerprint: 9D3F 395A DAC5 5CCC 9066  151D 0A6B 4098 0C55 1484
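
Added example, not part of the original post: the multiplicative property of raw RSA described in the message, shown beside the hash-before-signing mitigation it recommends. The key is a constructed toy key (two small Mersenne primes), and all function names are hypothetical.

```python
import hashlib

# Constructed toy key: two Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

def raw_sign(x: int) -> int:
    """The 'oracle': textbook RSA on whatever integer the host sends."""
    return pow(x, D, N)

def verify_raw(x: int, sig: int) -> bool:
    return pow(sig, E, N) == x % N

def primes_up_to(b: int) -> list:
    return [p for p in range(2, b + 1)
            if all(p % q for q in range(2, int(p ** 0.5) + 1))]

def factor_smooth(y: int, primes: list):
    """Prime factors of y with multiplicity, or None if y is not B-smooth."""
    if y < 1:
        return None
    factors = []
    for p in primes:
        while y % p == 0:
            factors.append(p)
            y //= p
    return factors if y == 1 else None

def combine(y: int, signed_primes: dict):
    """sign(y) from stored sign(p) values: sign(u*v) = sign(u)*sign(v) mod n."""
    factors = factor_smooth(y, sorted(signed_primes))
    if factors is None:
        return None
    sig = 1
    for p in factors:
        sig = sig * signed_primes[p] % N
    return sig

def _digest(msg: bytes) -> int:
    # Toy reduction of SHA-256 into the modulus; real schemes use a padding standard.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def hashed_sign(msg: bytes) -> int:
    """Mitigation from the post: one-way function before the RSA operation."""
    return raw_sign(_digest(msg))

def verify_hashed(msg: bytes, sig: int) -> bool:
    return pow(sig, E, N) == _digest(msg)
```

With raw signing, `combine` yields a valid signature on a number the signer never saw; with hashing, multiplying two signatures no longer produces a signature on the product, because the hash destroys the multiplicative structure.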