Twitter | Pretraživanje | |
Charles Guillemet
CTO . Cryptography, (Hardware) Security research. Interested in Tech, Security, Cryptography, Blockchain. Built the Donjon ()
630
Tweetovi
265
Pratim
2.690
Osobe koje vas prate
Tweetovi
Charles Guillemet proslijedio/la je tweet
Nicolas Krassas 3. velj
TeamViewer stored user passwords encrypted, not hashed, and the key is now public
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Ryan Hurst 2. velj
Odgovor korisniku/ci @cybergibbons
I do like that Trezor is all OSS (primary value IMHO) but in practice I believe it has limited value. The Ledger “smart card pattern” vs “using generic processors” brings a lot of value when assessing against associated threat models.
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 2. velj
Odgovor korisniku/ci @cybergibbons
Glitching is a low potential attacker threat. Secure Elements embedd hardware glitching detectors which trivially detect power glitches. They use internal clock, avoiding clock glitching. But, they have to protect against many other threats such as EMFI, Laser FI, SCA...
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 2. velj
Odgovor korisniku/ci @cybergibbons
If I remember correctly, the "bounty seed" is stored in the device, encrypted with a user given passphrase... So, you're given 1 BTC to break an encryption algorithm 🤔
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Aleksei 2. velj
I am starting a blog. First post is about the StarkWare Hash Challenge
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @slush
I was talking about common criteria, which is clearly the most serious certification scheme. For the rest, manufacturers keep their know-how secret mostly to keep their competitive advantage
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @slush @Bitcoin2020 @satoshilabs
I agree that more transparency in hardware would benefit to the industry. But for now, proprietary secure elements are the best option in terms of security. I'm looking forward your talk at Bitcoin 2020!
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @slush
The 'how' is indeed confidential. The threat model and the attacks against which these certified chips protect is public. Consumers can have guarantees that a 3rd party lab assessed this resistance. In particular, it's (at least) extremely difficult to extract secret from them
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @COLDCARDwallet @slush @Mandrik
Yes, STM32 MCU datasheet is public, but no one (except ST) knows what is exactly inside the chip... There is even some undocumented low level software in the chip... at least the one used to dump the flash content ;) It's impossible to have guarantees on what's running in it
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @slush @Mandrik @COLDCARDwallet
I'd say Atecc chips are almost as open as STM32 (datasheet is public, implementation of the circuit is not), especially if you don't use the crypto stack Btw, these Atecc chips are not certified, so without a 3rd party audit, security of these chips is mostly the vendor's claim
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 1. velj
Odgovor korisniku/ci @slush
I don't think 30 years spent in defining and improving a security evaluation and certification scheme can be qualified as "security theater"... Typically, secure element include countermeasures against physical attacks like glitching (which is the most basic)
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 31. sij
Odgovor korisniku/ci @P3b7_
Exchanges agree with that :)
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 31. sij
Still, it's more secure to HODL with a Hardware wallet rather than in an exchange Considering an attacker w/ a physical access to the Trezor, a STRONG passphrase mitigates the attack An attacker with simply a malware on your PC/mobile would get your exchange creds in 1 min...
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 31. sij
Odgovor korisniku/ci @esiattorney
Yes, it's a mitigation, rather than a fix...
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 31. sij
"We responsibly disclosed the full details of this attack to the Trezor team [...]. We are going public with this vulnerability disclosure now so that the crypto community can protect themselves before a fix is released by the Trezor team." The attack is not fixable, so ...
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet 31. sij
Odgovor korisniku/ci @julianor @DonjonLedger
To my knowledge, has not been contacted by Kraken security lab... :/
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Ledger Donjon 31. sij
Odgovor korisniku/ci @DonjonLedger
2/2. The attack is indeed feasible with a low-cost hardware. We built our own card to ensure this. With a few additional efforts you might be able to dump the WHOLE chip in less than 1 minute
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Ledger Donjon 31. sij
1/2. Congrats for contributing to secure the ecosystem! Your attack is very close to the one we implemented a year ago As the attack is not fixable, we preferred not sharing the details to avoid exploitation on the field.
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Ledger 31. sij
Odgovor korisniku/ci @Trezor
Thanks for joining the cause! 🙏
Reply Retweet Označi sa "sviđa mi se"
Charles Guillemet proslijedio/la je tweet
Ledger 31. sij
Let’s take back control, for real! On the day of the , we empower people to take control and experience the . Learn more:
Reply Retweet Označi sa "sviđa mi se"