[HN Gopher] Trust dies in darkness: Shedding light on Samsung's ... ___________________________________________________________________ Trust dies in darkness: Shedding light on Samsung's TrustZone Keymaster design [pdf] Author : zdw Score : 125 points Date : 2022-03-04 14:50 UTC (8 hours ago) (HTM) web link (eprint.iacr.org) (TXT) w3m dump (eprint.iacr.org) | no_time wrote: | ~10 years ago: How horrible. Sad to see such security holes being | found in our devices. | | Now: Nice. I wonder what kind of DRM/Anti-user feature will this | break. I hope it never gets patched. | lxgr wrote: | Would you consider WebAuthN platform credentials and securing | payment credentials "anti-user"? | | DRM is just one application. | no_time wrote: | No. That's the least bad use case out of the bunch. If it | stays as an option and/or the issuing organization provides | the token, it's a benefit. | | As a password replacement, whole concept rubs me the wrong | way though. Just let me make a god damn backup. "just buy 2 | tokens lol" is such a shitty solution. | | I strongly prefer STANDARDIZED totp. | lxgr wrote: | As far as I'm aware, there's nothing in either the WebAuthN | or the FIDO/CTAP specifications forbidding back-up-able | (i.e. clonable) credentials. | | Apple is even explicitly planning to offer something like | this for their platform authenticator implementation on iOS | and macOS, although I'm not sure it's been finalized | whether and how that fact will be exposed to applications. | | I'm not sure either is a good idea though, to be honest: | The line between enabling credential/authenticator backups | and enabling "credential skimming" is very fine. | danuker wrote: | Cute title! Security through obscurity falls apart when brought | to the spotlight. Which is why I don't trust platforms mentioning | "Trust". | | They are not built for the consumer anyway, but through subsidies | of a misguided copyright industry seeking to inflict DRM. | jimmySixDOF wrote: | Just so you know, the title is a play on "Democracy Dies in | Darkness" which is the Washington Post newspaper's motto | unixbane wrote: | which both get ignored by means of the hyperbole filter | jessaustin wrote: | It's more of a mission statement than a motto, anyway. | motohagiography wrote: | This is vindicating. I suspect the vulnerabilities were caused by | a requirement to align with the Global Platform specification | they mention in their references. Not sure that it prescribes | AES-GCM, but I remember it being a bit janky at the time as they | were trying to adapt protocols from smart card secure elements to | mobile phones in a way that preserved compatability. | | The dodgy issue was that counters on slow low power card based | secure elements were designed to depend on tamper proof hardware | and had a small moving window, whereas in software, I'd speculate | they needed something like GCM to maintain protocol backward | compatability with some additional assurance in software. Modern | protocols would just use ECC with a totally different protocol, | but to maintain compatability for payments and global platform, | you needed a symmetric protocol, and GCM was the best they could | do. | | It's vindicating because when I worked on a related TZ problem | almost 10y ago, the authors of this paper were the precise threat | actor I proposed in the design discussions. | upofadown wrote: | >Modern protocols would just use ECC with a totally different | protocol, ... | | Do you mean something with initialization vector reuse | resistance? Because that seems to be the problem here... | api wrote: | This was obviously built by someone lacking even a basic | understanding of how to use cryptographic primitives. It's not | that hard to use an AEAD cipher construction properly. Nonce | stands for number used once. | JCWasmx86 wrote: | It is good for the freedom of the user, that the user it is | able to access everything in the TrustZone. | SkittyDog wrote: | Interesting thing about the term "nonce"... that etymology is | not entirely accurate. It's not quite a false etymology, but it | is a sort of a "backronym" kinda thing. | | In linguistics, the term "nonce word" describes a term invented | for a specific occasion/purpose where you have a need for a | term that isn't met by existing language: | https://en.m.wikipedia.org/wiki/Nonce_word | | So the cryptographic term "nonce" was a reference to the | existing linguistic terminology, which IIRC goes back pretty | far, maybe into Old English. | | I don't know exactly when/how the "number once" thing came | about, but it's definitely become a valid definition in its own | right... And a very useful mnemonic, as you pointed out. | mschuster91 wrote: | Does this also impact Android's FDE layer when used with a | reasonably-strong password, or does the FDE layer rely purely on | userspace password-driven key derivation? | | And additionally, interesting that the authors were able to | conduct this research. IIRC, on Samsung devices rooting requires | blowing the "Knox" fuse as part of the process, which should have | bricked the TrustZone part. | codedokode wrote: | This "TrustZone" looks like a user-hostile feature which was | invented for convenience of placing difficult to detect | backdoors. | lxgr wrote: | No, it's mainly a cheaper way to get some level of trusted | computing and/or hardened credential storage on ARM-based | mobile devices. | | Like with all such platforms, it can be used for good and evil | (from the device owner's perspective), and its aptitude for | enabling hard-to-detect backdoors or spyware depends entirely | on how powerful the interfaces to the main user computing | platform are. ___________________________________________________________________ (page generated 2022-03-04 23:00 UTC)