A comparison of cryptographic keycards
A comparison of cryptographic keycards
Posted Oct 17, 2017 19:21 UTC (Tue) by davidstrauss (guest, #85867)Parent article: A comparison of cryptographic keycards
This feels like a cheap shot to me. Closed-source software does not inherently rely on security through obscurity (or anything that "basically amounts" to such). Yubico may simply have decided to go proprietary for commercial reasons. Is there any evidence the YubiKey 4 relies on obscurity for serving its function?
Closed-source designs are certainly harder to publicly audit, but that is not the same as relying on the obscurity for functional purposes. Even organizations using closed-source approaches have employees resign, employees get fired, or their code leak. Security through obscurity is just bad design, regardless of how intentionally public the code is.
A comparison of cryptographic keycards
Posted Oct 17, 2017 22:06 UTC (Tue)
by anarcat (subscriber, #66354)
[Link] (2 responses)
Posted Oct 17, 2017 22:06 UTC (Tue) by anarcat (subscriber, #66354) [Link] (2 responses)
This feels like a cheap shot to me. Closed-source software does not inherently rely on security through obscurity (or anything that "basically amounts" to such). Yubico may simply have decided to go proprietary for commercial reasons. Is there any evidence the YubiKey 4 relies on obscurity for serving its function?It is true that a lot of Yubico's decision is based on commercial incentives: the providers they could find require NDAs and so on. My argument is that this very fact constitutes "obscurity" and is often presented by vendors (not necessarily Yubico) as a feature. But even Yubico actually makes the argument that there is security in closed source software:
In fact, the attacker’s job becomes much easier as the code to attack is fully known and the attacker owns the hardware freely. Without any built-in security countermeasures, the attacker can fully profile the behavior in a way that is impossible with a secure chip.Compare this argument with the one presented by researchers quoted in the article... But your main point is that my metaphor is going too far, maybe:
Closed-source designs are certainly harder to publicly audit, but that is not the same as relying on the obscurity for functional purposes. Even organizations using closed-source approaches have employees resign, employees get fired, or their code leak. Security through obscurity is just bad design, regardless of how intentionally public the code is.I concede that I may have pushed the metaphor a little far and went beyond the usual definition of "security through obscurity". But to my defense, I was merely asking a question, which I could rephrase as: is there really inherent merit in closed designs themselves? It seems we are in agreement that the answer is "no". As to how exactly those "secure chips" implement their "security" is really the question here, and since we can't tell, because it's a closed design, my conclusion is that we can't fundamentally trust those devices. And I think ROCA or RSA (the company) both give overwhelming evidence supporting my conclusion.
A comparison of cryptographic keycards
Posted Oct 17, 2017 23:44 UTC (Tue)
by davidstrauss (guest, #85867)
[Link] (1 responses)
Posted Oct 17, 2017 23:44 UTC (Tue) by davidstrauss (guest, #85867) [Link] (1 responses)
While I don't think either of us would agree with their argument, saying that there is security value in keeping source closed is not the same as *relying* on the closed source as part of the security design. I'm not sure they believe their own argument, anyway; the statement seemed like a PR-friendly way to justify choosing a closed-source model when they were under heat for the switch.
Also, while I mostly use FOSS myself and believe in organizational transparency, I'm not about to publish the DNS names and IP addresses for my company's infrastructure. Yet, that is still different from relying on the secrecy of that information.
In my understanding, security through obscurity requires that a leak of the architecture or source code leads to trivial compromise.
> I was merely asking a question, which I could rephrase as: is there really inherent merit in closed designs themselves? It seems we are in agreement that the answer is "no".
It's a totally fair question, and I do think we agree. What concerned me is that it was asked in a loaded way, presuming that Yubico employs obscurity as part of their fundamental security design. Their closed design makes it hard to know, but, to me, it's the difference between (1) some wariness about choosing them versus (2) seeing their product as useless. Maybe the inability to audit means we should cautiously assume #2, but I would still not suggest their guilt on that alone.
By the way, I thought your article was great overall. I own pretty much every major crypto option supported by Linux and the major FOSS smart card systems (both PKCS#11 and GPG), and I agree that it's difficult to find good options.
A comparison of cryptographic keycards
Posted Oct 18, 2017 8:59 UTC (Wed)
by jani (subscriber, #74547)
[Link]
Posted Oct 18, 2017 8:59 UTC (Wed) by jani (subscriber, #74547) [Link]
Disclaimer: I used to develop smart card operating systems for a living, but it's been a while.