
LSS: Secure Boot

Posted Sep 22, 2012 16:05 UTC (Sat) by mjg59 (subscriber, #23239)
In reply to: LSS: Secure Boot by ballombe
Parent article: LSS: Secure Boot

> So a bug to windows update could be used to upgrade the boot loader to a vulnerable one ?

No.


LSS: Secure Boot

Posted Sep 23, 2012 21:21 UTC (Sun) by nix (subscriber, #2304) [Link] (13 responses)

But if Microsoft were penetrated and their key stolen... correction, not if: *when*.

LSS: Secure Boot

Posted Sep 23, 2012 21:37 UTC (Sun) by raven667 (subscriber, #5198) [Link] (4 responses)

I think you underestimate how easy defense is compared to offense when protecting keys. Any individual subroot can be revoked and replaced via a secure update, the root key hardly ever needs to be used and can be kept offline and safe against anything short of a Mission Impossible type attack.
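The key hierarchy this comment describes (an offline root that only endorses subroots and signs a revocation list, while day-to-day signing happens under a subroot) can be shown end to end in a few dozen lines. The following is an added illustration written for this page, not code from LWN, from any commenter, or from any firmware implementation; it uses Go's standard-library Ed25519 instead of the X.509/Authenticode machinery real UEFI firmware uses, and the subroot names, the "bootloader image" bytes and the verification order are all constructed for the example. It demonstrates the defender's points made above: a leaked or abused subroot can be withdrawn by a single root-signed revocation entry without touching other vendors, a certificate not endorsed by the root is rejected, and an attacker who edits the revocation list to undo a revocation cannot re-sign it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// SubrootCert binds a subroot's public key to a name, endorsed by the offline root.
type SubrootCert struct {
	Name    string
	PubKey  ed25519.PublicKey
	RootSig []byte // root signature over certBytes(Name, PubKey)
}

// RevocationList is the root-signed list of withdrawn subroot names
// (the role the dbx variable plays in UEFI Secure Boot).
type RevocationList struct {
	Revoked []string
	RootSig []byte
}

var (
	ErrBadCert    = errors.New("subroot certificate not signed by root")
	ErrBadRevList = errors.New("revocation list not signed by root")
	ErrRevoked    = errors.New("subroot has been revoked")
	ErrBadBinary  = errors.New("binary signature does not verify under subroot")
)

// certBytes and revListBytes define the exact bytes the root signs, so that a
// cert for one name cannot be replayed under another.
func certBytes(name string, pub ed25519.PublicKey) []byte {
	return append([]byte(name+"\x00"), pub...)
}

func revListBytes(names []string) []byte {
	return []byte("revoked\x00" + strings.Join(names, "\x00"))
}

// IssueSubroot is one of the two rare root-key operations: endorsing a subroot.
func IssueSubroot(rootPriv ed25519.PrivateKey, name string, pub ed25519.PublicKey) SubrootCert {
	return SubrootCert{Name: name, PubKey: pub, RootSig: ed25519.Sign(rootPriv, certBytes(name, pub))}
}

// NewRevocationList produces an empty, root-signed list; the empty list must be
// signed too, or a verifier could be fed an unsigned "nothing is revoked" list.
func NewRevocationList(rootPriv ed25519.PrivateKey) RevocationList {
	return RevocationList{RootSig: ed25519.Sign(rootPriv, revListBytes(nil))}
}

// RevokeSubroot is the other root-key operation: append a name and re-sign.
func RevokeSubroot(rootPriv ed25519.PrivateKey, rl RevocationList, name string) RevocationList {
	names := append(append([]string{}, rl.Revoked...), name)
	return RevocationList{Revoked: names, RootSig: ed25519.Sign(rootPriv, revListBytes(names))}
}

// SignBinary is the everyday operation done with the (online) subroot key.
func SignBinary(subPriv ed25519.PrivateKey, binary []byte) []byte {
	h := sha256.Sum256(binary)
	return ed25519.Sign(subPriv, h[:])
}

// VerifyBinary is the firmware's side: it trusts only the root public key and
// walks root -> revocation list -> subroot cert -> binary, in that order.
func VerifyBinary(rootPub ed25519.PublicKey, cert SubrootCert, rl RevocationList, binary, sig []byte) error {
	if !ed25519.Verify(rootPub, certBytes(cert.Name, cert.PubKey), cert.RootSig) {
		return ErrBadCert
	}
	if !ed25519.Verify(rootPub, revListBytes(rl.Revoked), rl.RootSig) {
		return ErrBadRevList
	}
	for _, n := range rl.Revoked {
		if n == cert.Name {
			return ErrRevoked
		}
	}
	h := sha256.Sum256(binary)
	if !ed25519.Verify(cert.PubKey, h[:], sig) {
		return ErrBadBinary
	}
	return nil
}

// ScenarioResult collects the outcomes of the constructed scenario below.
type ScenarioResult struct {
	VendorOK, Forged, AfterRevokeVendor, AfterRevokeOther, Tampered error
}

func genKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// runScenario plays out the thread's case: two vendor subroots, one later revoked.
func runScenario() ScenarioResult {
	rootPub, rootPriv := genKey()
	vendorPub, vendorPriv := genKey() // hypothetical "vendor-A"
	otherPub, otherPriv := genKey()   // hypothetical "vendor-B"
	attackerPub, attackerPriv := genKey()
	vendorCert := IssueSubroot(rootPriv, "vendor-A", vendorPub)
	otherCert := IssueSubroot(rootPriv, "vendor-B", otherPub)
	rl := NewRevocationList(rootPriv)
	binary := []byte("constructed sample bootloader image") // constructed input
	sigA, sigB := SignBinary(vendorPriv, binary), SignBinary(otherPriv, binary)

	var r ScenarioResult
	r.VendorOK = VerifyBinary(rootPub, vendorCert, rl, binary, sigA)
	// A cert "issued" with a key other than the root is rejected before anything else.
	forged := IssueSubroot(attackerPriv, "vendor-A", attackerPub)
	r.Forged = VerifyBinary(rootPub, forged, rl, binary, SignBinary(attackerPriv, binary))
	// Revoking vendor-A only affects vendor-A; vendor-B keeps booting.
	rl = RevokeSubroot(rootPriv, rl, "vendor-A")
	r.AfterRevokeVendor = VerifyBinary(rootPub, vendorCert, rl, binary, sigA)
	r.AfterRevokeOther = VerifyBinary(rootPub, otherCert, rl, binary, sigB)
	// Editing the list to drop the revocation leaves the root signature stale.
	rolledBack := RevocationList{Revoked: nil, RootSig: rl.RootSig}
	r.Tampered = VerifyBinary(rootPub, vendorCert, rolledBack, binary, sigA)
	return r
}

func main() {
	r := runScenario()
	fmt.Printf("vendor-A before revocation: %v\n", r.VendorOK)
	fmt.Printf("forged cert: %v\n", r.Forged)
	fmt.Printf("vendor-A after revocation: %v\n", r.AfterRevokeVendor)
	fmt.Printf("vendor-B after revocation: %v\n", r.AfterRevokeOther)
	fmt.Printf("rolled-back list: %v\n", r.Tampered)
}
```

The root private key is touched exactly twice here (issuing certs and re-signing the revocation list), which is the property that lets it stay offline; everything else, including the attack surface of routine signing, sits with the subroots. Note that the revocation list itself has to be root-signed, including when it is empty; the firmware also needs rollback protection for it (a monotonic version or authenticated variable storage), which this example leaves out.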

LSS: Secure Boot

Posted Sep 23, 2012 22:32 UTC (Sun) by nix (subscriber, #2304) [Link] (3 responses)

Yeah. Because they'll never make any key management mistakes, there'll be no social engineering, no industrial espionage, no simple burglary -- after all, nobody at all has any reason to want to get hold of a bit of data which could kill huge numbers of Windows boxes at a stroke, no sir.

(Remember, the attackers only have to be lucky once.)

LSS: Secure Boot

Posted Sep 23, 2012 22:46 UTC (Sun) by hummassa (subscriber, #307) [Link] (2 responses)

YES, Please.

People imagining these schemes forget that crypto keys are leaked and recovered all the time IRL. And that if you are not a government, you can always use the wrench method. https://xkcd.com/538/

LSS: Secure Boot

Posted Sep 24, 2012 3:50 UTC (Mon) by raven667 (subscriber, #5198) [Link] (1 responses)

I'm sorry, are you asserting that Verisign and other major entities are leaking their root keys all the time? We're not talking about passwords for your disk encryption, we're talking about real professionally managed CAs. If some vendor's signing infrastructure were compromised to sign arbitrary binaries, like the DigiNotar incident, then that subroot can be blacklisted without affecting other vendors. The root has to sign so very few things that it has very little attack surface area.

LSS: Secure Boot

Posted Sep 24, 2012 8:41 UTC (Mon) by nix (subscriber, #2304) [Link]

Several major keys from various CAs have been compromised already: more will come. If this scheme really gets going, these keys will be a *major* target -- do you really imagine that nobody with sufficient resources to get a copy won't try? (Perhaps, if they are sufficiently clever and lucky, they might even arrange to get the *only* copy: that'd be amazingly useful to extort money from MS with, though very hard since I'm sure MS have lots of backups).

LSS: Secure Boot

Posted Sep 24, 2012 0:36 UTC (Mon) by mjg59 (subscriber, #23239) [Link] (2 responses)

If you wanted to attack Windows in the current non-Secure Boot world, the single most valuable thing would be the ability to sign arbitrary code as a valid Windows driver. But, somehow, nobody's managed to get hold of Microsoft's key. Now, to be fair, part of that's because vendor keys have been easier to get hold of (see Stuxnet), but even so having the Microsoft key would be an advantage - if you've got the root then there's no process for revoking existing installations. And yet it hasn't been leaked.

LSS: Secure Boot

Posted Sep 24, 2012 8:41 UTC (Mon) by nix (subscriber, #2304) [Link]

True enough. Still, the paranoid in me sees a billion or so eggs landing in one basket, and thinks 'this is *wrong*, this is *stupid*'.

LSS: Secure Boot

Posted Sep 24, 2012 9:07 UTC (Mon) by hummassa (subscriber, #307) [Link]

> Now, to be fair, part of that's because vendor keys have been easier to get hold of

No, that's not "part of that". s/part of //. The security process stops at the easier way to the threat to get what he wants. Threats can and will leak keys from Microsoft (remember NT4/XP source code?) if that's the easier way of signing device drivers. As vendor keys are currently easier to get hold of, and they do the job just fine (because there are a lot of vendors and IIRC once the keys were revoked another version of Stuxnet signed with another key popped up) the threats don't need to go after MS.

Security = you don't have to outrun the beast, you have to outrun the friend beside you.

LSS: Secure Boot

Posted Sep 24, 2012 1:04 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (4 responses)

All large companies use HSMs (Hardware Security Modules) to sign keys. They are guaranteed to be unhackable in _practice_, and that guarantee is backed by a very large sum that the manufacturer would pay you in case of a breach.

LSS: Secure Boot

Posted Sep 24, 2012 8:42 UTC (Mon) by nix (subscriber, #2304) [Link] (3 responses)

So... if MS's key gets compromised and a huge proportion of the world's machines are rendered unbootable... MS gets compensation? That's reassuring.

LSS: Secure Boot

Posted Sep 24, 2012 18:24 UTC (Mon) by Cyberax (✭ supporter ✭, #52523) [Link] (2 responses)

Well, the world's root DNS zone is also signed by a key in a HSM.

LSS: Secure Boot

Posted Sep 25, 2012 8:20 UTC (Tue) by alonz (subscriber, #815) [Link] (1 responses)

Yeah, that sure is reassuring. </sarcasm>

Have you, perhaps, seen this? Or this (as applied to HSMs, considering the incompetence apparent from the first link)? I don't think HSMs are as magic as people expect them to be…

LSS: Secure Boot

Posted Sep 25, 2012 8:29 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

Naw, HSMs are protected against trivial attacks like this. I know for a fact that a certain large HSM from a company whose name begins with "T" has an intermediary buffer that holds data after the encryption for a random (and quite significant) amount of time before transmitting it to the client.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds