Almost as bad as Sony's get random number function on the PS3.
-
It's not malicious, it's just dumb. They think decimal bitsets are going to slow down people trying to understand the code before CCS.
-
It took me 5 minutes to deobfuscate that stuff; now I have crypto nerd friends trying to guess their method anyway, which is the fun part ;)
-
It's a "fingerprint", which is heuristic and (imo) doesn't reveal anything about the particular weakness; see https://twitter.com/mongobug/status/920322434791821312 …
-
It's not a heuristic, it's a strict check. It detects 100% of Infineon keys and has a tiny false positive rate for non-Infineon keys.
-
Security through obscurity is definitely not useless, like you mention in the comments.
-
Obviously reliance on obscurity is a bad idea, but your assumption that reversing all types of obfuscation is trivial is simply false.
-
Thanks a lot! I made a tool to easily extract the SRK to check it using your script: https://blog.habets.se/2017/10/Is-my-TPM-affected-by-the-Infineon-disaster.html …