>In principle, I support Mr. Sleevi's position, practically I lean toward Mr.
>Thayer's and Mr. Hollebeek's position.
I probably support at least one of those, if I can figure out who's been
quoted as saying what.
>Sitting on my desk are not less than 3 reference designs. At least two of
>them have decent hardware RNG capabilities.
My code runs on a lot (and I mean a *lot*) of embedded, virtually none of
which has hardware RNGs. Or an OS, for that matter, at least in the sense of
something Unix-like. However, in all cases the RNG system is pretty secure,
you preload a fixed seed at manufacture and then get just enough changing data
to ensure non-repeating values (almost every RTOS has this, e.g. VxWorks has
the very useful taskRegsGet() for which the docs tell you "self-examination is
not advisable as results are unpredictable", which is perfect).
In all of these cases, the device is going to be a safer place to generate
keys than the CA, in particular because (a) the CA is another embedded
controller somewhere so probably no better than the target device and (b)
there's no easy way to get the key securely from the CA to the device.
However, there's also an awful lot of IoS out there that uses shared private
keys (thus the term "the lesser-known public key" that was used at one
software house some years ago). OTOH those devices are also going to be
running decade-old unpatched kernels with every service turned on (also years-
old binaries), XSS, hardcoded admin passwords, and all the other stuff that
makes the IoS such a joy for attackers. So in that case I think a less-then-
good private key would be the least of your worries.
So the bits we need to worry about are what falls between "full of security
holes anyway" and "things done right". What is that, and does it matter if
the private keys aren't perfect?
Peter.
>Unfortunately, the PKCS#12 format, as supported by UAs and Operating Systems
>is not a great candidate for the role of carrying keys anymore. You can see
>my blog post on this topic here: http://unmitigatedrisk.com/?p=543
It's even worse than that, I use it as my teaching example of now not to
design a crypto standard:
https://www.cs.auckland.ac.nz/~pgut001/pubs/pfx.html
In other words its main function is as a broad-spectrum antipattern that you
can use for teaching purposes.
>The core issue is the use of old cryptographic primitives that barely live up
>to the equivalent cryptographic strengths of keys in use today. The offline
>nature of the protection involved also enables an attacker to grind any value
>used as the password as well.
That, and about five hundred other issues. An easier solution would be to use
PKCS #15, which dates from roughly the same time as #12 but doesn't have any
of those problems (PKCS #12 only exists because it was a political compromise
created to appease Microsoft, who really, really wanted everyone to use their
PFX design).
Peter.