Reply to post: Re: Or right if you work for some intelligence agency

Don't trust the Trusted Platform Module – it may leak your VPN server's private key (depending on your configuration)

Michael Wojcik Silver badge

Re: Or right if you work for some intelligence agency

You're multiplying entities needlessly. It's difficult to do constant-time big-number arithmetic correctly, and the dangers of timing side attacks for ECC were not well-documented until relatively recently. Thus it's probable that most or all of these attacks are accidental.

While well-resourced actors are likely capable of subverting the TPM development process at various OEMs, and certainly wouldn't have any qualms about doing so, these are odd backdoors to choose. They'd be better off backdooring the CPRNG, which is undetectable if done correctly. (Or putting in backdoored ECC curves, except there are users who know to insist on using standard ones.)

And as long as those actors know existing implementations are flawed, there's no reason for them to intervene and risk discovery.
