In class we have been discussing asymmetric cryptography and the importance of digital signatures to prove who the person sending a message. Texas Instrument uses RSA digital signatures to authenticate any updates to the operating systems on their calculators. Since their signing keys are two short (512-bits) a community of hackers were able to factor the moduli and publish the private keys. Although TI sent out a DMCA notice to the community of hackers to take down the keys from the public websites, it is too late now. Too many people know what they are.
In the case of this event TI felt that there was no obvious financial incentive for cracking their private key. However they should have expected that if they used too-short keys that their cryptography would be broken. There are hackers out there that do it just for the fun of it, even if there is no incentive. A consequence of this may be that customers will be more skeptical when downloading updates for their calculators.
Although this event will not affect the copyrights held by TI, they should change their signing keys to be longer so that an event like this does not occur again. This event shows that RSA 512-bit keys are too short and ineffective. Any company that does not want their cryptography to be broken should not use one.
Source: http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html
Posts
I think the most important part of this article does not necessarily revolve around the fact that TI didn't use a long enough bit for their signing keys. Rather, I think the focus here should be that, even if there is not a monetary incentive, their is always a chance for you to be hacked. This is due to the fact that some hackers simply see it as a challenge, and want to prove that they are able to do it. Therefore, even if we do not see a purpose, we always need to maintain our security so that hackers do not access or corrupt our information.
ReplyDeleteThe fact that individuals are attempting to infiltrate the operating system on my calculator is not terribly scary. (Come to think of it, I have had the same calculator since sophomore year of high school and never once had my operating system updated.) I feel the larger issue at hand here is that people are (as I am sure they have been for a while) attempting to gain access not only to computers, but also their countless peripherals. While a calculator seems like a fairly insignificant attachment, one can almost assume people are attempting to gain access to more personal accessories, for example cell phones, ipods, etc. (perhaps someone is even as bold as to take a stab at digital cameras). This article does cause one to question the authenticity of updates for peripherals.
ReplyDeleteDuly noted JMS; however, how do you know that there is no monetary incentives for cracking the keys. Consider this situation. Canon, a competitor of Texas Instruments hires hackers in order to tarnish the TI brand name. As a result of the private keys getting out, people decide that they do not want to buy TI calculators. Instead these weary customers decide to purchase Canon calculators and thus, increase sales for Canon’s calculator division.
ReplyDeleteWhen it comes to security analysis and taking precaution against ALL potential threats competition should never be underestimated.
I doubt that Texas Instruments would purposefully make the keys less secure. So far, we have only focused on computers and the internet for data encryption, but those are no longer only means of communicating data. Although peripherals have advanced considerably, they still do not have the computing power of a laptop (think how long it takes the TI-83 to draw a graph).
ReplyDeleteThere has to be a balance between performance and security in developing these keys.
Nevertheless, it does make me wonder how good the encryption is for just about everything I own that connects via USB. Is cryptography catching up to these devices too?
I doubt that Texas Instruments would purposefully make the keys less secure. So far, we have only focused on computers and the internet for data encryption, but those are no longer only means of communicating data. Although peripherals have advanced considerably, they still do not have the computing power of a laptop (think how long it takes the TI-83 to draw a graph).
ReplyDeleteThere has to be a balance between performance and security in developing these keys.
Nevertheless, it does make me wonder how good the encryption is for just about everything I own that connects via USB. Is cryptography catching up to these devices too?
I think JMS makes a good point. The challenge of hacking rather than any sort of monetary incentive is obviously what drives people in this case. I do recognize the possibility that a competitor such as canon could see a monetary incentive in this sort of thing, however, it seems rather far fetched. Instead, I think it highlights another threat looming in the computer world and is just another reason for why individuals and companies must be cautious and secure in their technological activities.
ReplyDeleteI am very surprised that a company as reputable as Texas Instruments did not think to use longer signing keys on their products. Hackers are able to break much stronger encryptions than a 512-bit key. It would seem only logical that T.I. create longer better keys for their authentication. However, I suppose T.I. realizes that the damage the hackers can do with this information is very limited, and since the updates are free T.I. would lose virtually nothing.
ReplyDelete