Stories
Slash Boxes
Comments

SoylentNews is people

US-CERT Warns of Crypto Bugs in IEEE Standard

posted by Fnord666 on Monday November 13 2017, @12:31AM   Printer-friendly
from the standardizing-the-bugs dept.

MrPlow writes:

Submitted via IRC for soycow1984

Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.

DHS' US-CERT warned the IEEE P1735 standard for encrypting electronic-design intellectual property and the management of access rights for such IP is flawed.

"In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP," US-CERT said in its alert, citing researchers that found the flaw. "Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."

The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).

In all, seven CVE IDs are assigned to the flaw and document the weakness in the P1735 standard.

Source: https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/

Original Submission

 
This discussion has been archived. No new comments can be posted.
US-CERT Warns of Crypto Bugs in IEEE Standard | Log In/Create an Account | Top | 7 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 3, Interesting) by FatPhil on Monday November 13 2017, @02:26PM (1 child)

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday November 13 2017, @02:26PM (#596194) Homepage
    Encryption doesn't care what it's encrypting. The entire concept of domain-specific encryption seems like wrong-think. IP is just data, encrypt it as you would encrypt data.

    So why does it exist? Shall we get cynical? Is it perhaps to simply provide a veneer of acceptability around a proprietory file format (like MS's Office Open XML)?

    Were that to be the case, then you might find that "The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers", and that the chair of the working group behind the standard was a certain Dave Graubart, "whose experience includes Synopsys, EDA Consortium, and Synplicity". Coincidence? Wanna buy a bridge?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  
    Total Score:   3  

  • (Score: 2) by c0lo on Monday November 13 2017, @02:48PM

    by c0lo (156) Subscriber Badge on Monday November 13 2017, @02:48PM (#596202) Journal

    Encryption doesn't care what it's encrypting.

    Devil's advocate: security always involve trade-offs.

    Shall we get cynical?

    The more, the merrier (grin)

    Coincidence? Wanna buy a bridge?

    Nope. But the news about "it's not even a feature, is stupidity and greed" sounds as good ones to me ears.

    --
    https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford