Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 17 submissions in the queue.
posted by Fnord666 on Monday November 13, @12:31AM   Printer-friendly
from the standardizing-the-bugs dept.

Submitted via IRC for soycow1984

Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.

DHS' US-CERT warned the IEEE P1735 standard for encrypting electronic-design intellectual property and the management of access rights for such IP is flawed.

"In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP," US-CERT said in its alert, citing researchers that found the flaw. "Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."

The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).

In all, seven CVE IDs are assigned to the flaw and document the weakness in the P1735 standard.

Source: https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/


Original Submission

Display Options Threshold/Breakthrough

Reply to Article

Mark All as Read

Mark All as Unread

The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Insightful) by c0lo on Monday November 13, @12:56AM (2 children)

    by c0lo (156) Subscriber Badge on Monday November 13, @12:56AM (#596024)

    Since it's about encryption of Imaginary Property, the crypto weakness is a feature.
    Those academics in their ivory towers, they never get the mindset of engineers.

    (grin)

    • (Score: 3, Interesting) by FatPhil on Monday November 13, @02:26PM (1 child)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday November 13, @02:26PM (#596194) Homepage
      Encryption doesn't care what it's encrypting. The entire concept of domain-specific encryption seems like wrong-think. IP is just data, encrypt it as you would encrypt data.

      So why does it exist? Shall we get cynical? Is it perhaps to simply provide a veneer of acceptability around a proprietory file format (like MS's Office Open XML)?

      Were that to be the case, then you might find that "The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers", and that the chair of the working group behind the standard was a certain Dave Graubart, "whose experience includes Synopsys, EDA Consortium, and Synplicity". Coincidence? Wanna buy a bridge?
      --
      I was worried about my command. I was the scientist of the Holy Ghost.
      • (Score: 2) by c0lo on Monday November 13, @02:48PM

        by c0lo (156) Subscriber Badge on Monday November 13, @02:48PM (#596202)

        Encryption doesn't care what it's encrypting.

        Devil's advocate: security always involve trade-offs.

        Shall we get cynical?

        The more, the merrier (grin)

        Coincidence? Wanna buy a bridge?

        Nope. But the news about "it's not even a feature, is stupidity and greed" sounds as good ones to me ears.

  • (Score: 0) by Anonymous Coward on Monday November 13, @12:58AM (1 child)

    by Anonymous Coward on Monday November 13, @12:58AM (#596025)

    But am please that the 'intellectual' part doesn't extend to the encryption methodology, but leads me to question the value of the property contained.

    • (Score: 2) by bob_super on Monday November 13, @08:32PM

      by bob_super (1357) on Monday November 13, @08:32PM (#596436)

      > leads me to question the value of the property contained.

      Lots of tech companies use this to distribute their designs to customers, without giving away the source code (RTL in my case).
      If people start to design in those features, without paying the company which invested hundreds or thousands of man-hours to generate and verify the code, then the whole chip industry will take a major hit.
      I don't like having to pay IP fees or royalties, but re-inventing the wheel isn't how I generate sales. If the people providing the wheels fold because they can't trust, or if they make my life twice as hard because they have to protect their income, then I lose time and money.

  • (Score: 4, Informative) by frojack on Monday November 13, @01:10AM

    by frojack (1554) Subscriber Badge on Monday November 13, @01:10AM (#596029) Journal

    The most common use of this standard is to encrypt design documents of SoC Designs,
    So any processors, radios, GPUs have probably already had their designs stolen.

    Apparently DHS didn't get the memo from the NSA about keep mum about this weakness.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 3, Informative) by Anonymous Coward on Monday November 13, @04:22AM

    by Anonymous Coward on Monday November 13, @04:22AM (#596060)

    DHS' US-CERT warned the IEEE P1735 standard ...

    The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard ...

    ... document the weakness in the P1735 standard.

    OK, the error is in the source articles, but there is no such thing as the "(IEEE) P1735 standard". The "P" means proposal, i.e., that the document in question is not yet a standard under the IEEE process.

    They do seem to be talking about an actual published IEEE standard, though, which can be correctly referred to as IEEE 1735-2014 (note the lack of a "P" and the addition of the publication year), possibly including its technical corrigendum (Cor 1-2015).

(1)