Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Monday November 13 2017, @12:31AM   Printer-friendly
from the standardizing-the-bugs dept.

Submitted via IRC for soycow1984

Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.

DHS' US-CERT warned the IEEE P1735 standard for encrypting electronic-design intellectual property and the management of access rights for such IP is flawed.

"In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP," US-CERT said in its alert, citing researchers that found the flaw. "Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."

The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).

In all, seven CVE IDs are assigned to the flaw and document the weakness in the P1735 standard.

Source: https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/


Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
(1)
  • (Score: 4, Insightful) by c0lo on Monday November 13 2017, @12:56AM (2 children)

    by c0lo (156) on Monday November 13 2017, @12:56AM (#596024)

    Since it's about encryption of Imaginary Property, the crypto weakness is a feature.
    Those academics in their ivory towers, they never get the mindset of engineers.

    (grin)

    • (Score: 3, Interesting) by FatPhil on Monday November 13 2017, @02:26PM (1 child)

      by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Monday November 13 2017, @02:26PM (#596194) Homepage
      Encryption doesn't care what it's encrypting. The entire concept of domain-specific encryption seems like wrong-think. IP is just data, encrypt it as you would encrypt data.

      So why does it exist? Shall we get cynical? Is it perhaps to simply provide a veneer of acceptability around a proprietory file format (like MS's Office Open XML)?

      Were that to be the case, then you might find that "The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers", and that the chair of the working group behind the standard was a certain Dave Graubart, "whose experience includes Synopsys, EDA Consortium, and Synplicity". Coincidence? Wanna buy a bridge?
      --
      Life is a precious commodity. A wise investor would get rid of it when it has the highest value.
      • (Score: 2) by c0lo on Monday November 13 2017, @02:48PM

        by c0lo (156) on Monday November 13 2017, @02:48PM (#596202)

        Encryption doesn't care what it's encrypting.

        Devil's advocate: security always involve trade-offs.

        Shall we get cynical?

        The more, the merrier (grin)

        Coincidence? Wanna buy a bridge?

        Nope. But the news about "it's not even a feature, is stupidity and greed" sounds as good ones to me ears.

  • (Score: 0) by Anonymous Coward on Monday November 13 2017, @12:58AM (1 child)

    by Anonymous Coward on Monday November 13 2017, @12:58AM (#596025)

    But am please that the 'intellectual' part doesn't extend to the encryption methodology, but leads me to question the value of the property contained.

    • (Score: 2) by bob_super on Monday November 13 2017, @08:32PM

      by bob_super (1357) on Monday November 13 2017, @08:32PM (#596436)

      > leads me to question the value of the property contained.

      Lots of tech companies use this to distribute their designs to customers, without giving away the source code (RTL in my case).
      If people start to design in those features, without paying the company which invested hundreds or thousands of man-hours to generate and verify the code, then the whole chip industry will take a major hit.
      I don't like having to pay IP fees or royalties, but re-inventing the wheel isn't how I generate sales. If the people providing the wheels fold because they can't trust, or if they make my life twice as hard because they have to protect their income, then I lose time and money.

  • (Score: 4, Informative) by frojack on Monday November 13 2017, @01:10AM

    by frojack (1554) Subscriber Badge on Monday November 13 2017, @01:10AM (#596029) Journal

    The most common use of this standard is to encrypt design documents of SoC Designs,
    So any processors, radios, GPUs have probably already had their designs stolen.

    Apparently DHS didn't get the memo from the NSA about keep mum about this weakness.

    --
    No, you are mistaken. I've always had this sig.
  • (Score: 3, Informative) by Anonymous Coward on Monday November 13 2017, @04:22AM

    by Anonymous Coward on Monday November 13 2017, @04:22AM (#596060)

    DHS' US-CERT warned the IEEE P1735 standard ...

    The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard ...

    ... document the weakness in the P1735 standard.

    OK, the error is in the source articles, but there is no such thing as the "(IEEE) P1735 standard". The "P" means proposal, i.e., that the document in question is not yet a standard under the IEEE process.

    They do seem to be talking about an actual published IEEE standard, though, which can be correctly referred to as IEEE 1735-2014 (note the lack of a "P" and the addition of the publication year), possibly including its technical corrigendum (Cor 1-2015).

(1)