Submitted via IRC for soycow1984
Recent academic work focused on weak cryptographic protections in the implementation of the IEEE P1735 standard has been escalated to an alert published Friday by the Department of Homeland Security.
DHS' US-CERT warned the IEEE P1735 standard for encrypting electronic-design intellectual property and the management of access rights for such IP is flawed.
"In the most egregious cases, enable attack vectors that allow recovery of the entire underlying plaintext IP," US-CERT said in its alert, citing researchers that found the flaw. "Implementations of IEEE P1735 may be weak to cryptographic attacks that allow an attacker to obtain plaintext intellectual property without the key, among other impacts."
The Institute of Electrical and Electronics Engineers (IEEE) P1735 standard flaw was first reported by a team of University of Florida researchers. In September, the researchers released a paper titled Standardizing Bad Cryptographic Practice (PDF).
In all, seven CVE IDs are assigned to the flaw and document the weakness in the P1735 standard.
Source: https://threatpost.com/us-cert-warns-of-crypto-bugs-in-ieee-standard/128784/
(Score: 4, Insightful) by c0lo on Monday November 13 2017, @12:56AM (2 children)
Since it's about encryption of Imaginary Property, the crypto weakness is a feature.
Those academics in their ivory towers, they never get the mindset of engineers.
(grin)
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 3, Interesting) by FatPhil on Monday November 13 2017, @02:26PM (1 child)
So why does it exist? Shall we get cynical? Is it perhaps to simply provide a veneer of acceptability around a proprietory file format (like MS's Office Open XML)?
Were that to be the case, then you might find that "The flawed standard has been adopted by EDA vendors such as Synopsys and its Synplify Premier tool, according to researchers", and that the chair of the working group behind the standard was a certain Dave Graubart, "whose experience includes Synopsys, EDA Consortium, and Synplicity". Coincidence? Wanna buy a bridge?
Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
(Score: 2) by c0lo on Monday November 13 2017, @02:48PM
Devil's advocate: security always involve trade-offs.
The more, the merrier (grin)
Nope. But the news about "it's not even a feature, is stupidity and greed" sounds as good ones to me ears.
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 0) by Anonymous Coward on Monday November 13 2017, @12:58AM (1 child)
But am please that the 'intellectual' part doesn't extend to the encryption methodology, but leads me to question the value of the property contained.
(Score: 2) by bob_super on Monday November 13 2017, @08:32PM
> leads me to question the value of the property contained.
Lots of tech companies use this to distribute their designs to customers, without giving away the source code (RTL in my case).
If people start to design in those features, without paying the company which invested hundreds or thousands of man-hours to generate and verify the code, then the whole chip industry will take a major hit.
I don't like having to pay IP fees or royalties, but re-inventing the wheel isn't how I generate sales. If the people providing the wheels fold because they can't trust, or if they make my life twice as hard because they have to protect their income, then I lose time and money.
(Score: 4, Informative) by frojack on Monday November 13 2017, @01:10AM
The most common use of this standard is to encrypt design documents of SoC Designs,
So any processors, radios, GPUs have probably already had their designs stolen.
Apparently DHS didn't get the memo from the NSA about keep mum about this weakness.
No, you are mistaken. I've always had this sig.
(Score: 3, Informative) by Anonymous Coward on Monday November 13 2017, @04:22AM
OK, the error is in the source articles, but there is no such thing as the "(IEEE) P1735 standard". The "P" means proposal, i.e., that the document in question is not yet a standard under the IEEE process.
They do seem to be talking about an actual published IEEE standard, though, which can be correctly referred to as IEEE 1735-2014 (note the lack of a "P" and the addition of the publication year), possibly including its technical corrigendum (Cor 1-2015).