SPECTRE or MELTDOWN Vulnerability


#1

I wonder if Nitrokey will be affected…

The US CHIPoCALYPSE!

Spectre and Meltdown have a huge impact on whole security stucture of enterprises, governments, internet infrastructure security. The problem is much worse than you might think!!!

Since everything is built-up upon a “cryptographic key hierarchy”, beginning with internet routers, switches, firewalls, to AD/LDAP servers, … these keys now are all probably lost and must be revoked.

To illustrate that, let’s have a short look e.g. at UEFI, secure boot process and “chain of trust”, introduced by “WINTEL alliance”:

The ‘security key chain’ goes: Endorsement key (generated by onboard TPM chip) - Attestation Identity Key (AIK) - Microsoft UEFI key - MS signing Attestation Identity Key - Enterprise key - (MS again signing) Enterprise key - Storage Root Key - (MS again signing) Bitlocker Key - …

Multiple boot processes are required in Windows 10 (e.g. after updates) to ensure, that Microsoft UEFI certificates “signed” (are enclosed in) all your own certificates to create the U.S. government backdoor, deeply hidden in your hardware and across all hierarchies. Now you know, why you have to reboot so often during install and after Windows 10 updates!!

Finally, these ‘certificate chains’ (X.509v3) are written back into UEFI tables and into a special internal Intel XEON CPU buffer to be used by new AES-NI hardware encryption for all kinds of encryption: Storage, Routers, VPN, SSL, HTTPS …

Note: Since these MS / U.S. government keys are deeply sticking in Intel XEON processor hardware, it doesn’t play a role, what other OS you install or boot afterwards: Debian/UBUNTU Linux, OpenBSD, … If your software uses Intel AES-NI hardware encryption, all encrypted packets ingoing, outgoing - then automatically contain that U.S. government backdoor!

All these keys now are lost and must be revoked, as happened e.g. with JMicron and Realtek network drivers, as happened in Iran Stuxnet affair. All keys in your UEFI machines in all your switches, routers, that are using X.509v3 “certificates”, will have to be revoked, renewed as well.

It’s important to know, that not only the US NSA backdoor keys have gone lost. So, if you use UEFI “secure boot”, you are not only completely under U.S. control, but also unter control by all kinds of hackers, who now have installed backdoors everywhere in your enterprise network, after the first US (NSA) government master keys were revealed by reading from privileged memory with spectre, meltdown.

But RSA, X.509v3, even has more weaknesses: E.g. when you enclose some other person’s public key in your key and that person then signs back your key. In that case, you can reconstruct the other person’s private key and read all his/her encrypted messages. That attack is called ‘blind signing’.

That happened a few days ago, where from the german lawyer association only mixed up public and private key.

More about RSA security weaknesses: http://eprint.iacr.org/2001/002.pdf

In fact, a PKI infrastructure only is safe, when you can ensure, that this ‘blind signing attack’ can’t happen. You need sources. In Windows and Red Hat Linux sources aren’t included. You can’t build Red Hat binaries from .src.rpm.

Red Hat Linux is expensive; you pay for the US government spying on you!

Interesting: That is dating back to a CIA policy paper from 1996, long before 9/11.

Have fun!

P.S.: Raspberry Pi is not affected, neither by meltdown nor spectre. Perhaps you put very important data on that machine. :wink:


#2

Depends what you mean by saying affected.

(GnuPG) Keys are stored securely in hardware, no matter if RAM can be read by Meltdown/Spectre. That is the whole purpose of such devices and still will be. So it depends on how the keys got there (generated on-device or from local key backup on pc).

Other points may are the same as for every other application/device. If you have specific questions about implications, please let us know.


#3

Our products are not affected because 1) they contain small micro controllers which don’t support branch prediction and speculative execution and 2) no foreign software can be executed on our devices.


#4

Thank you…
Just wanted to make sure…