bram (bram@gawth.com)
Mon, 30 Mar 1998 20:22:19 -0800 (PST)
I got one of the iButtons too. Just from the demos, I have some serious
reservations about it.
First of all, the first thing you did in the demos at JavaOne was enter
your real name and phone number. While that might not be inherent to the
way the iButton works, it shows a serious lack of understanding of the
meaning of identity on the part of people making the demos.
Then there's the matter of the ring not knowing what it's plugged into -
at some point it has to download and run software, how does it know when
the machine it's plugged into has that authorization? DOS attacks on rings
are funny now, but wouldn't be if they were ever put into serious
production. Downloading software once and never again would work, but even
then the ring has no way of knowing if the device it's plugged into has
authorization to send it messages to encrypt. Further, it doesn't seem to
keep a permanent record of all things that it's encrypted.
More fundamentally, I question the judgement of trying to use a product
with a widely-distributed development kit for crypto purposes. It would be
far too easy to take a ring someone else had developed and modify it
slightly to have a back door, then swap it for someone's ring before they
even opened it. Security is only as strong as its weakest link, and
there's no point in bothering with serious crypto if there's a hole that
big.
Many of the above problems are reasonably fixable, but I didn't see any
evidence that the people doing work on the iButton are even aware of them.
I'm actually quite excited about small specialized cryptographic devices,
and view them as being essential for widespread use of strong cryptography
in many applications, but I think these devices should be regarded as
specialized dongles with specific well-defined interfaces, not
general-purpose computers in a fancy little box.
-Bram