It seems to me that there are a couple of weaknesses. 1) since the data on the platters is not encrypted, just swap the drive electronics and bypass the system 2) it looks like the system is vulnerable to a chosen plaintext attack on SHA1 since the key & challenge are the same length and XOR'd together.
You would need to replace the drive with a test rig that sent chosen challenges & recorded the responses from the CPU.
Since this would not entail using the drive (you are attacking the key stored in the CPU), you would be sure of solving the problem before the MTBF of the drive caused a problem.
I think that they would have been smarter to just concatenate the key with the challenge before hashing, which woud have provided more defense against the chosen plaintext attack.
>If Apple at any time decides to shut down their iTunes devision all the music and videos you "bought" are now useless. Not true, the keys on your computer will still allow the Music/Video/Whatever to be played. What will change, is that you will not be able to authorize a new computer. You would need to be careful about backing up the key files, and be wary about upgrading your copy of iTunes (though if Apple dropped iTunes, it is unlikely they would bother releasing a new version).
Take a look at "onion" routing protocols and a product/network called "freedom" from ZKS (Zero Knowledge Systems) . Although, as I recall the freedom network was not a commercial success. I think parts of the infrastructure were released as open source before it was discontinued. Their current offerings seem to be built on parts of the original "freedom" system.
Slashdot Mirror
AIRC, The Fortify folks sell tools that do security auditing (static analysis) of Java code. So my money is on observers bias.
Not paying much attention to the Web Services arena, are these some of the most popular Java projects?
- ash
It seems to me that there are a couple of weaknesses.
1) since the data on the platters is not encrypted, just swap the drive electronics and bypass the system
2) it looks like the system is vulnerable to a chosen plaintext attack on SHA1 since the key & challenge are the same length and XOR'd together.
You would need to replace the drive with a test rig that sent chosen challenges & recorded the responses from the CPU.
Since this would not entail using the drive (you are attacking the key stored in the CPU), you would be sure of solving the problem before the MTBF of the drive caused a problem.
I think that they would have been smarter to just concatenate the key with the challenge before hashing, which woud have provided more defense against
the chosen plaintext attack.
- ash
>If Apple at any time decides to shut down their iTunes devision all the music and videos you "bought" are now useless.
Not true, the keys on your computer will still allow the Music/Video/Whatever to be played. What will change, is that you will not be able to authorize a new computer.
You would need to be careful about backing up the key files, and be wary about upgrading your copy of iTunes (though if Apple dropped iTunes, it is unlikely they would bother releasing a new version).
Take a look at "onion" routing protocols and a product/network called "freedom" from ZKS (Zero Knowledge Systems) . Although, as I recall the freedom network was not a commercial success. I think parts of the infrastructure were released as open source before it was discontinued. Their current offerings seem to be built on parts of the original "freedom" system.