Date: Fri, 26 Mar 2010 00:36:10 +0000
From: Rob Kendrick
To: gentoo-hardened@lists.gentoo.org
Subject: Re: [gentoo-hardened] Bought an "entropy-key" - very happy
Message-ID: <20100326003610.3116cbde@trite.i.flarn.net.i.flarn.net>
In-Reply-To: <4BABC9BC.5961.1699834F@pageexec.freemail.hu>
References: <4BABB06F.5232.1636AE96@pageexec.freemail.hu> <20100325201208.2d213cad@trite.i.flarn.net.i.flarn.net> <4BABC9BC.5961.1699834F@pageexec.freemail.hu>
X-Mailer: Claws Mail 3.7.2 (GTK+ 2.18.3; x86_64-pc-linux-gnu)

On Thu, 25 Mar 2010 21:38:20 +0200 pageexec@freemail.hu wrote:

> > That somebody with a few probes and a 50 quid USB logic analyser
> > can't capture the entropy that was delivered to the system. (One
> > of the target markets is installation in shared co-location
> > facilities.)
>
> do they also protect against impersonation? from your other answers
> i infer that there's some (mutual?) authentication between the device
> and the kernel, so it should be possible ;).

Yes. There's a shared secret printed on a security card in the box that is written into some one-time-programmable memory in the device. You then use this key to generate another key, which is then stored on the machine, and used to generate session keys. (i.e., the master key on the security card is never stored on the machine, so even if your machine is compromised, you can still use the device safely elsewhere.)

B.
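The three-level key hierarchy the reply describes (card master key, per-machine key, session keys), as an added illustrative example that is not the Entropy Key's own protocol or code and is not from this thread. It models each level as a one-way HMAC-SHA256 derivation so that a leaked host key neither reveals the master key nor lets the compromised machine's key forge packets for a freshly paired machine; the labels, identifiers and sample values are assumptions.

```python
import hmac
import hashlib

# Illustrative key hierarchy (assumed, not the Entropy Key's real protocol):
#   master key  (printed on the card, burned into the device's OTP memory)
#     -> host key (derived once per machine, stored on that machine only)
#        -> session keys (derived per session from the host key and a nonce)

def derive(parent: bytes, label: bytes, context: bytes) -> bytes:
    """One-way HMAC-SHA256 derivation; the child does not reveal the parent."""
    return hmac.new(parent, label + b"\x00" + context, hashlib.sha256).digest()

def host_key(master: bytes, host_id: bytes) -> bytes:
    """Derived from the card's master key and a per-machine identifier."""
    return derive(master, b"host", host_id)

def session_key(hkey: bytes, nonce: bytes) -> bytes:
    """Short-lived key for one session between the device and the kernel."""
    return derive(hkey, b"session", nonce)

def tag_entropy(skey: bytes, entropy: bytes) -> bytes:
    """Device side: authenticate an entropy packet under the session key."""
    return hmac.new(skey, entropy, hashlib.sha256).digest()

def accept_entropy(skey: bytes, entropy: bytes, tag: bytes) -> bool:
    """Kernel side: constant-time check before mixing entropy into the pool."""
    return hmac.compare_digest(tag_entropy(skey, entropy), tag)

# Constructed sample values; a real master key would come from the card.
MASTER = bytes.fromhex("00112233445566778899aabbccddeeff")
NONCE = b"\x01" * 16
ENTROPY = b"\xde\xad\xbe\xef" * 8

def demo() -> dict:
    """Show the genuine path, a forged packet, and re-pairing on a second host."""
    hk_a = host_key(MASTER, b"host-A")          # stored on machine A
    sk_a = session_key(hk_a, NONCE)
    good = accept_entropy(sk_a, ENTROPY, tag_entropy(sk_a, ENTROPY))
    # A packet tagged without the session key is rejected.
    forged = accept_entropy(sk_a, ENTROPY, tag_entropy(b"guess", ENTROPY))
    # Machine A is compromised: hk_a leaks, but MASTER was never on it, so
    # the device is re-paired with machine B under a key A cannot derive.
    hk_b = host_key(MASTER, b"host-B")
    sk_b = session_key(hk_b, NONCE)
    cross = accept_entropy(sk_b, ENTROPY, tag_entropy(sk_a, ENTROPY))
    return {"genuine": good, "forged": forged, "cross_host": cross}

if __name__ == "__main__":
    print(demo())
```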