keys – WindowsTechs.com

Improvements in Brute Force Attacks

Posted on March 17, 2025 by Bruce Schneier

New paper: “GPU Assisted Brute Force Cryptanalysis of GPRS, GSM, RFID, and TETRA: Brute Force Cryptanalysis of KASUMI, SPECK, and TEA3.”

Abstract: Key lengths in symmetric cryptography are determined with respect to the brute force attacks with current technology. While nowadays at least 128-bit keys are recommended, there are many standards and real-world applications that use shorter keys. In order to estimate the actual threat imposed by using those short keys, precise estimates for attacks are crucial.

In this work we provide optimized implementations of several widely used algorithms on GPUs, leading to interesting insights on the cost of brute force attacks on several real-word applications…

Continue reading Improvements in Brute Force Attacks→

Compromising the Secure Boot Process

Posted on July 26, 2024 by Bruce Schneier

This isn’t good:

On Thursday, researchers from security firm Binarly revealed that Secure Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022. In a public GitHub repository committed in December of that year, someone working for multiple US-based device manufacturers published what’s known as a platform key, the cryptographic key that forms the root-of-trust anchor between the hardware device and the firmware that runs on it. The repository was located at https://github.com/raywu-aaeon/Ryzen2000_4000.git, and it’s not clear when it was taken down…

Continue reading Compromising the Secure Boot Process→

Recovering Public Keys from Signatures

Posted on June 20, 2024 by Bruce Schneier

Interesting summary of various ways to derive the public key from digitally signed files.
Normally, with a signature scheme, you have the public key and want to know whether a given signature is valid. But what if we instead have a message and a signat… Continue reading Recovering Public Keys from Signatures→

Beating Bitlocker in 43 seconds

Posted on February 7, 2024 by Adam Fabio

How long does it take to steal your Bitlocker keys? Try 43 seconds, using less than $10 in hardware. Encrypting your hard drive is good security. If you’re running Windows, …read more Continue reading Beating Bitlocker in 43 seconds→

Digital Car Keys Are Coming

Posted on November 28, 2023 by Bruce Schneier

Soon we will be able to unlock and start our cars from our phones. Let’s hope people are thinking about security.
Continue reading Digital Car Keys Are Coming→

Cryptocurrency Startup Loses Encryption Key for Electronic Wallet

Posted on September 6, 2023 by Bruce Schneier

The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet—and the recovery key—and therefore $38.9 million. It is now in bankruptcy.
I can’t understand why anyone thinks these technologies are a goo… Continue reading Cryptocurrency Startup Loses Encryption Key for Electronic Wallet→

Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet

Posted on August 10, 2023 by Bruce Schneier

Cryptographic flaws still matter. Here’s a flaw in the random-number generator used to create private keys. The seed has only 32 bits of entropy.
Seems like this flaw is being exploited in the wild.
EDITED TO ADD (8/14): A good explainer.
Continue reading Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet→

Microsoft Signing Key Stolen by Chinese

Posted on August 7, 2023 by Bruce Schneier

A bunch of networks, including US Government networks, have been hacked by the Chinese. The hackers used forged authentication tokens to access user email, using a stolen Microsoft Azure account consumer signing key. Congress wants answers. The phrase “negligent security practices” is being tossed about—and with good reason. Master signing keys are not supposed to be left around, waiting to be stolen.

Actually, two things went badly wrong here. The first is that Azure accepted an expired signing key, implying a vulnerability in whatever is supposed to check key validity. The second is that this key was supposed to remain in the the system’s Hardware Security Module—and not be in software. This implies a really serious breach of good security practice. The fact that Microsoft has not been forthcoming about the details of what happened tell me that the details are really bad…

Continue reading Microsoft Signing Key Stolen by Chinese→

Power LED Side-Channel Attack

Posted on June 19, 2023 by Bruce Schneier

This is a clever new side-channel attack:

The first attack uses an Internet-connected surveillance camera to take a high-speed video of the power LED on a smart card reader—or of an attached peripheral device—during cryptographic operations. This technique allowed the researchers to pull a 256-bit ECDSA key off the same government-approved smart card used in Minerva. The other allowed the researchers to recover the private SIKE key of a Samsung Galaxy S8 phone by training the camera of an iPhone 13 on the power LED of a USB speaker connected to the handset, in a similar way to how Hertzbleed pulled SIKE keys off Intel and AMD CPUs…

Continue reading Power LED Side-Channel Attack→

Leaked Signing Keys Are Being Used to Sign Malware

Posted on December 8, 2022 by Bruce Schneier

A bunch of Android OEM signing keys have been leaked or stolen, and they are actively being used to sign malware.

Łukasz Siewierski, a member of Google’s Android Security Team, has a post on the Android Partner Vulnerability Initiative (AVPI) issue tracker detailing leaked platform certificate keys that are actively being used to sign malware. The post is just a list of the keys, but running each one through APKMirror or Google’s VirusTotal site will put names to some of the compromised keys: Samsung, LG, and Mediatek are the heavy hitters on the list of leaked keys, along with some smaller OEMs like …

Continue reading Leaked Signing Keys Are Being Used to Sign Malware→