The FBI did not ask for a 'Golden Key'

Story: Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open
Total Replies: 3
dotmatrix

Aug 11, 2016
6:57 PM EDT
There was never a request from the FBI... anywhere, actually or implicitly, for a 'Golden Cryptographic Key' in order to 'backdoor' the iPhone.

This MS snafu is more akin to the Github user snafu...

http://www.theregister.co.uk/2013/01/25/github_ssh_key_snafu/
DrGeoffrey

Aug 11, 2016
8:31 PM EDT
That led to this leak. Except perhaps for the original instruction from the U.S. government to insert back doors in the first place.
dotmatrix

Aug 12, 2016
9:09 AM EDT
>That led to this leak.

It's unclear what you mean.

You really need to read the original hack to understand what is claimed.

https://rol.im/securegoldenkeyboot/

I found it easier to copy and paste the text from the foobarred weird and silly web site than to read it on the page itself... a web site which screams "I'm a child and live in my grandma's basement"

The Ars article is actually quite wrong... and/or misleading. The actual problem has nothing at all to do with crypto. The Secure Boot apparently works through a policy system which applies signed or unsigned policies at particular times during boot... The 'golden key' referred to in the hack write-up is not crypto... it is, in fact, the ability to turn off secure boot on some devices.

hack write-up wrote: The "supplemental" policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don't contain any BCD rules either, which means that if they are loaded, you can enable testsigning.


It's the testsigning mode that allows Secure Boot to be turned off. If Microsoft didn't allow Secure Boot to be turned off, then the 'hack' would not work. So, the hack write-up is reversed logic to make a dig at the FBI...

hack write-up wrote: backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!


The correct statement is the reverse of the above.

hack write-up, changed for forward logic wrote: backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!


>Except perhaps for the original instruction from the U.S. government to insert back doors in the first place.

There has always been an 'understanding' that the US government and law enforcement in general would prefer to have control over who has 'encryption' technologies as well as control the 'how' and 'why' it is used. This is a perfectly good thing for a government to seek, since encryption can and has been and will be used by criminals both foreign and domestic to carry out and hide crimes including but not limited to terrorist attacks on US citizens.

It's good to remember that there is no actual difference between trusting a corporation to do 'encryption right' and trusting the government with the same. The only way for someone to do 'encryption right' is to use his/her own keys and maintain those keys in as secure a way as possible without using any third party for creation, storage, or retrieval of the private key.

***
  • If you trust a corporation with your crypto needs, you are not in control.
  • If you trust the government with your crypto needs, you are not in control.
  • If you use a proprietary OS or software to create, store, or retrieve the private keys, you are not in control.
  • If you allow your original data to be encrypted with multiple keys, you are not in control.


Any corporation can be compelled through a secret order to either hand over the keys or be forced through secret order to compromise your data. Thus Apple's stance and others in support of Apple's stance is at best a side show and smoke screen. The general public doesn't know and wouldn't know and couldn't know if there is already some government 'backdoor' in many of these so-called secure platforms.
CFWhitman

Aug 15, 2016
3:44 PM EDT
To me, this doesn't look like it has anything to do with the government. It looks like Microsoft engineers found it a hassle to debug systems with Secure Boot enabled, so they built in a way to disable it during their testing. Then they could just re-enable it when they were ready. With x86 devices, there was an official way to disable Secure Boot, so this wouldn't be necessary with them, but someone at Microsoft got the bright idea to make it so you could not disable it on ARM devices (the option to disable it would be much too non-hostile), so they hid the way to disable it. Someone discovered what was hidden.

One interesting point would be that if this also exists in x86 systems, it would probably indicate that Microsoft originally intended there to be no official way to turn off Secure Boot for those devices either, but changed their minds when people started pointing out the issues (like not even being able to install an old version of Windows).

Look for Microsoft to possibly remove the option to disable Secure Boot when they stop supporting 7, the last Microsoft operating system to require the ability to turn it off. Of course, they will continue to need a way to turn it off during development.
