Cryptography Alone Is Not Enough

Cryptocurrency from an attacker's perspective means one thing: you can steal data that literally is money. A multitude of methods to prevent theft, or at least make it harder, have been developed over the years – several generations of hardware wallets, paper wallets, various elaborate cold storage systems and so on. 2FA tokens for remote system access and similar devices have very similar properties. But they all have one weakness: if an attacker gains physical possession, the security margin shrinks – often too far. Even if an attacker cannot reverse engineer the secrets out of access tokens or hardware wallets, he can manipulate the computing devices you use them with, gain valuable information through surveillance or trick you into doing stupid stuff. So the necessary protection envelope is bigger than you may think. This talk will take a look at how real-world attacks against offline and online devices are carried out these days, discuss how to develop an adequate threat model for your needs, and explain some basics (like the difference between "tamper evident" and "tamper resistant") as well as typical pitfalls in this game. Finally, we will show some new developments that make it easier to achieve better protection in various circumstances.

#hcpp19 #optout #paralelnipolis #instituteofcryptoanarchy

Size: 941.16 MB
Hash: 675bb172..961443c2
Resolution: 1920x1080
Video: avc1 (2.15 MB bitrate)
Audio: Opus (100.71 kB bitrate)
WTFPL – Do What the Fuck You Want to Public License
Last update: 8/18/2025, 4:14:58 AM