[mappu]

> if an attacker has unencumbered access to one’s device, all security goes flying out the window

This is rapidly starting to become less true - full disk encryption is everywhere, backed by hardware TPMs; the Lockdown LSM prevents root from owing the boot chain; devices with soldered RAM are functionally immune to cold boot attacks.

There are still things an attacker can do - put a hardware keylogger on the keyboard wires, a skimmer on the fingerprint reader - but that requires future input from the victim. It is feasible today to defend against a physical attacker if you have the right hardware upfront and don't use it after the attack.

[userbinator]

This is rapidly starting to become less true

Unfortunately, both for right-to-repair and actually owning the hardware you bought.

[gruez]

TPMs don't impede your ability to repair anything. Soldered ram is a hassle, but it's not any more malicious than soldered CPUs. It's a design choice, and tradeoffs had to be made.

[mappu]

> TPMs don't impede your ability to repair anything

There are some stories like this: https://www.vice.com/en_us/article/akw558/apples-t2-security...

It's suggested that many such devices might be stolen. But there will also be devices where the user forgot to wipe their data (or didn't know how); or devices that are only just damaged enough that you can't wipe the user data.

Probably an official Apple store can refurbish them somehow, but that is the NOBUS / EARN IT argument.

[p_l]

Well, that's more an explicit T2 issue that goes beyond what is known as "industry standard" TPM. Apple just hates you a (big) bit extra.

[p1necone]

This kind of stuff shouldn't really theoretically have to affect repairability, but Apple seems to go out of their way to make sure that as much as possible gets bricked when you replace things.

[AshamedCaptain]

Full disk encryption is still be broken, given a decade or 3. You might care about that risk or not, but the fact is still there.

The point still is that if the attacker has unencumbered access to your device then indeed _further_ use of the device is unrecommended to say the least. It doesn't matter if you had or did not have full disk encryption. It does not matter if you had or did not have Thunderbolt.

An extremely low tech solution would be to place a smallish and tactically hidden camera on the chassis, you don't even need the screwdriver for that. And it just happens all the time on ATMs and I'd bet that like on ATMs it would fool a shitton of people.

And this story is precisely about the type of attack that "requires further user input" -- what would be the point of requiring Thunderbolt at all in the first place if you already have the system in pieces?

[xoa]

> Full disk encryption is still be broken, given a decade or 3.

What? FDE is all symmetric crypto, long since 256-bit, and I think all AES. AES is extremely well understood, and the threat scenario for FDE is also purely cold attacks so even any side channels are irrelevant. I've never seen any feasible attack suggested even in principle, so I'm curious what you have in mind in 10-30 years. If you're thinking "quantum computers", you've gotten confused. Against symmetric keys those only provide at best square root(n) speed up via Grover's Algorithm, essentially halving the key size space. But 128-bit is still infeasible to search, and it'd be trivial to counter anyway by doubling the key length. It's only against current asymmetric cryptosystems that Shor's Algorithm can apply in principle (if if Big-If an actual scalable general purpose QC can actually be built).

[AshamedCaptain]

I simply measured the time it took from the introduction of DES to when it was no longer "recommended" and substracted the years since AES was standarized, then added a decade of margin of error.

It does not sound to me far fetched to think that AES will be similarly "unrecommended" in such amount of time even if there is absolutely no evidence right now.

[xoa]

Oh, so you just made it up out of whole cloth with zero understanding of the actual math? I guess that answers my question then.

[AshamedCaptain]

Seriously? Are you saying you expect something encrypted with AES _today_ to remain inaccessible _for the next 3 decades_? I'd have a hard time finding anyone even remotely claiming that. How many crypto recommendations from 30 years ago are still not entirely 'questionable' today? 50 years? AES as a recommendation is not even half that old. The algorithm may survive with changes; but the actual encrypted data, I would not bet on it.

If you have anything that claims that AES is different enough to warrant this extra optimism, I would love to have a look.

[xoa]

>Seriously? Are you saying you expect something encrypted with AES _today_ to remain inaccessible _for the next 3 decades_?

Yes, seriously. In fact to be clear (since you edited your time down to a mere 30 years) I fully expect something encrypted with 256-bit full AES today to remain inaccessible for all of foreseeable human existence [1]. I mean, it's hard to even really know where to begin here because it's not clear you've so much as looked at a wikipedia page on this before, and really don't grasp how non-linear improvements have been. DES is your cited milestone, but the primary weakness of it was simply that it had a 56-bit key. That's a mere 72 thousand trillion. A 256-bit key isn't "~4.6 times as hard" though, it's "the number atoms in the entire galaxy times as hard". 2^256 is around the lower bound of the estimated number of atoms in the entire universe. A 512-bit key is something like "an entire universe of atoms for every single atom in the universe". These are non-intuitively big numbers.

The algebraic framework of AES is pretty straight forward, and decades better knowledge went into it. But mainly it's that non-linear advances in computing meant that by the end of the 90s tech had caught up with and surpassed what was needed for the kind of keys necessary to make brute force utterly impossible with margin to spare, by anything within the known laws of physics. There have been academic attacks which mildly reduce full AES below brute force, but they simply don't matter at all in practice. 2^254 is better than 2^256, but still impossible. I already cited quantum computers, there we have the math to show that if a fully scalable general purpose one could ever be made it'd allow a quadratic speedup. And against a 128-bit it'd drop it to less than 2^64 and that'd be fairly trivial. But everything modern moved over to 256-bit keys ages ago (FileVault 2 for example was 9 years ago and it was not remotely the first) and it'd be relatively trivial to double keys again at this point if anyone was really concerned.

Side channel attacks are a real issue too for many purposes. But FDE is an exception, since it exclusively is for defending data at rest. That simply nullifies an entire range of tricky implementation issues for this threat model.

Again seriously: you can't just do linear historical extrapolation without at least knowing a bit of why those things went that way and what the foundations are. It's like you being surprised I'd expect algebra or calculus to remain relevant "for the next 3 decades".

>I'd have a hard time finding anyone even remotely claiming that.

Would you now? Here, let me help by starting you off with this guy named Bruce Schneier [2]:

>There is a significant difference between an academic break of a cipher and a break that will allow someone to read encrypted traffic. (Imagine an attack against Rijndael that requires 2^100 steps. That is an academic break of the cipher, even though it is a completely useless result to anyone trying to read encrypted traffic.) I believe that within the next five years someone will discover an academic attack against Rijndael. I do not believe that anyone will ever discover an attack that will allow someone to read Rijndael traffic. So while I have serious academic reservations about Rijndael, I do not have any engineering reservations about Rijndael.

If my expectation is wrong, well at least I can't be ashamed of the company I'd be in.

----

1: Maybe it's possible to brute force 128-bits if we convert the entire solar system into a Matrioshka brain or something like that, I haven't crunched the math. But that's far enough out into transcendent territory that I don't think it's relevant to any data in existence today.

2: https://web.archive.org/web/20090201005720/http://www.schnei...

EDIT TO YOUR EDIT:

>If you have anything that claims that AES is different enough to warrant this extra optimism, I would love to have a look.

Literally any intro to this topic at all that you'd find as in the first few results of going to your search engine of choice and typing "advanced encryption standard". This isn't some niche weird thing. You going "well DES was made obsolete by advances in computing power in the 90s which means AES will be too in a few decades" is the weird thing.

EDIT 2:

Also at some point here we're going to get HN rate limited on replies, discussion on HN isn't intended to support very long chains. I don't know if we'll be able to say anything else, so I'd just leave with really encouraging you to skim through a few intro to modern cryptography pieces, and/or look at the math itself. It's interesting stuff and obviously under girds much of the modern world. In fact the entire history of cryptography leading to this point is really fascinating, what kind of secret message systems people used over millennia and how developing mathematics and computers have fundamentally systematized and changed the nature of it.

[fomine3]

I still doubt about how TPM is durable against attackers.