[zokier]

The key is transferred only on the initial connection, after that a challenge/response mechanism is used. So from UX point of view it achieves similar TOFU, even if the technical details vary a bit. Sure, its bit worse but it is still very much trust on first use.

[redactions]

After the device is connected, use looks like a key consistency aware system like an ssh client. It is as you note very different in the first protocol run.

To extract the device secret value, an attacker needs to connect the target device to an attacker device. As you note, the thunderbolt device leaks the secret value over the untrusted channel. Impersonation of that device after that moment is trivial as a result.

The entire cryptographic protocol is broken from the start.

[zokier]

> To extract the device secret value, an attacker needs to connect the target device to an attacker device. As you note, the thunderbolt device leaks the secret value over the untrusted channel.

If victin device is connected to attacker host, then only responses to challenges are potentially leaked. That might allow active mitm, but not cloning the key. That's the whole reason TFA needed to go poking around in flash to get the keys.

Not saying that TB is the best security protocol in the universe, but as far as I can tell the vulnerabilities exposed here are mostly implementation flaws rather than protocol level issues.

[redactions]

ssh uses asymmetric keys and the cache on the client has a three tuple (host,ip,public key) which allows a client to notice a difference in any of the three elements. By comparison, Thunderbolt leaks the entire secret as the first step and subsequent steps use derived values. ssh is secure if the key doesn't change and isn't compromised through other means. Thunderbolt is not secure and it fails under a passive surveillance adversary, it also fails for active adversaries.

I take your point that subsequent secret use in the n+1 protocol run isn't as bad as the very first run, and as you note, that probably doesn't matter in the face of an active attacker.

If Thunderbolt had used asymmetric cryptography, I would probably agree with you that the protocol has the same semantics as ssh. The reason that I disagree is that it appears to have the same semantics for the user interface but the underlying protocol differences are what make the protocol unsuitable for use. It's at least part of why Intel has now retired Security Levels and is leaning so strongly on kDMA. Security Levels as a protocol is simply not cryptographically secure for any meaningful definition of secure as the first step exposes the base secret value.

Note: the attack doesn't require the use of a flash clip, that's just a simple way to demonstrate device specific state extraction.