[rocqua]

It is very much news to me that key-recovery from the TPM is not supposed to be that hard.

If that is the case, how does it strengthen a PIN? Any attacker wanting to find a decryption key could simply extract the key, and then brute-force the PIN outside of the TPM constraints, can't they?

[nextgens]

The PIN isn't required if you decap the TPM.

[HelloNurse]

Decapping doesn't count as a "basic hardware attack".

[nextgens]

https://en.wikipedia.org/wiki/FIPS_140-2#Level_2

It definitely does when there is no attempt made at protecting against it. L2 means "tamper evidence", you need L3 for things to start to be designed to prevent it from being "basic".

SGX is L3, you'll be hard pressed to find a TPM that does better than L2.

Phrasing it another way: Even if you don't have the skills/equipment to do it. How much do you think it costs to get someone to do it for you? How reproducible is that process? Why are we assuming it's hard?

[R0b0t1]

I'm pretty sure their benchmark for hard is needing to take the device apart and do surgery on it. To me, that is what I would qualify as hard despite knowing how to do it, it's hard by way of being annoying.

Yes, I'd like more security, but it's not bad.

[m0zg]

For the NSA it does. :-)

[Avamander]

If the NSA is in your threat model, you've lost the game.

[wolfgke]

> If the NSA is in your threat model, you've lost the game.

For example for cryptographic primitives, if you didn't include the NSA in your threat model, you did something deeply wrong in your modelling.

[jonathanstrange]

However, regarding cryptography, the NSA's cryptographic expertise and resources are secret, so it's very hard to include them in a threat model.

They could know more than civilian cryptographers, have new direct attacks that we don't know yet, e.g. algebraic attacks and specialized hardware to solve gigantic systems of equations. Or, they could have a working quantum computer with many qbits. We don't know, do we?