tillitis-key1 VS untwister

Having a look at their documented threat model: https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...

I love this particular detail, listed under Assumptions:

> The end user is not an attacker. The end user at least doesn't knowingly aid the attacker in attacks on their device.

I love this, it's exactly what I want from a HSM device. However, sadly, most vendors today deploy TPMs in such a way that the end-user is an attacker (see: Google SafetyNet) - and the TKey is kinda incompatible with that, I suppose.

I'm not sure if they are publicly available yet by tillitis may be what you're looking for.

No, not yet. Physical attacks are out of scope for the TKey1, even if we have some mechanisms in play which try to extend the time and effort required to perform a successful evil maid-attack extracting the Unique Device Secret (UDS). See the threat model for the release:

https://github.com/tillitis/tillitis-key1/blob/main/doc/thre...

The current casing is fairly tamper evident (it will break), but we do not yet use real, tamper evident sealing. We are looking at tamper sealing for future versions. And ways to further protect against physical attacks.

Mullvad VPN has announced that they are working on the "Tillitis"[1] key and it looks like it's releasing pretty soon (2023-03-23).

From the website:

>The TKey™ is a new kind of USB security key inspired by measured boot and DICE.

>TKey™s design encourages developers to experiment with new security key applications and models in a way that makes adoption easier and less risky forend-users.

>TKey™ is and always will be open source hardware and software. Schematics, PCB design and FPGA design source as well as all software source code can be found on GitHub.

[1]: https://www.tillitis.se/ -- also "tillit" is Swedish for "trust"

Given a suitable app, the Tillitis Key 1 works as a RNG. I have written a first version, and will release one in the public app repository in a week or so.

https://github.com/tillitis/tillitis-key1

https://github.com/tillitis/tillitis-key1-apps

No, the integrity is within the device. You load the small (64k) apps onto the key and the content of the apps with the unique key for the device can be used by the app to perform cryptography and their integrity can be audited. This is similar to JavaCard with cryptographic integrity of the applets. Read more at: https://github.com/tillitis/tillitis-key1/blob/main/doc/syst...

You are correct. However, history teaches us important lessons.

Back in the old days when cryptography was a weird concept nobody understood, we had the Linear Congruential Generator (LCG)[1] to generate pseudo random numbers. It looked random, so we used it.

Then some egghead said "give me a few outputs of your LCG and I can reverse it back to a seed"[2]. Oh damn! What do we do? The obvious solution: Reseed the RNG before you use it.

Then another egghead said "I've invented Mersenne Twister (MT). It is faster and more secure"[3]. So we switched to that. No need to reseed the RNG anymore!

But then someone said "We have broken MT. Take some numbers. Give it to this app, and it will give you the seed"[4]. And so we started to reseed the RNG again.

Today it is hash-chaining, XOR-shift and improved linear-feedback shift register algorithms.

Do you want to put your money on that we have now reached bug-free well-enough PRNGs that we no longer have fiddle with reseeding? It is a dangerous gamble. More than anything I wish we were clever enough to create robust, correctness proven and high-performance PRNGs so we could stop all this nonsense - but alas, here we are.

[1] https://academic.oup.com/comjnl/article/1/2/83/425243

[2] https://en.wikipedia.org/wiki/Marsaglia%27s_theorem

[3] http://www.math.sci.hiroshima-u.ac.jp/m-mat/MT/ARTICLES/mt.p...

[4] https://github.com/altf4/untwister