zlacker

[parent] [thread] 4 comments
1. blibbl+(OP)[view] [source] 2023-07-27 10:14:00
surely if they're successful they'll create a market for ripping the keys out of TPMs and selling them?

at which point you could attest any environment you wish, across as many machines as you want

a nice side hustle for bored university students with access to the equipment needed

(currently this doesn't happen as the TPM keys are essentially worthless)

replies(1): >>wizee+P8
2. wizee+P8[view] [source] 2023-07-27 11:28:29
>>blibbl+(OP)
Such keys sold in large numbers could be detected and blacklisted though.
replies(3): >>blibbl+pb >>kevinc+OI >>rolph+bb1
3. blibbl+pb[view] [source] [discussion] 2023-07-27 11:51:05
>>wizee+P8
which will increase demand for keys, and will encourage increased economies of scale in extracting them

would I pay $500 for a TPM key I can use to "attest" my hacked version of Chromium that removes ads? hell yes

would cheaters pay $500 for a TPM key to bypass Valorant anti-cheat? hell yes (they do already)

would spammers pay $500 to spam Google?

and so on

ultimately attestation to control the user (vs. protect them) sows the seeds of its own demise

4. kevinc+OI[view] [source] [discussion] 2023-07-27 14:31:31
>>wizee+P8
IIRC these keys are often produced in batches to help protect anonymity, so revoking them may have an undesirable impact on the bystanders who happen to have a key in the same batch.

So if we could reliably extract keys, it may be enough to break this (or force TPM makers to have per-device keys instead of per-batch keys).

5. rolph+bb1[view] [source] [discussion] 2023-07-27 16:21:45
>>wizee+P8
that's advantageous in the context of key spraying attacks, aiming to get as many possible keys blacklisted as forgeries, leading to large-scale key losses.

you don't have to know any keys, just the structure of a valid key, then make things up according to spec
