On Thu, Dec 12, 2013 at 08:04:00AM -0800, Steve Weis wrote:
On Dec 12, 2013 6:08 AM, "coderman" <coderman@gmail.com> wrote:
i see your skepticism, and i raise you a retort! ;)
i even have a list of candidates you can experiment with to confirm Intel Ivy Bridge as best fit. [0]
I think this is a weak guess.
In reply to Declan tweeting about this discussion (shame on you, Declan, if you're reading this and trying to take the discussion to the public), Kevin Poulsen points out https://twitter.com/kpoulsen/status/411226939547222016 that the Times' comment on this redaction appears to imply that the redacted text names two chips:

http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campai...

Large Internet companies use dedicated hardware to scramble traffic before it is sent. In 2013, the agency planned to be able to decode traffic that was encoded by one of these two encryption chips, either by working with the manufacturers of the chips to insert back doors or by exploiting a security flaw in the chips' design.
The document is talking about FY2013. IVB already shipped in 2012. I'd guess it was fabricated for testing in 2009-2010 and designed for a few years prior.
What enablement would be "complete" in 2013 for something that has been on the market a year and is already being phased out?
VPN gear lasts in the field for 2-5 years post roll-out. Design wins into large providers' hardware will often see the same chip being manufactured for 2-5 years after it ceases being available at retail. (ark.intel.com has an "embedded option available?" field to denote the chips they support this for.)

"Complete Enablement" is jargon with a specific meaning. I'm not certain I understand it, but I *think* it means "we have plaintext access on any targeted session". I don't think it means "we can get plaintext for an arbitrary previously recorded session" and I don't think it means "we automatically get plaintext for every session we can hear".

Suppose an NSA chip backdoor receives its triggering command by a specific sequence of TCP retransmits (dropped packets) and after being triggered, leaks the key by varying the timing or ordering of outbound packets. By my reading, this would count as "complete enablement" even though a session which was not triggered would not be eavesdroppable.

To specifically respond to your point, "Complete enablement" is also time dependent. Productionizing a timing side channel attack could result in complete enablement only for new flows and would still be complete even though there was no enablement before the attack was available.
By 2013, Intel had already started shipping Haswell. They did launch new IVB E5v2 Xeon server processors this fall, but future CPUs will be Haswell and Broadwell.
Intel already has the next, next generation Skylake with SGX fabricated for testing.
I still think the document is talking about a dedicated crypto chip for VPN and SSL acceleration devices, just like it says.
Especially taking the NYT commentary into account, I'm even more convinced you're right. "Intel and AMD" is about the right length...

-andy