On Wed, Dec 11, 2013 at 6:28 PM, Steve Weis <steveweis@gmail.com> wrote:

... Ivy Bridge processors are general purpose x86 CPUs. It doesn't make sense to me to refer to it as an "encryption chip" for "web encryption devices".

"used in Virtual Private Network" == PPTP,IPsec,OpenVPN,etc. "Web encryption devices" == in my interpretation, this is any targeted hardware with the vulnerable chip. it could be a tablet, a desktop, and rack mount server... any of these platforms could speak VPN or Web crypto. TAO/SCS do like to get into the switches though ;)

Do you know of products using IVB processors for SSL offloading or in VPN appliances?

mostly "cloud infrastructure", "software defined data center", and the like: http://www.routeranalysis.com/the-vyatta-cloud-router-story/ http://www.routeranalysis.com/etsi-network-function-virtualization-working-g...

To me, the redacted document sounds like it's referring to a security processor used for SSL offloading. For example, something like a Cavium Nitrox (which I'm not implying is the subject of the document).

back in the day, Sun got tired of the (relatively) slow performance and latency of crypto offloading via bus and simply threw it into the core. you were still offloading crypto, but within the CPU. also note that endpoint compromises sufficient to decrypt VPN or secure web traffic is already present in TAO/CNE's tasking. this effort [CCP_00009] may focus on VPN concentrator / secure web proxy deployments specifically to handle the RDRAND lookup per their private starting counter. previous back doors have also used entropy leakage sufficient to bring a brute force attack into reasonable effort, while still denying third parties a class break of the entropy / keys used. this type of key space search is not done on the ground with portable CNE but instead back at SCS... on a related tangent, the lack of additional disclosures is quite frustrating. this entire conversation would be resolved in a glance if $the_snowden_gatekeepers were acting in the public interest. :/ best regards,