[Cryptography] Techniques for malevolent crypto hardware (Re: Suite B after today's news)
----- Forwarded message from "Perry E. Metzger" <perry@piermont.com> -----

Date: Sun, 8 Sep 2013 14:34:26 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: Ray Dillinger <bear@sonic.net>
Cc: cryptography@metzdowd.com
Subject: [Cryptography] Techniques for malevolent crypto hardware (Re: Suite B after today's news)
X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.20; x86_64-apple-darwin12.4.0)

On Sat, 07 Sep 2013 19:19:09 -0700 Ray Dillinger <bear@sonic.net> wrote:
> Given some of the things in the Snowden files, I think it has become the case that one ought not trust any mass-produced crypto hardware.
Yes and no. There are limits to what such hardware can do. If such hardware fails to implement a symmetric algorithm correctly, that failure will be entirely obvious since interoperation will fail immediately. If it uses bad random numbers, that failure will be subtle. The most obvious implementation defects are bad RNGs and bad protection against timing analysis. One might also add side channels to leak information. Obvious side channels for malevolent hardware are radio frequency interference (if you can deploy listening equipment in the same colo this might be quite a practical way to extract information) and timing channels (not only in the sense of failure to protect against timing analysis but also in the sense of using inter-event delays to encode information like keys). I think that in most applications power consumption side channels are probably not that interesting (smart cards etc. being an exception) but I'm prepared to be proven wrong. Any other thoughts on how one could sabotage hardware? An exhaustive list is interesting, if only because it gives us information on what to look for in hardware that may have been tweaked at NSA request.
> Given good open-source software, an FPGA implementation would provide greater assurance of security.
I wonder, though, if one could add secret layers to FPGAs to leak interesting information in some manner. It seems unlikely, but I might simply not be creative enough in thinking about it.

Perry
--
Perry E. Metzger perry@piermont.com

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
--
Eugen* Leitl leitl http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
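Perry's point that a broken symmetric cipher fails loudly while a bad RNG fails quietly is worth seeing in code. The following is an added example, not part of the forwarded message or the list discussion: it models a hypothetical sabotaged key generator that whitens a tiny internal state through SHA-256 (the pattern of the 2008 Debian OpenSSL bug, where keys drew on only a few bits of entropy), shows that a naive monobit test cannot tell it from an honest source, and then applies the check a verifier actually needs, a birthday-bound collision count that estimates how much entropy is really behind the output. All class and function names, the 16-bit state size and the fixed seed are assumptions constructed for the illustration.

```python
"""Added example: why a sabotaged RNG is a subtle failure, and a cheap check for it.

A key generator that hashes its (tiny) internal state before output passes
bit-level tests, yet its keys repeat far sooner than 128-bit keys should.
Everything here is constructed for illustration; it is not a real device.
"""
import hashlib
import os
import random
from collections import Counter
from math import log2

KEY_BYTES = 16  # 128-bit keys


class HonestRng:
    """Reference source: keys straight from the OS CSPRNG."""

    def keys(self, n):
        return [os.urandom(KEY_BYTES) for _ in range(n)]


class LowEntropyRng:
    """Hypothetical sabotaged RNG: each key is the hash of only `entropy_bits`
    bits of fresh randomness, so outputs look uniform but at most
    2**entropy_bits distinct keys can ever be produced."""

    def __init__(self, entropy_bits=16, seed=1):
        self.entropy_bits = entropy_bits
        self._src = random.Random(seed)  # fixed seed so the example is repeatable

    def keys(self, n):
        out = []
        for _ in range(n):
            r = self._src.getrandbits(self.entropy_bits)
            # Whitening through SHA-256 hides the small state from bit-level tests.
            digest = hashlib.sha256(b"dev-key" + r.to_bytes(4, "big")).digest()
            out.append(digest[:KEY_BYTES])
        return out


def monobit_fraction(keys):
    """Fraction of one-bits across all keys. About 0.5 for any whitened output,
    sabotaged or not, which is why this test alone proves very little."""
    total_bits = sum(len(k) for k in keys) * 8
    ones = sum(bin(int.from_bytes(k, "big")).count("1") for k in keys)
    return ones / total_bits


def count_collisions(keys):
    """Number of repeated keys: every extra occurrence of a value counts once."""
    return sum(c - 1 for c in Counter(keys).values() if c > 1)


def estimate_entropy_bits(keys):
    """Birthday-bound estimate of the source's entropy from the collision count:
    n draws from a space of size S give about n(n-1)/(2S) collisions, so
    S is roughly n(n-1)/(2c). Returns None when no collision was seen, since
    only a lower bound on S is then available."""
    n = len(keys)
    c = count_collisions(keys)
    if c == 0:
        return None
    return log2(n * (n - 1) / (2 * c))


def audit(rng, n=2000):
    """Run all three checks on n keys drawn from the given source."""
    keys = rng.keys(n)
    return {
        "monobit": monobit_fraction(keys),
        "collisions": count_collisions(keys),
        "entropy_estimate_bits": estimate_entropy_bits(keys),
    }


if __name__ == "__main__":
    for name, rng in (("honest", HonestRng()), ("sabotaged", LowEntropyRng())):
        print(name, audit(rng))
```

With 2,000 draws the sabotaged source still shows a one-bit fraction within a fraction of a percent of 0.5, but it yields dozens of repeated keys and an entropy estimate near 16 bits, while the honest source yields none. The practical lesson for auditing a hardware RNG is that collision and repeat-detection across many outputs (and, where possible, across many devices) catch a whitened low-entropy source that statistical bit tests pass.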