[NOISE] Cable-TV-Piracy-Punks

Dave Emery die at pig.die.com
Sun Mar 31 03:42:45 PST 1996


> .pm  writes:

> Why not? If the card knows its own key, then someone else can probably
> get the key out by some nasty mechanism.

	One of the earliest breaks of the Videocipher II analog satellite
descrambler back in 1986 was based on twiddling with the timing and
electrical characteristics of the chip clock on the supposedly
tamperproof TMS 7000 crypto microprocessor until it started to misexecute
instructions.  By chance, some PROM code that allowed reading the secret
seed keys used by each individual box to decode master keying messages
addressed to it happened to be a few instructions after some other code
normally accessible by issuing commands to the chip. One kept issuing
those commands while corrupting the clock until the chip misexecuted the
branch at the end of the public code and fell into the otherwise
inaccessible code that allowed access to the seed keys. 

	So yes, this has already been done in one real case of
cryptosystem defeat.  For a while, it was the standard method of
obtaining seed keys from VC-II boards.

	Later versions of the ROM code removed that vulnerability.

							Dave





