[cryptography] Which encryption chips are compromised?

Thu Dec 12 13:24:37 PST 2013

On Thu, Dec 12, 2013 at 08:04:00AM -0800, Steve Weis wrote:
> On Dec 12, 2013 6:08 AM, "coderman" <coderman at gmail.com> wrote:
> > i see your skepticism, and i raise you a retort! ;)
> >
> > i even have a list of candidates you can experiment with to confirm
> > Intel Ivy Bridge as best fit. [0]
> 
> I think this is a weak guess.

In reply to Declan tweeting about this discussion (shame on you, Declan,
if you're reading this and trying to take the discussion to the public),
Kevin Poulsen points out
https://twitter.com/kpoulsen/status/411226939547222016
that the Times' comment on this redaction appears to imply that the
redacted text names two chips:

http://www.nytimes.com/interactive/2013/09/05/us/documents-reveal-nsa-campaign-against-encryption.html?_r=0

    Large Internet companies use dedicated hardware to scramble traffic
    before it is sent. In 2013, the agency planned to be able to decode
    traffic that was encoded by one of these two encryption chips,
    either by working with the manufacturers of the chips to insert back
    doors or by exploiting a security flaw in the chips' design.

> The document is talking about FY2013.  IVB already shipped in 2012. I'd
> guess it was fabricated for testing in 2009-2010 and designed for a few
> years prior.
> 
> What enablement would be "complete" in 2013 for something that has been on
> the market a year and is already being phased out?

VPN gear lasts in the field for 2-5 years post roll-out.  Design wins
into large provider's hardware will often see the same chip being
manufactured for 2-5 years after it ceases being available at retail.
(ark.intel.com has an "embedded option available?" field to denote the
chips they support this for.)

"Complete Enablement" is jargon with a specific meaning.  I'm not
certain I understand it, but I *think* it means "we have plaintext
access on any targeted session".  I don't think it means "we can get
plaintext for an arbitrary previously recorded session" and I don't
think it means "we automatically get plaintext for every session we can
hear".  Suppose a NSA chip backdoor receives its triggering command by a
specific sequence of TCP retransmits (dropped packets) and after being
triggered, leaks the key by varying the timing or ordering of outbound
packets.  By my reading, this would count as "complete enablement" even
though a session which was not triggered would not be eavesdroppable.

To specifically respond to your point, "Complete enablement" is also
time dependent.  Productionizing a timing side channel attack could
result in complete enablement only for new flows and would still be
complete even though there was no enablement before the attack was
available.

> By 2013, Intel had already started shipping Haswell. They did launch new
> IVB E5v2 Xeon server processors this fall, but future CPUs will be Haswell
> and Broadwell.
> 
> Intel already has the next, next generation Skylake with SGX fabricated for
> testing.
> 
> I still think the document is talking about a dedicated crypto chip for VPN
> and SSL acceleration devices, just like it says.

Especially taking the NYT commentary into account, I'm even more
convinced you're right.  "Intel and AMD" is about the right length...

-andy