[Cryptography] Hardware Trojan Protection

Eugen Leitl eugen@leitl.org
Wed Sep 25 05:18:08 PDT 2013


----- Forwarded message from Bill Frantz <frantz@pwpconsult.com> -----

Date: Tue, 24 Sep 2013 13:36:13 -0700
From: Bill Frantz <frantz@pwpconsult.com>
To: cryptography@metzdowd.com
Subject: [Cryptography] Hardware Trojan Protection
X-Mailer: Mailsmith 2.3.1 (422)

On 9/22/13 at 6:07 PM, leichter@lrw.com (Jerry Leichter) wrote in
another thread:

> Still, it raises the question:  If you can't trust your
> microprocessor chips, what do you do?  One possible answer:  Build
> yourself a processor out of MSI chips.  We used to do that, not so
> long ago, and got respectable performance (if not, perhaps, on
> anything like today's scale).  An MSI chip doesn't have enough
> intrinsic computation to provide much of a hook for an attack.  Oh,
> sure, the hardware could be spiked - but to do *what*?  Any given
> type of MSI chip could go into many different points of many
> different circuit topologies, and won't see enough of the data to
> do much anyway.  There may be some interface issues:  This stuff
> might not be fast enough to deal with modern memory chips.  (How
> would you attack a memory chip?  Certainly possible if you're make
> a targeted attack - you can slip in a small processor in the design
> to do all kinds of nasty things.  But commercial of the shelf
> memory chips are built right up to the edge of what we can make, so
> you can't change a
> ll that much.)
> 
> Some stuff is probably just impossible with this level of
> technology.  I doubt you can build a Gig-E Ethernet interface
> without large-scale integration.  You can certainly do the original
> 10 Mb/sec - after all, people did!  I have no idea if you could get
> to 100 Mb/sec.
> 
> Do people still make bit-slice chips?  Are they at a low-enough
> level to not be a plausible attack vector?
> 
> You could certainly build a respectable mail server this way -
> though it's probably not doing 2048-bit RSA at a usable speed.
> 
> We've been talking about crypto (math) and coding (software).
> Frankly, I, personally, have no need to worry about someone
> attacking my hardware, and that's probably true of most people.
> But it's *not* true of everyone.  So thinking about how to build
> "harder to attack" hardware is probably worth the effort.

You might get a reasonable level of protection implementing the core
of the crypto operations in a hardware security module (HSM) using
Field Programmable Gate Arrays (FPGA) or Complex Programmable Logic
Device (CPLD). There is an open source set of tools for programming
these beasts based on Python called MyHDL <www.myhdl.org>. The EFF DES
cracker may have some useful ideas too.

The largest of these devices are also pressing the current chip
limits. There isn't a lot of extra space for Trojans. In addition,
knowing what to look at is somewhat difficult if pin assignments etc
are changed from chip to chip at random.

As with any system, there are tool chain issues. Open source helps,
but there is always the Key Thompson attack. The best solution I can
think of is to audit the output. Look very carefully at the output of
the tool chain, and at the final piece that loads the configuration
data into the device.

Cheers - Bill

---------------------------------------------------------------------------
Bill Frantz        |"Web security is like medicine - trying to do good
for
408-356-8506       |an evolved body of kludges" - Mark Miller
www.pwpconsult.com |

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: Digital signature
URL: <http://cpunks.org/pipermail/cypherpunks/attachments/20130925/f832cae6/attachment.sig>


More information about the cypherpunks mailing list