[Cryptography] Techniques for malevolent crypto hardware (Re: Suite B after today's news)

Eugen Leitl eugen at leitl.org
Mon Sep 9 00:04:36 PDT 2013


----- Forwarded message from "Perry E. Metzger" <perry at piermont.com> -----

Date: Sun, 8 Sep 2013 14:34:26 -0400
From: "Perry E. Metzger" <perry at piermont.com>
To: Ray Dillinger <bear at sonic.net>
Cc: cryptography at metzdowd.com
Subject: [Cryptography] Techniques for malevolent crypto hardware (Re: Suite B after today's news)
X-Mailer: Claws Mail 3.9.0 (GTK+ 2.24.20; x86_64-apple-darwin12.4.0)

On Sat, 07 Sep 2013 19:19:09 -0700 Ray Dillinger <bear at sonic.net>
wrote:
> Given some of the things in the Snowden files, I think it has
> become the case that one ought not trust any mass-produced crypto
> hardware.

Yes and no. There are limits to what such hardware can do. If such
hardware fails to implement a symmetric algorithm correctly, that
failure will be entirely obvious since interoperation will fail
immediately. If it uses bad random numbers, that failure will be
subtle.

The most obvious implementation defects are bad RNGs and bad
protection against timing analysis.

One might also add side channels to leak information. Obvious side
channels for malevolent hardware are radio frequency interference (if
you can deploy listening equipment in the same colo this might be
quite a practical way to extract information) and timing channels
(not only in the sense of failure to protect against timing analysis
but also in the sense of using inter-event delays to encode
information like keys).

I think that in most applications power consumption side channels are
probably not that interesting (smart cards etc. being an exception)
but I'm prepared to be proven wrong.

Any other thoughts on how one could sabotage hardware? An exhaustive
list is interesting, if only because it gives us information on what
to look for in hardware that may have been tweaked at NSA request.

> Given good open-source software, an FPGA implementation would
> provide greater assurance of security.

I wonder, though, if one could add secret layers to FPGAs to leak
interesting information in some manner. It seems unlikely, but I
might simply not be creative enough in thinking about it.

Perry
-- 
Perry E. Metzger		perry at piermont.com
_______________________________________________
The cryptography mailing list
cryptography at metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography

----- End forwarded message -----
-- 
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B  47EE F46E 3489 AC89 4EC5



More information about the cypherpunks mailing list