[Cryptography] On Security Architecture, The Panopticon, And "The Law"

Jerry Leichter leichter at lrw.com
Fri Dec 27 11:19:08 EST 2013


On Dec 26, 2013, at 2:13 PM, Jonathan Thornburg <jthorn at astro.indiana.edu> wrote:
> [[a hardware AES accelerator can't be backdoored because it's deterministic, so it will have to leak the key - which is hard]]
> 
> Henry Spencer posted the classic key-leaking attack against a hardware
> encryptor way back in 1999.  If our Esteemed Moderator will permit it,
> I'd like to repost Henry's message here.  Alas the original list-archive
> url is now dead.  [Every 65K encryptions, the key gets leaked at the expense of damaging the data sent.  The receiver will assume the data was damaged in transit and simply retry.]

Hardware these days is *extremely* reliable.  (Those of us who've been around long enough remember such things as the recorded message you'd call before going down to the computer center - back when there were such things - to check on whether the machine was running; otherwise, why waste your time.)

If one in 65K packets were undecodable, someone would notice very quickly.  Some users don't monitor the quality of their network connections, but many do. There's no way this could masquerade as bit errors on the underlying connection:  The undetected (by lower-level hardware/code) error rate is in the 1 in billions range.

Sure, you can play with the numbers of Spencer's attack.  But you can't get around a hard tradeoff the attacker faces:  If he damages more than a very tiny fraction of packets, he'll be noticed by someone, and fairly quickly.  But that fraction is so tiny that the chances of picking up anything "juicy" make the attack pointless.
                                                        -- Jerry
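The argument above is quantitative, so here is an added model of it (example code written for this page; it is not Henry Spencer's construction, nor anything from Jerry's or Jonathan's posts). The encryptor, packet format and cipher are all assumptions: a toy SHA-256 keystream with a truncated HMAC-SHA256 tag stands in for the hardware AES, the backdoor puts the raw key in the ciphertext slot every leak_period-th packet while the tag still covers the honest ciphertext, the receiver treats the resulting tag failure as transit damage and drops the packet, and a passive eavesdropper tries any key-sized ciphertext as a key against the previous packet's tag. The baseline undetected-error rate of 1e-9 per packet is taken from the post; the payloads are constructed.

```python
import hashlib
import hmac
import math
import os

KEY_LEN = 32   # bytes; a leaked block is exactly one key (assumed format)
TAG_LEN = 16   # truncated HMAC-SHA256 tag carried with every packet


def _ctr(counter: int) -> bytes:
    return counter.to_bytes(8, "big")


def keystream(key: bytes, counter: int, n: int) -> bytes:
    # Toy stream cipher (assumption, stands in for the hardware AES):
    # one SHA-256 block per packet, so payloads are at most 32 bytes.
    return hashlib.sha256(key + _ctr(counter)).digest()[:n]


def packet_tag(key: bytes, counter: int, ct: bytes) -> bytes:
    return hmac.new(key, _ctr(counter) + ct, hashlib.sha256).digest()[:TAG_LEN]


class LeakyEncryptor:
    """Encryptor with a Spencer-style backdoor: every leak_period-th packet
    carries the key in the ciphertext slot.  The tag is computed over the
    honest ciphertext, so the receiver sees an authentication failure."""

    def __init__(self, key: bytes, leak_period: int):
        self.key, self.leak_period, self.counter = key, leak_period, 0

    def encrypt(self, plaintext: bytes):
        self.counter += 1
        ks = keystream(self.key, self.counter, len(plaintext))
        ct = bytes(p ^ k for p, k in zip(plaintext, ks))
        tag = packet_tag(self.key, self.counter, ct)
        if self.counter % self.leak_period == 0:
            ct = self.key                      # the leak: key replaces ciphertext
        return (self.counter, ct, tag)


def receive(key: bytes, packet):
    """Honest receiver: a bad tag looks like transit damage, so drop and retry."""
    counter, ct, tag = packet
    if not hmac.compare_digest(packet_tag(key, counter, ct), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, keystream(key, counter, len(ct))))


class Eavesdropper:
    """Passive observer who knows the backdoor's format: any key-sized
    ciphertext is tried as a key against the previous packet's tag."""

    def __init__(self):
        self.previous, self.recovered = None, None

    def observe(self, packet):
        counter, ct, _ = packet
        if self.recovered is None and self.previous is not None and len(ct) == KEY_LEN:
            pc, pct, ptag = self.previous
            if hmac.compare_digest(packet_tag(ct, pc, pct), ptag):
                self.recovered = ct            # confirmed offline against real traffic
        self.previous = packet


def simulate(n_packets: int, leak_period: int, key=None):
    """Returns (failures the receiver sees, whether the eavesdropper got the key)."""
    key = key if key is not None else os.urandom(KEY_LEN)
    enc, eve, failures = LeakyEncryptor(key, leak_period), Eavesdropper(), 0
    for i in range(n_packets):
        pkt = enc.encrypt(b"payload-%08d" % i)     # constructed 16-byte payload
        eve.observe(pkt)
        if receive(key, pkt) is None:
            failures += 1                          # "damaged in transit", retry
    return failures, eve.recovered == key


def poisson_tail(k: int, lam: float) -> float:
    """P(X >= k) for X ~ Poisson(lam), summed from the tail so tiny values survive."""
    if k <= 0:
        return 1.0
    if lam <= 0:
        return 0.0
    term = math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
    total = 0.0
    for i in range(k, k + 200):
        total += term
        term *= lam / (i + 1)
    return total


def false_alarm_probability(failures: int, n_packets: int, baseline_rate: float) -> float:
    """Chance an honest link with per-packet undetected-error rate baseline_rate
    shows at least this many failures in n_packets: the monitor's evidence."""
    return poisson_tail(failures, n_packets * baseline_rate)


def leak_period_to_hide(baseline_rate: float) -> int:
    """Leak period at which the leaks merely match the link's own noise floor."""
    return int(round(1 / baseline_rate))


if __name__ == "__main__":
    period, n = 65536, 3 * 65536
    failures, got_key = simulate(n, period)
    print(f"{n} packets, leak every {period}: {failures} failures, key recovered={got_key}")
    print("probability an honest 1e-9 link shows that many:",
          false_alarm_probability(failures, n, 1e-9))
    print("leak period needed to hide in the noise:", leak_period_to_hide(1e-9))
```

Three failures in 196,608 packets is something an honest link at 1e-9 would produce with probability around 1e-12, so a monitor that counts tag failures flags the box almost at once; to sink into the noise the attacker has to stretch the period to about a billion packets, which is the tradeoff the post describes.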
