Tamperproof devices and backdoors

dmolnar dmolnar at hcs.harvard.edu
Fri May 25 14:10:59 EDT 2001

> You hint at this in your discussion, but if you were building a
> backdoor into a chip (say a block cipher) you *must* make
> the trigger a *sequence* rather than a single input, since

You're absolutely right. This fact became apparent to me partway through
writing. I tried to work it in but wasn't nearly explicit enough. Thanks
for pointing it out.

> Any device (CPU, NIC, OS) which sees an externally generated stream is
> succeptible.  The next Metallica song could contain a trigger that
> irreversibly
> destroys a certain model MP3 player if its played...

That's why there seems to be a distinction between

	1) backdoors which only need to be activated *once*, then cause
	something awful to happen
		- irreversible destruction of device
		- unauthorized entry (login hack)
		- causing harm (e.g. releasing poison gas, exploding)
	2) backdoors which cause the device to alter functioning; the
	backdoor is only useful if the device continues to be used and
	the backdoor activation is not detected
		- a crypto-module which starts to leak key bits
		- telephone switch which starts to conference call with
		  a special number
		- subliminal channels of all kinds

For 1), the only way out I see is if the "something awful" requires some
other system to accept the device's output (e.g. login program returns
"true") - maybe you can force the device to prove its output matches the
spec. If the "something awful" is completely internal to the device

For 2), maybe you have more chance - it seems plausible that you could
limit the number of bad operations of the box before it must be caught.

An interesting recent paper, by the way, focuses on something related

"Funkspiel Schemes: An Alternative to Conventional Tamper Resistance"

Their idea is that a device should notice when it is being tampered with.
Before the adversary breaks in entirely, it should subtly alter
functioning. The adversary does not observe the state info of the device
as it alters. After this alteration, the adversary will not be able to
distinguish the device from an ordinary unaltered device, even given full
acess to the stateof the device. The legitimate owner of the device,
however, can tell from the output alone that something is wrong.

In this tamperproof testing situation, the "legitimate owner" is the back
door owner. The adversary is the box tester, except more powerful, since
we aren't allowing the box tester to open the box at *all*. The
"device notices it is being tampered with" is just triggering the back

> Not even mentioning the in-field-programmable wireless devices
> coming to a future near you.

Someone - Ian Goldberg, maybe? - once mentioned the "wireless remotely
programmable pacemaker." There's a movie scene waiting to be scripted for
that one...

-David Molnar

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com

More information about the cryptography mailing list