Tamperproof devices and backdoors
Hadmut Danisch
hadmut at danisch.de
Fri May 25 16:37:51 EDT 2001
On Fri, May 25, 2001 at 09:34:20AM +0800, Enzo Michelangeli wrote:
> On another mailing list, someone posted an interesting question: how to
> ascertain that a tamperproof device (e.g., a smartcard) contains no hidden
> backdoors?
The question is not precise enough to be answered.
The term "tamperproof device" covers too wide a range of devices.
Define precisely what kind of tamperproofness you are discussing,
e.g.

- Tamper detection only: The device allows itself to be analyzed and
  all contained data to be read out, but someone is able to detect
  that this device was opened. This appears to be some kind of
  physical seal rather than a cryptographical protection. Think about
  a plain paper envelope sealed with wax. It doesn't protect
  the letter from being read, but it allows the detection that it was
  opened.
- Protection of data only: Imagine some device which keeps the
  mechanism completely intact and inspectable, but erases all
  data (e.g. a cryptographic key).
- Protection of mechanism: A device with self-destruction, leaving
  itself uninspectable.

> By definition, anything open to inspection is not tamperproof. Of
> course, one can ask the manufacturer to disclose the design, but there is no
> way of verifying that the actual device really implements the design that
> was disclosed, because the act of inspecting its innards could remove the
> backdoor, and also the code that implements the removal itself.
>
> Any idea, besides relying on the manufacturer's reputation?
What about this: Assuring some probability similar to blind
signatures. Assume someone is selling tamperproof devices of the
second kind (see above). You buy 1,000, randomly select one of them
to be used, and open/analyze the other 999 for hidden trapdoors in the
mechanism. You might find that these 999 devices are just a plain
and simple implementation of any block cipher. The probability that the
chosen one differs is 0.1%.
You could also have some kind of "transparent device", which allows
you to see every detail of the mechanism, but not the data (key etc.)
currently stored or under computation.
Hadmut
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
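
The sampling argument in the message above (keep one device, open the rest) can be checked numerically. The following is an added example, not part of the original message. It goes beyond the 1-in-1,000 case by letting an inspection miss a backdoor; the function names, the `detect` parameter and the independence of inspections are assumptions made for illustration.

```python
from fractions import Fraction
import random

def undetected_probability(n, k, detect=Fraction(1)):
    """Exact chance that the one device kept in service is backdoored AND
    opening the other n-1 devices reveals nothing.
    n = batch size, k = backdoored devices in the batch,
    detect = chance that opening a backdoored device exposes the backdoor
    (assumption: inspections are independent of each other)."""
    if not 0 <= k <= n:
        raise ValueError("k must be between 0 and n")
    if k == 0:
        return Fraction(0)
    # The kept device is backdoored with probability k/n; the remaining
    # k-1 backdoored devices are all opened and must all be missed.
    return Fraction(k, n) * (1 - Fraction(detect)) ** (k - 1)

def worst_case(n, detect=Fraction(1)):
    """Highest undetected probability over every possible k, with that k."""
    return max((undetected_probability(n, k, detect), k)
               for k in range(1, n + 1))

def simulate(n, k, detect, trials=100_000, seed=1):
    """Monte Carlo check of the formula on a constructed experiment."""
    rng = random.Random(seed)
    miss = 1.0 - float(detect)
    hits = 0
    for _ in range(trials):
        kept = rng.randrange(n)      # devices 0..k-1 are the backdoored ones
        if kept >= k:
            continue                 # the device in service is clean
        # Every other backdoored device is opened; each must be missed.
        if all(rng.random() < miss for _ in range(k - 1)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    print("perfect inspection, 1 of 1000:", undetected_probability(1000, 1))
    print("perfect inspection, 2 of 1000:", undetected_probability(1000, 2))
    prob, k = worst_case(1000, Fraction(1, 10))
    print("inspection catches 10%%: worst case %.4f%% at k=%d"
          % (float(prob) * 100, k))
    print("simulated n=20, k=3, detect=1/2:", simulate(20, 3, Fraction(1, 2)))
```

The 0.1% figure is the worst case only when every opened device is inspected perfectly; under the model above the bound of 1/n holds as long as an inspection catches a backdoor at least half the time, and degrades below that.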