Tamperproof devices and backdoors

Hadmut Danisch hadmut at danisch.de
Fri May 25 16:37:51 EDT 2001


On Fri, May 25, 2001 at 09:34:20AM +0800, Enzo Michelangeli wrote:
> On another mailing list, someone posted an interesting question: how to
> ascertain that a tamperproof device (e.g., a smartcard) contains no hidden
> backdoors?


The question is not precise enough to be answered.
The term "tamperproof device" covers a too wide range of devices.

Define precisely what kind of tamperproofness you are discussing,
e.g.

- Tamper detection only: Device allows to be analyzing and
  all contained data to be read out, but someone is able to detect
  that this device was opened. This appears to be rather some kind
  of physical seal than a cryptographical protection. Think about
  a plain paper envelope sealed with wax. It doesn't protect
  the letter to be read, but it allows the detection that it was 
  opened.

- Protection of data only: Imagine some device, which keeps the
  mechanism completely intact and inspectable, but erases all
  data (e.g. a cryptographic key). 

- Protection of mechanism: A device with selfdestruction, leaving
  itself uninspectable. 



> By definition, anything open to inspection is not tamperproof. Of
> course, one can ask the manufacturer to disclose the design, but there is no
> way of verifying that the actual device really implements the design that
> was disclosed, because the act of inspecting its innards could remove the
> backdoor, and also the code thet implement the removal itself.
> 
> Any idea, besides relying on the manufacturer's reputation?


What about this: Assuring some probability similar to blind
signatures. Assume someone is selling tamperproof devices of the
second kind (see above). You buy 1,000, randomly select one of them
to be used, and open/analyze the other 999 for hidden trapdoors in the
mechanism. You might find that these 999 devices are just a plain 
and simple implementation of any blockcipher. Probability that the
chosen one differs is 0.1%. 


You could also have some kind of "transparent device", which allows
you to see every detail of the mechanism, but not the data (key etc.)
currently stored or under computation.


Hadmut









---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com




More information about the cryptography mailing list