A risk with using MD5 for software package fingerprinting
David Honig
dahonig at home.com
Mon Jan 28 10:48:46 EST 2002
At 02:27 AM 1/28/02 -0800, John Gilmore wrote:
I have done enough years of chip testing AND architectural
>validation to know how few of the infinitely many combinations of
>instructions or bus cycles are actually tested to make sure that
>somebody didn't intentionally make *one* combination do something
>interesting. Even if you trust your processor, didn't the NSA pay the
>Taiwanese designer of your RAM chips to replace particular stored code
>sequences with other interesting ones, one time out of a hundred, when
>fetched?
Nice piece. When I was writing Verilog for Blowfish and IDEA, we
got interested in how to verify that the chip did what the code described.
Esp. because you hand over your output to other internal groups who transform
it into other forms (e.g., standard cell netlist, then GDSII masks, etc.)
We were thinking about using reverse-engineering services who could
strip, image, and reconstruct a netlist, to confirm that the logic
did what it was supposed to (and in our case, nothing else). The equivalent
of reverse-compiling from assembler --or microcode! We never got that far,
though.
dh
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com
More information about the cryptography
mailing list