Linux-based wireless mesh suite adds crypto engine support

Jonathan Thornburg jthorn at aei.mpg.de
Thu Sep 30 07:20:08 EDT 2004


On Mon, 27 Sep 2004, Bill Stewart wrote:
[[about the Via crypto sets]]
> The hard part is trust - Cryptography Research did a study last year
> about the quality of the random number generator, and found that you
> get about 0.75 bits of entropy per output bit, or 0.99 if you do
> Von Neumann whitening, so it's fine for feeding your crypto-based whitener.
> 
> But their report indicates that they were mainly working from
> design documentation and testing actual equipment,
> so their tests don't show what the RNG does if you execute
>          SET MSR UNDOCUMENTED_EVIL_WIRETAP_MODE
> first, much less what happens to the AES keying info or IVs.

UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
without full design oversight.  Even for a 3DES chip, where supposedly
you can use deterministic test vectors to verify things, the following
scheme due to Henry Spencer embeds an almost-impossible-to-spot-in-practice
backdoor:

(N.b. the original URL is now dead, but google on the quoted phrase
      "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!" found two other
      archived copies)

  ## http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/09/msg00240.html
  Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
     
       * To: Linux IPsec <linux-ipsec at clinet.fi>
       * Subject: Re: linux-ipsec: Intel IPSEC accelerator gives 3DES
         protected 100Mbit Ethernet
       * From: Henry Spencer <henry at spsystems.net>
       * From: linux-ipsec at clinet.fi
       * Date: Thu, 16 Sep 1999 10:48:52 -0400 (EDT)
       * In-Reply-To: <199909161411.KAA02388 at tonga.xedia.com>
       * Reply-To: linux-ipsec at clinet.fi
       * Sender: owner-linux-ipsec-local at sandelman.ottawa.on.ca
     
  William H Geiger writes:
  > I don't know if you still follow the CP list but we have
  > been having a long debate on the trustworthiness of Intel
  > hardware, especially their RNG...
  
  At first I thought this was pretty much a non-issue here.  The problem
  with the RNG is that it's so hard to decide whether its output is "really"
  random.  But 3DES is a deterministic transform which can be tested against
  other implementations, so you can easily establish whether the chip is
  really doing 3DES or not.
  
  Alas, then I got to thinking.  Suppose one built a 3DES accelerator chip
  so that, if and only if:
  
  (a) the chip is doing near-continuous encryptions at high speed, and
  (b) the keys are changing every packet or two, and
  (c) the chip detects -- via a simple mechanism like a little hash table --
          a key which has appeared before, recently, and
  (d) this key has not been marked "compromised" in the hash table, and
  (e) an internal 16-bit packet counter is all-1s,
  
  then
  
  (!) mark the key compromised in the hash table, XOR the key with the
  string "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!", prefix it with a
  random-looking constant bit pattern, and sprinkle the resulting bits into
  the encrypted data, in a haphazard but deterministic pattern.
  
  This is, of course, an encryption error.  But rules (a)-(e) make it
  essentially irreproducible, so it won't happen a second time (and will be
  quite difficult to reproduce even in a test setup).  Almost certainly it
  will get written off as a random error, and the affected packet will be
  re-processed correctly and re-sent, and all will be well.
  
  Except that an eavesdropper on the high-speed wire just looks for the
  constant bit pattern in the right places in a packet, and (almost) every
  time he sees it, he's nabbed an encryption key.
  
  There's no limit to the complexity that can be added -- especially if
  you're willing to consider active wiretapping, with the chip going into
  this mode only if it sees (say) an ICMP ping with the right data in it --
  to defeat attempts to find this sort of thing on the test bench.
  
  I fear I agree with William; nothing short of peer review of the hardware
  design makes such a device trustworthy.
  
                                                            Henry Spencer
                                                         henry at spsystems.net
                                                       (henry at zoo.toronto.edu)
  
  
  -
  This is the linux-ipsec-local at sandelman.ottawa.on.ca mailing list. It is a
  restrict-Post filtered version of linux-ipsec at clinet.fi.

-- 
-- Jonathan Thornburg <jthorn at aei.mpg.de>      
   Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
   Golm, Germany, "Old Europe"     http://www.aei.mpg.de/~jthorn/home.html      
   "Washing one's hands of the conflict between the powerful and the
    powerless means to side with the powerful, not to be neutral."
                                      -- quote by Freire / poster by Oxfam
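The scheme quoted above only works if the one bad packet is written off as a random encryption error and quietly re-sent. The Go program below is added here as an illustration; it is not part of either message and is not code from any accelerator vendor. It shows the check a defender can run at the driver or test-bench level: every packet the (untrusted) accelerator encrypts is recomputed with the standard library's 3DES-CBC, and any disagreement is kept as evidence, with both ciphertexts, rather than retried. The `Packet`, `Accelerator`, `Verify` names and the constructed traffic are assumptions of this example; the fault-injecting wrapper merely XORs a fixed byte pattern into one packet's first block to exercise the harness and does not model the scheme itself. Such a harness catches the passive variant only when the comparison runs on the real traffic; the actively triggered variant shows up only if the trigger happens to be in the verified stream, and it says nothing about the RNG question.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"fmt"
)

// Packet is one encryption job handed to the accelerator: a 24-byte 3DES key,
// an 8-byte CBC IV and a plaintext already padded to a multiple of 8 bytes.
type Packet struct {
	Key       []byte
	IV        []byte
	Plaintext []byte
}

// Accelerator stands in for the hardware (or its driver). The harness treats
// its output as untrusted and never uses it as ground truth.
type Accelerator func(p Packet) ([]byte, error)

// ReferenceEncrypt is the software ground truth: 3DES-CBC from the standard library.
func ReferenceEncrypt(p Packet) ([]byte, error) {
	if len(p.Plaintext)%des.BlockSize != 0 {
		return nil, fmt.Errorf("plaintext length %d is not a multiple of %d", len(p.Plaintext), des.BlockSize)
	}
	if len(p.IV) != des.BlockSize {
		return nil, fmt.Errorf("iv must be %d bytes, got %d", des.BlockSize, len(p.IV))
	}
	block, err := des.NewTripleDESCipher(p.Key) // rejects keys that are not 24 bytes
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(p.Plaintext))
	cipher.NewCBCEncrypter(block, p.IV).CryptBlocks(out, p.Plaintext)
	return out, nil
}

// Mismatch records a packet on which the accelerator disagreed with the reference.
// Both ciphertexts are kept: the accelerator's output is what may already have
// reached the wire, so it is evidence, not something to discard and retry.
type Mismatch struct {
	Index    int
	Expected []byte
	Observed []byte
	Err      error
}

// Verify encrypts every packet with both the accelerator and the reference and
// reports every disagreement. An empty result means the accelerator matched on
// this traffic; it does not prove the chip honest under conditions not exercised.
func Verify(acc Accelerator, pkts []Packet) []Mismatch {
	var bad []Mismatch
	for i, p := range pkts {
		want, err := ReferenceEncrypt(p)
		if err != nil {
			bad = append(bad, Mismatch{Index: i, Err: err})
			continue
		}
		got, err := acc(p)
		if err != nil || !bytes.Equal(want, got) {
			bad = append(bad, Mismatch{Index: i, Expected: want, Observed: got, Err: err})
		}
	}
	return bad
}

// HonestAccelerator is a constructed stand-in that really does 3DES-CBC.
func HonestAccelerator(p Packet) ([]byte, error) { return ReferenceEncrypt(p) }

// FaultInjectingAccelerator wraps an accelerator so that packet number `at`
// comes back with a fixed constructed byte pattern XORed into its first block.
// It is only a test fixture for the harness, standing in for the one-off
// "encryption error" discussed in the thread; it does not model any real chip.
func FaultInjectingAccelerator(inner Accelerator, at int) Accelerator {
	n := 0
	return func(p Packet) ([]byte, error) {
		ct, err := inner(p)
		if err == nil && n == at {
			ct = append([]byte(nil), ct...)
			for i := 0; i < des.BlockSize && i < len(ct); i++ {
				ct[i] ^= 0xA5
			}
		}
		n++
		return ct, err
	}
}

// SamplePackets builds constructed test traffic: n packets, each with its own
// key and IV, mimicking the per-packet rekeying condition in the scheme above.
func SamplePackets(n int) []Packet {
	pkts := make([]Packet, n)
	for i := range pkts {
		key := make([]byte, 24)
		iv := make([]byte, des.BlockSize)
		for j := range key {
			key[j] = byte(i*7 + j + 1)
		}
		for j := range iv {
			iv[j] = byte(i*3 + j + 11)
		}
		// "pkt 042 16 bytes" is exactly two DES blocks long, so no padding is needed.
		pkts[i] = Packet{Key: key, IV: iv, Plaintext: []byte(fmt.Sprintf("pkt %03d 16 bytes", i))}
	}
	return pkts
}

func main() {
	pkts := SamplePackets(100)
	fmt.Printf("honest accelerator: %d mismatches\n", len(Verify(HonestAccelerator, pkts)))
	for _, m := range Verify(FaultInjectingAccelerator(HonestAccelerator, 42), pkts) {
		fmt.Printf("packet %d: expected %x, accelerator returned %x (err=%v)\n", m.Index, m.Expected, m.Observed, m.Err)
	}
}
```

In a real deployment the reference would run on a fraction of traffic or on a mirrored port, and a non-empty `Verify` result should page someone and quarantine the key, because a single unexplained mismatch is exactly the event the quoted scheme relies on nobody investigating.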


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


