Linux-based wireless mesh suite adds crypto engine support
Jonathan Thornburg
jthorn at aei.mpg.de
Thu Sep 30 07:20:08 EDT 2004
On Mon, 27 Sep 2004, Bill Stewart wrote:
[[about the Via crypto sets]]
> The hard part is trust - Cryptography Research did a study last year
> about the quality of the random number generator, and found that you
> get about 0.75 bits of entropy per output bit, or 0.99 if you do
> Von Neumann whitening, so it's fine for feeding your crypto-based whitener.
>
> But their report indicates that they were mainly working from
> design documentation and testing actual equipment,
> so their tests don't show what the RNG does if you execute
> SET MSR UNDOCUMENTED_EVIL_WIRETAP_MODE
> first, much less what happens to the AES keying info or IVs.
UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
without full design oversight. Even for a 3DES chip, where supposedly
you can use deterministic test vectors to verify things, the following
scheme due to Henry Spencer embeds an almost-impossible-to-spot-in-practice
backdoor:
(N.b. the original URL is now dead, but google on the quoted phrase
"GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!" found two other
archived copies)
## http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/09/msg00240.html
Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
_________________________________________________________________
* To: Linux IPsec <linux-ipsec at clinet.fi>
* Subject: Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
* From: Henry Spencer <henry at spsystems.net>
* From: linux-ipsec at clinet.fi
* Date: Thu, 16 Sep 1999 10:48:52 -0400 (EDT)
* In-Reply-To: <199909161411.KAA02388 at tonga.xedia.com>
* Reply-To: linux-ipsec at clinet.fi
* Sender: owner-linux-ipsec-local at sandelman.ottawa.on.ca
_________________________________________________________________
William H Geiger writes:
> I don't know if you still follow the CP list but we have
> been having a long debate on the trustworthiness of Intel
> hardware, especially their RNG...
At first I thought this was pretty much a non-issue here. The problem
with the RNG is that it's so hard to decide whether its output is "really"
random. But 3DES is a deterministic transform which can be tested against
other implementations, so you can easily establish whether the chip is
really doing 3DES or not.
Alas, then I got to thinking. Suppose one built a 3DES accelerator chip
so that, if and only if:
(a) the chip is doing near-continuous encryptions at high speed, and
(b) the keys are changing every packet or two, and
(c) the chip detects -- via a simple mechanism like a little hash table --
a key which has appeared before, recently, and
(d) this key has not been marked "compromised" in the hash table, and
(e) an internal 16-bit packet counter is all-1s,
then
(!) mark the key compromised in the hash table, XOR the key with the
string "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!", prefix it with a
random-looking constant bit pattern, and sprinkle the resulting bits into
the encrypted data, in a haphazard but deterministic pattern.
This is, of course, an encryption error. But rules (a)-(e) make it
essentially irreproducible, so it won't happen a second time (and will be
quite difficult to reproduce even in a test setup). Almost certainly it
will get written off as a random error, and the affected packet will be
re-processed correctly and re-sent, and all will be well.
Except that an eavesdropper on the high-speed wire just looks for the
constant bit pattern in the right places in a packet, and (almost) every
time he sees it, he's nabbed an encryption key.
There's no limit to the complexity that can be added -- especially if
you're willing to consider active wiretapping, with the chip going into
this mode only if it sees (say) an ICMP ping with the right data in it --
to defeat attempts to find this sort of thing on the test bench.
I fear I agree with William; nothing short of peer review of the hardware
design makes such a device trustworthy.
Henry Spencer
henry at spsystems.net
(henry at zoo.toronto.edu)
-
This is the linux-ipsec-local at sandelman.ottawa.on.ca mailing list. It is a
restrict-Post filtered version of linux-ipsec at clinet.fi.
--
-- Jonathan Thornburg <jthorn at aei.mpg.de>
Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
"Washing one's hands of the conflict between the powerful and the
powerless means to side with the powerful, not to be neutral."
-- quote by Freire / poster by Oxfam
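Added example (not from this thread or from Cryptography Research's report): Von Neumann whitening of a constructed, independently biased bit source, alongside the caveat a practitioner should keep in mind when reading the "0.75 bits per output bit" figure quoted above. The extractor pairs up bits, keeps the first bit of every (0,1) or (1,0) pair and discards (0,0) and (1,1); on independent bits this removes the bias, but on correlated bits it only fixes the single-bit statistics and leaves a serial dependency that a bias-only test will not see. The two sources below are constructed models, not measurements of any real chip.

```python
"""Von Neumann whitening of a biased bit source (added example; not from the
post).  Models an independent but biased source to show how the extractor
removes bias, and a correlated source to show what it cannot repair."""
import math
import random


def shannon_entropy_per_bit(bits):
    """Empirical single-bit Shannon entropy (bits per output bit) of a 0/1 list."""
    n = len(bits)
    if n == 0:
        return 0.0
    p1 = sum(bits) / n
    h = 0.0
    for p in (p1, 1.0 - p1):
        if p > 0:
            h -= p * math.log2(p)
    return h


def adjacent_agreement(bits):
    """Fraction of neighbouring positions holding the same bit.  About 0.5 for
    an unbiased, independent stream; far from 0.5 when bits are correlated."""
    if len(bits) < 2:
        return 0.0
    same = sum(1 for a, b in zip(bits, bits[1:]) if a == b)
    return same / (len(bits) - 1)


def von_neumann_whiten(bits):
    """Classic Von Neumann extractor over non-overlapping pairs: emit 0 for
    (0,1), 1 for (1,0), drop (0,0) and (1,1).  Unbiased output needs bits that
    are independent and identically biased; roughly p(1-p) output bits per
    input bit survive, so throughput drops."""
    out = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def biased_source(n, p_one, seed=1):
    """Constructed stand-in for a hardware RNG: independent bits, P(1) = p_one.
    p_one = 0.22 gives about 0.76 bits of entropy per bit."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def correlated_source(n, seed=1):
    """Constructed stand-in for a *correlated* source: each bit repeats the
    previous one with probability 0.9, so the long-run bias is zero but the
    stream is far from independent."""
    rng = random.Random(seed)
    bits = [rng.randrange(2)]
    for _ in range(n - 1):
        bits.append(bits[-1] if rng.random() < 0.9 else 1 - bits[-1])
    return bits


def demo(n=100_000):
    """Whiten both sources and report the metrics a reviewer would look at."""
    src = biased_source(n, 0.22, seed=7)
    cor = correlated_source(n, seed=3)
    out_src = von_neumann_whiten(src)
    out_cor = von_neumann_whiten(cor)
    return {
        "biased_in_entropy": shannon_entropy_per_bit(src),
        "biased_out_entropy": shannon_entropy_per_bit(out_src),
        "biased_out_agreement": adjacent_agreement(out_src),
        # Bias-only metric looks fine here, but the serial metric does not:
        "correlated_out_entropy": shannon_entropy_per_bit(out_cor),
        "correlated_out_agreement": adjacent_agreement(out_cor),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:26s} {value:.4f}")
```

Usage: run the file; the biased source comes in at about 0.76 bits per bit and leaves the extractor at essentially 1.0 with neighbouring-bit agreement near 0.5, while the correlated source also shows near 1.0 single-bit entropy after whitening but an agreement fraction well below 0.5. That second row is the point: a chip's output passing a bias test after whitening says nothing about independence, which is why feeding the whitened stream into a cryptographic conditioner, as the quoted message suggests, is the safer design.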
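Added example (not code from the thread, Henry Spencer, or any vendor): the defensive counterpart to the scenario above. Spencer's scheme only works if the one-off "encryption error" is written off and the packet silently retried; the harness below wraps an untrusted hardware encryptor, recomputes the output in software for every call (or a sampled fraction), and on any mismatch quarantines the key and raises rather than retrying. The cipher is a toy SHA-256 keystream standing in for 3DES, and the accelerator is a constructed model that corrupts exactly one call, standing in for any silent output error; neither is a real device or real 3DES. Sampled verification (`verify_every > 1`) only gives probabilistic coverage, and a mismatch tells you the key is suspect, not why.

```python
"""Cross-checking an untrusted hardware encryptor against a software reference
(added example, not code from the thread).  Toy cipher, constructed fault."""
import hashlib
import hmac


def reference_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Toy deterministic cipher (NOT 3DES): XOR with a SHA-256 counter keystream.
    Deterministic, so hardware output can be compared byte for byte."""
    keystream = bytearray()
    block = 0
    while len(keystream) < len(plaintext):
        keystream.extend(hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest())
        block += 1
    return bytes(p ^ k for p, k in zip(plaintext, keystream))


class FaultyAccelerator:
    """Constructed stand-in for a hardware engine that silently corrupts the
    output of one call (call number `fault_at`, 1-based) and is otherwise correct."""

    def __init__(self, fault_at: int):
        self.calls = 0
        self.fault_at = fault_at

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        self.calls += 1
        ct = reference_encrypt(key, nonce, plaintext)
        if self.calls == self.fault_at and ct:
            ct = bytes([ct[0] ^ 0x80]) + ct[1:]  # one flipped bit: the "encryption error"
        return ct


class KeyCompromiseSuspected(Exception):
    pass


class CrossCheckedEncryptor:
    """Wraps an untrusted encryptor.  Every `verify_every`-th call is recomputed
    in software; a mismatch is a security event, not a transient error: the key
    is quarantined and never offered to the hardware again."""

    def __init__(self, accelerator, verify_every: int = 1):
        self.accel = accelerator
        self.verify_every = max(1, verify_every)
        self.calls = 0
        self.quarantined = set()   # fingerprints of keys with a mismatch
        self.events = []           # audit records for the incident log

    @staticmethod
    def fingerprint(key: bytes) -> str:
        # Log a hash of the key, never the key itself.
        return hashlib.sha256(b"key-fp:" + key).hexdigest()[:16]

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        fp = self.fingerprint(key)
        if fp in self.quarantined:
            raise KeyCompromiseSuspected(f"key {fp} is quarantined")
        self.calls += 1
        ct_hw = self.accel.encrypt(key, nonce, plaintext)
        if self.calls % self.verify_every == 0:
            ct_ref = reference_encrypt(key, nonce, plaintext)
            if not hmac.compare_digest(ct_hw, ct_ref):
                self.quarantined.add(fp)
                self.events.append({"call": self.calls, "key_fp": fp, "nonce": nonce.hex()})
                raise KeyCompromiseSuspected(
                    f"hardware/software mismatch on call {self.calls}; key {fp} quarantined")
        return ct_hw


def demo():
    """Six packets alternating between two constructed 24-byte keys; the model
    accelerator corrupts call 3.  Returns (packets accepted, quarantined key
    fingerprints, audit events)."""
    enc = CrossCheckedEncryptor(FaultyAccelerator(fault_at=3), verify_every=1)
    keys = [b"K" * 24, b"J" * 24]  # constructed 3DES-sized keys, not real key material
    accepted = 0
    for i in range(6):
        try:
            enc.encrypt(keys[i % 2], i.to_bytes(8, "big"), b"packet %d" % i)
            accepted += 1
        except KeyCompromiseSuspected:
            pass  # caller must re-key; the packet is NOT retried under the same key
    return accepted, sorted(enc.quarantined), enc.events


if __name__ == "__main__":
    accepted, quarantined, events = demo()
    print(f"accepted={accepted} quarantined={quarantined} events={events}")
```

In the demo, call 3 mismatches, the first key is quarantined, and the later packet under that key is refused before the hardware ever sees it; four of six packets go through and one audit event is recorded. Whether full or sampled checking is affordable depends on the accelerator's purpose, but the policy decision is the same either way: a hardware/software disagreement on a deterministic cipher is an incident, not a retry.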
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com