Linux-based wireless mesh suite adds crypto engine support

Bill Stewart bill.stewart at
Thu Sep 30 16:43:10 EDT 2004

Peter Gutmann wrote:
> Tinfoil-hat mode.
Agreed, but some people want to be thorough, or pedantic, or paranoid.

At 04:20 AM 9/30/2004, Jonathan Thornburg wrote:
>UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
>without full design oversight.  Even for a 3DES chip, where supposedly
>you can use deterministic test vectors to verify things, the following
>scheme due to Henry Spencer embeds an 
>almost-impossible-to-spot-in-practice backdoor:

A somewhat simpler backdoor could be used in block chaining modes.
Occasionally output the data you're leaking instead of one or a few blocks
of cyphertext, and the CBC will glitch on it and then resync a few blocks later.
In many environments the application layer will correct for it,
e.g. IPSEC will lose a few packets, TCP will timeout and retransmit,
and 3 seconds later it's as if nothing happened except that
the private key part has been leaked to the passive eavesdropper.

Bill Stewart  bill.stewart at 
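The resync behaviour the post relies on, as an added example that is not part of the original message: a toy Feistel cipher (constructed here, not a real cipher) run in CBC mode shows that one substituted ciphertext block corrupts exactly two plaintext blocks before the stream recovers, which is why an application layer can absorb it as a transient error, while a per-block comparison of the engine's output against an independent software reference pins the substituted block exactly. Key, IV, plaintext and the substituted block are constructed values.

```python
import hashlib
BLOCK = 16  # toy cipher block size in bytes

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _round(key: bytes, rnd: int, half: bytes) -> bytes:
    # Round function of the toy cipher: 8 bytes derived from key, round index and half-block.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]

def toy_encrypt_block(key: bytes, block: bytes) -> bytes:
    # 4-round Feistel permutation standing in for the engine's block cipher (toy, not secure).
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, rnd, right))
    return left + right

def toy_decrypt_block(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, rnd, left)), left
    return left + right

def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):  # plaintext length is a multiple of BLOCK
        prev = toy_encrypt_block(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, cur), prev))
        prev = cur
    return b"".join(out)

def differing_blocks(a: bytes, b: bytes) -> list:
    # Indices of 16-byte blocks where the two byte strings disagree.
    return [i // BLOCK for i in range(0, len(a), BLOCK) if a[i:i + BLOCK] != b[i:i + BLOCK]]

# Constructed sample data (not from the post): key, IV and six plaintext blocks.
KEY = b"constructed-key!"
IV = bytes(range(BLOCK))
PLAINTEXT = b"".join((b"msg block %02d" % i).ljust(BLOCK) for i in range(6))

def demo() -> tuple:
    good = cbc_encrypt(KEY, IV, PLAINTEXT)
    # Engine emits an arbitrary constructed block in place of ciphertext block 2.
    glitched = good[:2 * BLOCK] + b"\xaa" * BLOCK + good[3 * BLOCK:]
    # Receiver sees only blocks 2 and 3 corrupted, then CBC resyncs; a software
    # reference recomputing every block flags exactly the substituted block.
    return differing_blocks(PLAINTEXT, cbc_decrypt(KEY, IV, glitched)), differing_blocks(good, glitched)
```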
