Linux-based wireless mesh suite adds crypto engine support
Bill Stewart
bill.stewart at pobox.com
Thu Sep 30 16:43:10 EDT 2004
Peter Gutmann wrote:
> Tinfoil-hat mode.
Agreed, but some people want to be thorough, or pedantic, or paranoid.
At 04:20 AM 9/30/2004, Jonathan Thornburg wrote:
>UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
>without full design oversight. Even for a 3DES chip, where supposedly
>you can use deterministic test vectors to verify things, the following
>scheme due to Henry Spencer embeds an
>almost-impossible-to-spot-in-practice backdoor:
A somewhat simpler backdoor could be used in block chaining modes. Occasionally output the data you're leaking instead of one or a few blocks of cyphertext, and the CBC will glitch on it and then resync a few blocks later; in many environments the application layer will correct for it, e.g. IPSEC will lose a few packets, TCP will time out and retransmit, and 3 seconds later it's as if nothing happened except that the private keypart has been leaked for the passive eavesdropper.
Bill Stewart bill.stewart at pobox.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
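An added example (Go, not from the original post or any product it mentions) of the point above: a substituted CBC block only garbles two plaintext blocks before the mode resynchronizes, so the defender's check is to compare a crypto engine's output block by block against a trusted software reference rather than rely on the application layer noticing. The key, IV, plaintext and the filler written into block 2 are all constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed sample key and IV (not from the post); any 16-byte values work.
var sampleKey, sampleIV = []byte("0123456789abcdef"), []byte("fedcba9876543210")

// cbcCrypt is the trusted software reference: raw AES-CBC, no padding, len(in) a multiple of 16.
func cbcCrypt(key, iv, in []byte, encrypt bool) []byte {
	blk, _ := aes.NewCipher(key) // a 16-byte key cannot fail here
	out := make([]byte, len(in))
	if encrypt {
		cipher.NewCBCEncrypter(blk, iv).CryptBlocks(out, in)
	} else {
		cipher.NewCBCDecrypter(blk, iv).CryptBlocks(out, in)
	}
	return out
}

// diffBlocks lists the indices of 16-byte blocks at which a and b differ.
func diffBlocks(a, b []byte) []int {
	var idx []int
	for i := 0; i+aes.BlockSize <= len(a) && i+aes.BlockSize <= len(b); i += aes.BlockSize {
		if !bytes.Equal(a[i:i+aes.BlockSize], b[i:i+aes.BlockSize]) {
			idx = append(idx, i/aes.BlockSize)
		}
	}
	return idx
}

// crossCheck re-encrypts pt with the reference and lists every block where the engine disagrees.
func crossCheck(key, iv, pt, engineCT []byte) []int {
	return diffBlocks(cbcCrypt(key, iv, pt, true), engineCT)
}

func main() {
	pt := bytes.Repeat([]byte("sixteen byte blk"), 6) // 6 constructed blocks
	bad := cbcCrypt(sampleKey, sampleIV, pt, true)
	// Overwrite block 2 with constructed filler, standing in for whatever a misbehaving engine emitted.
	copy(bad[2*aes.BlockSize:], bytes.Repeat([]byte{0xAA}, aes.BlockSize))
	fmt.Println("engine blocks differing from reference:", crossCheck(sampleKey, sampleIV, pt, bad))
	fmt.Println("plaintext blocks garbled on decrypt:", diffBlocks(pt, cbcCrypt(sampleKey, sampleIV, bad, false)))
}
```

Only blocks 2 and 3 come out garbled on decryption, which is exactly the brief glitch the post describes; the reference comparison, by contrast, pins the divergence to block 2 every time.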