[Cryptography] On Security Architecture, The Panopticon, And "The Law"

Jonathan Thornburg jthorn at astro.indiana.edu
Thu Dec 26 14:13:54 EST 2013


On Thu, 26 Dec 2013, Jerry Leichter wrote:
[[a hardware AES accelerator can't be backdoored because it's deterministic]]
> Interestingly, the same arguments apply to hardware AES accelerators.
> The fundamental difference here from hardware RNG's is that every
> operation is deterministic and has results that can be readily
> verified - and by their nature, are effectively *being* verified
> during normal operation.  This channels plausible attacks in one
> direction:  Leaking keys.  And it's not easy to come up with a good
> way to do that undetectably.  (At least *I* haven't come up with a
> mechanism.  The best I can think of on contemporary CPU's is for
> the system management subsystem to use its private access to the
> Ethernet to sneak out some extra packets.  But how long can you do
> this without someone noticing?  There are all kinds of normal
> operations that look closely at network traffic.  If you have an
> idea for a better attack, I'd like to know about it.)

Henry Spencer posted the classic key-leaking attack against a hardware
encryptor way back in 1999.  If our Esteemed Moderator will permit it,
I'd like to repost Henry's message here.  Alas the original list-archive
url is now dead.

--- begin Henry Spencer repost ---
## http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/09/msg00240.html
Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
     * To: Linux IPsec <linux-ipsec at clinet.fi>
     * Subject: Re: linux-ipsec: Intel IPSEC accelerator gives 3DES
       protected 100Mbit Ethernet
     * From: Henry Spencer <henry at spsystems.net>
     * From: linux-ipsec at clinet.fi
     * Date: Thu, 16 Sep 1999 10:48:52 -0400 (EDT)
     * In-Reply-To: <199909161411.KAA02388 at tonga.xedia.com>
     * Reply-To: linux-ipsec at clinet.fi
     * Sender: owner-linux-ipsec-local at sandelman.ottawa.on.ca
William H Geiger writes:
> I don't know if you still follow the CP list but we have
> been having a long debate on the trustworthiness of Intel
> hardware, especially their RNG...

At first I thought this was pretty much a non-issue here.  The problem
with the RNG is that it's so hard to decide whether its output is "really"
random.  But 3DES is a deterministic transform which can be tested against
other implementations, so you can easily establish whether the chip is
really doing 3DES or not.

Alas, then I got to thinking.  Suppose one built a 3DES accelerator chip
so that, if and only if:

(a) the chip is doing near-continuous encryptions at high speed, and
(b) the keys are changing every packet or two, and
(c) the chip detects -- via a simple mechanism like a little hash table --
        a key which has appeared before, recently, and
(d) this key has not been marked "compromised" in the hash table, and
(e) an internal 16-bit packet counter is all-1s,

then

(!) mark the key compromised in the hash table, XOR the key with the
string "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!", prefix it with a
random-looking constant bit pattern, and sprinkle the resulting bits into
the encrypted data, in a haphazard but deterministic pattern.

This is, of course, an encryption error.  But rules (a)-(e) make it
essentially irreproducible, so it won't happen a second time (and will be
quite difficult to reproduce even in a test setup).  Almost certainly it
will get written off as a random error, and the affected packet will be
re-processed correctly and re-sent, and all will be well.

Except that an eavesdropper on the high-speed wire just looks for the
constant bit pattern in the right places in a packet, and (almost) every
time he sees it, he's nabbed an encryption key.

There's no limit to the complexity that can be added -- especially if
you're willing to consider active wiretapping, with the chip going into
this mode only if it sees (say) an ICMP ping with the right data in it --
to defeat attempts to find this sort of thing on the test bench.

I fear I agree with William; nothing short of peer review of the hardware
design makes such a device trustworthy.

                                                          Henry Spencer
                                                       henry at spsystems.net
                                                     (henry at zoo.toronto.edu)


-
This is the linux-ipsec-local at sandelman.ottawa.on.ca mailing list. It is a
restrict-Post filtered version of linux-ipsec at clinet.fi.
--- end Henry Spencer repost ---

-- 
-- "Jonathan Thornburg [remove -animal to reply]" <jthorn at astro.indiana-zebra.edu>
   Dept of Astronomy & IUCSS, Indiana University, Bloomington, Indiana, USA
   "There was of course no way of knowing whether you were being watched
    at any given moment.  How often, or on what system, the Thought Police
    plugged in on any individual wire was guesswork.  It was even conceivable
    that they watched everybody all the time."  -- George Orwell, "1984"
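Henry's point is that a deterministic transform can be cross-checked against an independent implementation, and that the attack only works if the one "encryption error" it produces is written off and forgotten. The following is an added example, not code from either mailing list or from any vendor: a wrapper that verifies a hardware accelerator's output against a software reference, never lets a mismatching ciphertext reach the wire, and keeps the bad output as evidence. The accelerator is modelled as a Python callable, and a constructed HMAC-SHA256 keystream stands in for 3DES, since the check depends only on the transform being deterministic.

```python
"""Added example: cross-check a hardware cipher accelerator against a
software reference and retain every mismatch as evidence.  Constructed
illustration; the accelerator is a callable and the cipher is a stand-in."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Callable, List

Cipher = Callable[[bytes, bytes, bytes], bytes]


def reference_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Constructed stand-in for a software 3DES: XOR the data with a
    keystream derived from HMAC-SHA256(key, nonce || block counter)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(plaintext):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(p ^ k for p, k in zip(plaintext, stream))


def key_id(key: bytes) -> str:
    """Log a fingerprint of the key, never the key itself."""
    return hashlib.sha256(key).hexdigest()[:16]


@dataclass
class Mismatch:
    packet_no: int
    key_id: str
    hardware_output: bytes      # retained for offline analysis
    reference_output: bytes
    differing_offsets: List[int]


@dataclass
class CrossCheckedAccelerator:
    hardware: Cipher
    reference: Cipher = reference_encrypt
    sample_every: int = 1       # 1 = verify every packet; N = verify every Nth
    packets: int = 0
    mismatches: List[Mismatch] = field(default_factory=list)

    def encrypt(self, key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        self.packets += 1
        hw = self.hardware(key, nonce, plaintext)
        if self.packets % self.sample_every:
            return hw               # unverified packet (sampling caveat)
        ref = self.reference(key, nonce, plaintext)
        if hw == ref:
            return hw
        offsets = [i for i, (a, b) in enumerate(zip(hw, ref)) if a != b]
        self.mismatches.append(Mismatch(self.packets, key_id(key), hw, ref, offsets))
        # The hardware output never goes on the wire: send the reference
        # ciphertext and keep the bad one instead of dismissing it.
        return ref


def faulty_hardware(fail_on_packet: int) -> Cipher:
    """Constructed accelerator model: correct stand-in cipher, except that
    on one packet it corrupts ciphertext bytes at fixed offsets (a generic
    'encryption error', not the specific leak described in the message)."""
    calls = {"n": 0}

    def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
        calls["n"] += 1
        ct = bytearray(reference_encrypt(key, nonce, plaintext))
        if calls["n"] == fail_on_packet:
            for off in (3, 11, 19):
                if off < len(ct):
                    ct[off] ^= 0xA5
        return bytes(ct)

    return encrypt


def run_traffic(sample_every: int, n_packets: int = 8, fail_on_packet: int = 3) -> List[Mismatch]:
    """Push n_packets through the wrapper with a fresh (constructed) key per
    packet, as with per-packet rekeying, and return what the check caught."""
    acc = CrossCheckedAccelerator(faulty_hardware(fail_on_packet), sample_every=sample_every)
    for i in range(n_packets):
        key = hashlib.sha256(b"constructed-key-%d" % i).digest()[:24]   # 3DES-sized key
        nonce = i.to_bytes(8, "big")
        acc.encrypt(key, nonce, b"payload %d" % i + bytes(24))
    return acc.mismatches


if __name__ == "__main__":
    for m in run_traffic(sample_every=1):
        print(f"packet {m.packet_no}: key {m.key_id} mismatch at offsets {m.differing_offsets}")
    print("caught when sampling every 2nd packet:", len(run_traffic(sample_every=2)))
```

Verifying every packet in software gives up most of what the accelerator was bought for, so a deployment will be tempted to sample; `sample_every` shows the cost of that choice, since a fault that occurs once per key is missed whenever it lands on an unverified packet. The retained `hardware_output` matters as much as the alert: a single mismatch is only distinguishable from a genuine hardware glitch if the bad ciphertext is kept and examined for structure rather than re-encrypted and thrown away.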

