[Cryptography] Techniques for malevolent crypto hardware (Re: Suite B after today's news)

Perry E. Metzger perry at piermont.com
Sun Sep 8 14:34:26 EDT 2013

On Sat, 07 Sep 2013 19:19:09 -0700 Ray Dillinger <bear at sonic.net>
> Given some of the things in the Snowden files, I think it has
> become the case that one ought not trust any mass-produced crypto
> hardware.

Yes and no. There are limits to what such hardware can do. If such
hardware fails to implement a symmetric algorithm correctly, that
failure will be entirely obvious since interoperation will fail
immediately. If it uses bad random numbers, that failure will be

The most obvious implementation defects are bad RNGs and bad
protection against timing analysis.

One might also add side channels to leak information. Obvious side
channels for malevolent hardware are radio frequency interference (if
you can deploy listening equipment in the same colo this might be
quite a practical way to extract information) and timing channels
(not only in the sense of failure to protect against timing analysis
but also in the sense of using inter-event delays to encode
information like keys).

I think that in most applications power consumption side channels are
probably not that interesting (smart cards etc. being an exception)
but I'm prepared to be proven wrong.

Any other thoughts on how one could sabotage hardware? An exhaustive
list is interesting, if only because it gives us information on what
to look for in hardware that may have been tweaked at NSA request.

> Given good open-source software, an FPGA implementation would
> provide greater assurance of security.

I wonder, though, if one could add secret layers to FPGAs to leak
interesting information in some manner. It seems unlikely, but I
might simply not be creative enough in thinking about it.

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list