[Cryptography] Techniques for malevolent crypto hardware

Perry E. Metzger perry at piermont.com
Sun Sep 8 15:22:32 EDT 2013


On Sun, 8 Sep 2013 15:10:45 -0400 Thor Lancelot Simon <tls at panix.com>
wrote:
> On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
> > 
> > Any other thoughts on how one could sabotage hardware? An
> > exhaustive list is interesting, if only because it gives us
> > information on what to look for in hardware that may have been
> > tweaked at NSA request.
> 
> I'd go for leaking symmetric cipher key bits into exposed RNG
> output: nonces, explicit IVs, and the like.  Crypto hardware with
> "macro" or "record" operations (ESP or TLS record/packet handling
> as a single operation; TLS or IKE handshake, etc.) offers ample
> opportunities for this, but surely it could be arranged even with
> simpler hardware that just happens to accellerate both, let's say,
> AES and random number generation.

Ah, now *this* is potentially interesting. Imagine if you have a
crypto accelerator that generates its IVs by encrypting information
about keys in use using a key an observer might have or could guess
from a small search space.

Hadn't even occurred to me since it seems way more blatant than
the other sort of leaks I was thinking of, but of course the mere
fact that it is blatant doesn't mean that it would never be tried...

Perry
-- 
Perry E. Metzger		perry at piermont.com


More information about the cryptography mailing list