[Cryptography] Techniques for malevolent crypto hardware

Perry E. Metzger perry at piermont.com
Sun Sep 8 15:22:32 EDT 2013

On Sun, 8 Sep 2013 15:10:45 -0400 Thor Lancelot Simon <tls at panix.com> wrote:
> On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
> > 
> > Any other thoughts on how one could sabotage hardware? An
> > exhaustive list is interesting, if only because it gives us
> > information on what to look for in hardware that may have been
> > tweaked at NSA request.
> I'd go for leaking symmetric cipher key bits into exposed RNG
> output: nonces, explicit IVs, and the like.  Crypto hardware with
> "macro" or "record" operations (ESP or TLS record/packet handling
> as a single operation; TLS or IKE handshake, etc.) offers ample
> opportunities for this, but surely it could be arranged even with
> simpler hardware that just happens to accelerate both, let's say,
> AES and random number generation.

Ah, now *this* is potentially interesting. Imagine if you have a
crypto accelerator that generates its IVs by encrypting information
about keys in use using a key an observer might have or could guess
from a small search space.

Hadn't even occurred to me since it seems way more blatant than
the other sort of leaks I was thinking of, but of course the mere
fact that it is blatant doesn't mean that it would never be tried...

Perry E. Metzger		perry at piermont.com
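An added example, not part of the thread, of the check a defender might run against a device's IV output and of why that check alone is not enough: toy Python stand-ins for a key-derived IV generator, a counter-mixed variant of it, and an honest CSPRNG generator, with a fixed-key repeat test run over each. `VENDOR_KEY`, the three generators and the 16-byte session keys are constructed assumptions, not any real product.

```python
import os
import hmac
import hashlib
import itertools

# Constructed stand-ins for an accelerator's IV generator, modelling the failure
# mode discussed in the thread. No real device or vendor key is involved.
VENDOR_KEY = b"constructed-vendor-key"   # assumption: a key hard-wired into the device


def leaky_iv(session_key: bytes) -> bytes:
    """IV is a keyed function of the session key: whoever holds VENDOR_KEY
    can relate the IV seen on the wire to the key in use."""
    return hmac.new(VENDOR_KEY, session_key, hashlib.sha256).digest()[:16]


_counter = itertools.count()


def leaky_counter_iv(session_key: bytes) -> bytes:
    """Same leak, but a per-device counter is mixed in, so IVs never repeat."""
    msg = session_key + next(_counter).to_bytes(8, "big")
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()[:16]


def honest_iv(session_key: bytes) -> bytes:
    """IV drawn from the OS CSPRNG, independent of the key."""
    return os.urandom(16)


def ivs_repeat_under_fixed_key(iv_fn, session_key: bytes, trials: int = 64) -> bool:
    """Audit step: request IVs repeatedly under one fixed key.
    A 128-bit IV from an honest generator will not repeat in 64 draws; any
    repeat means the IV is (at least partly) a deterministic function of the key."""
    seen = {iv_fn(session_key) for _ in range(trials)}
    return len(seen) < trials


def audit(session_key: bytes) -> dict:
    """Run the check against each model. The counter variant passes, which is
    the caveat: a no-repeat test is necessary, not sufficient. The mitigation
    that does not rely on trusting the device is to draw IVs in software
    (as honest_iv does) and hand them to the accelerator, never the reverse."""
    models = [("leaky", leaky_iv), ("leaky_counter", leaky_counter_iv), ("honest", honest_iv)]
    return {name: ivs_repeat_under_fixed_key(fn, session_key) for name, fn in models}


if __name__ == "__main__":
    print(audit(os.urandom(16)))
```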
