[Cryptography] Techniques for malevolent crypto hardware
Thor Lancelot Simon
tls at rek.tjls.com
Sun Sep 8 15:55:52 EDT 2013
On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
> Ah, now *this* is potentially interesting. Imagine if you have a
> crypto accelerator that generates its IVs by encrypting information
> about keys in use using a key an observer might have or could guess
> from a small search space.
> Hadn't even occurred to me since it seems way more blatant than
> the other sort of leaks I was thinking of, but of course the mere
> fact that it is blatant doesn't mean that it would never be tried...
Well, I guess it depends what your definition of "blatant" is. Treating
the crypto hardware as a black box, it would be freaking hard to detect,
no? And not so easy even if you're willing to go at the thing at the
gate level. You could end up forced to examine everything attached to
any of your crypto chip's I/Os, too, and it goes rapidly downhill from
When we build protocols that have data elements we *expect* to be random,
and rely on cryptographic primitives whose outputs we expect to be
indistinguishable from random, we kind of set ourselves up for this
type of attack.
Not that I see an easy way not to.
I also wonder -- again, not entirely my own idea, my whiteboard partner
can speak up for himself if he wants to -- about whether we're going
to make ourselves better or worse off by rushing to the "safety" of
PFS ciphersuites, which, with their reliance on DH, in the absence of
good RNGs may make it *easier* for the adversary to recover our eventual
symmetric-cipher keys, rather than harder!
More information about the cryptography