[Cryptography] Techniques for malevolent crypto hardware

Perry E. Metzger perry at piermont.com
Sun Sep 8 16:51:17 EDT 2013

On Sun, 8 Sep 2013 15:55:52 -0400 Thor Lancelot Simon
<tls at rek.tjls.com> wrote:
> On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
> > 
> > Ah, now *this* is potentially interesting. Imagine if you have a
> > crypto accelerator that generates its IVs by encrypting
> > information about keys in use using a key an observer might have
> > or could guess from a small search space.
> > 
> > Hadn't even occurred to me since it seems way more blatant than
> > the other sort of leaks I was thinking of, but of course the mere
> > fact that it is blatant doesn't mean that it would never be
> > tried...
> Well, I guess it depends what your definition of "blatant" is.
> Treating the crypto hardware as a black box, it would be freaking
> hard to detect, no?

Ah, but it only needs to be found once to destroy the reputation of a

Inserting bugs into chips (say, random number generators that won't
work well in the face of fabrication processes that alter analog
characteristics of circuits slightly) results in a "could be an
accident" sort of mistake. Altering a chip to insert an encrypted
form of a key into the initialization vectors in use cannot be
explained away that way.

You may say "but how would you find that?". However, I've worked
in recent years with people who decap chips, photograph the surface
and reconstruct the circuits on a pretty routine basis -- tearing
apart secure hardware for fun and profit is their specialty. Even
when this process destructively eliminates in-RAM programming,
usually weaknesses such as power glitching attacks are discovered by
the examination of the "dead" system on the autopsy table and can
then be used with live hardware.

Now that it has been revealed that the NSA has either found or
arranged for bugs in several chips, I would presume that some of
these people are gearing up for major teardowns. Not all
such teardowns will happen in the open community, of course -- I'd
expect that even now there are folks in government labs around the
world readying their samples, their probe stations and their etchant
baths. Hopefully the guys in the open community will let us know
what's bad before the other folks start exploiting our hardware
silently, as I suspect the NSA is not going to send out a warning.

> I also wonder -- again, not entirely my own idea, my whiteboard
> partner can speak up for himself if he wants to -- about whether
> we're going to make ourselves better or worse off by rushing to the
> "safety" of PFS ciphersuites, which, with their reliance on DH, in
> the absence of good RNGs may make it *easier* for the adversary to
> recover our eventual symmetric-cipher keys, rather than harder!

I'll repeat the same observation I've made a lot: Dorothy Denning's
description of the Clipper chip key insertion ceremony described the
keys as being generated deterministically using an iterated block
cipher. I can't find the reference, but I'm pretty sure that when she
was asked why, the rationale was that an iterated block cipher can be
audited, and a hardware randomness source cannot.

Perry E. Metzger		perry at piermont.com
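
The auditability argument in the last paragraph above, as an added example that is not part of the original post and is not the Clipper procedure: keys derived by iterating a keyed function from a seed can be recomputed and checked by an auditor, which a hardware randomness source does not allow. HMAC-SHA256 stands in for the block cipher (the post names no cipher), and the seed, serial numbers, ledger format and function names are all constructed for illustration.

```python
import hashlib
import hmac

KEY_LEN = 16  # bytes per unit key (assumed size)

def prf(key: bytes, msg: bytes) -> bytes:
    # HMAC-SHA256 is a stand-in for the iterated block cipher (assumption).
    return hmac.new(key, msg, hashlib.sha256).digest()

def generate_unit_keys(seed: bytes, serials):
    """Iterate the PRF: each step yields one unit key and the next state."""
    state, keys = seed, {}
    for serial in serials:
        keys[serial] = prf(state, b"key" + serial.to_bytes(8, "big"))[:KEY_LEN]
        state = prf(state, b"next")  # chain forward, so position matters too
    return keys

def commitment(key: bytes) -> str:
    # What a ceremony log could record instead of the key itself.
    return hashlib.sha256(b"unit-key-commitment" + key).hexdigest()

def audit(seed: bytes, ledger):
    """Re-run generation from the seed; return the serials whose recorded
    commitment does not match the recomputed key."""
    serials = [serial for serial, _ in ledger]
    expected = generate_unit_keys(seed, serials)
    return [s for s, c in ledger
            if not hmac.compare_digest(c, commitment(expected[s]))]

# Constructed sample data: a ceremony seed and four device serials.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff")
SERIALS = [1001, 1002, 1003, 1004]

def sample_ledger(tamper_serial=None):
    keys = generate_unit_keys(SEED, SERIALS)
    if tamper_serial is not None:
        keys[tamper_serial] = b"\x00" * KEY_LEN  # key not produced by the chain
    return [(s, commitment(keys[s])) for s in SERIALS]

if __name__ == "__main__":
    print("clean ledger mismatches:   ", audit(SEED, sample_ledger()))
    print("tampered ledger mismatches:", audit(SEED, sample_ledger(1003)))
```

The audit only shows that the recorded keys follow from the seed; it says nothing about how the seed itself was chosen or who else holds it.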
