[Cryptography] AES [was NSA and cryptanalysis]

Tim Newsham tim.newsham at gmail.com
Mon Sep 16 17:54:13 EDT 2013


> What I think we are worried about here are very widespread
> automated attacks, and they're passive (data is collected and
> then attacks are run offline). All that constrains what attacks
> make sense in this context.

John Kelsey discusses several attacks that might fit this
profile but one he did not consider was:

- A backdoor that leaks cryptographic secrets

Consider, for example, applications using an Intel chip with
hardware-assist for AES. You're feeding your AES keys
directly into the CPU. Any attacker controlling the CPU has
direct access and doesn't have to do any fancy pattern matching
to discover the keys. Now if that CPU had a way to export
some or all of the bits through some channel that would also
be passively observable, the attacker could pull off an offline
passive attack.

What about RNG output? What if some bits were redundantly
encoded in some of the RNG output bits which were then
used directly for TCP initial sequence numbers?

Such a backdoor would be feasible.

-- 
Tim Newsham | www.thenewsh.com/~newsham | @newshtwit | thenewsh.blogspot.com

