[Cryptography] AES [was NSA and cryptanalysis]

Perry E. Metzger perry at piermont.com
Mon Sep 16 18:39:16 EDT 2013

On Mon, 16 Sep 2013 11:54:13 -1000 Tim Newsham
<tim.newsham at gmail.com> wrote:
> - A backdoor that leaks cryptographic secrets
> consider for example applications using an intel chip with
> hardware-assist for AES. You're feeding your AES keys
> directly into the cpu. Any attacker controlling the cpu has
> direct access and doesn't have to do any fancy pattern matching
> to discover the keys. Now if that CPU had a way to export
> some or all of the bits through some channel that would also
> be passively observable, the attacker could pull off an offline
> passive attack.
> What about RNG output? What if some bits were redundantly
> encoded in some of the RNG output bits which where then
> used directly for tcp initial sequence numbers?
> Such a backdoor would be feasible.

It might be feasible in theory (and see the Illinois Malicious
Processor as an example) but I think it would be hard to pull off
well -- too hard to account for changes in future code, too hard to
avoid detection of what you've done.

On the other hand, we know from the press reports that several
hardware crypto accelerators have been either backdoored or
exploited. In those, leaking key material to observers in things like
IVs or choices of nonces might be quite feasible. Such devices are
built to be tamper resistant so no one will even notice if you add
features to try to conceal the "extra functionality" of the device.

For the Intel chips, I suspect that if they've been gimmicked, it
will be more subtle, like a skew in the RNG that could be explained
away as a manufacturing or design error. That said, things like the
IMP do give one pause. And *that* said, if you're willing to go as
far as what the IMP does, you no longer need to simply try to leak
information via the RNG or other crypto hardware, you can do far far

(For those not familiar with the Illinois Malicious Processor:

Perry E. Metzger		perry at piermont.com

More information about the cryptography mailing list