[Cryptography] [FORGED] Attackers will always win, and it's getting worse!

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Jul 10 00:40:03 EDT 2017


Henry Baker <hbaker1 at pipeline.com> writes:

>User crypto software (the "attacked") has to run in such a way that:
>a.  It produces the correct answer; and
>b.  It does NOT LEAK SECRET INFORMATION through side-channels -- e.g., 
>    timing/power/etc.

However, in virtually all situations a >>> b.  In fact, in most cases you 
can safely ignore b, because such an attack is impossible/impractical/too 
expensive/far easier attacks exist/etc.

In addition, even where b is a concern, it's often far easier to do the 
crypto in whatever way is the most efficient and then deal with side-
channels through shielding, power supply decoupling, etc.

OTOH you really do need to worry about a.  Look at the number of 0days and 
other subversion mechanisms used by TLAs that have leaked in the last couple 
of years.  Making sure your code has no holes in it is a far more serious 
issue than side channels.

>Any thoughts on how to better engineer side-channel-secure systems?

That's asking the wrong question.  Well, unless it's a gedanken-experiment 
style question to see what people will come up with.  The real question is, 
which attack vectors are being exploited the most, and how do we deal with 
those?

Incidentally, we already know how to make secure systems that are pretty
side-channel-attack resistant.  There's a twenty-year-old HSM, IBM's 4758, 
that was resistant to pretty much all of the side-channel attacks that came 
along after it was developed, not because the developers were magically 
aware of them but because they used good engineering practice, power supply 
decoupling, filtering, etc.

The 4758 was attacked by the Cambridge folks, not via any side channels but
through a basic software flaw in the CCA firmware.  You don't need to bother
with b when a will always get you in.

Peter.

