[Cryptography] God Mode backdoors

Ray Dillinger bear at sonic.net
Fri Aug 17 22:24:50 EDT 2018



On 08/15/2018 07:09 AM, Henry Baker wrote:
> At 07:52 AM 8/14/2018, Henry Baker wrote:
>> https://www.tomshardware.com/news/x86-hidden-god-mode,37582.html
>>
>> Hacker Finds Hidden 'God Mode' on Old x86 CPUs
>> by Paul Wagenseil August 9, 2018 at 5:06 PM
>>
>> ---
>> Why do we even bother encrypting, when our chips are so corrupt?
>>
> I think it may be *impossible* to build a large modern chip w/o
> backdoors.
> 
> In order to properly *test* a large & complicated chip after it
> comes out of the fab, there needs to be various kinds of extra
> datapaths and control circuitry.


If you really want to do crypto without backdoors, I think you have very
few options, and even fewer practical options.

It is easy to construct a backdoor that is infeasible to ever detect.
The chip may enter the backdoored mode, for example, only when a certain
256-bit value is written to each of three different registers.  It would
be no easier to find that 'magic cookie' than the key of any secure
cipher, and could be a function of the CPUID in order to be unique to
each chip.


1) trust the vendors of these chips to not install backdoors
(increasingly suspect, subject to different pressures for chip fabs
inside and outside the US).  This is the only thing I think most people
are motivated enough to do.

2) play the torturous and failure-prone game of trying to game
probably-insecure hardware into doing probably-secure crypto - there are
ways to do it where the hardware that the chip designer/saboteur expects
to see the plaintext, never actually sees the plaintext, so it can be in
backdoor mode without having the crypto instructions actually betray
secrets.  And you could even obfuscate the XOR by doing it on a
different processor, like your sound card or hard drive controller.  You
might get people to use this application, but only a very few hardcore
people.  And that would put parts all over and be complicated, so you'd
probably screw up implementing it.

3) make or procure an electromechanical machine like a SIGABA which
can't handle public-key crypto at all and absolutely will not handle
large files because it would explode if you tried to run it at those
speeds.  I have a soft spot for those old machines, but NOBODY would do
this.

4) fab your own relatively primitive circuit board using basic (non-CPU)
components and circuit traces anybody can check by eyeball.  The crypto
you can build this way is very limited.  Probably about the same set of
nobody would do this.


				Bear
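
One way to read option 2, as an added example that is not from the original post: XOR-mask the plaintext on a helper processor so that each possibly-backdoored crypto unit only ever handles a random-looking share. The class and function names are hypothetical, SHAKE-256 stands in for a real cipher, and the two-unit split is an assumption about what the post has in mind.

```python
import hashlib
import secrets

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class UntrustedCipherUnit:
    """Hypothetical crypto unit that may be in backdoor mode: it records every buffer it handles."""
    def __init__(self, key: bytes):
        self.key = key
        self.seen = []  # everything a backdoor in this unit could leak

    def _keystream(self, nonce: bytes, n: int) -> bytes:
        # SHAKE-256 as a stand-in stream cipher, for the demo only (assumption).
        return hashlib.shake_256(self.key + nonce).digest(n)

    def encrypt(self, nonce: bytes, data: bytes) -> bytes:
        self.seen.append(data)
        return xor(data, self._keystream(nonce, len(data)))

    def decrypt(self, nonce: bytes, blob: bytes) -> bytes:
        share = xor(blob, self._keystream(nonce, len(blob)))
        self.seen.append(share)
        return share

def protect(plaintext: bytes, unit_a, unit_b):
    # The masking step is assumed to run on a separate helper processor.
    pad = secrets.token_bytes(len(plaintext))
    masked = xor(plaintext, pad)
    nonce = secrets.token_bytes(16)
    return nonce, unit_a.encrypt(nonce, masked), unit_b.encrypt(nonce, pad)

def recover(nonce: bytes, ct_a: bytes, ct_b: bytes, unit_a, unit_b) -> bytes:
    # Recombination also happens on the helper, never inside either unit.
    return xor(unit_a.decrypt(nonce, ct_a), unit_b.decrypt(nonce, ct_b))

def demo():
    msg = b"constructed sample plaintext: meet at the usual place"
    a = UntrustedCipherUnit(secrets.token_bytes(32))
    b = UntrustedCipherUnit(secrets.token_bytes(32))
    nonce, ct_a, ct_b = protect(msg, a, b)
    roundtrip_ok = recover(nonce, ct_a, ct_b, a, b) == msg
    single_unit_saw_plaintext = any(buf == msg for buf in a.seen + b.seen)
    colluding_units_recover = xor(a.seen[0], b.seen[0]) == msg
    return roundtrip_ok, single_unit_saw_plaintext, colluding_units_recover
```

`demo()` returns `(True, False, True)`: neither unit sees the plaintext on its own, but two units backdoored by the same party can XOR what they saw and recover it, so the units and the helper need independent provenance.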

