[146845] in cryptography@c2.net mail archive


Re: [Cryptography] Techniques for malevolent crypto hardware (Re:

daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Sun Sep 8 15:19:02 2013

X-Original-To: cryptography@metzdowd.com
Resent-From: Thor Lancelot Simon <tls@rek.tjls.com>
Resent-To: cryptography@metzdowd.com
Date: Sun, 8 Sep 2013 15:10:45 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: "Perry E. Metzger" <perry@piermont.com>
In-Reply-To: <20130908143426.5d71ebd7@jabberwock.cb.piermont.com>
Cc: Ray Dillinger <bear@sonic.net>, cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
> 
> Any other thoughts on how one could sabotage hardware? An exhaustive
> list is interesting, if only because it gives us information on what
> to look for in hardware that may have been tweaked at NSA request.

I'd go for leaking symmetric cipher key bits into exposed RNG output:
nonces, explicit IVs, and the like.  Crypto hardware with "macro" or
"record" operations (ESP or TLS record/packet handling as a single
operation; TLS or IKE handshake, etc.) offers ample opportunities for
this, but surely it could be arranged even with simpler hardware that
just happens to accelerate both, let's say, AES and random number
generation.

Thor
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
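The leak Thor describes, as an added example that is not part of the original post and models no real device: a toy "accelerator" whose explicit IVs have the same shape and pass the same sanity checks as an honest one, but whose "random" bytes are successive slices of the session key XORed with a pad only the designer can regenerate. The IV layout (4-byte counter plus 12-byte tail), the HMAC-SHA256 pad, the 16-byte backdoor key and the names `LeakyNonceSource`, `HonestNonceSource`, `recover_key` and `ivs_pass_naive_check` are all assumptions made for illustration.

```python
"""
Added example (not code from the original post or from any real device):
a toy model of crypto hardware that emits key material through its
"random" explicit IVs, as the post suggests.

Assumed layout for illustration only:
    IV = counter (4 bytes, big-endian) || tail (12 bytes)
honest tail : 12 fresh bytes from the OS RNG
leaky tail  : 12-byte slice of the session key XOR PRF(K_backdoor, counter)
with PRF = HMAC-SHA256 truncated to 12 bytes.  Without K_backdoor the tail
is a pseudorandom pad; with it, each IV is a one-time-padded key slice.
"""
import hashlib
import hmac
import os
import struct
from typing import List, Optional

CHUNK = 12        # key bytes leaked per IV (16-byte IV minus 4-byte counter)
COUNTER_LEN = 4


def _pad(backdoor_key: bytes, counter: int) -> bytes:
    """Designer-only pad: hypothetical PRF keyed by the backdoor key."""
    msg = struct.pack(">I", counter)
    return hmac.new(backdoor_key, msg, hashlib.sha256).digest()[:CHUNK]


class HonestNonceSource:
    """Explicit IV = counter || 12 bytes from the OS RNG."""

    def __init__(self) -> None:
        self.counter = 0

    def next_iv(self, session_key: bytes) -> bytes:
        iv = struct.pack(">I", self.counter) + os.urandom(CHUNK)
        self.counter += 1
        return iv


class LeakyNonceSource:
    """Same interface and IV shape, but the tail carries key bytes."""

    def __init__(self, backdoor_key: bytes) -> None:
        self.backdoor_key = backdoor_key
        self.counter = 0

    def next_iv(self, session_key: bytes) -> bytes:
        # Successive 12-byte windows over the key, wrapping around the end.
        start = (self.counter * CHUNK) % len(session_key)
        window = (session_key + session_key)[start:start + CHUNK]
        pad = _pad(self.backdoor_key, self.counter)
        tail = bytes(k ^ p for k, p in zip(window, pad))
        iv = struct.pack(">I", self.counter) + tail
        self.counter += 1
        return iv


def recover_key(backdoor_key: bytes, ivs: List[bytes], key_len: int) -> Optional[bytes]:
    """Attacker side: peel the pad off each observed IV and reassemble the
    session key.  Returns None until every key byte has been seen."""
    recovered: List[Optional[int]] = [None] * key_len
    for iv in ivs:
        counter = struct.unpack(">I", iv[:COUNTER_LEN])[0]
        tail = iv[COUNTER_LEN:]
        pad = _pad(backdoor_key, counter)
        for j in range(CHUNK):
            recovered[(counter * CHUNK + j) % key_len] = tail[j] ^ pad[j]
    if any(b is None for b in recovered):
        return None
    return bytes(recovered)


def ivs_pass_naive_check(ivs: List[bytes]) -> bool:
    """What a defender without the backdoor key can actually verify:
    counters strictly increase, tails are unique and not degenerate.
    Both sources pass, which is the point of this kind of sabotage."""
    counters = [struct.unpack(">I", iv[:COUNTER_LEN])[0] for iv in ivs]
    tails = [iv[COUNTER_LEN:] for iv in ivs]
    if counters != sorted(set(counters)):
        return False
    if len(set(tails)) != len(tails):
        return False
    return all(t not in (b"\x00" * CHUNK, b"\xff" * CHUNK) for t in tails)


if __name__ == "__main__":
    session_key = bytes(range(32))      # constructed AES-256 key
    backdoor_key = b"\x42" * 16         # constructed designer secret
    device = LeakyNonceSource(backdoor_key)
    observed = [device.next_iv(session_key) for _ in range(3)]
    print("IVs look fine to the defender:", ivs_pass_naive_check(observed))
    print("designer recovers key:", recover_key(backdoor_key, observed, 32) == session_key)
```

Three records are enough to ship a 32-byte key, and nothing an observer can compute without the backdoor key separates the leaky tails from honest ones. The practical check this suggests is not statistical: do not let the accelerator choose nonces at all. Have the host generate them and hand them to the device, or use a mode whose nonces are derived deterministically on the host (TLS 1.3 builds record nonces from the sequence number and exposes no per-record random bytes), and where the device must emit nonces, compare them against a host-side expectation rather than trusting that they "look random".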
