[146899] in cryptography@c2.net mail archive


Re: [Cryptography] Points of compromise

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Mon Sep 9 09:04:17 2013

X-Original-To: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
In-Reply-To: <CAMm+Lwgo6kY_D875X7r9dzt0W9V0G2cGwFH0pko9NeseR7AfqQ@mail.gmail.com>
Date: Mon, 9 Sep 2013 06:44:42 -0400
To: Phillip Hallam-Baker <hallam@gmail.com>
Cc: "cryptography@metzdowd.com" <cryptography@metzdowd.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Sep 8, 2013, at 1:53 PM, Phillip Hallam-Baker wrote:

> I was asked to provide a list of potential points of compromise by a concerned party. I list the following so far as possible/likely:

It's not clear to me what kinds of compromises you're considering.  You've produced a list of a number of possibilities, but not even mentioned whole classes of them - e.g., back doors in ECC.

I've expanded, however, on one element of your list.
> 2) Covert channel in Cryptographic accelerator hardware.
> 
> It is possible that cryptographic accelerators have covert channels leaking the private key through TLS (packet alignment, field ordering, timing, etc.) or in key generation (kleptography of the RSA modulus a la Motti Young).

There are two sides to a compromise in accelerator hardware:  Grabbing the information, and exfiltrating it.  The examples you give - and much discussion, because it's fun to consider such stuff - look at clever ways to exfiltrate stolen information along with the data it refers to.

However, to a patient attacker with large resources, a different approach is easier:  Have the planted hardware gather up keys and exfiltrate them when it can.  The attacker builds up a large database of possible keys - many millions, even billions, of keys - but still even an exhaustive search against that database is many orders of magnitude easier than an exhaustive search on an entire keyspace, and quite plausible - consider Venona.  In addition, the database can be searched intelligently based on spatial/temporal/organizational "closeness" to the message being attacked.

An attack of this sort means you need local memory in the device - pretty cheap these days, though of course it depends on the device - and some way of exfiltrating that data later.  There are many ways one might do that, from the high tech (when asked to encrypt a message with a particular key, or bound to a particular target, instead encrypt - with some other key - and send - to some other target - the data to be exfiltrated) to low (pay someone with physical access to plug a USB stick into the device periodically).

                                                        -- Jerry

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
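The "stash now, exfiltrate later" attack Leichter describes above, as an added simulation that is not part of the original post or the list's code: a model accelerator that generates keys correctly but keeps a copy of each in local memory, an attacker who collects that memory later, and a search over the resulting key database ordered by organisational and temporal closeness to the target message. The cipher (an HMAC-SHA256 counter-mode stream with an HMAC tag), the organisation names, the times and the message are all constructed for the example; they stand in for whatever the real hardware and traffic would be.

```python
"""Simulation of a trojaned accelerator that stashes keys for later exfiltration,
and the attacker-side database search.  Added example; cipher, organisations and
message are constructed, not taken from the mailing-list thread."""
import hashlib
import hmac
import random
from dataclasses import dataclass

KEY_LEN = 16    # 128-bit keys: an exhaustive keyspace search is 2**128 trials
NONCE_LEN = 12
TAG_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream standing in for the real cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ct = bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + ct + tag


def try_decrypt(key: bytes, blob: bytes):
    """Return the plaintext if `key` authenticates `blob`, else None."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


@dataclass
class StashedKey:
    key: bytes
    org: str    # organisational "closeness" metadata visible to the implant
    t: int      # issue time, arbitrary units


class CompromisedAccelerator:
    """Generates keys correctly but keeps a copy of each in local memory."""

    def __init__(self, rng: random.Random):
        self._rng = rng
        self._stash = []

    def generate_key(self, org: str, t: int) -> bytes:
        key = self._rng.getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")
        self._stash.append(StashedKey(key, org, t))   # the covert record
        return key

    def exfiltrate(self):
        """The later collection step (USB stick, mis-addressed message, ...)."""
        stolen, self._stash = self._stash, []
        return stolen


def rank_candidates(db, target_org, target_t):
    """Closeness order: same organisation first, then nearest issue time."""
    return sorted(db, key=lambda e: (e.org != target_org, abs(e.t - target_t)))


def search(db, blob, target_org=None, target_t=None):
    """Try stolen keys against `blob`; returns (key, plaintext, trials) or None."""
    order = db if target_org is None else rank_candidates(db, target_org, target_t)
    for trials, cand in enumerate(order, start=1):
        pt = try_decrypt(cand.key, blob)
        if pt is not None:
            return cand.key, pt, trials
    return None


def demo(seed=1, keys_per_org=1000):
    rng = random.Random(seed)
    accel = CompromisedAccelerator(rng)
    victim_key = None
    for org in ("embassy-A", "embassy-B", "ministry-C"):   # constructed metadata
        for t in range(keys_per_org):
            k = accel.generate_key(org, t)
            if (org, t) == ("embassy-B", 437):
                victim_key = k
    msg = b"meet at the usual place"
    nonce = rng.getrandbits(8 * NONCE_LEN).to_bytes(NONCE_LEN, "big")
    blob = encrypt(victim_key, nonce, msg)
    db = accel.exfiltrate()                          # 3000 keys, not 2**128
    exact = search(db, blob, "embassy-B", 437)       # attacker knows org and time
    fuzzy = search(db, blob, "embassy-B", 440)       # attacker knows time roughly
    unranked = search(db, blob)                      # no closeness ordering
    honest = random.Random(99).getrandbits(8 * KEY_LEN).to_bytes(KEY_LEN, "big")
    missed = search(db, encrypt(honest, bytes(NONCE_LEN), msg))   # key never stashed
    return {
        "db_size": len(db),
        "found": exact is not None and exact[0] == victim_key,
        "plaintext": exact[1] if exact else None,
        "trials_exact": exact[2] if exact else None,
        "trials_fuzzy": fuzzy[2] if fuzzy else None,
        "trials_unranked": unranked[2] if unranked else None,
        "honest_key_found": missed is not None,
    }


if __name__ == "__main__":
    print(demo())
```

The point the run makes is the one in the message: once the implant has stashed the key, the attacker's work is a search over a few thousand (or a few billion) stored candidates rather than over the keyspace, and metadata about who generated the key and when turns even that into a handful of trials. A key from an honest device is simply not in the database, which is why the approach needs the implant, not cryptanalysis.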
