[146977] in cryptography@c2.net mail archive
Re: [Cryptography] Techniques for malevolent crypto hardware
daemon@ATHENA.MIT.EDU (Perry E. Metzger)
Tue Sep 10 15:17:07 2013
X-Original-To: cryptography@metzdowd.com
Date: Tue, 10 Sep 2013 15:16:59 -0400
From: "Perry E. Metzger" <perry@piermont.com>
To: "Perry E. Metzger" <perry@piermont.com>
In-Reply-To: <20130908152232.38716273@jabberwock.cb.piermont.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Sun, 8 Sep 2013 15:22:32 -0400 "Perry E. Metzger"
<perry@piermont.com> wrote:
> Ah, now *this* is potentially interesting. Imagine if you have a
> crypto accelerator that generates its IVs by encrypting information
> about keys in use using a key an observer might have or could guess
> from a small search space.
Oh, and of course, if you're doing a DSA-style algorithm, you can
leak information in your choice of random nonce. This is yet more
reason to force protocols to use nonces that are deterministic based
on context, and to enforce that.
Perry
--
Perry E. Metzger perry@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
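As an added illustration (not from Perry's message or the list), the check a defender gets from the deterministic-nonce rule: a toy DSA signer that derives k from the private key and message hash, plus a known-answer comparison that an auditor holding the loaded key can run against a hardware signer's output. The group parameters, key and message are constructed; the nonce derivation is a simplified RFC 6979-style HMAC, not the RFC's bit-exact construction.

```python
import hashlib
import hmac

# Toy DSA group, constructed for illustration: p = 2q + 1 is a safe prime, so
# g = 4 (a quadratic residue) generates the order-q subgroup. Real deployments
# use 2048/3072-bit p with a 256-bit q.
P, Q, G = 1019, 509, 4
assert pow(G, Q, P) == 1 and G != 1

def hash_to_int(msg):
    # H(m) reduced into Z_q (crude at toy size, fine for the demonstration)
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def deterministic_nonce(x, h, attempt):
    # k from the private key, message hash and a retry counter: simplified
    # RFC 6979 idea (HMAC of key || hash), not the RFC's exact HMAC_DRBG.
    # No randomness enters, so the signer has no nonce bits to play with.
    key = x.to_bytes(4, "big")
    data = h.to_bytes(4, "big") + bytes([attempt])
    tag = hmac.new(key, data, hashlib.sha256).digest()
    return 1 + int.from_bytes(tag, "big") % (Q - 1)   # k in [1, q-1]

def sign(x, msg):
    # Standard DSA with deterministic k: same (x, msg) -> same (r, s)
    h = hash_to_int(msg)
    for attempt in range(256):
        k = deterministic_nonce(x, h, attempt)
        r = pow(G, k, P) % Q
        s = pow(k, -1, Q) * (h + x * r) % Q
        if r != 0 and s != 0:
            return r, s
    raise RuntimeError("no usable nonce after 256 attempts")

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    h = hash_to_int(msg)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def matches_reference(x, msg, device_sig):
    # Known-answer check for a signer whose key you loaded yourself (e.g. an
    # accelerator under audit): recompute the expected deterministic signature
    # and compare. Any mismatch means the device chose k some other way,
    # which is exactly the freedom a covert nonce channel needs.
    return tuple(device_sig) == sign(x, msg)
```

With a random-nonce signer the same (key, message) pair yields a different signature every call, so no such reference comparison is possible; that is the property the deterministic rule buys.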