On Mon, 27 Sep 2004, Bill Stewart wrote: [[about the Via crypto sets]]

> The hard part is trust - Cryptography Research did a study last year
> about the quality of the random number generator, and found that you
> get about 0.75 bits of entropy per output bit, or 0.99 if you do
> Von Neumann whitening, so it's fine for feeding your crypto-based whitener.
>
> But their report indicates that they were mainly working from
> design documentation and testing actual equipment,
> so their tests don't show what the RNG does if you execute
> SET MSR UNDOCUMENTED_EVIL_WIRETAP_MODE
> first, much less what happens to the AES keying info or IVs.
UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot without full design oversight. Even for a 3DES chip, where supposedly you can use deterministic test vectors to verify things, the following scheme due to Henry Spencer embeds an almost-impossible-to-spot-in-practice backdoor:

(N.b. the original URL is now dead, but google on the quoted phrase "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!" found two other archived copies)

http://www.sandelman.ottawa.on.ca/linux-ipsec/html/1999/09/msg00240.html

Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet

* To: Linux IPsec <[EMAIL PROTECTED]>
* Subject: Re: linux-ipsec: Intel IPSEC accelerator gives 3DES protected 100Mbit Ethernet
* From: Henry Spencer <[EMAIL PROTECTED]>
* Date: Thu, 16 Sep 1999 10:48:52 -0400 (EDT)

William H Geiger writes:
> I don't know if you still follow the CP list but we have
> been having a long debate on the trustworthiness of Intel
> hardware, especially their RNG...

At first I thought this was pretty much a non-issue here. The problem with the RNG is that it's so hard to decide whether its output is "really" random. But 3DES is a deterministic transform which can be tested against other implementations, so you can easily establish whether the chip is really doing 3DES or not.

Alas, then I got to thinking.
Suppose one built a 3DES accelerator chip so that, if and only if:

(a) the chip is doing near-continuous encryptions at high speed, and
(b) the keys are changing every packet or two, and
(c) the chip detects -- via a simple mechanism like a little hash table -- a key which has appeared before, recently, and
(d) this key has not been marked "compromised" in the hash table, and
(e) an internal 16-bit packet counter is all-1s,

then (!) mark the key compromised in the hash table, XOR the key with the string "GOTCHA, YOU OPEN-SOURCE WEENIES -- NSA RULES!", prefix it with a random-looking constant bit pattern, and sprinkle the resulting bits into the encrypted data, in a haphazard but deterministic pattern.

This is, of course, an encryption error. But rules (a)-(e) make it essentially irreproducible, so it won't happen a second time (and will be quite difficult to reproduce even in a test setup). Almost certainly it will get written off as a random error, and the affected packet will be re-processed correctly and re-sent, and all will be well.

Except that an eavesdropper on the high-speed wire just looks for the constant bit pattern in the right places in a packet, and (almost) every time he sees it, he's nabbed an encryption key.

There's no limit to the complexity that can be added -- especially if you're willing to consider active wiretapping, with the chip going into this mode only if it sees (say) an ICMP ping with the right data in it -- to defeat attempts to find this sort of thing on the test bench.

I fear I agree with William; nothing short of peer review of the hardware design makes such a device trustworthy.

Henry Spencer [EMAIL PROTECTED] ([EMAIL PROTECTED])

--
Jonathan Thornburg <[EMAIL PROTECTED]>
Max-Planck-Institut fuer Gravitationsphysik (Albert-Einstein-Institut),
Golm, Germany, "Old Europe" http://www.aei.mpg.de/~jthorn/home.html
"Washing one's hands of the conflict between the powerful and the powerless means to side with the powerful, not to be neutral." -- quote by Freire / poster by Oxfam

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
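An added example (not part of either post, and not any vendor's code) of the defensive counterpart to the scheme Henry describes: an in-line verifier that compares every accelerator output with an independent software reference and, on any mismatch, treats the key as compromised and keeps the packet for analysis instead of retrying and writing it off as a random error. The reference cipher is an HMAC-SHA256 counter-mode stand-in for 3DES (assumed, since the Python standard library has no 3DES), and `flaky_accelerator` is a constructed stand-in that corrupts one rare packet, not a model of any real chip.

```python
import hashlib
import hmac

def reference_encrypt(key: bytes, packet_id: int, plaintext: bytes) -> bytes:
    """Independent software reference. Stand-in for 3DES (not in the stdlib):
    counter-mode keystream from HMAC-SHA256; only determinism matters here."""
    out = bytearray()
    for off in range(0, len(plaintext), 32):
        ctr = packet_id.to_bytes(8, "big") + off.to_bytes(4, "big")
        keystream = hmac.new(key, ctr, hashlib.sha256).digest()
        out.extend(p ^ k for p, k in zip(plaintext[off:off + 32], keystream))
    return bytes(out)

class InlineVerifier:
    """Checks every accelerator output against the reference. A mismatch is
    treated as a possible key leak, not a transient fault: the key is
    quarantined so it is never reused, and the packet is kept for analysis."""
    def __init__(self, reference=reference_encrypt):
        self.reference = reference
        self.quarantined = set()   # fingerprints of keys seen in a mismatch
        self.events = []           # (packet_id, bad_offsets) for later analysis

    @staticmethod
    def fingerprint(key: bytes) -> str:
        return hashlib.sha256(key).hexdigest()[:16]

    def key_usable(self, key: bytes) -> bool:
        return self.fingerprint(key) not in self.quarantined

    def check(self, key: bytes, packet_id: int, plaintext: bytes,
              hw_ciphertext: bytes) -> list:
        """Byte offsets where accelerator and reference disagree ([] = clean)."""
        expected = self.reference(key, packet_id, plaintext)
        bad = [i for i, (e, h) in enumerate(zip(expected, hw_ciphertext)) if e != h]
        if len(expected) != len(hw_ciphertext):
            bad.append(min(len(expected), len(hw_ciphertext)))
        if bad:
            self.quarantined.add(self.fingerprint(key))
            self.events.append((packet_id, bad))
        return bad

# Constructed stand-in for an accelerator that misbehaves on one rare packet
# (rule (e) above: an all-ones 16-bit counter). The corruption is arbitrary.
def flaky_accelerator(key: bytes, packet_id: int, plaintext: bytes) -> bytes:
    ct = bytearray(reference_encrypt(key, packet_id, plaintext))
    if packet_id == 0xFFFF:
        for i in (3, 11, 19):
            ct[i] ^= 0xA5
    return bytes(ct)
```

The mismatch offsets and quarantined key fingerprints are what a bench or field harness would log; a single "random error" means little, but the same event recurring across units under the same conditions is evidence.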