[cryptography] Stealthy Dopant-Level Hardware Trojans
http://people.umass.edu/gbecker/BeckerChes13.pdf

Stealthy Dopant-Level Hardware Trojans

Georg T. Becker (1), Francesco Regazzoni (2), Christof Paar (1,3), and Wayne P. Burleson (1)
(1) University of Massachusetts Amherst, USA
(2) TU Delft, The Netherlands and ALaRI - University of Lugano, Switzerland
(3) Horst Görtz Institut for IT-Security, Ruhr-Universität Bochum, Germany

Abstract. In recent years, hardware Trojans have drawn the attention of governments and industry as well as the scientific community. One of the main concerns is that integrated circuits, e.g., for military or critical infrastructure applications, could be maliciously manipulated during the manufacturing process, which often takes place abroad. However, since there have been no reported hardware Trojans in practice yet, little is known about what such a Trojan would look like, and how difficult it would be in practice to implement one. In this paper we propose an extremely stealthy approach for implementing hardware Trojans below the gate level, and we evaluate their impact on the security of the target device. Instead of adding additional circuitry to the target design, we insert our hardware Trojans by changing the dopant polarity of existing transistors. Since the modified circuit appears legitimate on all wiring layers (including all metal and polysilicon), our family of Trojans is resistant to most detection techniques, including fine-grain optical inspection and checking against golden chips. We demonstrate the effectiveness of our approach by inserting Trojans into two designs, a digital post-processing derived from Intel's cryptographically secure RNG design used in the Ivy Bridge processors and a side-channel resistant SBox implementation, and by exploring their detectability and their effects on security.

Keywords: Hardware Trojans, malicious hardware, layout modifications, Trojan side-channel

___ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
[cryptography] motivation, research ethics organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)
I suspect there may be some positive correlation between brilliant minds and consideration of human rights, ability to think independently and critically, including in the area of uncritical acceptance of authoritarian dictates. We're not talking about random grunts - we're talking about gifted end-of-PhD mathematicians or equivalent to be much use to NSA for surreptitiously cracking or backdooring ciphers in the face of public analysis. (Well, the DRBG one was pretty ham-fisted, but maybe they have some better ones we haven't found yet, or at least tried).

Take a look e.g. at this Washington Monthly article; there is a history of top US universities having to divest themselves of direct involvement with classified research due to protestations of their academic staff about the ethical considerations.

http://www.washingtonmonthly.com/ten-miles-square/2013/09/does_classified_research_corru046860.php

“In the 1960s students at MIT protested strongly against having a classified research laboratory on the campus and MIT said we will divest it, so it won’t be part of MIT anymore,” said Leslie. “It still exists in Cambridge, but it’s not officially connected.” Leslie also points to Stanford, where they made the decision for their Stanford Research Institute to disaffiliate and become an independent non-profit.

Psychopaths are a minority, and people on the top end of crypto/maths skills are sought after enough to easily move jobs even in a down market - so the "must collect pay-check" argument seems unlikely. So I stand by my argument that they probably scored an own goal on the retention and motivation front. I think for the majority of people - they won't like to go to work, or will feel demotivated, feeling the world is sneering at their employer as a quasi-criminal org.

Adam

On Tue, Sep 10, 2013 at 11:05:58PM +0200, David D wrote:
> Quote, "You've got to think (NSA claims to be the biggest employer of mathematicians) that seeing the illegal activities the US has been getting up to with the fruits of their labour that they may have a mathematician retention or motivation problem on their hands."
>
> You mean like the principled mathematicians working on cluster bombs, drones, and other cool shit? Everyone at the NSA knows exactly what they are doing. I suspect, like most that suck off the military-industrial complex tit, there is surprisingly low turnover. Paychecks only go so far with the principled, but the spineless will collect a check forever and do whatever it takes to keep it coming.
Re: [cryptography] Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?
I have been looking at this proposal as well and it certainly has potential to make a comeback and be an actual standard. I wonder what the OpenPGP authors have to say; Fabio, did you forward this to the OpenPGP list by any chance?

Jurre

2013/9/11 Lodewijk andré de la porte l...@odewijk.nl
> 2013/9/10 David D da...@7tele.com
>> Quote, "You've got to think (NSA claims to be the biggest employer of mathematicians) that seeing the illegal activities the US has been getting up to with the fruits of their labour that they may have a mathematician retention or motivation problem on their hands."
>>
>> You mean like the principled mathematicians working on cluster bombs, drones, and other cool shit? Everyone at the NSA knows exactly what they are doing. I suspect, like most that suck off the military-industrial complex tit, there is surprisingly low turnover. Paychecks only go so far with the principled, but the spineless will collect a check forever and do whatever it takes to keep it coming.
>
> It's just a cool way to work with smart people on difficult problems while helping the nation. I think you underestimate how much these Americans think they're genuinely helping the nation. Their point isn't violating human rights, it's protecting human beings. It's a bit like the three laws system in Asimov's books: the only logical way to protect the civilians against themselves is to prevent them from thinking and communicating freely. It's only logical to take their freedoms to make them safe.
>
> I suspect the 'idealistic madmen' actually is a minority. The rest is simply indifferent to what happens as long as they can do groundbreaking research. Analysts are actually on the job and the job itself has its ethical considerations, so that's a different story. Like police really.
Re: [cryptography] motivation, research ethics organizational criminality (Re: Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)
Applying one's beliefs to another can be a fatal mistake, as people truly do think, feel, and act differently based on various factors. I agree that there are people who will drop one opportunity and pick up something else quickly. If you are one of these people, then think back to every job/project you ever worked and ponder the handful of people you would consider stellar minds/performers. How many are still at the old jobs? From my experience there are always a small handful of stellar people that really drive an organization, and some do leave, but many stay in the less than optimal situations out of fear of the unknown, comfort, money, hope, etc.

The power of group think should also not be discounted. Using your presented example of MIT in the 1960s, what was the consensus opinion in society during the 1960s of those aged 18-24? The MIT mention was part of the larger article and no source was provided with details of the protests, but the article you presented does discuss the recent objections to the APL program by the Political Science dept. It seems reasonable that the Political Science dept would object, but where are the objections from the (real) Sciences depts? Academia is fortunate to have many different viewpoints in one place, but I suspect the NSA is not so fortunate.

As to the NSA directly, how many liberty-minded people 1) apply for a job at the NSA, 2) make it through the Security Clearance process, 3) overcome the NSA group think once hired? I can plainly state that I and every one of my associates fail all 3 immediately. What type of person actually applies for a job at the NSA/CIA/FBI? There may be the percentage that are young/naïve/moldable that are picked up fresh out of school, but I suspect most know exactly where they are going to work.

It is my opinion that if you want to stop the NSA by focusing on those who might still have a sliver of humanity remaining, one would want to:

1. Make working at the NSA a series of scarlet letters.
2. Make their existing and future work useless.
3. Make their ideas/opinions unheard or highly suspect.
4. Provide opportunities in the private sector/open source that provide gainful employment.
5. Expose those responsible for sabotage. Think: e-mail dumps, more leaks, etc.

Many in the above list are already in play...

-----Original Message-----
From: Adam Back [mailto:a...@cypherspace.org]
Sent: Friday, September 13, 2013 2:10 PM
To: David D
Cc: cryptography@randombit.net; Adam Back
Subject: motivation, research ethics organizational criminality (Re: [cryptography] Forward Secrecy Extensions for OpenPGP: Is this still a good proposal?)
[cryptography] MITM Manipulation of Snowden Documents
It continues to mystify why Greenwald and others crop and redact documents and slides but show them to staff at O Globo, Guardian, Der Spiegel, New York Times, ProPublica, Washington Post and perhaps others yet to be disclosed with bombshell releases (now even Clapper is applauding the Snowden campaign, which stinks of "the fix is in" on what to release and when).

O Globo videos show glimpses of slides which are then further redacted or cropped for release as slides alone.

Schneier claims to be working with Greenwald, so he is presumably seeing full views of docs and slides. Yet he sustains a steady beat of surprise and outrage, almost as if overly defensive about who knows what.

Greenwald has tweeted that there are legal reasons to not show full views nor distribute documents, instead only report on them. No answer to a tweet to GG about who set those legal boundaries.

This seems to be a game the Snowden manipulators are playing with authorities, or at least lawyers are playing with the gov, to toy with and tease the public by hoarding documents, maintaining insider privileges of journalists against outsiders, their readers, and experts who could deconstruct the journos' pallid interpretation. This is a game played also by secret-hoarding governments against their citizens, aided and abetted by duplicitous laws and lawyers.

MITM exploitation is what it is, whatever they choose to call their privilege protection racket. And not to overlook the singular role of Tor in MITM exploitation. The same distinctive rhetoric is deployed by all of them to wave off suspicions as if tradecraft.
Re: [cryptography] MITM Manipulation of Snowden Documents
Plantation mentality. When you live within the box, your points of reference are the box.

-----Original Message-----
From: cryptography [mailto:cryptography-boun...@randombit.net] On Behalf Of Randall Webmail
Sent: Friday, September 13, 2013 9:11 PM
To: Crypto List
Subject: Re: [cryptography] MITM Manipulation of Snowden Documents

> From: John Young j...@pipeline.com
> To: crypt...@freelists.org, cryptography@randombit.net
> Sent: Friday, September 13, 2013 11:46:02 AM
> Subject: [cryptography] MITM Manipulation of Snowden Documents
>
>> It continues to mystify why Greenwald and others crop and redact documents and slides but show them to staff at O Globo, Guardian, Der Spiegel, New York Times, ProPublica, Washington Post and perhaps others yet to be disclosed with bombshell releases (now even Clapper is applauding the Snowden campaign, which stinks of "the fix is in" on what to release and when).
>>
>> ...
>>
>> This seems to be a game the Snowden manipulators are playing with authorities, or at least lawyers are playing with the gov, to toy with and tease the public by hoarding documents, maintaining insider privileges of journalists against outsiders, their readers, and experts who could deconstruct the journos' pallid interpretation.
>
> Your first para claimed mystification, but by the time you get to the fifth paragraph, you've figured it out. Impressive ...
Re: [cryptography] MITM Manipulation of Snowden Documents
From: John Young j...@pipeline.com
To: crypt...@freelists.org, cryptography@randombit.net
Sent: Friday, September 13, 2013 11:46:02 AM
Subject: [cryptography] MITM Manipulation of Snowden Documents

> It continues to mystify why Greenwald and others crop and redact documents and slides but show them to staff at O Globo, Guardian, Der Spiegel, New York Times, ProPublica, Washington Post and perhaps others yet to be disclosed with bombshell releases (now even Clapper is applauding the Snowden campaign, which stinks of "the fix is in" on what to release and when).
>
> ...
>
> This seems to be a game the Snowden manipulators are playing with authorities, or at least lawyers are playing with the gov, to toy with and tease the public by hoarding documents, maintaining insider privileges of journalists against outsiders, their readers, and experts who could deconstruct the journos' pallid interpretation.

Your first para claimed mystification, but by the time you get to the fifth paragraph, you've figured it out. Impressive ...
Re: [cryptography] very little is missing for working BTNS in Openswan
On Thu, Sep 12, 2013 at 08:28:56PM -0400, Paul Wouters wrote:
> Stop making crypto harder!
>
> I think you're arguing that active attacks are not a concern. That's probably right today w.r.t. PRISMs. And definitely wrong as to cafe shop wifi. The threat model is the key. If you don't care about active attacks, then you can get BTNS with minimal effort.
>
> This is quite true. At least some times we need to care about active attacks.
>
> On Thu, 12 Sep 2013, Nico Williams wrote:
>> Note: you don't just want BTNS, you also want RFC5660 -- IPsec channels. You also want to define a channel binding for such channels (this is trivial).
>
> This is exactly why BTNS went nowhere. People are trying to combine anonymous IPsec with authenticated IPsec. Years dead-locked in channel binding and channel upgrades. That's why I gave up on BTNS.

See also the last bit of my earlier post regarding Opportunistic Encryption.

It's hard to know exactly why BTNS failed, but I can think of:

- It was decades too late; it (and IPsec channels) should have been there from the word go (RFC1825, 1995), and even then it would have been too late to compete with TLS, given that the latter required zero kernel code additions while the former required lots.

- I only needed it as an optimization for NFS security at a time when few customers really cared about deploying secure NFS because Linux lacked mature support for it. It's hard to justify a bunch of work on multiple OSes for an optimization to something few customers used, even if they should have been using it.

- "Just do it all in user-land" has pretty much won. Any user-land protocol you can think of, from TLS, to DJB's MinimaLT, to -heck- even IKE and ESP over UDP, will be easier to implement and deploy than anything that requires matching kernel implementations in multiple OSes. You see this come up *all* the time in Apps WG. People want SCTP, but for various reasons (NAATTTS) they can't, so they resort to putting an entire SCTP or SCTP-like stack in user-land and run it over UDP. Heck, there are entire TCP/IP user-land stacks designed to go faster than any general-purpose OS kernel's TCP/IP stack does. Yeah, this is a variant of the first reason.

There are probably other reasons; listing them all might be useful. These three were probably enough to doom the project.

The IPsec channel part is not really much more complex than, say, connected UDP sockets. But utter simplicity four years ago was insufficient -- it needed to have been there two decades ago.

Nico
--
Re: [cryptography] no-keyring public
On 25-08-2013 13:38, Alexander Klimov wrote:
> There was an ECC program from the previous century that worked as you described: the private key was derived solely from the user password. Unfortunately, I cannot recall its name (and I suspect it already vanished from the net since it was not secure due to its use of EC over a binary composite field, Weil descent attack), but I guess someone here remembers its name, since at that time it was a rare example of ECC software.

The name was Pegwit: http://www.george-barwood.pwp.blueyonder.co.uk/hp/v8/pegwit.htm
Re: [cryptography] Compositing Ciphers?
On 09/06/2013 08:27 PM, Jeffrey Walton wrote:
> Hi All,
>
> With all the talk of the NSA poisoning NIST, would it be wise to composite ciphers? (NY Times, Guardian, Dr. Green's blog, et seq).
>
> I've been thinking about running a fast inner stream cipher (Salsa20 without a MAC) and wrapping it in AES with an authenticated encryption mode (or CBC mode with {HMAC|CMAC}).
>
> I'm aware of, for example, NSA's Fishbowl running IPSec at the network layer (the outer encryption) and then SRTP at the application level (the inner encryption). But I'd like to focus on hardening one cipherstream at one level, and not cross OSI boundaries.
>
> I'm also aware of the NSA's lightweight block ciphers (http://eprint.iacr.org/2013/404). I may have been born at night, but it was not last night.

Just FYI: I spoke to Adi Shamir recently (he is doing a lecture series at Courant), and he said he had looked at SIMON and SPECK and did not see anything wrong with them. Shamir is, of course, a world-renowned cryptanalyst, responsible for breaking FEAL and DES, for example.

> Has anyone studied the configuration and security properties of an inner stream cipher with an outer block cipher?
>
> Jeff
Re: [cryptography] Compositing Ciphers?
On Fri, Sep 6, 2013 at 5:53 PM, Natanael natanae...@gmail.com wrote:
> Apparently it's called cascade encryption or cascade encipherment

More generally it's known as a product cipher, which underlies things like Feistel networks, which were used to compose algorithms like DES: https://en.wikipedia.org/wiki/Product_cipher

If A1 and A2 are secure PRGs, and we encrypt message m under the keystream of A1(k1) ⊕ A2(k2) [where k1 and k2 are unrelated randomly generated keys], the resulting cipher is at least as strong as the strongest of the two ciphers. This can provide a failsafe if a cryptanalysis is found for either of the two ciphers.

--
Tony Arcieri
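The XOR-combined keystream construction described in the post, as an added example that is not code from Tony or anyone else in the thread: A1 and A2 are stand-in PRGs built from hashlib (SHA-256 and keyed BLAKE2b in counter mode) so it runs on the standard library, `prg_broken` plays the role of a cipher for which a cryptanalysis has been found, and `related_key_leak` shows why the "unrelated keys" caveat matters.

```python
"""XOR-cascade of two stream-cipher keystreams: c = m XOR A1(k1) XOR A2(k2).

Added example (not from the thread). A1 and A2 are stand-in PRGs built from
hashlib (SHA-256 and keyed BLAKE2b in counter mode) so this runs on the
standard library; they illustrate the combiner, not a recommended cipher.
"""
import hashlib
import secrets
from typing import Callable

PRG = Callable[[bytes, int], bytes]


def prg_sha256(key: bytes, n: int) -> bytes:
    """A1: concatenated SHA-256(key || 64-bit counter) blocks, cut to n bytes."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
    return bytes(out[:n])


def prg_blake2b(key: bytes, n: int) -> bytes:
    """A2: keyed BLAKE2b over the 64-bit counter (key must be <= 64 bytes)."""
    out = bytearray()
    for ctr in range((n + 63) // 64):
        out += hashlib.blake2b(ctr.to_bytes(8, "big"), key=key).digest()
    return bytes(out[:n])


def prg_broken(key: bytes, n: int) -> bytes:
    """Models 'a cryptanalysis is found for A2': the attacker can predict the
    whole keystream, so for this demo it is simply all zeros."""
    return bytes(n)


def xor(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def cascade(prg1: PRG, k1: bytes, prg2: PRG, k2: bytes, msg: bytes) -> bytes:
    """Encrypt (or decrypt; the operation is its own inverse) under the
    XOR of the two keystreams."""
    n = len(msg)
    return xor(msg, xor(prg1(k1, n), prg2(k2, n)))


def failsafe_holds(k1: bytes, k2: bytes, msg: bytes) -> bool:
    """With A2 fully broken, the cascade degrades exactly to A1 alone, i.e.
    the attacker is left facing the still-secure A1 ciphertext."""
    c = cascade(prg_sha256, k1, prg_broken, k2, msg)
    return c == xor(msg, prg_sha256(k1, len(msg))) and c != msg


def related_key_leak(k: bytes, msg: bytes) -> bool:
    """The 'unrelated keys' caveat: the same PRG with the same key on both
    sides makes the keystreams cancel, and the 'ciphertext' is the plaintext."""
    return cascade(prg_sha256, k, prg_sha256, k, msg) == msg


if __name__ == "__main__":
    k1, k2 = secrets.token_bytes(32), secrets.token_bytes(32)
    m = b"constructed sample plaintext"
    c = cascade(prg_sha256, k1, prg_blake2b, k2, m)
    print("round trip ok:", cascade(prg_sha256, k1, prg_blake2b, k2, c) == m)
    print("failsafe with A2 broken:", failsafe_holds(k1, k2, m))
    print("same PRG + same key leaks plaintext:", related_key_leak(k1, m))
```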