Peter Gutmann wrote:
> Tinfoil-hat mode.

Agreed, but some people want to be thorough, or pedantic, or paranoid.
At 04:20 AM 9/30/2004, Jonathan Thornburg wrote:
> UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
> without full design oversight. Even for a 3DES chip, where supposedly
> you can use deterministic test vectors to verify things, the following
> scheme due to Henry Spencer embeds an almost-impossible-to-spot-in-practice backdoor:
A somewhat simpler backdoor could be used in block chaining modes.
Occasionally output the data you're leaking instead of one or a few blocks
of cyphertext, and the CBC will glitch on it and then resync a few blocks later;
in many environments the application layer will correct for it,
e.g. IPSEC will lose a few packets, TCP will time out and retransmit,
and 3 seconds later it's as if nothing happened except that
the private keypart has been leaked for the passive eavesdropper.
Bill Stewart [EMAIL PROTECTED]
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
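The CBC behaviour the thread relies on, as an added illustration that is not part of the original post: a single ciphertext block that is not the cipher's real output damages exactly two plaintext blocks on decryption and the chain then resynchronises, which is why an application layer can paper over it, while a block-by-block comparison against a software reference flags the odd block immediately. The block cipher here is a constructed Feistel toy (hypothetical `block_encrypt`/`block_decrypt`, SHA-256 round function) standing in for 3DES, and all keys and data are constructed sample values.

```python
import hashlib
BLOCK = 16

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Hypothetical toy round function: keyed SHA-256 truncated to a half-block.
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def block_encrypt(key: bytes, block: bytes) -> bytes:
    # Constructed 4-round Feistel toy standing in for the 3DES primitive.
    l, r = block[:8], block[8:]
    for i in range(4):
        l, r = r, _xor(l, _round(key, i, r))
    return l + r

def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r
def _blocks(data: bytes) -> list:
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for p in _blocks(plaintext):
        prev = block_encrypt(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for c in _blocks(ciphertext):
        out.append(_xor(block_decrypt(key, c), prev))
        prev = c  # chaining on the received ciphertext is why CBC resyncs
    return b"".join(out)

def differing_blocks(a: bytes, b: bytes) -> list:
    # Defender's cross-check: compare two streams block by block and report
    # every index that disagrees (e.g. device output against a software reference).
    return [i for i, (x, y) in enumerate(zip(_blocks(a), _blocks(b))) if x != y]
# Constructed sample: six plaintext blocks; the observed stream has block 2 replaced.
KEY, IV = b"constructed-key!", bytes(range(BLOCK))
PLAINTEXT = b"".join(bytes([0x40 + i]) * BLOCK for i in range(6))
REFERENCE_CT = cbc_encrypt(KEY, IV, PLAINTEXT)
OBSERVED_CT = REFERENCE_CT[:2 * BLOCK] + b"\xaa" * BLOCK + REFERENCE_CT[3 * BLOCK:]

def demo() -> dict:
    recovered = cbc_decrypt(KEY, IV, OBSERVED_CT)
    return {"ciphertext_mismatch": differing_blocks(REFERENCE_CT, OBSERVED_CT),  # [2]
            "plaintext_damage": differing_blocks(PLAINTEXT, recovered)}  # [2, 3], then resync
```

Run against a real device this cross-check needs the device's own output stream, not just a known-answer test at power-up, since the misbehaviour is occasional by design.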
