On Sun, Sep 08, 2013 at 03:22:32PM -0400, Perry E. Metzger wrote:
>
> Ah, now *this* is potentially interesting. Imagine if you have a
> crypto accelerator that generates its IVs by encrypting information
> about keys in use using a key an observer might have or could guess
> from a small search space.
>
> Hadn't even occurred to me since it seems way more blatant than
> the other sort of leaks I was thinking of, but of course the mere
> fact that it is blatant doesn't mean that it would never be tried...
Well, I guess it depends what your definition of "blatant" is. Treating the crypto hardware as a black box, it would be freaking hard to detect, no? And not so easy even if you're willing to go at the thing at the gate level. You could end up forced to examine everything attached to any of your crypto chip's I/Os, too, and it goes rapidly downhill from there...

When we build protocols that have data elements we *expect* to be random, and rely on cryptographic primitives whose outputs we expect to be indistinguishable from random, we kind of set ourselves up for this type of attack. Not that I see an easy way not to.

I also wonder -- again, not entirely my own idea, my whiteboard partner can speak up for himself if he wants to -- about whether we're going to make ourselves better or worse off by rushing to the "safety" of PFS ciphersuites, which, with their reliance on DH, in the absence of good RNGs may make it *easier* for the adversary to recover our eventual symmetric-cipher keys, rather than harder!

Thor

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
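Thor's closing point, that DH-based PFS with a bad RNG can hand a passive observer the session key, worked through as an added example (my code, not from the thread): in a constructed toy group, a 16-bit ephemeral exponent is recovered from the two public values alone, while a hedged exponent (an assumed mitigation, mixing the RNG output with a long-term secret and the transcript) is not.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed toy Diffie-Hellman group, NOT secure: p = 2^31 - 1, for which 7 is a
# primitive root, so every exponent in 1..p-2 gives a distinct public value and the
# exhaustive search below finishes instantly.
P = 2**31 - 1
G = 7

# A "bad RNG": each ephemeral exponent carries only 16 bits of entropy.
WEAK_BITS = 16


def weak_rng() -> int:
    """Ephemeral exponent drawn from a space an observer can enumerate."""
    return secrets.randbelow(1 << WEAK_BITS) + 1


def dh_public(x: int) -> int:
    return pow(G, x, P)


def dh_shared(peer_pub: int, x: int) -> int:
    return pow(peer_pub, x, P)


def session_key(shared: int) -> bytes:
    """The symmetric key PFS was supposed to protect, derived from the DH result."""
    return hashlib.sha256(shared.to_bytes(4, "big")).digest()


def passive_recover(pub_a: int, pub_b: int, search_bits: int) -> Optional[bytes]:
    """Observer's view: only the two public values seen on the wire. If one side's
    exponent came from a small space, enumerate it and derive the session key."""
    for a in range(1, (1 << search_bits) + 1):
        if pow(G, a, P) == pub_a:
            return session_key(pow(pub_b, a, P))
    return None


def hedged_exponent(rng_output: int, long_term_secret: bytes, transcript: bytes) -> int:
    """Mitigation (hypothetical hedging scheme, not from the thread): mix the RNG
    output with a long-term secret and the handshake transcript, so a weak RNG
    alone no longer places the exponent in an enumerable space."""
    msg = rng_output.to_bytes(4, "big") + transcript
    mac = hmac.new(long_term_secret, msg, hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (P - 2) + 1
```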