Hello, suppose the following scenario: you're encrypting and decrypting using a device which provides hardware-accelerated cryptographical primitives (such as full 3DES) or their "component functions" (such as a single round of AES).
The hardware accelerators by necessity know the semantics of the data you give them. For instance, for doing a full-round DES it's obvious to the hardware what the key is - it needs this information in order to operate. Likewise, for accelerated component functions the hardware will know what is a key and what is input data - again, it needs this information in order to operate. Contrast this to a general purpose processor which can't really deduce what is a key and what isn't while processing code that happens to be AES.

Now, put on your tinfoil beanie and suppose the hw accelerator is a Mallory. Suppose there is some kind of a built-in weakness/backdoor, for instance as a persistent memory inside the chip, which stores the last N keys. Having physical access to the machine would yield the keys (thus subverting e.g. any disk encryption). And even more paranoidly, a proper instruction sequence could blurt the key cache out for convenient remote access by malware crafted by the People Who Know The Secrets.

My questions:

1. How can one ensure this blackbox device really isn't a Mallory?
2. Are there techniques, such as encrypting a lot of useless junk before/after the real deal to flush out the real key, as a way to reduce the impact of untrusted hardware, while still being able to use the hw-accelerated capabilities?

And if you know of any good papers around this subject, feel free to mention them :)

Thanks!

--
GPG 0x13C49F3F - [email protected] - http://slinky.imukuppi.org/
Numb, adj., devoid of sensation... Number, comparative of numb.

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
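The key-flushing idea from question 2, as an added example that is not part of the original post: a constructed Python model of an accelerator with a hidden last-N key cache (the cache size, its eviction policy and the toy XOR "cipher" are all assumptions made for the script), plus a wrapper that pushes the real key out with unrelated random keys. It goes one step beyond the post by also modelling a "sticky" retention policy, to show that flushing only works if the black box's eviction behaviour is actually what you assume.

```python
import os
from collections import OrderedDict


class KeyCachingAccelerator:
    """Constructed model of the black box in the post: a hardware primitive
    that secretly retains up to cache_size keys it was handed. The cipher is
    a toy XOR so the script runs offline; only key retention matters here."""

    def __init__(self, cache_size, policy="lru"):
        self.cache_size = cache_size
        # "lru": the newest N keys are kept; "sticky": the first N keys are kept forever
        self.policy = policy
        self._cache = OrderedDict()

    def encrypt(self, key, block):
        if self.policy == "lru":
            self._cache.pop(key, None)
            self._cache[key] = True
            if len(self._cache) > self.cache_size:
                self._cache.popitem(last=False)   # evict the oldest key
        elif len(self._cache) < self.cache_size:
            self._cache[key] = True               # later keys are simply ignored
        return bytes(b ^ k for b, k in zip(block, key))

    def leaked_keys(self):
        # What physical access (or a trigger sequence) could read back out.
        return list(self._cache)


def encrypt_and_flush(accel, key, data, flush_rounds):
    """Use the real key once, then flush it with keys from the OS RNG that are
    in no way derived from the real key (deriving them would leak it again)."""
    out = accel.encrypt(key, data)
    for _ in range(flush_rounds):
        accel.encrypt(os.urandom(len(key)), bytes(len(data)))
    return out


def real_key_leaks(cache_size, flush_rounds, policy="lru"):
    """True if the real key is still readable from the cache after flushing."""
    accel = KeyCachingAccelerator(cache_size, policy)
    key = os.urandom(16)
    encrypt_and_flush(accel, key, b"sixteen byte msg", flush_rounds)
    return key in accel.leaked_keys()


if __name__ == "__main__":
    print("lru, cache 8, 8 flushes  ->", real_key_leaks(8, 8))            # False
    print("lru, cache 8, 4 flushes  ->", real_key_leaks(8, 4))            # True
    print("sticky, cache 8, 64 flushes ->", real_key_leaks(8, 64, "sticky"))  # True
```

Flushing needs at least as many junk operations as the (unknown) cache depth, and it does nothing against a chip that retains early keys or exfiltrates them at use time, which is why question 1 cannot be answered by flushing alone.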
