[Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Perry E. Metzger
On Thu, 5 Sep 2013 22:31:50 -0400 Jerry Leichter leich...@lrw.com wrote:
 For example, at
 the following goal appears for FY 2013:  Complete enabling
 for [redacted] encryption chips used in Virtual Public Network and
 Web encryption devices.  The Times adds the following note:
 Large Internet companies use dedicated hardware to scramble
 traffic before it is sent. In 2013, the agency planned to be able
 to decode traffic that was encoded by one of these two encryption
 chips, either by working with the manufacturers of the chips to
 insert back doors or by exploiting a security flaw in the chips'

This is troubling. It implies that there are widely used crypto
accelerators in use at large organizations that intentionally harm
the security of users. Random number generator flaws would seem like
an obvious possibility here.

This is especially disturbing because other actors can now start
doing teardowns on a wide variety of such devices looking to find the
flaws so they can themselves attack the traffic in question.

Perry E. Metzger  pe...@piermont.com
The cryptography mailing list

Re: [Cryptography] Sabotaged hardware (was Re: Opening Discussion: Speculation on BULLRUN)

2013-09-06 Thread Jerry Leichter
On Sep 6, 2013, at 11:37 AM, John Ioannidis wrote:
 I'm a lot more worried about FDE (full disk encryption) features on modern 
 disk drives, for all the obvious reasons.
If you're talking about the FDE features built into disk drives - I don't know 
anyone who seriously trusts it.  Every secure disk that's been analyzed has 
been found to be secured with amateur-level crypto.  I seem to recall one 
that advertised itself as using AES (you know, military-grade encryption) which 
did something like:  Encrypt the key with AES, then XOR with the result to 
encrypt all the data.  Yes, it does indeed use AES

There's very little to be gained, and a huge amount to be lost, by leaving the 
crypto to the drive, and whatever proprietary, hacked-up code the bit-twiddlers 
who do driver firmware decide to toss in to meet the marketing requirement of 
being able to say they are secure.  Maybe when they rely on a published 
standard, *and* provide a test mode so I can check to see that what they wrote 
to the surface is what the standard says should be there, I might change my 
mind.  At least then, I'd be worrying about deliberate attacks (which, if you 
can get into the supply chain are trivial - there's tons of space to hide away 
a copy of the key), rather than the nonsense we have today.

 And if I wanted to be truly paranoid, I'd worry about HSMs to
Now, wouldn't compromising HSMs be sweet.  Not that many vendors make HSMs, 
and they are exactly the guys who already have a close relationship with the CI 
(crypto-industrial) complex.
-- Jerry


The cryptography mailing list
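The "encrypt the key with AES, then XOR with the result" construction Jerry describes, as an added illustration that is not code from this thread or from any drive vendor: the flawed scheme beside a per-sector keystream, plus the kind of test-mode check he asks for (write known data, read back the surface, look for a repeating pad). Assumptions: `toy_block` is a SHA-256 stand-in for one AES block so the example runs without a crypto library, and the key and 512-byte sectors are constructed sample values.

```python
import hashlib

BLOCK = 16  # AES block size in bytes; the toy keeps that geometry

def toy_block(key: bytes, data: bytes) -> bytes:
    # Assumed stand-in for one AES block encryption under `key`; a hash keeps
    # the example dependency-free, and the flaw below does not depend on it.
    return hashlib.sha256(key + data).digest()[:BLOCK]

def flawed_fde_encrypt(key: bytes, sector_data: bytes) -> bytes:
    # The scheme from the post: encrypt the key once, then XOR that single
    # 16-byte result against everything written to the surface.
    pad = toy_block(key, key)
    return bytes(b ^ pad[i % BLOCK] for i, b in enumerate(sector_data))

def tweaked_fde_encrypt(key: bytes, sector_no: int, sector_data: bytes) -> bytes:
    # Contrast: keystream bound to (sector number, block offset), the shape
    # real sector ciphers such as XTS use, so no pad block ever repeats.
    out = bytearray()
    for off in range(0, len(sector_data), BLOCK):
        tweak = sector_no.to_bytes(8, "big") + off.to_bytes(8, "big")
        pad = toy_block(key, tweak)
        out += bytes(b ^ pad[j] for j, b in enumerate(sector_data[off:off + BLOCK]))
    return bytes(out)

def keystream_repeats(ciphertext: bytes, plaintext: bytes) -> bool:
    # Test-mode check: XOR what we wrote against what landed on the surface
    # and see whether the recovered keystream repeats every BLOCK bytes.
    # True means the drive applies a fixed pad, whatever it calls itself.
    stream = bytes(c ^ p for c, p in zip(ciphertext, plaintext))
    if len(stream) <= BLOCK:
        return False  # one block cannot show a repeat
    first = stream[:BLOCK]
    return all(stream[i:i + BLOCK] == first[:len(stream[i:i + BLOCK])]
               for i in range(BLOCK, len(stream), BLOCK))

def ciphertext_xor_leaks(ct_a: bytes, ct_b: bytes, pt_a: bytes, pt_b: bytes) -> bool:
    # Why it matters: under a fixed pad the XOR of two ciphertexts equals the
    # XOR of the plaintexts, so anyone without the key sees where sectors differ.
    cx = bytes(a ^ b for a, b in zip(ct_a, ct_b))
    px = bytes(a ^ b for a, b in zip(pt_a, pt_b))
    return cx == px

# Constructed sample input: a 16-byte key and two 512-byte sectors.
KEY = bytes(range(16))
SECTOR_A = bytes(range(256)) * 2
SECTOR_B = b"\x00" * 512
```

Running `keystream_repeats` on a sector of zeros written through the drive is the whole test: a sound mode returns False, the scheme above returns True on every sector.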