On Sun, 8 Sep 2013 15:10:45 -0400 Thor Lancelot Simon <t...@panix.com> wrote:
> On Sun, Sep 08, 2013 at 02:34:26PM -0400, Perry E. Metzger wrote:
> >
> > Any other thoughts on how one could sabotage hardware? An
> > exhaustive list is interesting, if only because it gives us
> > information on what to look for in hardware that may have been
> > tweaked at NSA request.
>
> I'd go for leaking symmetric cipher key bits into exposed RNG
> output: nonces, explicit IVs, and the like. Crypto hardware with
> "macro" or "record" operations (ESP or TLS record/packet handling
> as a single operation; TLS or IKE handshake, etc.) offers ample
> opportunities for this, but surely it could be arranged even with
> simpler hardware that just happens to accelerate both, let's say,
> AES and random number generation.
Ah, now *this* is potentially interesting. Imagine if you have a crypto
accelerator that generates its IVs by encrypting information about keys
in use using a key an observer might have or could guess from a small
search space. Hadn't even occurred to me since it seems way more blatant
than the other sort of leaks I was thinking of, but of course the mere
fact that it is blatant doesn't mean that it would never be tried...

Perry
--
Perry E. Metzger		pe...@piermont.com
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
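To make the leak Thor describes and Perry's reading of it concrete, the following is an added simulation; it is not code from the thread and does not model any real accelerator. It models an offload engine whose "encrypt record" macro operation chooses the explicit IV itself. The honest engine draws the IV from its RNG; the sabotaged engine emits half of the session key masked with a counter-mode keystream keyed by an escrow key, bound to the public connection id and record number so every IV on the wire still looks fresh and random. HMAC-SHA256 stands in for AES (the stdlib has no block cipher); the class and function names, the 16-bit escrow-key space, the connection id, the record header and the messages are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct

IV_LEN = 8      # explicit per-record IV, as in TLS 1.1+ CBC or ESP
KEY_LEN = 16    # session key length: two IVs' worth


def keystream(key: bytes, label: bytes, n: int, length: int) -> bytes:
    """Counter-mode keystream. HMAC-SHA256 stands in for the block cipher;
    the structure (key, label, record number, block counter) is that of AES-CTR."""
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, label + struct.pack(">QI", n, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Accelerator:
    """Hypothetical offload engine whose record-encrypt macro op picks the IV.
    honest=True: IV from the RNG.  honest=False: IV = mask XOR half the session
    key, where mask = PRF(escrow_key, conn_id, record number)."""

    def __init__(self, escrow_key: bytes, honest: bool = False):
        self.escrow_key = escrow_key
        self.honest = honest

    def encrypt_record(self, session_key: bytes, conn_id: bytes, n: int, plaintext: bytes):
        if self.honest:
            iv = os.urandom(IV_LEN)
        else:
            half = n % 2                     # even records leak key[0:8], odd leak key[8:16]
            chunk = session_key[half * IV_LEN:(half + 1) * IV_LEN]
            iv = xor(keystream(self.escrow_key, conn_id, n, IV_LEN), chunk)
        ct = xor(keystream(session_key, iv, n, len(plaintext)), plaintext)
        return iv, ct


def recover_session_key(escrow_key: bytes, conn_id: bytes, records):
    """Passive observer holding the escrow key: strip the mask from one even-
    and one odd-numbered IV to obtain both halves of the session key."""
    halves = {}
    for n, iv, _ct in records:
        halves.setdefault(n % 2, xor(iv, keystream(escrow_key, conn_id, n, IV_LEN)))
        if len(halves) == 2:
            return halves[0] + halves[1]
    return None


def decrypt_record(session_key: bytes, n: int, iv: bytes, ct: bytes) -> bytes:
    return xor(keystream(session_key, iv, n, len(ct)), ct)


def brute_force_escrow_key(conn_id: bytes, records, known_prefix: bytes, space_bits: int = 16):
    """Observer without the escrow key who knows it comes from a small space
    (Perry's 'could guess from a small search space'): try every candidate and
    confirm by decrypting one record and checking a known plaintext header."""
    n0, iv0, ct0 = records[0]
    for cand in range(1 << space_bits):
        k = cand.to_bytes((space_bits + 7) // 8, "big")
        sk = recover_session_key(k, conn_id, records)
        if sk is not None and decrypt_record(sk, n0, iv0, ct0).startswith(known_prefix):
            return k
    return None


def demo():
    # Constructed, fixed values so the run is reproducible.
    escrow_key = b"\x13\x37"                          # drawn from a 16-bit space
    session_key = bytes(range(0x40, 0x40 + KEY_LEN))
    conn_id = b"\xde\xad\xbe\xef"                     # public on the wire
    header = b"\x17\x03\x03\x00"                      # known leading bytes of each record
    msgs = [header + b"GET /index.html", header + b"Host: example", header + b"end"]

    bad = Accelerator(escrow_key)
    records = [(n, *bad.encrypt_record(session_key, conn_id, n, m)) for n, m in enumerate(msgs)]
    good = Accelerator(escrow_key, honest=True)
    honest_records = [(n, *good.encrypt_record(session_key, conn_id, n, m)) for n, m in enumerate(msgs)]

    return {
        "session_key": session_key,
        "escrow_key": escrow_key,
        "recovered": recover_session_key(escrow_key, conn_id, records),
        "brute_forced_escrow": brute_force_escrow_key(conn_id, records, header),
        "honest_recovered": recover_session_key(escrow_key, conn_id, honest_records),
        "ivs_distinct": len({iv for _n, iv, _ct in records}) == len(records),
    }


if __name__ == "__main__":
    r = demo()
    print("session key     ", r["session_key"].hex())
    print("from sabotaged  ", r["recovered"].hex())
    print("escrow by search", r["brute_forced_escrow"].hex())
    print("from honest     ", r["honest_recovered"].hex())
```

The point the simulation makes is that the leaked IVs are the output of a PRF keyed by something only the observer holds, so they pass any statistical test you run on the "RNG" output and never repeat within a connection; the only way to see the leak without the escrow key is the search over the small key space, which is why the size of that space, not the randomness of the output, is what decides whether the backdoor is practical.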