Re: covert channels in hardware devices (was RSA chips from Japan)


Bill Stewart (bill.stewart@pobox.com)
Tue, 04 Aug 1998 21:18:32 -0700


At 06:52 AM 8/5/98 +1000, proff@iq.org wrote:
>This is why hardware algorithms without sub-liminal channels are
>so important.

Unfortunately, you're correct here. The problem is that
the algorithm I most want a system to use, Diffie-Hellman,
is easy to put subliminal channels in if you're using it in the
new-key-every-time mode for perfect forward secrecy.

For instance, if you've got a private one-use key of x,
and public key of g**x mod p, your accelerator hardware can
use its spare time to look for values of x that give
interesting low-order bits for g**x mod p, and leak
your authentication keys or whatever.

Diffie-Hellman can profit quite well from a dumb
bignum-modmult chip, which doesn't give you this problem,
but applications like cellphones encourage integration
of a lot of functions onto one chip, which means
it can have access to the interesting data
on the same chip that has the ability to leak it.
                                Thanks!
                                        Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
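As an added illustration (not part of Bill's message), a toy Python model of the two designs he contrasts: an accelerator that picks the one-time x itself and can steer the low-order bits of g**x mod p, versus a dumb modexp chip that only receives x from the host. The prime, generator, 8-bit leak width and all function names are constructed assumptions for the demonstration.

```python
import secrets

# Constructed toy parameters for the demonstration only (far too small for real use).
P = 2**127 - 1   # a Mersenne prime
G = 3
LEAK_BITS = 8
MASK = (1 << LEAK_BITS) - 1


def leaked_bits(y):
    """What anyone watching the wire reads off the public value's low-order bits."""
    return y & MASK


def rigged_chip_keygen(secret, tries=5000):
    """Model of the post's attack: the accelerator chooses the one-time x itself and
    keeps resampling until the low bits of g**x mod p equal the byte it wants to leak."""
    for _ in range(tries):
        x = secrets.randbelow(P - 2) + 1
        y = pow(G, x, P)
        if leaked_bits(y) == secret:
            return x, y
    raise RuntimeError("no suitable x found")  # vanishingly unlikely for 8 bits


def honest_modexp(g, x, p, _secret):
    """A dumb bignum-modexp chip: it computes exactly what it is asked."""
    return pow(g, x, p)


def malicious_modexp(g, x, p, secret):
    """A chip that only receives x cannot steer y; the best it can do is overwrite
    the low bits, which makes y != g**x mod p and is caught by verify()."""
    return (pow(g, x, p) & ~MASK) | secret


def host_chosen_keygen(modexp, secret):
    """Mitigation: the host draws x from its own RNG and the chip only exponentiates."""
    x = secrets.randbelow(P - 2) + 1
    return x, modexp(G, x, P, secret)


def verify(x, y):
    """Host-side recomputation (in software or on a second, independent chip)."""
    return pow(G, x, P) == y


def chance_matches(secret, samples=200):
    """How often an honest chip's output carries the byte by accident: chance level."""
    return sum(leaked_bits(host_chosen_keygen(honest_modexp, secret)[1]) == secret
               for _ in range(samples))
```

Note that verify() passes for the rigged chip's output, so recomputing g**x mod p only helps once x comes from the host rather than the accelerator.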



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:10:55