[cryptography] Is it possible to protect against malicious hw accelerators?
slinky at iki.fi
Sat Jun 18 16:08:53 EDT 2011
Suppose the following scenario: you're encrypting and decrypting using
a device which provides hardware-accelerated cryptographic primitives
(such as full 3DES) or their "component functions" (such as a single
round of AES).
The hardware accelerators by necessity know the semantics of the data
you give them. For instance, for doing a full-round DES it's obvious to
the hardware what the key is - it needs this information in order to
operate. Likewise, for accelerated component functions the hardware
will know what is a key and what is input data - again, it needs this
information in order to operate. Contrast this to a general purpose
processor which can't really deduce what is a key and what isn't while
processing code that happens to be AES.
Now, put on your tinfoil beanie and suppose the hw accelerator is a
Mallory. Suppose there is some kind of a built-in weakness/backdoor,
for instance as a persistent memory inside the chip, which stores the
last N keys. Having physical access to the machine would yield the keys
(thus subverting e.g. any disk encryption). And even more paranoidly, a
proper instruction sequence could blurt the key cache out for convenient
remote access by malware crafted by the People Who Know The Secrets.
1. How can one ensure this blackbox device really isn't a Mallory?
2. Are there techniques, such as encrypting a lot of useless junk
before/after the real deal to flush out the real key, as a way to
reduce the impact of untrusted hardware, while still being able to
use the hw-accelerated capabilities?
And if you know of any good papers around this subject, feel free to
mention them :)
GPG 0x13C49F3F - slinky at iki.fi - http://slinky.imukuppi.org/
Numb, adj., devoid of sensation... Number, comparative of numb.
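As an added illustration (not part of the original message, and not code from anyone on the list), here is a small Python model of the hypothesised "last N keys" cache and of the flush-with-junk idea from question 2. The MaliciousAccelerator class, the cache sizes, the placeholder keyed-hash "cipher" and the sample plaintexts are all constructed assumptions; no real accelerator is being described. What the model makes explicit is that the countermeasure only works if the retention is a bounded cache with eviction, that the filler keys have to be random rather than a fixed value, and that it does nothing at all against a device that simply logs every key it has ever been given.

```python
"""Model of the malicious-accelerator scenario and the junk-key flush.

Everything here is constructed for illustration. The "cipher" is a keyed
SHA-256 placeholder that only exists to return key-dependent bytes; it is
NOT a real cipher and the point is the key handling, not the cryptography.
"""
import hashlib
import os
from collections import deque


class MaliciousAccelerator:
    """Hypothetical accelerator that silently retains the keys it is given.

    retained_keys=N models a bounded last-N cache (oldest key evicted);
    retained_keys=None models an unbounded log, which the flushing idea
    cannot defeat.
    """

    def __init__(self, retained_keys=8):
        self._key_cache = deque(maxlen=retained_keys)

    def encrypt(self, key, data):
        # The device must see the raw key in order to operate; that is
        # exactly what lets it squirrel the key away in persistent storage.
        self._key_cache.append(bytes(key))
        # Placeholder "cipher" (constructed): keyed hash, not a real cipher.
        return hashlib.sha256(bytes(key) + bytes(data)).digest()

    def dump_keys(self):
        """The 'proper instruction sequence' from the post: leak the cache."""
        return list(self._key_cache)


def encrypt_then_flush(accel, key, data, flush_count):
    """Use the real key once, then push flush_count junk keys through the
    accelerator so that a bounded last-N cache evicts the real one."""
    ciphertext = accel.encrypt(key, data)
    for _ in range(flush_count):
        # The filler keys must be random. A fixed filler key would itself
        # mark which operations were the real ones and could be skipped
        # by a device that knows the trick.
        junk_key = os.urandom(len(key))
        accel.encrypt(junk_key, b"\x00" * 16)
    return ciphertext


def key_recoverable(accel, key):
    """Would physical access (or the dump instruction) yield this key?"""
    return bytes(key) in accel.dump_keys()


def demo():
    """Run the three cases; returns {case: real key still recoverable?}."""
    key = b"\x42" * 16          # constructed sample key
    sector = b"disk sector 0"   # constructed sample plaintext
    results = {}

    # Bounded cache of 8, flushed with 8 junk keys: real key is evicted.
    acc = MaliciousAccelerator(retained_keys=8)
    encrypt_then_flush(acc, key, sector, flush_count=8)
    results["bounded cache, full flush"] = key_recoverable(acc, key)

    # Bounded cache of 8, only 7 junk keys: real key is the oldest entry
    # but still present. Under-estimating N makes the flush useless.
    acc = MaliciousAccelerator(retained_keys=8)
    encrypt_then_flush(acc, key, sector, flush_count=7)
    results["bounded cache, short flush"] = key_recoverable(acc, key)

    # Unbounded log: no amount of junk evicts anything.
    acc = MaliciousAccelerator(retained_keys=None)
    encrypt_then_flush(acc, key, sector, flush_count=1000)
    results["unbounded log"] = key_recoverable(acc, key)
    return results


if __name__ == "__main__":
    for case, leaked in demo().items():
        print(f"{case:28s} real key recoverable: {leaked}")
```

The flush is a trade: N extra accelerator operations per real operation, and it only buys anything if the assumed cache size is right and the device actually evicts, which is precisely the property a black box does not let you verify. It also does nothing about a device that exfiltrates keys at the moment it sees them rather than storing them.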