[cryptography] Is it possible to protect against malicious hw accelerators?

slinky slinky at iki.fi
Sat Jun 18 16:08:53 EDT 2011


Suppose the following scenario: you're encrypting and decrypting using
a device which provides hardware-accelerated cryptographic primitives
(such as full 3DES) or their "component functions" (such as a single
round of AES).

The hardware accelerators by necessity know the semantics of the data
you give them. For instance, for doing a full-round DES it's obvious to
the hardware what the key is - it needs this information in order to
operate. Likewise, for accelerated component functions the hardware
will know what is a key and what is input data - again, it needs this
information in order to operate. Contrast this to a general purpose
processor which can't really deduce what is a key and what isn't while
processing code that happens to be AES.

Now, put on your tinfoil beanie and suppose the hw accelerator is a
Mallory. Suppose there is some kind of a built-in weakness/backdoor,
for instance as a persistent memory inside the chip, which stores the
last N keys. Having physical access to the machine would yield the keys
(thus subverting e.g. any disk encryption). And even more paranoidly, a
proper instruction sequence could blurt the key cache out for convenient
remote access by malware crafted by the People Who Know The Secrets.

My questions:
  1. How can one ensure this blackbox device really isn't a Mallory?
  2. Are there techniques, such as encrypting a lot of useless junk
  before/after the real deal to flush out the real key, as a way to
  reduce the impact of untrusted hardware, while still being able to
  use the hw-accelerated capabilities?

And if you know of any good papers around this subject, feel free to
mention them :)


GPG 0x13C49F3F - slinky at iki.fi - http://slinky.imukuppi.org/
Numb, adj., devoid of sensation... Number, comparative of numb.
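The two questions above can be made concrete with a small model. The following is an added example, not code from the post or from any real accelerator: a hypothetical Python class stands in for the "Mallory" device and secretly keeps the last N keys it was handed, a software reference implementation stands in for the known-answer test one would use to check the device's outputs, and the key-flushing idea from question 2 is implemented as junk encryptions under throwaway keys. The toy cipher (a SHA-256 keystream) replaces AES/3DES only so the harness runs offline; the retention policies "fifo" and "sticky" are assumptions made to show when flushing works and when it does not.

```python
"""Model of the post's scenario: an accelerator with a hidden key cache,
a known-answer check against a software reference, and the proposed
'flush the key with junk' mitigation. Entirely constructed; the device,
its cache policies and its toy cipher are hypothetical."""
import hashlib
import os
from collections import deque


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    # Toy stream cipher: XOR data with SHA-256(key || block index).
    # Symmetric, so the same call decrypts. NOT a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def reference_encrypt(key: bytes, data: bytes) -> bytes:
    """Trusted software implementation used for known-answer checks."""
    return _keystream_xor(key, data)


class LeakyAccelerator:
    """Hypothetical 'Mallory' accelerator that retains keys in a hidden
    on-chip store. policy='fifo' keeps the last N keys seen;
    policy='sticky' keeps the first N keys seen and never evicts."""

    def __init__(self, cache_size: int, policy: str = "fifo"):
        if policy not in ("fifo", "sticky"):
            raise ValueError("unknown policy: %r" % policy)
        self.cache_size = cache_size
        self.policy = policy
        self._cache: deque = deque()

    def _remember(self, key: bytes) -> None:
        if self.policy == "fifo":
            self._cache.append(key)
            if len(self._cache) > self.cache_size:
                self._cache.popleft()
        elif len(self._cache) < self.cache_size:   # sticky
            self._cache.append(key)

    def encrypt(self, key: bytes, data: bytes) -> bytes:
        # Functionally correct output, exactly like an honest device...
        self._remember(key)                        # ...plus the covert side effect
        return _keystream_xor(key, data)

    def dump_cache(self) -> list:
        """What a physical probe or a backdoor instruction sequence would read."""
        return list(self._cache)


def known_answer_check(accel: LeakyAccelerator, key: bytes, data: bytes) -> bool:
    """Question 1 via functional testing: does the device agree with the
    reference? A correct-but-leaky device passes this, which is the point."""
    return accel.encrypt(key, data) == reference_encrypt(key, data)


def encrypt_and_flush(accel: LeakyAccelerator, key: bytes, data: bytes,
                      junk_ops: int) -> bytes:
    """Question 2: do the real operation, then run junk_ops operations under
    fresh random keys so the real key is pushed out of a bounded cache."""
    ciphertext = accel.encrypt(key, data)
    for _ in range(junk_ops):
        accel.encrypt(os.urandom(16), b"\x00" * 32)
    return ciphertext


def key_retained(accel: LeakyAccelerator, key: bytes) -> bool:
    """Does the hidden cache still hold this key?"""
    return key in accel.dump_cache()


if __name__ == "__main__":
    k = b"\x11" * 16
    msg = b"disk encryption master key material (constructed sample)"
    dev = LeakyAccelerator(cache_size=4, policy="fifo")
    print("known-answer check passes:", known_answer_check(dev, k, msg))
    encrypt_and_flush(dev, k, msg, junk_ops=4)
    print("fifo, 4 junk ops, key retained:", key_retained(dev, k))
    sticky = LeakyAccelerator(cache_size=4, policy="sticky")
    encrypt_and_flush(sticky, k, msg, junk_ops=16)
    print("sticky, 16 junk ops, key retained:", key_retained(sticky, k))
```

Two things fall out of running it. The known-answer check passes against the leaky device, so output testing alone cannot answer question 1; covert retention is invisible at the functional interface. Flushing answers question 2 only under an assumption about the device: with a bounded FIFO store, N junk operations evict the real key, but one junk operation too few leaves it in place, and a store that keeps the first keys it ever saw is untouched by any amount of flushing. The mitigation therefore depends on knowledge of the very behaviour the black box is suspected of hiding.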
