[cryptography] Which encryption chips are compromised?

coderman coderman at gmail.com
Thu Dec 12 09:08:35 EST 2013


i see your skepticism, and i raise you a retort! ;)

i even have a list of candidates you can experiment with to confirm
Intel Ivy Bridge as best fit. [0]



On Wed, Dec 11, 2013 at 9:15 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> ...
> Suppose I'm the manager writing this document, reporting the expected
> accomplishments of my group.  We do cryptanalysis.

plus a few more things, e.g. your ~250-300million $USD/year budget goes toward:
"actively engag[ing] the US and foreign IT industries to covertly
influence and/or overtly leverage their commercial products' designs
[... to] make the systems in question exploitable through SIGINT
collection (e.g., Endpoint, MidPoint, etc.) with foreknowledge of the
modification. and, Insert vulnerabilities into commercial encryption
systems, IT systems, networks and endpoint communications devices used
by targets.

only with "foreknowledge of the modification" are you able to utilize
this backdoor. (NSA does not like to share)


also, this year by end of year, in 2013 you expect to:
- Make gains in enabling decryption and Computer Network Exploitation
(CNE) access to fourth generation/Long Term Evolution (4GL/LTE)
networks by inserting vulnerabilities.
- Complete enabling for [well recognized name] encryption chips used
in Virtual Private Network and Web encryption devices.
and last but not least,
- Shape the worldwide commercial cryptography marketplace to make it
more tractable to advanced cryptanalytic capabilities being developed
by NSA/CSS.

Ok, given those requirements. Who fits the bill?


High end platform:
http://www.techweekeurope.co.uk/news/intel-networks-high-end-platform-133501
"""
Intel targets what it believes is a significant growth opportunity to
bring the Intel Architecture into a rapidly evolving networking space.
...
Intel added to its portfolio with the introduction of the Highland
Forest platform, which combines the vendor’s Xeon E5-2600 v2 CPU with
its new Coleto Creek chipset. Price said Highland Forest – which can
pack up to 20 2.4GHz “Ivy Bridge” CPU cores – will offer two to six
times the performance of the previous Crystal Forest platform, which
was launched in October 2012.

Highland Forest, with Intel’s Data Plane Development Kit, can deliver
up to 255 million packets per second (p/s) – more than the 140 million
p/s from Crystal Forest – as well as security capabilities of 110
Gigabits per second of IPsec and 200 Gb/s SSL security for encrypted
traffic.
"""


IPsec (VPN) and SSL (Web crypto) and lots of it!  sounds interesting.
tell me more!


other market points of note:
- "Intel currently has over 15 SDN/NFV qualification trials underway
with carriers in all major regions.  Schooler emphasized that Intel
has no intention to sell directly to service providers and is fully
committed to launching an Intel Network Builders Ecosystem of industry
players supporting the Intel Architecture."

- "6WIND Announces Availability of Support for Intel® Xeon® Processor
Platform for Large-Scale Communications Infrastructure Systems,
Formerly Called “Highland Forest” 6WIND announces the availability of
support within the 6WINDGate™ software for the Intel® Xeon® Processor
Platform for Large-Scale Communications Infrastructure Systems,
formerly called “Highland Forest.” With its optimized support for the
Intel® QuickAssist Technology that provides hardware acceleration for
encryption and compression, 6WINDGate delivers best-in-class
performance for networking applications such as WAN optimization, VPN
appliances, firewalls and Unified Threat Management (UTM) systems." -
funny they seem to distance themselves from "Highland Forest" and "Ivy
Bridge" in this press release and product launch...  [
http://www.prweb.com/releases/2013/12/prweb11387583.htm ]

they sound interesting, like they sell to many industries at large
scale.  are they a popular company/product?

 ""“6WINDGate is already deployed in tens of commercial LTE networks
throughout Asia, Europe and North America, while also being used by
multiple tier-1 suppliers of enterprise and cloud networking
equipment.""


hey look, LTE! ...


ok, so that's a little suspect.  what's that, there's more you say?

https://plus.google.com/+TheodoreTso/posts/SDcoemc9V3J
"I am so glad I resisted pressure from Intel engineers to let
/dev/random rely only on the RDRAND instruction."
, "Oh, I should add that just today I had to fight back an attempt by
a Red Hat engineer to add a configuration option to blindly trust
RDRAND and bypass the entropy pool"

...

then the FreeBSD change of heart.

hey Wind River, how are you using RDRAND?



now what about Intel themselves, are they also pushing the chip?
"""
Intel officials are making aggressive moves to expand the reach of its
silicon beyond servers and into other parts of the data centre.
Schooler said the company has been making products for networking gear
for about a decade, and has made significant strides in recent years.

It’s also made several acquisitions – such as of Sensory Networks,
Ethernet chip maker Fulcrum Microsystems and networking software maker
Aepona, whose technology enables telecoms and cloud service providers
to offer more services on their networks.

Intel is looking to take advantage of the growth opportunity
networking represents, Schooler said. The market Intel is targeting is
about $16 billion (£9.7bn), and the chip maker currently has about 5
percent of it. Along with its x86 architecture, Intel also is
developing accelerator chips for such jobs as packet inspection and
encryption.
"""




whew.  that's a lot of context and circumstance.  let's look back over
your goals for 2013:

Make gains in enabling decryption and Computer Network Exploitation
(CNE) access to fourth generation/Long Term Evolution (4GL/LTE)
networks...
 - AFFIRMATIVE!

Complete enabling for [Intel Ivy Bridge] encryption chips used in
Virtual Private Network and Web encryption devices.
- AFFIRMATIVE!

Shape the worldwide commercial cryptography marketplace to make it
more tractable to advanced cryptanalytic capabilities being developed
by NSA/CSS.
- AFFIRMATIVE!


i will admit that i am continually impressed by NSA/SCS achievements.
they're extremely competent!



> If we're projecting success against FooBarCo chips' encryption sub-core,
> and everybody knows FooBarCo chips are used in both encryption and
> non-encryption products, it makes sense to cite the specific
> applications where FooBarCo chips are used.

agreed.



> However, in "for FooBarCo encryption chips used in VPN", the
> "encryption" seems to me to denote a special purpose chip, rather than a
> general purpose chip with an encryption sub-core.

my reading between the lines: it is not a special chip, it is a
special collection of many of them (20+) handling tier-1 core traffic
encryption, which is an excellent point to aggregate a vulnerability
in keying ciphers. (ignore public key for now, since we can just focus
directly on session/temporal keys!)




> "Cavium Networks" or "Cavium Nitrox" are approximately the right length
> to fit.  Other vendors that might be interesting include F5, Barracuda,
> Riverbed, Cisco SCA 11000, Radware (an Israeli/American company), and
> everybody listed on http://en.wikipedia.org/wiki/SSL_Acceleration


0.  please to be experimenting with datas:
Interface Masters Technologies
Freescale Semiconductor
Alteon SSL Accelerator
Nortel SSL Accelerator
Strangeloop Networks
Riverbed Technology
Coyote point systems
Crescendo Networks
Microchip PIC32MZ
Barracuda Networks
Kemp Technologies
STMicroelectronics
Check Point VPN-1
Sun Microsystems
Foundry Networks
Cavium Networks
Cavium NITROX
Juniper Networks
Nortel Networks
Array Networks
Intel Ivy Bridge <- only this is right length in justified context shown
Forum Systems
Cavium Nitrox
CAI Networks
A10 Networks
Cisco Systems
Citrix Systems
Sun SCA6000
MIFARE Plus
Network Box
Coleto Creek
F5 Networks
jetNEXUS
Cisco PIX
Radware
Cotendo
Exinda
Hifn
IBM


---


parting words:

"""
On April 17 at the Open Networking Summit, Intel executives laid out
the company’s strategy around data center networking and the
burgeoning trend of software-defined networking (SDN). They also
showed that their efforts will expand beyond simply supplying the
processors for networking hardware. The company unveiled reference
architectures designed to help enterprises, cloud service providers
and telecommunications companies more quickly create hardware and
software for SDN and network-function virtualization (NFV), moves that
could bring Intel into closer competition with the likes of networking
giant Cisco Systems and chip maker Broadcom.
 - http://www.eweek.com/networking/intel-makes-push-into-competitive-sdn-space/
"""


don't let them get away with it!

open up raw access to entropy sources!!

don't discriminate against the unit, one is prime!!!


More information about the cryptography mailing list