[16266] in cryptography@c2.net mail archive
Re: Linux-based wireless mesh suite adds crypto engine support
daemon@ATHENA.MIT.EDU (Bill Stewart)
Mon Oct 4 16:58:13 2004
X-Original-To: cryptography@metzdowd.com
Date: Thu, 30 Sep 2004 13:43:10 -0700
To: Jonathan Thornburg <jthorn@aei.mpg.de>
From: Bill Stewart <bill.stewart@pobox.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <Pine.LNX.4.21.0409301314350.24577-100000@xeon14.aei.mpg.de>
Peter Gutmann wrote:
> Tinfoil-hat mode.
Agreed, but some people want to be thorough, or pedantic, or paranoid.
At 04:20 AM 9/30/2004, Jonathan Thornburg wrote:
>UNDOCUMENTED_EVIL_WIRETAP_MODE can be just about impossible to spot
>without full design oversight. Even for a 3DES chip, where supposedly
>you can use deterministic test vectors to verify things, the following
>scheme due to Henry Spencer embeds an
>almost-impossible-to-spot-in-practice backdoor:
A somewhat simpler backdoor could be used in block chaining modes.
Occasionally output the data you're leaking instead of one or a few blocks
of cyphertext, and the CBC will glitch on it and then resync a few blocks
later; in many environments the application layer will correct for it,
e.g. IPSEC will lose a few packets, TCP will timeout and retransmit,
and 3 seconds later it's as if nothing happened except that
the private keypart has been leaked for the passive eavesdropper.
Bill Stewart bill.stewart@pobox.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
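Added example (not from the mail or from any product it discusses): a Go model of the glitch-and-resync behaviour Bill describes, using a hypothetical `leakyEngine` that substitutes one ciphertext block, plus the check a defender can run against a hardware engine: push the same data through a trusted software CBC and compare block by block. The comparison flags the substituted block even though, after decryption, CBC hides the damage after two blocks. Key, IV, plaintext and the leaked bytes are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

const bs = aes.BlockSize

// Trusted software reference: raw CBC, no padding (len(pt) % bs == 0).
func cbcEncrypt(blk cipher.Block, iv, pt []byte) []byte {
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(blk, iv).CryptBlocks(ct, pt)
	return ct
}

func cbcDecrypt(blk cipher.Block, iv, ct []byte) []byte {
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(blk, iv).CryptBlocks(pt, ct)
	return pt
}

// leakyEngine is a hypothetical engine with the behaviour the mail describes:
// correct CBC, except ciphertext block leakAt is replaced by `leak`.
func leakyEngine(blk cipher.Block, iv, pt []byte, leakAt int, leak []byte) []byte {
	ct := cbcEncrypt(blk, iv, pt)
	copy(ct[leakAt*bs:(leakAt+1)*bs], leak)
	return ct
}

// mismatchedBlocks is the defender's check: same input through the software
// reference, report every block where the engine's output disagrees.
func mismatchedBlocks(ref, engine []byte) []int {
	var bad []int
	for i := 0; (i+1)*bs <= len(ref) && (i+1)*bs <= len(engine); i++ {
		if !bytes.Equal(ref[i*bs:(i+1)*bs], engine[i*bs:(i+1)*bs]) {
			bad = append(bad, i)
		}
	}
	return bad
}

func main() {
	blk, _ := aes.NewCipher(bytes.Repeat([]byte{0x11}, 16)) // constructed key
	iv, pt := bytes.Repeat([]byte{0x22}, 16), bytes.Repeat([]byte("sixteen byte blk"), 6)
	ct := leakyEngine(blk, iv, pt, 2, bytes.Repeat([]byte{0xAA}, 16)) // constructed leak
	// Engine vs reference flags [2]; decrypting shows only blocks [2 3] damaged.
	fmt.Println(mismatchedBlocks(cbcEncrypt(blk, iv, pt), ct), mismatchedBlocks(pt, cbcDecrypt(blk, iv, ct)))
}
```

Comparing against a software reference on live traffic (not just published test vectors) is what catches an engine that misbehaves only occasionally.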