[Cryptech Tech] goals / use cases

Peter Gutmann pgut001 at cs.auckland.ac.nz
Wed Jan 28 22:21:14 UTC 2015


Joachim Strömbergsson <joachim at secworks.se> writes:

>I'm not worried cores in the SoC don't conform to FIPS 197 or FIPS 180-4 for
>example.

I am.  The DSA/ECDSA family (paranoia: thoughtfully provided to us by the NSA)
is a perfect host for any manner of subliminal channels for leaking keys.  

>If they did somebody would find out very fast.

No they wouldn't.  You can perform infinite amounts of black-box testing and
not be able to detect them.  This is something where you really do need to
trust (or verify) your implementation.  This is why I pointed out that the AES
and SHA-1 cores were deterministic, which makes them safe (enough) to use.
DSA/ECDSA are nondeterministic and very easy to slip subliminal channels into,
which is why if you do anything in an FPGA you'd want it to be these ones.

(Incidentally, your Reply-to is set badly, it redirects replies off-list).

Peter.
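The mitigation Peter's argument points to is to remove the nondeterminism from DSA/ECDSA entirely, so that a signing core can be checked against known-answer vectors exactly like the AES and SHA cores. The block below is an added illustration, not code from this thread or from the Cryptech project: it implements the RFC 6979 deterministic nonce derivation for P-256/SHA-256 and a `check_core` helper (a name assumed here) that compares an opaque core's nonce with the reference value.

```python
import hashlib
import hmac
import secrets

# Group order of P-256 (a public curve constant).
P256_ORDER = 0xFFFFFFFF00000000FFFFFFFFFFFFFFFFBCE6FAADA7179E84F3B9CAC2FC632551


def _bits2int(b: bytes, qlen: int) -> int:
    """RFC 6979 bits2int: take the leftmost qlen bits of b as an integer."""
    x = int.from_bytes(b, "big")
    blen = len(b) * 8
    return x >> (blen - qlen) if blen > qlen else x


def rfc6979_nonce(priv: int, msg: bytes, q: int = P256_ORDER, hashfn=hashlib.sha256) -> int:
    """Deterministic ECDSA nonce k per RFC 6979 section 3.2 (HMAC-DRBG style)."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    h1 = hashfn(msg).digest()
    hlen = len(h1)
    x = priv.to_bytes(rlen, "big")                          # int2octets(x)
    h = (_bits2int(h1, qlen) % q).to_bytes(rlen, "big")     # bits2octets(h1)
    V = b"\x01" * hlen
    K = b"\x00" * hlen
    K = hmac.new(K, V + b"\x00" + x + h, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    K = hmac.new(K, V + b"\x01" + x + h, hashfn).digest()
    V = hmac.new(K, V, hashfn).digest()
    while True:
        T = b""
        while len(T) * 8 < qlen:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = _bits2int(T, qlen)
        if 1 <= k < q:
            return k
        # Candidate out of range: re-key and try again, as the RFC specifies.
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


def check_core(core_nonce, priv: int, msg: bytes) -> bool:
    """Known-answer test: does an opaque core's nonce equal the RFC 6979 value?

    A core that draws k at random cannot pass this (or any) known-answer test,
    which is exactly why its nonce choice is unverifiable from the outside.
    """
    return core_nonce(priv, msg) == rfc6979_nonce(priv, msg)


# Constructed stand-in for a nondeterministic core: picks k at random.
def random_k_core(priv: int, msg: bytes) -> int:
    return secrets.randbelow(P256_ORDER - 1) + 1
```

The private key and expected k for message "sample" in the test are the P-256/SHA-256 vector from RFC 6979 Appendix A.2.5.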
