Surreptitiously Tampering with Computer Chips

For discussions about security.
Post Reply
Message
Author
User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

Surreptitiously Tampering with Computer Chips

#1 Post by Flash »

https://www.schneier.com/crypto-gram-1310.html#15
https://plus.google.com/117091380454742 ... Dcoemc9V3J /dev/random does not use Intel's RDRAND instruction.
http://cm.bell-labs.com/who/ken/trust.html You can't trust code you didn't write? Say it isn't so!

nooby
Posts: 10369
Joined: Sun 29 Jun 2008, 19:05
Location: SwedenEurope

#2 Post by nooby »

Flash thanks for letting us know.

It shows how utterly careful one have to be
if one have something to hide. Fortunately
I only have such secrets as being a total noob
and very naive and too talkative and verbose
but that is only a secret to me and obvious to
everybody else. Still integrity is important due to
the identity theft allowing people to buy things
in your name if they know enough about you.
I use Google Search on Puppy Forum
not an ideal solution though

User avatar
RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

Re: Surreptitiously Tampering with Computer Chips

#3 Post by RetroTechGuy »

Flash wrote:https://www.schneier.com/crypto-gram-1310.html#15
https://plus.google.com/117091380454742 ... Dcoemc9V3J /dev/random does not use Intel's RDRAND instruction.
http://cm.bell-labs.com/who/ken/trust.html You can't trust code you didn't write? Say it isn't so!
But, would this hardware tampering "break" software driven PRNGs? (e.g. Schneier's Yarrow).
[url=http://murga-linux.com/puppy/viewtopic.php?t=58615]Add swapfile[/url]
[url=http://wellminded.net63.net/]WellMinded Search[/url]
[url=http://puppylinux.us/psearch.html]PuppyLinux.US Search[/url]

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#4 Post by Flash »

I don't think so. I can see that it would be extremely time-consuming to determine just how "random" the numbers generated by a RNG really are. So anyone using a RNG just assumes the numbers are truly "random." But if the NSA know that an encryption program uses "random" numbers that are far less random than everyone assumes, it may make their job of breaking the encryption easier. Of course, it would make any snoop's job easier, and it would impact algorithms that have nothing to do with encryption or security but depend on the random number generator.

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#5 Post by Sylvander »

QUOTE...
From 3rd link in 1st post:
"The act of breaking into a computer system has to have the same social stigma as breaking into a neighbor's house.
It should not matter that the neighbor's door is unlocked.
"
It's my understanding that...
Under English and Scottish law...
You do not [cannot be accused of] breaking into an UNLOCKED premises/house.
e.g. If a stranger walks into to your unlocked house.
You can ask them to leave, and they MUST leave when asked, or...
You can use minimum force [and escalate if necessary] to get them out.
But they have committed no offense by entering.

Is it the same with computers?

User avatar
Flash
Official Dog Handler
Posts: 13071
Joined: Wed 04 May 2005, 16:04
Location: Arizona USA

#6 Post by Flash »

I don't know anything about English or Scottish law, but if you can't be accused of breaking and entering an unlocked house, surely you can be accused of trespassing. Any cop can find a law to suit the occasion.

Jasper

#7 Post by Jasper »

Unchecked, from memory of exams well over 50 years ago - under English law "trespass" is a tort (of which the simple definition is "a civil wrong other than breach of contract", but it's far from simple).

Sylvander
Posts: 4416
Joined: Mon 15 Dec 2008, 11:06
Location: West Lothian, Scotland, UK

#8 Post by Sylvander »

Trespass Scottish
QUOTE:
"Section 3 of the Act makes it an offence for any person to lodge in any premises, or occupy or encamp on any land, being private property, without the consent of the owner or legal occupier. While the the use of the words lodge, occupy and encamp could be taken to imply a degree of permanency on the part of the trespasser, their scope could possibly be construed to apply to loitering by a determined lawyer if one did anything other than access, or cross over such property for example."

This is a whole different ball game from simply entering/accessing without breaking in, or tampering with a lock, or using something other than the "true key".

User avatar
RetroTechGuy
Posts: 2947
Joined: Tue 15 Dec 2009, 17:20
Location: USA

#9 Post by RetroTechGuy »

Flash wrote:I don't think so.
That's what I thought. If you rely on hardware encoding, you have a hardware "password" that can be cracked. If you rely entirely on software, that can be customized for every use (generate their own random number/keyring).

Depending on implementation, that may not prevent a targeted attack against an individual, but it would limit the ability to perform widespread snooping.
I can see that it would be extremely time-consuming to determine just how "random" the numbers generated by a RNG really are. So anyone using a RNG just assumes the numbers are truly "random." But if the NSA know that an encryption program uses "random" numbers that are far less random than everyone assumes, it may make their job of breaking the encryption easier. Of course, it would make any snoop's job easier, and it would impact algorithms that have nothing to do with encryption or security but depend on the random number generator.
Well, they numbers have to be pseudorandom, otherwise you can't ever reproduce the string. A true random "seed" is a good idea.

Schneier knows enough to avoid the main pitfalls -- that's how he broke the MS "secure server" that they touted as unbreakable. He broke their old/dated PRNG, which allowed him rapid access.

"Why Cryptography Is Harder Than It Looks"

https://www.schneier.com/essay-037.html
[url=http://murga-linux.com/puppy/viewtopic.php?t=58615]Add swapfile[/url]
[url=http://wellminded.net63.net/]WellMinded Search[/url]
[url=http://puppylinux.us/psearch.html]PuppyLinux.US Search[/url]

Post Reply