On Mon, Jan 14, 2008 at 01:48:29PM +0100, oguh@xxxxxxx wrote:
>
> > > However, it got me thinking whether I trust these solutions. I
> > > inherently feel more secure when using software I wrote and compiled
> > > myself than using hardware. But what's the difference when the
> > > bitstream that tumbles out at both ends -- AES hardware and AES
> > > software -- are identical?
> >
> > Ciphers in hardware are generally not a problem, except for local
> > attacks.
>
> This is pretty naive. Every modern hardware device contains software stored,
> for example, in EEPROMs or flash. If a malicious piece of software is good
> enough it can do a lot of possible things that need not only
> local attacks.

I would consider these local attacks. You do not?

> > I am sure the enemies of freedom sure would like to have backdoors
> > in everything. But having a backdoor in a block cipher in hardware
> > is only possible if the cipher itself has the backdoor. AES is a
> > 1:1 mapping and cannot have a backdoor that always works. It
> > could (theoretically) have one that compresses the data and then
> > embeds something in the bits gained. However the AES structure
> > does not seem to do that.
>
> There are a lot of possible attacks for malicious implementations.
> It can for example store the AES key in a flash memory on the hardware
> and reveal it on special commands, or it can be exploited by side-channel
> attacks.

The flash again is a local attack. As to side channels, this is disk
encryption. Sure, if it was something going over the network, leaking
key material via timing information would be easy. However, serving,
e.g., websites from an encrypted disk is a very bad idea in the first
place. If you do such a thing, there could be a side channel.

> I have the same objections as Clemens. It's pretty hard to verify
> side-channel security and find backdoors in hardware without really
> good documentation like VHDL layout and auditable microcode.

The objections actually go one step further. After all, the design
documents would be doctored and, unlike software available as source
code, hardware is not easily analysed or checked to match its supposed
documentation.

Arno
--
Arno Wagner, Dipl. Inform., CISSP --- CSG, ETH Zurich, arno@xxxxxxxxxxx
GnuPG: ID: 1E25338F  FP: 0C30 5782 9D93 F785 E79C 0296 797F 6B50 1E25 338F
----
Cuddly UI's are the manifestation of wishful thinking. -- Dylan Evans

If it's in the news, don't worry about it. The very definition of "news" is
"something that hardly ever happens." -- Bruce Schneier

---------------------------------------------------------------------
dm-crypt mailing list - http://www.saout.de/misc/dm-crypt/
To unsubscribe, e-mail: dm-crypt-unsubscribe@xxxxxxxx
For additional commands, e-mail: dm-crypt-help@xxxxxxxx