Cryptography Expert Sounds Alarm At Possible Math Hack 236
netbuzz writes "First we learn from Bruce Schneier that the NSA may have left itself a secret back door in an officially sanctioned cryptographic random-number generator. Now Adi Shamir is warning that a math error unknown to a chip makers but discovered by a tech-savvy terrorist could lead to serious consequences, too. Remember the Intel blunder of 1996? 'Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be "trivially broken with a single chosen message." Executing the attack would require only knowledge of the math flaw and the ability to send a "poisoned" encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.'"
Original article (Score:5, Informative)
Re:how many encryption schemes us floating point? (Score:2, Informative)
The point the OP was trying to say was that if the error is in the FPU, that isn't used for integer calculations at all, and so wouldn't be exercised by security code. I don't know if this is true, but for instance RSA in theory is all integers.
Re:Original article (Score:3, Informative)
There are no terrorist mentioned!! Sensationalist networkworld...
Pentium FDIV Bug (Score:2, Informative)
Re:how many encryption schemes us floating point? (Score:3, Informative)
Yet the claim is that an actual error in the implementation of elementary amthematical operations on the processor could weaken a cryptographic algorithm run on that processor, even if the algorithm itself is implemented flawlessly in source. Therefore the relevant question remains "where are processor bugs most likely to occur?"
Also, floating point math is exact since floating points representations (like IEEE 754) are eventually all calculations and representations in bits which are always exactly reproducible. Also irrelevant - most applications of floating point rely on the fact that floating point numbers are sufficiently precise approximations of the reals, therefore they base their algorithms on real-number math (with hedges built in to protect against numerical instability) and are satisfied with inexact answers. Encryption algorithms depend the exact answers produced, and would therefore have to be based on the specific IEEE-specified behavior of a specific precision of floating point number. While such an encryption scheme is possible, it strikes me as unlikely and unnecessarily complex.
Re:how many encryption schemes us floating point? (Score:5, Informative)
Re:Random Numbers in .NET and in General (Score:3, Informative)
Comment removed (Score:1, Informative)
Re:first post. TFA = WTF? (Score:3, Informative)
Re:Random Numbers in .NET and in General (Score:3, Informative)
Re:NSA "Suite A" is the real problem. (Score:3, Informative)
2) is about specific cases where particular categories of mathematical failures actually lead to the compromising of the private key, which is significantly more dangerous. It is not about utilitising typical exploits like buffer overflows to take over and kind of security software. For example, once they private key is known, it may allow the third party to fake messages appearing to originate from the target of the attack.
3) indeed, the problem here is typically relating to very specific edge conditions, eg overflows, underflows, carries which are handled incorrectly, and have been known to go undetected for years. If you do not believe there are issues in the microcode, take a quick look at the current errata list for the Core2Duo [intel.com], showing many unfixed bugs (and many of them unimportant due to the impossibility of them occurring in modern operating systems).
As for "installing bad microcode", the microcode is something done purely from the software each time the OS boots into volatile memory on the cpu, and so is reset back to the original shipping microcode each time the machine is power-cycled.
If an adversary has access to the booting OS to update the microcode, the adversary already has access to superuser priveleges on your system anyway, so I feel it is irrelevant.