From: "Timothy C. May" <tcmay@got.net>
Date: Fri, 1 Nov 1996 18:42:37 -0800 (PST)
To: cypherpunks@toad.com
Subject: Re: New Bihman-Shamir Fault Analysis Paper
In-Reply-To: <v03007804ae9e6eb1b360@[204.246.66.47]>
Message-ID: <v03007801aea06461b8d2@[207.167.93.63]>
MIME-Version: 1.0
Content-Type: text/plain


At 4:18 PM -0800 11/1/96, Martin Minow wrote:
>There is an inherent conflict between two claims that are
>central to the fault-analysis paper(s):
>   "the secret key [is] stored in a tamperproof cryptographic device"
>and
>   "the cryptographic key is stored in an asymmetric type of
>    memory, in which induced faults ..."
>
>If the device is truly tamperproof, the attacker should not
>be able to induce faults.  Even given susceptable "consumer-

OK, so the authors might have better used the phrase "putatively
tamperproof." Or the more accepted modern phrase, "tamper-resistant."

As with safes, castles, and "bulletproof vests," all claims of absolute
security are dubious.

What the Bellcore and Biham-Shamir (and other, reportedly) attacks have
done is to show another vector by which "tamperproof" is not.

>quality" devices, it would be trivial to store the cryptographic keys
>in a redundant memory configuration, such as ECC "error-correcting
>code" memory that can self-correct a range of failures and detect
>a much wider range. It would also seem reasonable to protect the
>cryptographic core (algorithms and data) with a digital signature
>that would "crash" the device, rather than proceed with incorrect
>key information.

Faults can be induced as well in logic devices. I agree that redundancy can
be added to logic devices (I worked on this for Intel a while back), but
this would require an almost complete re-doing of smartcard processors.
(For starters, imagine implementing triple redundancy in smartcards....not
cheap.)

Again, what these recent attacks show is a theoretical avenue by which
nominally tamper-resistant cards may have their defenses breached. Whether
this is an important threat depends on a bunch of factors. Whether
cardmakers change their chips also depends on a bunch of factors.

--Tim May


P.S. A while back there were a bunch of posts with the title "Professor
Shamir Arrested." Was it ever established whether or not the arrested
Shamir was in fact _our_ Adi Shamir? And what the charges were?






"The government announcement is disastrous," said Jim Bidzos,.."We warned IBM
that the National Security Agency would try to twist their technology."
[NYT, 1996-10-02]
We got computers, we're tapping phone lines, I know that that ain't allowed.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay@got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
W.A.S.T.E.: Corralitos, CA  | knowledge, reputations, information markets,
Higher Power: 2^1,257,787-1 | black markets, collapse of governments.
"National borders aren't even speed bumps on the information superhighway."