It's Still a Theory, but Hardware Errors Could Lead to Security Vulnerabilities
I think many of us have come to assume that any complex software contains vulnerabilities. We're used to patching operating systems, databases, and other applications. Now one of the inventors of the RSA public key encryption algorithm has conjectured that errors in hardware design of microprocessors can lead to exploitable errors in hardware.
From the New York Times:
A subtle math error would make it possible for an attacker to break the protection afforded to some electronic messages by a popular technique known as public key cryptography.
and
Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be “trivially broken with a single chosen message.”Executing the attack would require only knowledge of the math flaw and the ability to send a “poisoned” encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.
With this approach, “millions of PC’s can be attacked simultaneously, without having to manipulate the operating environment of each one of them individually,” Mr. Shamir wrote.
I'm not losing any sleep over this now, but it calls the question of hardware vulnerabilities. There has been speculation over the years that quantum computing could render today's best encryption essentially useless but that is still a long way off. Hardware vulnerabilities may be with us today.
Can some flaws be patched with through firmware? If so, what about trusted computing platform devices that should be inviable? At some point we need to trust something in our software/hardware stack. Mr. Shamir is saying that may not be an option.
Email This!
Digg it!
Sphere it!
Del.icio.us
Reddit!
Newsvine
