6

I've discovered that a client has SEED enabled in their SSL ciphers, and would like to know a bit more about it from a security perspective. The Wikipedia article doesn't mention any flaws, yet I've found two papers that demonstrate attacks - a differential fault analysis, which is fast but has infeasible requirements, and another differential attack that breaks 8 rounds.

For example, this paper says you can do key recovery by injecting faults into the input registers of the G function. What does that entail at a practical level?

Am I missing anything else? Is there anything I should warn them of?

Glorfindel
Polynomial

2 Answers

4

A fault injection attack is based on the fact that you have a healthy black box on which you can do queries, but you can mess with the black box, for example flipping random bits.

In real life this could, for example, be an RFID chip which can be messed with using strong electronic fields. Attacks like these are generally:

  1. Very sophisticated in theory and equipment.
  2. Only apply to "black box models"; you have a side channel into the crypto device, but can't actually access the key.

Other than that, I'm not aware of any successful cryptanalysis against full-round SEED. So my suggestion is to warn your client of the hardware side-channel attacks (but since the question is about SSL I don't think it's applicable), but also make sure their software implementation is side-channel free.

orlp
4

There are two papers on conventional differential cryptanalysis of SEED. The last one penetrates only half of the cipher. Even though there are few third-party cryptanalysis papers, there is no indication that the cipher is weak. Fault attacks are quite irrelevant in the SSL setting. I would be more concerned with BEAST-like attacks, as SEED is a blockcipher, and SSL is well known to be weak in this aspect.

Dmitry Khovratovich
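
For the audit the question describes and the CBC concern raised in the second answer, a sketch of how a reviewer could triage a server's suite list (an added example, not part of either answer and not OpenSSL code). It parses text in the layout printed by `openssl ciphers -v`; the function names, the tag names and the sample listing are constructed for illustration.

```python
import re

# Constructed sample, in the column layout printed by `openssl ciphers -v`.
SAMPLE = """\
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH Au=RSA Enc=AESGCM(128) Mac=AEAD
AES128-SHA                  SSLv3   Kx=RSA  Au=RSA Enc=AES(128)    Mac=SHA1
DHE-RSA-SEED-SHA            SSLv3   Kx=DH   Au=RSA Enc=SEED(128)   Mac=SHA1
SEED-SHA                    SSLv3   Kx=RSA  Au=RSA Enc=SEED(128)   Mac=SHA1
RC4-SHA                     SSLv3   Kx=RSA  Au=RSA Enc=RC4(128)    Mac=SHA1
"""

ENC_RE = re.compile(r"Enc=([^(\s]+)(?:\((\d+)\))?")
NON_BLOCK = {"RC4", "None"}  # stream cipher / no encryption


def parse_line(line):
    """Split one `openssl ciphers -v` line into fields, or None if malformed."""
    parts = line.split()
    if len(parts) < 3:
        return None
    fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
    m = ENC_RE.search(line)
    if not m or "Mac" not in fields:
        return None
    return {"name": parts[0], "proto": parts[1], "enc": m.group(1),
            "bits": int(m.group(2) or 0), "mac": fields["Mac"]}


def audit(text):
    """Return (suite, tags) for suites using SEED or a CBC-mode block cipher."""
    findings = []
    for line in text.splitlines():
        s = parse_line(line)
        if s is None:
            continue
        tags = []
        if s["enc"] == "SEED":
            tags.append("seed")
        # Heuristic (assumption): in this listing a non-AEAD suite whose
        # cipher is not a stream cipher is a block cipher in CBC mode.
        if s["mac"] != "AEAD" and s["enc"] not in NON_BLOCK:
            tags.append("cbc")
            if s["proto"] == "SSLv3":  # suite defined from SSL 3.0 onward
                tags.append("cbc-pre-tls1.1")
        if tags:
            findings.append((s["name"], tags))
    return findings


if __name__ == "__main__":
    for name, tags in audit(SAMPLE):
        print(f"{name:20} {','.join(tags)}")
```

The `cbc-pre-tls1.1` tag only marks suites that can be negotiated under SSL 3.0 or TLS 1.0; whether those protocol versions are actually enabled on the server has to be checked separately.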