The secret's out for secure chip design

Summary: An American-designed chip made in China and used for military security has a secret back door. We may never find out who did it: it doesn't matter.

The story that Cambridge researchers have identified a back door in a military chip made in China is stirring up a lot of interest, verging on the sensationalist.

It's too soon to say whether that story is true, but the Cambridge security group has a superb track record in finding and disclosing this level of vulnerability, and it's been accepted for a peer-reviewed conference. For now, it's safe to assume that what they say they found, they found.

Does this mean that the Chinese have control of our military information infrastructure? No: it means that one particular chip has an undocumented feature. An unfortunate feature, to be sure, to find in a secure system — but secret ways in have been built into security systems for as long as such systems have existed.

It's not possible, for example, to say who put the back door in there. It could have been the company who designs the chips in the US. It could have been the Chinese who made it. It could have been someone involved in programming the chip. It could have been the Tongans, with an agent involved somewhere in the chain of third-party hardware, software and verification tools that all chip designers, makers and programmers rely on.

Any security expert will tell you that you have to consider the entire chain that information flows through when trying to lock things down. Enigma, used properly, would have resisted Bletchley Park's efforts to crack it for far longer than it did; it was compromised by poor procedures over use and key management. The American and British codes were even more badly managed. Even then, 70 years ago, trying to create and maintain a complete secure system across a warring military was at the limit of human capabilities.

These days, characterising the information chain for a modern, high-performance chip defies analysis. No one organisation — indeed, no one country — can create and verify everything involved from idea to finished product.

At each stage, highly developed and opaque computerised aids take human ideas, convert them into usable form and put them together, and each stage has the potential to introduce and hide covert channels. The engineers involved are as likely to come from Shanghai, Haifa or Dnepropetrovsk as Surrey, Harvard or Detroit. Yet no organisation or country can afford not to use the latest techniques in the race to get and keep an advantage, or can pass up the brightest and the best brains.

Does this make us in the West vulnerable to sophisticated attack from China or another technologically advanced nation? It does: but the same's just as true for everyone else. The Chinese are no less vulnerable to attacks by us, and neither side is safe against the sort of long-term deep penetration by highly skilled individuals that regularly took place during the Cold War.

Nobody is safe from anybody, unless we find a way where it's in everyone's best interests to work together through trust and mutual advantage. That will at least put the odds back in our favour.

Welcome to the 21st century, where knowing each other's secrets will keep us from disaster. Some things don't change.


About

Editor, ZDNet UK. Ex technology/technical editor of ZDNet UK, IT Week, PC Magazine, Computer Life, Mac User, Alfa Systems, Amstrad, Sinclair. Micronet 800, Marconi Space and Defence Systems, and a dodgy TV repair shop in the back streets of Plymouth. Can still swap out a gassy PL509 with the best of 'em. Dear Reader - contact me via our m...
