[cryptography] philosophical question about strengths and attacks at impossible levels

Marsh Ray marsh at extendedsubset.com
Wed Nov 24 01:43:14 EST 2010


On 11/23/2010 04:31 PM, travis+ml-rbcryptography at subspacefield.org wrote:
> On Sat, Nov 20, 2010 at 01:10:53PM +1000, James A. Donald wrote:
>> Ian G wrote:
>>> The result of 15-20 years is that nobody has ever lost money
>>> because of a cryptographic failure, to a high degree of
>>> reliability.
>>
>> How about all the money lost because Wifi security does not work?
>
> How about accounts broken into because of: LANMAN password hashing?

Definitely some problems with the LANMAN and NTLMv1 and v2. But in 
fairness, the were not really designed for use over hostile networks in 
the first place.

How about all the weak and insufficiently seeded RNGs out there?
http://www.techwarelabs.com/blackhat-2010-%E2%80%93-smb-ntlm-weak-nonce/

> Non-salted (or iterated, or memory-hard) password hashes?

I think that counts, but only to the extent that the basic premise (that 
passwords possess sufficient entropy to be thought of as cryptographic 
primitives) is credible.

> Cost of
> replacing DES?

DES was published in 1975, intentionally weakened to 56 bit keys. First 
public crack came 22 years later using ~14000 PCs.

Transition to 3DES and now, 35 years later, the best attack on 3DES 
takes 2^113 work.
"NIST considers (3DES) keying option 1 to be appropriate through 2030".

I think we got our money's worth.

> I think Denning made a similar observation after working on database
> security; that attackers didn't attack in the ways you thoughtfully
> defined for them, they flow around your strong defenses like water.

Attack and defense are two sides of the same coin. There's not a way to 
advance one without advancing the other. Or if there is, it's the attack 
side that tends to lead.

> However, given that (e.g.) network crypto was designed to deal with
> the "sniffer on a core router" attack (no reference, sorry, think it
> was mid-90s),

Undoubtedly people have thought that way over the years, and many still 
do. But if that were indeed the case, why have we funded a $B++ CA 
industry all these years? You can defeat passive eavesdropping with 
anonymous crypto.

> I think the fact that we haven't seen too many of
> these stories any more suggests that the solution worked, not that
> the solution was misguided in some way.

We don't really have systems in place to detect passive eavesdropping.

A "core router" is presumably using dedicated ASICs to route a lot of 
bandwidth. Even if you pwned one, it might not have much extra capacity 
to help you selectively filter specific traffic to monitor. To get info 
of it reliably you would need some high-end gear, which would need to be 
colocated or have some other connection of equivalent bandwidth to the 
core router. Which puts this attack out of reach of most script kiddies 
and makes it the domain of insiders and well-funded entities.

Or maybe it actually is happening, and we know it is happening, yet it 
represents a truth so large that we find it difficult to accept?
http://www.wired.com/science/discoveries/news/2006/05/70944
http://www.uscc.gov/annual_report/2010/Chapter5_Section_2%28page236%29.pdf

> IMHO, having attackers move to other systems (or attack parts of a
> system you designed), is a sign of success, not failure.  If you
> designed that system (or part), that's the best possible outcome.
>
> A few parting thoughts.
>
> The vast majority of government equipment is COTS; economics of
> scale enforce this.

Yeah the US government needs very secure COTS systems more than anybody.

> Absence of evidence is not evidence of absence.

Sometimes it can be. For example, if you run a honeypot and have a good 
experimental design. Or if your attackers can be expected to actually 
attempt a bank transaction within a short timeframe, or brag to all 
their buddies about their l33t hack.

> Not everything that can be counted counts, and not everything that
> counts can be counted.
>
> As measured in Internet time, an installed base's half-life is
> forever.
>
> Successful systems tend to be evolutionary rather than revolutionary
> when there's a non-trivial ecosystem around them.

These don't bode well for the adoption of IPv6!

> A successful system is used in ways its designers never imagined.

E.g., NTLM being used for VPN authentication.

> Resistance to a unforseen class of attack is basically chance.

Or worse, it's a one-time accident of design against an intelligent 
adaptive human adversary.

> Is doing more of what you're already good at necessarily a bad
> strategy?

It's a guaranteed way to get outdated in 18-36 months.

- Marsh



More information about the cryptography mailing list