[cryptography] Non-governmental exploitation of crypto flaws?
smb at cs.columbia.edu
Mon Nov 28 17:56:13 EST 2011
On Nov 27, 2011, at 11:00 49PM, Peter Gutmann wrote:
> Steven Bellovin <smb at cs.columbia.edu> writes:
>> Does anyone know of any (verifiable) examples of non-government enemies
>> exploiting flaws in cryptography?
> Could you be a bit more precise about what "flaws in cryptography" covers? If
> you mean exploiting bad or incorrect implementations of crypto then there's so
> much that I barely know where to start, if it's actual cryptanalytic attacks
> on anything other than toy crypto (homebrew ciphers, known-weak keys, etc)
> then there's very little around. If it's something else, you'd have to let us
> know where the borders lie.
I'm writing something where part of the advice is "don't buy snake oil crypto,
get the good stuff". By "good" I mean well-accepted algorithms (not "proprietary
for extra security!"), and protocols that have received serious analysis. I also
want to exclude too-short keys. But -- honesty requires that I define the threat
model. We *know* why NSA wanted short keys in the 1990s, but most folks are not
being targeted by <pick your favorite SIGINT agency>, and hence don't have a
major worry. So -- is there a real threat that people have to worry about? The
TI example is a good one, since it's fully verified. The claim has been made in
the foxit blog, but as noted it's not verified, merely asserted. WEP? Again, we
all know how bad it is, but has it really been used? Evidence? For GSM, is there
something I can footnote about these kits? Is anyone using BEAST? Did anyone
use the TLS renegotiate vulnerability? A lot of the console and DRM breaks were
flaws in the concept, rather than the crypto. Password guessing doesn't count...
--Steve Bellovin, https://www.cs.columbia.edu/~smb