[cryptography] Non-governmental exploitation of crypto flaws?

Marsh Ray marsh at extendedsubset.com
Mon Nov 28 18:58:53 EST 2011

On 11/28/2011 04:56 PM, Steven Bellovin wrote:
> I'm writing something where part of the advice is "don't buy snake
> oil crypto, get the good stuff".  By "good" I mean well-accepted
> algorithms (not "proprietary for extra security!"), and protocols
> that have received serious analysis.  I also want to exclude
> too-short keys.

> But -- honesty requires that I define the threat model.  We *know*
> why NSA wanted short keys in the 1990s, but most folks are not being
> targeted by <pick your favorite SIGINT agency>, and hence don't have
> a major worry.

But where's the evidence of that claim?

AFAICT there is evidence of widespread wiretapping in the world. From
extra equipment closets in AT&T buildings to "Carnivore" AKA "Omnivore"
NSA programs. That's to say nothing of someone traveling
internationally. If you are a tech, aerospace, or military company in
the West, you should expect state-sponsored adversaries to rattle
your doorknobs on a regular basis.

Furthermore, some of the largest distributed supercomputers in the world
are botnets or on-line game systems now. The days of Western
intelligence agencies having unambiguously greater brute-force
capabilities than "The Bad Guys^TM" are drawing to a close. The
purported RSA factorization is a sign of that.

> So -- is there a real threat that people have to worry about?  The TI
> example is a good one, since it's fully verified.

Funny, that one sounds to me like a failed model. This idea of keeping
secrets locked in a plastic box while simultaneously selling it to
millions of consumers has failed every time it has been tried.

> The claim has been made in the foxit blog, but as noted it's not
> verified, merely asserted.

If we can't get clarification, perhaps we can obtain some samples of the
malware and confirm it ourselves.

> WEP?  Again, we all know how bad it is, but has it really been used?
> Evidence?

Yes, WEP was a confirmed vector in the Gonzales TJX hack:
> http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx

> number of affected customers had reached 45.7 million [9] and has
> prompted credit bureaus to seek legislation requiring retailers to
> be responsible for compromised customer information saved in their
> systems. In addition to credit card numbers, personal information
> such as social security numbers and driver's license numbers from
> 451,000 customers were downloaded by the intruders. The breach was
> possible due to a non-secure wireless network in one of the stores.

> Is anyone using BEAST?

Not to my knowledge.

> Did anyone use the TLS renegotiate vulnerability?

I have spoken with pentesters who have used it successfully. Not on your
typical web site.

And it's still out there.
For example, the "Ultra High Secure Password Generator":
> Every one is completely random (maximum entropy) without any pattern,
> and the cryptographically-strong pseudo random number generator we
> use guarantees that no similar strings will ever be produced again.
> Also, because this page will only allow itself to be displayed over a
> snoop-proof and proxy-proof high-security SSL connection, and it is
> marked as having expired back in 1999, this page which was custom
> generated just now for you will not be cached or visible to anyone
> else.

Qualys reports that site as vulnerable to CVE-2009-3555 (it accepts
unsolicited insecure TLS renegotiation) and gives it a grade "D" overall:

> A lot of the console and DRM breaks were flaws in the concept, rather
> than the crypto.

I agree there's such a thing as "proper" and "improper" crypto. But it
also seems a bit unhelpful to draw the boundaries so carefully that the
commonly broken stuff is subsequently defined out of bounds. If you
divorce it completely from actual usable implementations, people will
find the advice so impractical that they will be susceptible to the very
snake oil we wish to denounce.

> Password guessing doesn't count...

How about dictionary attacks and rainbow tables then?

I heard it stated somewhere that an Apple product was using PBKDF2 with
a work factor of 1. Does that count?

- Marsh
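
On the PBKDF2 question that closes the message: with an iteration count of 1, PBKDF2 does no key stretching at all, because each output block is a single HMAC over the salt and block index. The following is an added example, not part of the original post; the password, salt, record names and the policy floor of 10000 iterations are constructed assumptions.

```python
import hashlib
import hmac

def pbkdf2_one_iteration(password: bytes, salt: bytes, dklen: int) -> bytes:
    """PBKDF2-HMAC-SHA1 with c=1 written out by hand (RFC 2898, section 5.2).

    With c=1 each block T_i equals U_1 = HMAC(password, salt || INT(i)),
    so the "derivation" is one HMAC call per 20-byte block.
    """
    hlen = hashlib.sha1().digest_size
    blocks = -(-dklen // hlen)  # ceil(dklen / hlen)
    out = b""
    for i in range(1, blocks + 1):
        out += hmac.new(password, salt + i.to_bytes(4, "big"), hashlib.sha1).digest()
    return out[:dklen]

def matches_library(password: bytes, salt: bytes, dklen: int) -> bool:
    """Confirm the hand-written c=1 form agrees with hashlib's PBKDF2."""
    reference = hashlib.pbkdf2_hmac("sha1", password, salt, 1, dklen=dklen)
    return hmac.compare_digest(reference, pbkdf2_one_iteration(password, salt, dklen))

# Constructed key-derivation settings, as a defender might collect them
# from configuration or stored credential records during a review.
SAMPLE_RECORDS = [
    {"name": "record-a", "iterations": 1},
    {"name": "record-b", "iterations": 4096},
    {"name": "record-c", "iterations": 100000},
]

MIN_ITERATIONS = 10000  # assumed policy floor for this example, not a standard

def audit(records, floor=MIN_ITERATIONS):
    """Return (name, shortfall factor) for every record below the floor."""
    return [(r["name"], floor // r["iterations"])
            for r in records if r["iterations"] < floor]

if __name__ == "__main__":
    print("c=1 is a single HMAC per block:",
          matches_library(b"constructed password", b"constructed-salt", 32))
    for name, factor in audit(SAMPLE_RECORDS):
        print(f"{name}: {factor}x cheaper per guess than the assumed floor")
```
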
