[cryptography] Non-governmental exploitation of crypto flaws?
smb at cs.columbia.edu
Mon Nov 28 19:52:26 EST 2011
On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:
> On 11/28/2011 04:56 PM, Steven Bellovin wrote:
>> I'm writing something where part of the advice is "don't buy snake
>> oil crypto, get the good stuff". By "good" I mean well-accepted
>> algorithms (not "proprietary for extra security!"), and protocols
>> that have received serious analysis. I also want to exclude
>> too-short keys.
>> But -- honesty requires that I define the threat model. We *know*
>> why NSA wanted short keys in the 1990s, but most folks are not being
>> targeted by <pick your favorite SIGINT agency>, and hence don't have
>> a major worry.
> But where's the evidence of that claim?
For which claim? That most folks aren't being targeted by major SIGINT
agencies? I suspect that it's the converse that needs proving.
> AFAICT there is evidence of widespread wiretapping in the world. From
> extra equipment closets in AT&T buildings to "Carnivore" AKA "Omnivore"
> NSA programs. That's to say nothing of someone traveling
> internationally. If you are a tech, aerospace, or military company in
> the West, you should expect state-sponsored adversaries to rattle
> your doorknobs on a regular basis.
Right. And if you manufacture paper clips or sell real estate, you're
not in that category.
I do note that none of the news stories about cyberattacks from China have
mentioned crypto. Either it's not part of the attack -- my guess -- or
Someone doesn't want attention called to weak crypto.
> Furthermore, some of the largest distributed supercomputers in the world
> are botnets or on-line game systems now. The days of Western
> intelligence agencies having unambiguously greater brute-force
> capabilities than "The Bad Guys^TM" are drawing to a close. The
> purported RSA factorization is a sign of that.
>> So -- is there a real threat that people have to worry about? The TI
>> example is a good one, since it's fully verified.
> Funny, that one sounds to me like a failed model. This idea of keeping
> secrets locked in a plastic box while simultaneously selling it to
> millions of consumers has failed every time it has been tried.
I don't follow. TI put a public key into their devices, and used the
private key to sign updates. That's a perfectly valid way to use
digital signatures, even if I think their threat model was preposterous.
If they had used 1024-bit keys it wouldn't have been an issue.
>> The claim has been made in the foxit blog, but as noted it's not
>> verified, merely asserted.
> If we can't get clarification, perhaps we can obtain some samples of the
> malware and confirm it ourselves.
How? Private keys are private keys; the fact that they exist somewhere
says nothing about how they were obtained.
>> WEP? Again, we all know how bad it is, but has it really been used?
> Yes, WEP was a confirmed vector in the Gonzales TJX hack:
Ah --- I'll check. I knew they attacked WiFi; I didn't recall that they'd
cracked WEP. Thanks.
>> Did anyone use the TLS renegotiate vulnerability?
> I have spoken with pentesters who have used it successfully. Not on your typical web site.
Right -- not what I was asking about.
>> Password guessing doesn't count...
> How about dictionary attacks and rainbow tables then?
> I heard it stated somewhere that an Apple product was using PBKDF2 with
> a work factor of 1. Does that count?
There's a separate section on bad passwords...
--Steve Bellovin, https://www.cs.columbia.edu/~smb
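On the "PBKDF2 with a work factor of 1" point raised in the thread, an added example (not from either author) showing why the iteration count matters to a defender: each guess in a dictionary attack costs the attacker exactly as many PBKDF2 iterations as the legitimate verifier spends, so a work factor of 1 gives no slowdown at all. The record format, the policy floor of 100,000 iterations and the rehash-on-login routine are assumptions constructed for the example, not any product's real format.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed storage format, constructed for this example (not any real product's):
#   "pbkdf2_sha256$<iterations>$<salt_b64>$<hash_b64>"
MIN_ITERATIONS = 100_000  # policy floor assumed for the example


def hash_password(password: str, iterations: int, salt: Optional[bytes] = None) -> str:
    """Derive a stored record; the same iteration count is what an attacker pays per guess."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return "pbkdf2_sha256${}${}${}".format(
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute PBKDF2 with the record's own parameters and compare in constant time."""
    alg, iters, salt_b64, dk_b64 = record.split("$")
    if alg != "pbkdf2_sha256":
        raise ValueError("unsupported record type")
    expected = base64.b64decode(dk_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iters), dklen=len(expected))
    return hmac.compare_digest(actual, expected)


def audit_record(record: str) -> dict:
    """Flag records whose work factor makes offline dictionary attacks cheap.
    PBKDF2 cost is linear in the iteration count, so the multiplier relative to
    a work factor of 1 is simply the iteration count itself."""
    iters = int(record.split("$")[1])
    return {"iterations": iters,
            "cost_vs_work_factor_1": iters,
            "needs_rehash": iters < MIN_ITERATIONS}


def rehash_if_weak(password: str, record: str) -> Optional[str]:
    """Mitigation: on a successful login, transparently re-store weak records at the floor."""
    if not verify_password(password, record):
        return None  # wrong password: never touch the record
    if not audit_record(record)["needs_rehash"]:
        return None  # already strong enough
    return hash_password(password, MIN_ITERATIONS)
```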