[cryptography] Non-governmental exploitation of crypto flaws?

Steven Bellovin smb at cs.columbia.edu
Mon Nov 28 19:52:26 EST 2011

On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:

> On 11/28/2011 04:56 PM, Steven Bellovin wrote:
>> I'm writing something where part of the advice is "don't buy snake
>> oil crypto, get the good stuff".  By "good" I mean well-accepted
>> algorithms (not "proprietary for extra security!"), and protocols
>> that have received serious analysis.  I also want to exclude
>> too-short keys.
>> But -- honesty requires that I define the threat model.  We *know*
>> why NSA wanted short keys in the 1990s, but most folks are not being
>> targeted by <pick your favorite SIGINT agency>, and hence don't have
>> a major worry.
> But where's the evidence of that claim?

For which claim?  That most folks aren't being targeted by major SIGINT
agencies?  I suspect that it's the converse that needs proving.
> AFAICT there is evidence of widespread wiretapping in the world. From
> extra equipment closets in AT&T buildings to "Carnivore" AKA "Omnivore"
> NSA programs. That's to say nothing of someone traveling
> internationally. If you are a tech, aerospace, or military company in
> the West, you should expect state-sponsored adversaries to rattle
> your doorknobs on a regular basis.

Right.  And if you manufacture paper clips or sell real estate, you're
not in that category.  

I do note that none of the news stories about cyberattacks from China have
mentioned crypto.  Either it's not part of the attack -- my guess -- or
someone doesn't want attention called to weak crypto.
> Furthermore, some of the largest distributed supercomputers in the world
> are botnets or on-line game systems now. The days of Western
> intelligence agencies having unambiguously greater brute-force
> capabilities than "The Bad Guys^TM" are drawing to a close. The
> purported RSA factorization is a sign of that.
>> So -- is there a real threat that people have to worry about?  The TI
>> example is a good one, since it's fully verified.
> Funny, that one sounds to me like a failed model. This idea of keeping
> secrets locked in a plastic box while simultaneously selling it to
> millions of consumers has failed every time it has been tried.

I don't follow.  TI put a public key into their devices, and used the
private key to sign updates.  That's a perfectly valid way to use
digital signatures, even if I think their threat model was preposterous.
If they had used 1024-bit keys it wouldn't have been an issue.
>> The claim has been made in the foxit blog, but as noted it's not
>> verified, merely asserted.
> If we can't get clarification, perhaps we can obtain some samples of the
> malware and confirm it ourselves.

How?  Private keys are private keys; the fact that they exist somewhere
says nothing about how they were obtained.
>> WEP?  Again, we all know how bad it is, but has it really been used?
>> Evidence?
> Yes, WEP was a confirmed vector in the Gonzalez TJX hack:
> http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx
> http://en.wikipedia.org/wiki/TJX_Companies#Computer_systems_intrusion

Ah --- I'll check.  I knew they attacked WiFi; I didn't recall that they'd
cracked WEP.  Thanks.
>> Did anyone use the TLS renegotiate vulnerability?
> I have spoken with pentesters who have used it successfully. Not on your typical web site.

Right -- not what I was asking about.
>> Password guessing doesn't count...
> How about dictionary attacks and rainbow tables then?
> I heard it stated somewhere that an Apple product was using PBKDF2 with
> a work factor of 1. Does that count?

There's a separate section on bad passwords...


		--Steve Bellovin, https://www.cs.columbia.edu/~smb
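The signed-update scheme discussed above (a public key baked into the device, a vendor private key signing updates), as an added example that is not part of this thread or of TI's code: a device-side verifier that refuses to trust an embedded key below an assumed 2048-bit minimum before doing any signature arithmetic, so that an update signed under a factorable key is rejected regardless of whether its signature checks out. Names, the minimum-size policy, the PKCS#1 v1.5 choice and the sample image are all assumptions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// MinModulusBits is the smallest RSA modulus the device accepts (an
// assumed policy; TI's 512-bit signing keys fall well below it).
const MinModulusBits = 2048

// GenerateVendorKey makes the vendor's signing key at an adequate size.
func GenerateVendorKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// SignUpdate signs the SHA-256 digest of an update image with the
// vendor's private key (PKCS#1 v1.5 padding, as a plain illustration).
func SignUpdate(priv *rsa.PrivateKey, image []byte) ([]byte, error) {
	digest := sha256.Sum256(image)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// VerifyUpdate is the device-side check before installing an image: it
// rejects a too-short embedded key before any signature math runs.
func VerifyUpdate(pub *rsa.PublicKey, image, sig []byte) error {
	if pub == nil || pub.N == nil {
		return fmt.Errorf("no public key present")
	}
	if bits := pub.N.BitLen(); bits < MinModulusBits {
		return fmt.Errorf("rejecting %d-bit key: below %d-bit minimum", bits, MinModulusBits)
	}
	digest := sha256.Sum256(image)
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return fmt.Errorf("signature invalid: %w", err)
	}
	return nil
}

// ShortKey returns a constructed 512-bit public key (not a real key) to
// exercise the size check.
func ShortKey() *rsa.PublicKey {
	n := new(big.Int).Lsh(big.NewInt(1), 511)
	n.SetBit(n, 0, 1) // make the modulus odd, as a real one would be
	return &rsa.PublicKey{N: n, E: 65537}
}
```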
