[cryptography] Non-governmental exploitation of crypto flaws?

Marsh Ray marsh at extendedsubset.com
Mon Nov 28 20:31:11 EST 2011

On 11/28/2011 06:52 PM, Steven Bellovin wrote:
> On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:
>> On 11/28/2011 04:56 PM, Steven Bellovin wrote:
>>> I'm writing something where part of the advice is "don't buy snake
>>> oil crypto, get the good stuff".  By "good" I mean well-accepted
>>> algorithms (not "proprietary for extra security!"), and protocols
>>> that have received serious analysis.  I also want to exclude
>>> too-short keys.
>>> But -- honesty requires that I define the threat model.  We *know*
>>> why NSA wanted short keys in the 1990s, but most folks are not being
>>> targeted by<pick your favorite SIGINT agency>, and hence don't have
>>> a major worry.
>> But where's the evidence of that claim?
> For which claim?  That most folks aren't being targeted by major SIGINT
> agencies?  I suspect that it's the converse that needs proving.

Is there a distinction being made here? How fine is it?

"Targeted" may imply that someone has your name on a finite sized list 

On the other hand, some percentage of your traffic (or metadata about 
it) are likely being intercepted, archived, and indexed for later 
searching. We know Google, Facebook, and every sleazy ad server network 
on the internet does this. We know Syria does this, their BlueCoat logs 
were uploaded the other day. We know the US government believes in 
warrantless wiretapping and has at least one wiring closet in US telcos.

We could call this "non-targeted surveillance". But given the searching 
and retrieval capabilities today (e.g., Palantir's glowing review in the 
WSJ the other day), is this still a useful distinction?

Just asking questions out loud here.

>> If you are a tech, aerospace, or military company in
>> the West, you would should expect state-sponsored adversaries to rattle
>> your doorknobs on a regular basis.
> Right.  And if you manufacture paper clips or sell real estate, you're
> not in that category.

One would certainly think so.

But surely the Malaysian Agricultural Research and Development Institute 
did not realize it was painting a target on itself when some IT staffer 
requested the code signing flag be set on their cert request for 
( http://www.f-secure.com/weblog/archives/00002269.html )

> I do note that none of the news stories about cyberattacks from China have
> mentioned crypto.  EIther it's not part of the attack -- my guess -- or
> Someone doesn't want attention called to weak crypto.

With all the vulnerable Adobe client software out there they probably 
have more hack targets than they can possibly handle.

>> Funny, that one sounds to me like a failed model. This idea of keeping
>> secrets locked in a plastic box while simultaneously selling it to
>> millions of consumers has failed every time it has been tried.
> I don't follow.  TI put a public key into their devices, and used the
> private key to sign updates.

Yes that makes more sense then.

> That's a perfectly valid way to use
> digital signatures, even if I think their threat model was preposterous.
> If they had used 1024-bit keys it wouldn't have been an issue.

Right, it likely would have fallen to some other issue.

>> If we can't get clarification, perhaps we can obtain some samples of the
>> malware and confirm it ourselves.
> How?  Private keys are private keys; the fact that they exist somewhere
> says nothing about how they were obtained.

The question remaining in my mind was: was this batch of signed malware 
found in the wild by F-Secure really signed with a set of exclusively 
512 bit keys?

- Marsh

More information about the cryptography mailing list