[cryptography] Non-governmental exploitation of crypto flaws?

Peter Gutmann pgut001 at cs.auckland.ac.nz
Mon Nov 28 23:13:50 EST 2011


Steven Bellovin <smb at cs.columbia.edu> writes:

>I'm writing something where part of the advice is "don't buy snake oil
>crypto, get the good stuff".

I wrote about this back in 2002 in "Lessons Learned in Implementing and
Deploying Crypto Software": we've gone from straight snake oil to second-
order snake oil, good algorithms applied badly (the stuff I've seen people do
with RSA, DH, AES, ...).  So figuring out what "the good stuff" is (or at
least spotting the bad stuff and declaring everything else to be good) isn't
nearly as easy as it used to be.

>[SIGINT] So -- is there a real threat that people have to worry about?

I doubt it.  Put another way, if you're paranoid about the MIB then you
probably have more problems than crypto can deal with.

>The claim has been made in the foxit blog, but as noted it's not verified,
>merely asserted.

Having discussed it with the Fox-IT person, I'm pretty convinced now that it
was indeed a factorisation attack.  OTOH there are some really, really strange
things surrounding how it was done; I'll try and get a summary written when I
get time.

>Again, we all know how bad it is, but has it really been used?

So now we're really getting more into philosophical rather than technical
discussions.  Is a system with gaping security holes that's so profoundly
uninteresting to attackers that no-one even bothers looking at it (SCADA) more
secure than one that's been designed and implemented relatively securely but
that's such a tempting target that unreasonable amounts of effort are expended
attacking it (Windows)?  And who are your attackers?  If it's random
china^H^H^Hbogeymen then you need to worry about SCADA, if it's the entire
world's cybercrime industry then you need to worry about Windows and forget
SCADA because you can monetise the former and not the latter.

So to quote Ian Grigg, WYTM (What's Your Threat Model)?  I could put a DOS box
on the Internet (assuming I could find a TCP stack for it) and it'd remain
safe because no-one would ever target that.

Peter.
