[cryptography] Non-governmental exploitation of crypto flaws?

Ilya Levin ilevin at gmail.com
Tue Nov 29 23:33:08 EST 2011


On Tue, Nov 29, 2011 at 5:52 PM, Jon Callas <jon at callas.org> wrote:

> But the other one is Drew Gross's observation. If you think like an attacker, then you're a fool to worry about the crypto.

While generally true, this is kind of an overstatement. I'd say that
if you think like an attacker then crypto must be the least of your
worries.  But you still must worry about it.

I've seen real life systems were broken because of crypto combined
with other thins. Well, I broke couple of these in old days (whitehat
legal stuff)

For example, the Internet banking service of the bank I would not name
here was compromised during a blind remote intrusion simulating
exercise because of successful known plaintext attack on DES. Short
DES keys together with key derivation quirks and access to ciphertext
made the attack very practical and very effective.

Again, I'm not arguing with Drew Gross's observation. It is just a bit
extreme to say it like this.

Best regards,
Ilya

---
http://www.literatecode.com



More information about the cryptography mailing list