On 27 November 2011 20:10, Steven Bellovin <s...@cs.columbia.edu> wrote: > Does anyone know of any (verifiable) examples of non-government enemies > exploiting flaws in cryptography? I'm looking for real-world attacks on > short key lengths, bad ciphers, faulty protocols, etc., by parties other > than governments and militaries. I'm not interested in academic attacks
The Padding Oracle attack enabled real-world attacks on both common (DotNetNuke) and proprietary .Net and JSF web applications, as well as CAPTCHAs. Based on emails I've seen, this was widely exploited online. The BEAST attack on TLS was demonstrated practically, but wasn't exploited widely AFAIK, which is the same case for the MD5-colliding CA cert. The console hacking scene may have more examples besides the PS3 break mentioned by Marsh. XBox 360 was rooted using a glitch attack to make a hash comparison fail: http://www.free60.org/Reset_Glitch_Hack This may not be what you're looking for, but inducing a fault to bypass a cryptographic check is at least on the same street. Several "encrypted" hard drives are crappy implementations. This one: http://www.h-online.com/security/features/Cracking-budget-encryption-746225.html was broken after discovering its encryption was just a matrix multiplication. I'd say this is actually farther from crypto than the fault attack. The Debian Weak Key bug produced many exploitable scenarios, although I'm not sure if there are public tales of one being actively exploited. There was also a presentation in the last three years about practical crypto attacks on web applications. I believe it had two examples, one of which was a crappy RNG in the password reset mechanism of a popular web framework. I can't for the life of me find it after searching for 30 minutes though. (There was another recently I believe around a timing attack on string comparisons but that's not really crypto.) -tom _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
