Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-12-02 Thread Jeffrey Walton
On Sun, Nov 27, 2011 at 3:10 PM, Steven Bellovin s...@cs.columbia.edu wrote:
 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks
 -- I want to be able to give real-world advice -- nor am I looking for
 yet another long thread on the evils and frailties of PKI.

In July 2009, Benjamin Moody, a United-TI forum user, published the
factors of a 512-bit RSA key used to sign the TI-83+ series graphing
calculator,
http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy.
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-12-02 Thread Steven Bellovin

On Dec 2, 2011, at 5:26:27 PM, Jeffrey Walton wrote:

 On Sun, Nov 27, 2011 at 3:10 PM, Steven Bellovin s...@cs.columbia.edu wrote:
 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks
 -- I want to be able to give real-world advice -- nor am I looking for
 yet another long thread on the evils and frailties of PKI.
 
 In July 2009, Benjamin Moody, a United-TI forum user, published the
 factors of a 512-bit RSA key used to sign the TI-83+ series graphing
 calculator,
 http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy.

Right.  I have five examples.  Apart from that one, there is:

The (alleged) factoring of 512-bit keys in code-signing certificates

The apparent use of WEP-cracking by the Gonzalez gang.  While we don't
know for sure that they did that, the Canadian Privacy Commissioner's
report said that TJX used WEP, and one of the indictments said that
Christopher Scott broke in to their wireless net.

The GSM interceptor.  I'm not using that one because the products I see
are (nominally) aimed at government use, and while I'm sure many have
been diverted I don't have any documented cases of them being used by
the private sector.  (For all of the reports about phone hacking by
Murdoch's companies, I've seen no reports of cell phone eavesdropping to
get the modern equivalent of, say, http://en.wikipedia.org/wiki/Squidgygate
or Camillagate.)

http://www.wired.com/threatlevel/2011/07/hacking-neighbor-from-hell/ --
someone who *really* wanted revenge on his neighbors.  Given that his
offenses were discovered to include child pornography, he was sentenced
to 18 years.


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-30 Thread Thierry Moreau

Ilya Levin wrote:

On Tue, Nov 29, 2011 at 5:52 PM, Jon Callas j...@callas.org wrote:


But the other one is Drew Gross's observation. If you think like an attacker, 
then you're a fool to worry about the crypto.


While generally true, this is kind of an overstatement. I'd say that
if you think like an attacker then crypto must be the least of your
worries.  But you still must worry about it.

I've seen real life systems that were broken because of crypto combined
with other things. Well, I broke a couple of these in the old days (whitehat
legal stuff).

For example, the Internet banking service of the bank I would not name
here was compromised during a blind remote intrusion-simulating
exercise because of a successful known-plaintext attack on DES. Short
DES keys together with key derivation quirks and access to ciphertext
made the attack very practical and very effective.



Indeed, single-length DES cracking for attacking electronic payment 
networks is the other instance (along with the TI software signature 
public key factorization) of a production crypto attack. Both are 
based on brute force against short key material.


It is not verifiable because a) the perpetrators needed no publicity to 
benefit, and b) the financial institutions were upgrading electronic 
payment gear to triple-DES (suddenly at a faster than usual pace which 
could raise suspicion, at least in my mind), and also preferred less 
publicity.


I had some form of confirmation (that the attack scenario occurred) by 
the way the triple-DES upgrade project success has been described by a 
bank technology specialist who would have been aware of the incident(s).


- Thierry Moreau


Again, I'm not arguing with Drew Gross's observation. It is just a bit
extreme to say it like this.

Best regards,
Ilya

---
http://www.literatecode.com




Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-30 Thread Jon Callas

On Nov 29, 2011, at 8:33 PM, Ilya Levin wrote:

 On Tue, Nov 29, 2011 at 5:52 PM, Jon Callas j...@callas.org wrote:
 
 But the other one is Drew Gross's observation. If you think like an 
 attacker, then you're a fool to worry about the crypto.
 
 While generally true, this is kind of an overstatement. I'd say that
 if you think like an attacker then crypto must be the least of your
 worries.  But you still must worry about it.
 
 I've seen real life systems that were broken because of crypto combined
 with other things. Well, I broke a couple of these in the old days (whitehat
 legal stuff).
 
 For example, the Internet banking service of the bank I would not name
 here was compromised during a blind remote intrusion-simulating
 exercise because of a successful known-plaintext attack on DES. Short
 DES keys together with key derivation quirks and access to ciphertext
 made the attack very practical and very effective.
 
 Again, I'm not arguing with Drew Gross's observation. It is just a bit
 extreme to say it like this.

Let me try to restate what I was saying, because I think the point is getting 
lost in the words.

If I were an attacker who wanted to compromise your computers, I would not 
attack your crypto. I would attack your software. Even if what I wanted to do 
was ultimately to get to your crypto, I wouldn't mount a cryptanalytical 
attack, I'd attack your system. That's it.

We are seeing this in the real world now. The targeted malware that the German 
government has to compromise Skype is not cryptanalysis, it is a systems-level 
attack that then gets at the crypto.

Robert Morris gave the famous advice: first, check for plaintext. I'm just 
saying that checking first for Flash is today's equivalent.

Jon



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-29 Thread Jon Callas

On Nov 27, 2011, at 12:10 PM, Steven Bellovin wrote:

 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks
 -- I want to be able to give real-world advice -- nor am I looking for
 yet another long thread on the evils and frailties of PKI.

Steve, it's hard to know how to answer that, really. I often quote Drew Gross, 
I love crypto, it tells me what part of the system not to bother attacking. 
I'd advise anyone wanting to attack a system that they should look at places 
other than the crypto. Drew cracked wise about that to me in 1999 and I'm still 
quoting him on it.

If you look at the serious attacks going on of late, none of them are crypto, 
to the best of my knowledge, anyway. The existing quote-quote APT attacks are 
simple spear-phishing at best. A number of them are amazingly simplistic. 

We know that the attack against EMC/RSA and SecureID was done with a vuln in a 
Flash attachment embedded in an Excel spreadsheet. According to the best news I 
have heard, the Patient Zero of that attack had had the infected file 
identified as bad! They pulled it out of the spam folder and opened it anyway. 
That attack happened because of a security failure on the device that sits 
between the keyboard and chair, not for any technology of any sort.

There are also a number of cases where suspects or convicted criminals in the 
hands of powerful governments along with their encrypted data have not had 
their crypto broken. Real world evidence says that if you pick a reasonably 
well-designed-and-implemented cryptosystem (like PGP or TrueCrypt) and exercise 
good OPSEC, then your crypto won't be broken, even if you're up against the 
likes of First World TLAs.

I have, however, hidden many details in a couple of phrases above, especially 
the words exercise good OPSEC.

If we look at it from the other angle, though, one of the cautionary tales I'd 
tell, along with a case study is the TI break. The fellow who did it announced 
on a web board that very long number equals long number_1 times long 
number_2. People didn't get it, so he wrote it out in hex. They still didn't 
get it, and he pointed out that the very long number could be found in a 
certain certificate. The other people on the board went through all of 
Kubler-Ross's stages in about fifteen posts. It's hilarious to read. The 
analyst said that he'd sieved the key on a single computer in -- I remember it 
being about 80 days, but it could be 60ish. Nonetheless, he just went and did 
it.

On the one hand, he broke the crypto. But on the other hand, we had all known 
that 512-bit numbers can be quasi-easily factored. It was a shock, but not a 
surprise. 

Another thing to look at would be the cryptanalysis of A5/n over the years. 
Certainly, there's been brilliant cryptanalysis on those ciphers. But it's also 
true that the people who put them in place willfully avoided using ciphers 
known to be strong. It is as if they built their protocols so that they could 
hack them but they presumed we couldn't. We proved them wrong. Does that really 
count as cryptanalysis as opposed to puncturing arrogance?

If you want to look at protocol train wrecks, WEP is the canonical one. But 
that one had at its core the designers cheaping out on the crypto so that the 
hardware could be cheaper. I think it is a good exercise to look at the mistakes 
in WEP, but a better one is to look at creating something significantly more 
secure within the same engineering constraints. You *can* do better with about 
the same constraints, and there are a number of ways to do it, even.

I can list a number of oopses of lesser degrees, where someone took reasonable 
components and there were still problems with it. But I really don't think 
that's what you're asking for, either.

The good news we face today is that there really isn't any snake oil any more. 
If there is anything that we can be proud of as a discipline, it's that the 
problems we face are genuine mistakes as opposed to genuine or malicious not 
understanding the problem. 

The bad news is that there are two major problems left. One is mis-use of 
otherwise mostly okay protocols. Users picking crap passwords is the most 
glaring example of this. There are a number of well-tested cryptosystems out 
there that are nearly universally used badly.

But the other one is Drew Gross's observation. If you think like an attacker, 
then you're a fool to worry about the crypto. Go buy a few zero days, instead. 
But that's only if you don't want to be discovered afterwards. If you don't 
care, there are so many unpatched systems out there that scattershotting 
well-crafted spam with a Flash exploit works just fine.

What I'm really saying here is that in the chain of real security, crypto is 

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-29 Thread Jean-Philippe Aumasson
Just my 2.373 cents:

I recently gave a talk entitled Cryptanalysis vs. reality that
covers the issues discussed in the present thread. The slides:
http://131002.net/data/talks/hashdays11_slides.pdf


On Tue, Nov 29, 2011 at 10:52 AM, Jon Callas j...@callas.org wrote:

 On Nov 27, 2011, at 12:10 PM, Steven Bellovin wrote:

 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks
 -- I want to be able to give real-world advice -- nor am I looking for
 yet another long thread on the evils and frailties of PKI.

 Steve, it's hard to know how to answer that, really. I often quote Drew 
 Gross, I love crypto, it tells me what part of the system not to bother 
 attacking. I'd advise anyone wanting to attack a system that they should 
 look at places other than the crypto. Drew cracked wise about that to me in 
 1999 and I'm still quoting him on it.

 If you look at the serious attacks going on of late, none of them are crypto, 
 to the best of my knowledge, anyway. The existing quote-quote APT attacks are 
 simple spear-phishing at best. A number of them are amazingly simplistic.

 We know that the attack against EMC/RSA and SecureID was done with a vuln in 
 a Flash attachment embedded in an Excel spreadsheet. According to the best 
 news I have heard, the Patient Zero of that attack had had the infected file 
 identified as bad! They pulled it out of the spam folder and opened it 
 anyway. That attack happened because of a security failure on the device that 
 sits between the keyboard and chair, not for any technology of any sort.

 There are also a number of cases where suspects or convicted criminals in the 
 hands of powerful governments along with their encrypted data have not had 
 their crypto broken. Real world evidence says that if you pick a reasonably 
 well-designed-and-implemented cryptosystem (like PGP or TrueCrypt) and 
 exercise good OPSEC, then your crypto won't be broken, even if you're up 
 against the likes of First World TLAs.

 I have, however, hidden many details in a couple of phrases above, especially 
 the words exercise good OPSEC.

 If we look at it from the other angle, though, one of the cautionary tales 
 I'd tell, along with a case study is the TI break. The fellow who did it 
 announced on a web board that very long number equals long number_1 times 
 long number_2. People didn't get it, so he wrote it out in hex. They still 
 didn't get it, and he pointed out that the very long number could be found in 
 a certain certificate. The other people on the board went through all of 
 Kubler-Ross's stages in about fifteen posts. It's hilarious to read. The 
 analyst said that he'd sieved the key on a single computer in -- I remember 
 it being about 80 days, but it could be 60ish. Nonetheless, he just went and 
 did it.

 On the one hand, he broke the crypto. But on the other hand, we had all known 
 that 512-bit numbers can be quasi-easily factored. It was a shock, but not a 
 surprise.

 Another thing to look at would be the cryptanalysis of A5/n over the years. 
 Certainly, there's been brilliant cryptanalysis on those ciphers. But it's 
 also true that the people who put them in place willfully avoided using 
 ciphers known to be strong. It is as if they built their protocols so that 
 they could hack them but they presumed we couldn't. We proved them wrong. 
 Does that really count as cryptanalysis as opposed to puncturing arrogance?

 If you want to look at protocol train wrecks, WEP is the canonical one. But 
 that one had at its core the designers cheaping out on the crypto so that the 
 hardware could be cheaper. I think it is a good exercise to look at the mistakes 
 in WEP, but a better one is to look at creating something significantly more 
 secure within the same engineering constraints. You *can* do better with 
 about the same constraints, and there are a number of ways to do it, even.

 I can list a number of oopses of lesser degrees, where someone took 
 reasonable components and there were still problems with it. But I really 
 don't think that's what you're asking for, either.

 The good news we face today is that there really isn't any snake oil any 
 more. If there is anything that we can be proud of as a discipline, it's that 
 the problems we face are genuine mistakes as opposed to genuine or malicious 
 not understanding the problem.

 The bad news is that there are two major problems left. One is mis-use of 
 otherwise mostly okay protocols. Users picking crap passwords is the most 
 glaring example of this. There are a number of well-tested cryptosystems out 
 there that are nearly universally used badly.

 But the other one is Drew Gross's observation. If you think like an attacker, 
 then you're a fool to worry about the 

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-29 Thread Steven Bellovin

On Nov 29, 2011, at 7:44 AM, d...@geer.org wrote:

 
 Steve/Jon, et al.,
 
 Would you say something about whether you consider key management
 as within scope of the phrase crypto flaw?  There is a fair
 amount of snake oil there, or so it seems to me in my line of
 work (reading investment proposals and the like) -- things like
 secure boot devices that, indeed, are encrypted but which have the
 decryption key hidden on the device (security through obscurity).
 That's just an example; don't pick on it, per se.  But to repeat,
 is key management within scope of the phrase crypto flaw?
 
It's a grey area for my purposes.  DRM is out completely; that's
something that can't work.  I'm looking for situations where (a) it's
easy for someone who knows the field to say, idiots -- if they'd
done XXX instead of YYY, there wouldn't be a flaw, and (b) there
was a real-world consequence of the failure, and not just someone
saying gotcha!  Leaving out key management entirely, like WEP did,
would qualify under (a) but not (b).  


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread ianG

On 28/11/11 15:00 PM, Peter Gutmann wrote:

Steven Bellovin s...@cs.columbia.edu writes:


Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?

Could you be a bit more precise about what flaws in cryptography covers?  If
you mean exploiting bad or incorrect implementations of crypto then there's so
much that I barely know where to start, if it's actual cryptanalytic attacks
on anything other than toy crypto (homebrew ciphers, known-weak keys, etc)
then there's very little around.  If it's something else, you'd have to let us
know where the borders lie.




To be fair to Steve, although we've been bandying the term toy crypto 
and cousins around for a while, we haven't really defined it.  It's a 
bit like american pornography, we know it when we see it.


iang


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread ianG

On 28/11/11 07:10 AM, Steven Bellovin wrote:

Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?  I'm looking for real-world attacks on
short key lengths, bad ciphers, faulty protocols, etc., by parties other
than governments and militaries.


I'd suggest:

1.  GSM.  The phones were first cracked by Lucky Green back in 1998 as 
an academic demo, and a few years back I heard it was possible to buy 
crack devices.  I didn't follow up, but the existence of kits would 
indicate there was a market for paparazzi or minute-theft or PIs.


2.  chip & pin.  Look at the Cambridge lab work.  They've been involved 
in some legal cases, and there might be some verified crunches in there.



I'm not interested in academic attacks
-- I want to be able to give real-world advice -- nor am I looking for
yet another long thread on the evils and frailties of PKI.


Yeah.

If you are doing research to document the state of real breaches, that 
would be valuable info.



iang


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Steven Bellovin

On Nov 27, 2011, at 11:00:49 PM, Peter Gutmann wrote:

 Steven Bellovin s...@cs.columbia.edu writes:
 
 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?
 
 Could you be a bit more precise about what flaws in cryptography covers?  If
 you mean exploiting bad or incorrect implementations of crypto then there's so
 much that I barely know where to start, if it's actual cryptanalytic attacks
 on anything other than toy crypto (homebrew ciphers, known-weak keys, etc)
 then there's very little around.  If it's something else, you'd have to let us
 know where the borders lie.
 
I'm writing something where part of the advice is don't buy snake oil crypto,
get the good stuff.  By good I mean well-accepted algorithms (not proprietary
for extra security!), and protocols that have received serious analysis.  I also
want to exclude too-short keys.  But -- honesty requires that I define the threat
model.  We *know* why NSA wanted short keys in the 1990s, but most folks are not
being targeted by "pick your favorite SIGINT agency", and hence don't have a
major worry.  So -- is there a real threat that people have to worry about?  The
TI example is a good one, since it's fully verified.  The claim has been made in
the foxit blog, but as noted it's not verified, merely asserted.  WEP?  Again, we
all know how bad it is, but has it really been used?  Evidence?  For GSM, is there
something I can footnote about these kits?  Is anyone using BEAST?  Did anyone
use the TLS renegotiate vulnerability?  A lot of the console and DRM breaks were
flaws in the concept, rather than the crypto.  Password guessing doesn't count...


--Steve Bellovin, https://www.cs.columbia.edu/~smb


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray

On 11/28/2011 04:56 PM, Steven Bellovin wrote:


I'm writing something where part of the advice is don't buy snake
oil crypto, get the good stuff.  By good I mean well-accepted
algorithms (not proprietary for extra security!), and protocols
that have received serious analysis.  I also want to exclude
too-short keys.



But -- honesty requires that I define the threat model.  We *know*
why NSA wanted short keys in the 1990s, but most folks are not being
targeted by "pick your favorite SIGINT agency", and hence don't have
a major worry.


But where's the evidence of that claim?

AFAICT there is evidence of widespread wiretapping in the world. From
extra equipment closets in ATT buildings to Carnivore AKA Omnivore
NSA programs. That's to say nothing of someone traveling
internationally. If you are a tech, aerospace, or military company in
the West, you should expect state-sponsored adversaries to rattle
your doorknobs on a regular basis.

Furthermore, some of the largest distributed supercomputers in the world
are botnets or on-line game systems now. The days of Western
intelligence agencies having unambiguously greater brute-force
capabilities than The Bad Guys^TM are drawing to a close. The
purported RSA factorization is a sign of that.


So -- is there a real threat that people have to worry about?  The TI
example is a good one, since it's fully verified.


Funny, that one sounds to me like a failed model. This idea of keeping
secrets locked in a plastic box while simultaneously selling it to
millions of consumers has failed every time it has been tried.


The claim has been made in the foxit blog, but as noted it's not
verified, merely asserted.


If we can't get clarification, perhaps we can obtain some samples of the
malware and confirm it ourselves.


WEP?  Again, we all know how bad it is, but has it really been used?
 Evidence?


Yes, WEP was a confirmed vector in the Gonzales TJX hack:

http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx


http://en.wikipedia.org/wiki/TJX_Companies#Computer_systems_intrusion

 number of affected customers had reached 45.7 million and has

prompted credit bureaus to seek legislation requiring retailers to
be responsible for compromised customer information saved in their
systems. In addition to credit card numbers, personal information
such as social security numbers and driver's license numbers from
451,000 customers were downloaded by the intruders. The breach was
possible due to a non-secure wireless network in one of the stores.




Is anyone using BEAST?


Not to my knowledge.


Did anyone use the TLS renegotiate vulnerability?


I have spoken with pentesters who have used it successfully. Not on your 
typical web site.


And it's still out there.
For example, the Ultra High Secure Password Generator:
https://www.grc.com/passwords.htm

Every one is completely random (maximum entropy) without any pattern,
and the cryptographically-strong pseudo random number generator we
use guarantees that no similar strings will ever be produced again.
Also, because this page will only allow itself to be displayed over a
snoop-proof and proxy-proof high-security SSL connection, and it is
marked as having expired back in 1999, this page which was custom
generated just now for you will not be cached or visible to anyone
else.


Qualys reports that site as vulnerable to CVE-2009-3555 (it accepts
unsolicited insecure TLS renegotiation) and gives it a grade D overall:
https://www.ssllabs.com/ssldb/analyze.html?d=grc.com


A lot of the console and DRM breaks were flaws in the concept, rather
than the crypto.


I agree there's such a thing as proper and improper crypto. But it
also seems a bit unhelpful to draw the boundaries so carefully that the
commonly broken stuff is subsequently defined out of bounds. If you
divorce it completely from actual usable implementations, people will
find the advice so impractical that they will be susceptible to the very
snake oil we wish to denounce.


Password guessing doesn't count...


How about dictionary attacks and rainbow tables then?

I heard it stated somewhere that an Apple product was using PBKDF2 with
a work factor of 1. Does that count?

- Marsh


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray

On 11/28/2011 05:58 PM, Marsh Ray wrote:


I heard it stated somewhere that an Apple product was using PBKDF2
with a work factor of 1. Does that count?


Follow-up.

It was Blackberry, not Apple:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-3741


Vulnerability Summary for CVE-2010-3741 Original release
date:10/05/2010 Last revised:07/19/2011 Source: US-CERT/NIST
Overview

The offline backup mechanism in Research In Motion (RIM) BlackBerry
Desktop Software uses single-iteration PBKDF2, which makes it easier
for local users to decrypt a .ipd file via a brute-force attack.



http://www.infoworld.com/t/mobile-device-management/you-can-no-longer-rely-encryption-protect-blackberry-436

 [Elcomsoft]

In short, standard key-derivation function, PBKDF2, is used in a
very strange way, to say the least. Where Apple has used 2,000
iterations in iOS 3.x, and 10,000 iterations in iOS 4.x, BlackBerry
uses only one.


Via http://en.wikipedia.org/wiki/PBKDF2#BlackBerry_vulnerability .


- Marsh
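An added illustration of the work-factor point in the two posts above (not code from the list, RIM, Apple or Elcomsoft): PBKDF2-HMAC-SHA1 written out with an explicit PRF counter, so the per-guess cost an offline attacker pays at 1, 2,000 and 10,000 iterations (the counts quoted above) is visible. The 10,000-iteration audit threshold, the product names and the cost model are assumptions of this example.

```python
"""PBKDF2 work-factor audit (constructed example for the CVE-2010-3741 discussion)."""
import hashlib
import hmac
import math
import struct

# Iteration counts quoted in the thread; the product labels are this example's own.
ITERATIONS_BY_PRODUCT = {
    "blackberry_desktop_ipd": 1,   # single-iteration PBKDF2 (CVE-2010-3741)
    "ios3": 2000,
    "ios4": 10000,
}
MIN_ITERATIONS = 10000  # assumed audit floor, not a value taken from the thread


def pbkdf2_hmac_sha1(password: bytes, salt: bytes, iterations: int, dklen: int):
    """Return (derived_key, prf_calls) for PBKDF2-HMAC-SHA1 as in RFC 2898.

    prf_calls counts HMAC invocations: iterations * ceil(dklen / 20).  That
    number is exactly what an attacker pays per password guess.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    hlen = hashlib.sha1().digest_size  # 20 bytes
    blocks = math.ceil(dklen / hlen)
    out = bytearray()
    calls = 0
    for i in range(1, blocks + 1):
        # U_1 = PRF(P, S || INT(i)); U_j = PRF(P, U_{j-1}); T_i = U_1 xor ... xor U_c
        u = hmac.new(password, salt + struct.pack(">I", i), hashlib.sha1).digest()
        calls += 1
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hashlib.sha1).digest()
            calls += 1
            t = bytearray(a ^ b for a, b in zip(t, u))
        out += t
    return bytes(out[:dklen]), calls


def matches_stdlib(password: bytes, salt: bytes, iterations: int, dklen: int) -> bool:
    """Cross-check the hand-written derivation against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen)
    return pbkdf2_hmac_sha1(password, salt, iterations, dklen)[0] == expected


def guesses_cost(iterations: int, candidates: int, dklen: int = 32) -> int:
    """Total PRF invocations needed to test `candidates` passwords offline."""
    blocks = math.ceil(dklen / 20)
    return iterations * blocks * candidates


def relative_cost(product_a: str, product_b: str) -> float:
    """How many times more PRF work per guess product_b imposes than product_a."""
    return ITERATIONS_BY_PRODUCT[product_b] / ITERATIONS_BY_PRODUCT[product_a]


def work_factor_verdict(iterations: int, min_iterations: int = MIN_ITERATIONS) -> str:
    """Audit verdict for a configured iteration count."""
    if iterations < 1:
        return "invalid"
    if iterations < min_iterations:
        return f"weak: {iterations} iterations, {min_iterations // iterations}x below floor"
    return "ok"


if __name__ == "__main__":
    key, calls = pbkdf2_hmac_sha1(b"password", b"salt", 1, 20)
    print(key.hex(), calls)
    for product, count in ITERATIONS_BY_PRODUCT.items():
        print(f"{product}: {count} iterations -> {work_factor_verdict(count)}")
```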


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Marsh Ray

On 11/28/2011 06:52 PM, Steven Bellovin wrote:


On Nov 28, 2011, at 6:58 PM, Marsh Ray wrote:


On 11/28/2011 04:56 PM, Steven Bellovin wrote:


I'm writing something where part of the advice is don't buy snake
oil crypto, get the good stuff.  By good I mean well-accepted
algorithms (not proprietary for extra security!), and protocols
that have received serious analysis.  I also want to exclude
too-short keys.



But -- honesty requires that I define the threat model.  We *know*
why NSA wanted short keys in the 1990s, but most folks are not being
targeted bypick your favorite SIGINT agency, and hence don't have
a major worry.


But where's the evidence of that claim?


For which claim?  That most folks aren't being targeted by major SIGINT
agencies?  I suspect that it's the converse that needs proving.


Is there a distinction being made here? How fine is it?

Targeted may imply that someone has your name on a finite sized list 
somewhere.


On the other hand, some percentage of your traffic (or metadata about 
it) are likely being intercepted, archived, and indexed for later 
searching. We know Google, Facebook, and every sleazy ad server network 
on the internet does this. We know Syria does this, their BlueCoat logs 
were uploaded the other day. We know the US government believes in 
warrantless wiretapping and has at least one wiring closet in US telcos.


We could call this non-targeted surveillance. But given the searching 
and retrieval capabilities today (e.g., Palantir's glowing review in the 
WSJ the other day), is this still a useful distinction?


Just asking questions out loud here.


If you are a tech, aerospace, or military company in
the West, you would should expect state-sponsored adversaries to rattle
your doorknobs on a regular basis.


Right.  And if you manufacture paper clips or sell real estate, you're
not in that category.


One would certainly think so.

But surely the Malaysian Agricultural Research and Development Institute 
did not realize it was painting a target on itself when some IT staffer 
requested the code signing flag be set on their cert request for 
anjungnet.mardi.gov.my.

( http://www.f-secure.com/weblog/archives/2269.html )


I do note that none of the news stories about cyberattacks from China have
mentioned crypto.  Either it's not part of the attack -- my guess -- or
Someone doesn't want attention called to weak crypto.


With all the vulnerable Adobe client software out there they probably 
have more hack targets than they can possibly handle.



Funny, that one sounds to me like a failed model. This idea of keeping
secrets locked in a plastic box while simultaneously selling it to
millions of consumers has failed every time it has been tried.


I don't follow.  TI put a public key into their devices, and used the
private key to sign updates.


Yes that makes more sense then.


That's a perfectly valid way to use
digital signatures, even if I think their threat model was preposterous.
If they had used 1024-bit keys it wouldn't have been an issue.


Right, it likely would have fallen to some other issue.


If we can't get clarification, perhaps we can obtain some samples of the
malware and confirm it ourselves.


How?  Private keys are private keys; the fact that they exist somewhere
says nothing about how they were obtained.


The question remaining in my mind was: was this batch of signed malware 
found in the wild by F-Secure really signed with a set of exclusively 
512 bit keys?


- Marsh
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
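The exchange above turns on whether the 512-bit signing keys were factored or simply stolen, and on Steve's remark that 1024-bit keys would not have been an issue. What a defender can check directly is whether any of their own certificates or code-signing keys still carry a modulus short enough to be in scope. The following is an added example, not code from the thread or from any project named in it: a minimal DER reader that pulls the RSA modulus out of a PEM SubjectPublicKeyInfo and reports its size. The `SAMPLE_KEYS` are constructed inputs whose moduli are just integers of the stated bit length, not real RSA moduli, and the 2048-bit floor is an assumption, not a figure the thread gives.

```python
import base64
import re

# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("2a864886f70d010101")


def der_read(buf, pos=0):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def der_write(tag, value):
    """Encode one DER TLV (used only to build the constructed sample keys)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def der_int(i):
    """Encode a non-negative INTEGER, adding a leading 0x00 if the top bit is set."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return der_write(0x02, b)


def make_rsa_spki_pem(n, e=65537):
    """Build a SubjectPublicKeyInfo PEM for modulus n (constructed sample input only)."""
    rsa_pub = der_write(0x30, der_int(n) + der_int(e))
    alg_id = der_write(0x30, der_write(0x06, RSA_OID) + der_write(0x05, b""))
    spki = der_write(0x30, alg_id + der_write(0x03, b"\x00" + rsa_pub))
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n%s\n-----END PUBLIC KEY-----\n" % body


def rsa_modulus_bits(pem):
    """Return the RSA modulus size in bits from a PUBLIC KEY PEM, or raise ValueError."""
    m = re.search(r"-----BEGIN PUBLIC KEY-----(.*?)-----END PUBLIC KEY-----", pem, re.S)
    if m is None:
        raise ValueError("no PUBLIC KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    _, spki, _ = der_read(der)
    _, alg_id, pos = der_read(spki)        # AlgorithmIdentifier
    _, oid, _ = der_read(alg_id)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    _, bitstr, _ = der_read(spki, pos)     # subjectPublicKey BIT STRING
    _, rsa_pub, _ = der_read(bitstr, 1)    # skip the unused-bits byte
    _, n_bytes, _ = der_read(rsa_pub)      # first INTEGER of RSAPublicKey is the modulus
    return int.from_bytes(n_bytes, "big").bit_length()


def audit_key_sizes(keys, minimum_bits=2048):
    """Return (label, bits, verdict) per key; anything under minimum_bits is flagged."""
    report = []
    for label, pem in keys.items():
        bits = rsa_modulus_bits(pem)
        verdict = "ok" if bits >= minimum_bits else "weak (%d < %d)" % (bits, minimum_bits)
        report.append((label, bits, verdict))
    return report


# Constructed sample keys: the moduli are plain integers of the right size,
# not products of two primes; only the size check matters here.
SAMPLE_KEYS = {
    "signing-cert-512": make_rsa_spki_pem((1 << 511) | 0x1235),
    "signing-cert-1024": make_rsa_spki_pem((1 << 1023) | 0x1235),
    "signing-cert-2048": make_rsa_spki_pem((1 << 2047) | 0x1235),
}

if __name__ == "__main__":
    for label, bits, verdict in audit_key_sizes(SAMPLE_KEYS):
        print("%s: %d-bit RSA, %s" % (label, bits, verdict))
```

The reader deliberately checks the algorithm OID before trusting the layout, and reads the modulus length from the INTEGER's own value rather than from the DER length byte, so a leading zero pad does not inflate the reported size.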


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Steven Bellovin

On Nov 28, 2011, at 8:03 PM, Nico Williams wrote:

 The list is configured to set Reply-To.  This is bad, and in some
 cases has had humorous results.  I recommend the list owners change
 this ASAP.


Agree, strongly.  The mailman documentation agrees with us.  I'm on the
verge of unsubscribing on the grounds that the list is a privacy violation
in action.

--Steve Bellovin, https://www.cs.columbia.edu/~smb







Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Jon Callas
 
 WEP?  Again, we all know how bad it is, but has it really been used?
 Evidence?
 
 Yes, WEP was a confirmed vector in the Gonzales TJX hack:
 http://www.jwgoerlich.us/blogengine/post/2009/09/02/TJ-Maxx-security-incident-timeline.aspx
 
 http://en.wikipedia.org/wiki/TJX_Companies#Computer_systems_intrusion
 
 Ah --- I'll check.  I knew they attacked WiFi; I didn't recall that they'd
 cracked WEP.  Thanks.

I don't believe the TJX attack cracked WEP. I believe that the post-hack 
auditors identified WEP as a weak point, but the attackers got in through an 
easily-cracked network. By easily cracked I mean something like a stupid 
password or unsecured. The attackers were not sophisticated.

Jon



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Lucky Green
On 2011-11-28 14:56, Steven Bellovin wrote:
 
 On Nov 27, 2011, at 11:00 49PM, Peter Gutmann wrote:
 
 Steven Bellovin s...@cs.columbia.edu writes:

 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?
[...]
For GSM, is there
 something I can footnote about these kits?

Steve,
There is a boatload of GSM interception gear on the market and has been
for over 10 years that performs cryptanalytical attacks on GSM's A5/1
and A5/2 ciphers.

Fire up your favorite search engine and look for passive GSM
interceptor. Indeed, there are subscribers to this mailing list that
sell commercial GSM interception gear that performs cryptanalytical attacks.

--Lucky Green


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread James A. Donald

On 2011-11-28 2:00 PM, Peter Gutmann wrote:

Steven Bellovins...@cs.columbia.edu  writes:


Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?


Could you be a bit more precise about what flaws in cryptography covers?  If
you mean exploiting bad or incorrect implementations of crypto then there's so
much that I barely know where to start, if it's actual cryptanalytic attacks
on anything other than toy crypto (homebrew ciphers, known-weak keys, etc)
then there's very little around.


The various wifi breaks are reasonably described as actual cryptanalytic 
attacks.



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes:

I'm writing something where part of the advice is don't buy snake oil
crypto, get the good stuff.

I wrote about this back in 2002 in Lessons Learned in Implementing and
Deploying Crypto Software, we've gone from straight snake oil to second-
order snake oil, good algorithms applied badly (the stuff I've seen people do
with RSA, DH, AES, ...).  So figuring out what the good stuff is (or at
least spotting the bad stuff and declaring everything else to be good) isn't
nearly as easy as it used to be.

[SIGINT] So -- is there a real threat that people have to worry about?

I doubt it.  Put another way, if you're paranoid about the MIB then you
probably have more problems than crypto can deal with.

The claim has been made in the foxit blog, but as noted it's not verified,
merely asserted.

Having discussed it with the Fox-IT person, I'm pretty convinced now that it
was indeed a factorisation attack.  OTOH there are some really, really strange
things surrounding how it was done, I'll try and get a summary written when I
get time.

Again, we all know how bad it is, but has it really been used?

So now we're really getting more into philosophical rather than technical
discussions.  Is a system with gaping security holes that's so profoundly
uninteresting to attackers that no-one even bothers looking at it (SCADA) more
secure than one that's been designed and implemented relatively securely but
that's such a tempting target that unreasonable amounts of effort are expended
attacking it (Windows)?  And who are your attackers?  If it's random
china^H^H^Hbogeymen then you need to worry about SCADA, if it's the entire
world's cybercrime industry then you need to worry about Windows and forget
SCADA because you can monetise the former and not the latter.

So to quote Ian Grigg, WYTM (What's Your Threat Model)?  I could put a DOS box
on the Internet (assuming I could find a TCP stack for it) and it'd remain
safe because no-one would ever target that.

Peter.



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-28 Thread Ben Laurie
On Tue, Nov 29, 2011 at 1:03 AM, Nico Williams n...@cryptonector.com wrote:
 The list is configured to set Reply-To.  This is bad, and in some
 cases has had humorous results.  I recommend the list owners change
 this ASAP.

IMO it's good. So there.


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Landon Hurley

GSM and the Kaos club expert would be a good example. So would the recent $200 
hardware break of hdmi encryption.

Steven Bellovin s...@cs.columbia.edu wrote:

Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?  I'm looking for real-world attacks
on
short key lengths, bad ciphers, faulty protocols, etc., by parties
other
than governments and militaries.  I'm not interested in academic
attacks
-- I want to be able to give real-world advice -- nor am I looking for
yet another long thread on the evils and frailties of PKI.


   --Steve Bellovin, https://www.cs.columbia.edu/~smb






Mathematics is the part of science you could continue to do if you woke up one 
morning and the universe was gone.



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Marsh Ray

Steven Bellovins...@cs.columbia.edu  wrote:

Does anyone know of any (verifiable) examples of non-government
enemies exploiting flaws in cryptography?  I'm looking for
real-world attacks on short key lengths, bad ciphers, faulty
protocols, etc., by parties other than governments and militaries.
I'm not interested in academic attacks


Here are some ideas. I can probably run down some specific details and 
references if you need them:


* Cases of breached databases where the passwords were hashed and maybe 
salted, but with an insufficient work factor enabling dictionary attacks.


* NTLMv1/MSCHAPv1 dictionary attacks.

* NTLMv2/MSCHAPv2 credentials forwarding/reflection attacks.

* Here's an example of RSA-512 certificates being factored and used to 
sign malware:

http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/



On 11/27/2011 02:23 PM, Landon Hurley wrote:

GSM and the Kaos club expert would be a good example.


...and non-academic researchers would seem to be an important category.

* There's the fail0verflow break of the specific use of
ECC in the Sony PlayStation 3.
http://www.theregister.co.uk/2010/12/30/ps3_jailbreak_hack/

The copy protection industry would seem fertile ground for this sort of 
example.



So would the recent $200 hardware break of hdmi encryption.


* http://aktuell.ruhr-uni-bochum.de/pm2011/pm00386.html.en
As I read it the HDMI master key was leaked, perhaps by an insider, in 
2010. The $200 hardware was basically an implementation of the protocol 
using that key.


* Last but not least, there's DeCSS. The DVD consortium was dumb enough 
to distribute the decryption key in a software player where it could be 
examined so maybe it's not a crypto break like you're looking for. On 
the other hand, having a single symmetric key for a mass-produced 
consumer distribution channel certainly counts as a faulty protocol.



-- I want to be able to give real-world advice -- nor am I looking

for yet another long thread on the evils and frailties of PKI.


Say, anyone looked at the Bitcoin prices lately? :-)

- Marsh
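Marsh's first bullet (hashed, maybe salted, but with too small a work factor) is the one most readers will own a copy of. Below is an added example, not code from the thread or from any project it names, showing what the defender-side check looks like: a salted PBKDF2 store with a tunable iteration count, a constant-time verifier, an audit that flags unsalted or low-iteration records, and a back-of-the-envelope cost for a dictionary run against one record. The record formats, the 100,000-iteration floor and the `SAMPLE_STORE` entries are all constructed for this example, not taken from the thread.

```python
import base64
import hashlib
import hmac
import os

# Stored-record formats assumed for this example (hypothetical; the thread names none):
#   pbkdf2_sha256$<iterations>$<salt b64>$<hash b64>   salted and iterated
#   sha256$1$$<hash b64>                               legacy: unsalted, single pass
MIN_ITERATIONS = 100_000   # audit floor; an assumption for this example


def hash_password(password, iterations=200_000, salt=None):
    """Store a password with a per-user random salt and a tunable work factor."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations, base64.b64encode(salt).decode(), base64.b64encode(dk).decode())


def parse_record(record):
    """Split a record into (scheme, iterations, salt bytes, hash bytes)."""
    scheme, iters, salt_b64, hash_b64 = record.split("$")
    return scheme, int(iters), base64.b64decode(salt_b64), base64.b64decode(hash_b64)


def verify_password(password, record):
    """Recompute the stored hash and compare it in constant time."""
    scheme, iters, salt, expected = parse_record(record)
    pw = password.encode("utf-8")
    if scheme == "pbkdf2_sha256":
        dk = hashlib.pbkdf2_hmac("sha256", pw, salt, iters)
    elif scheme == "sha256":
        dk = hashlib.sha256(pw).digest()
    else:
        return False
    return hmac.compare_digest(dk, expected)   # no early exit on the first differing byte


def audit_store(store, min_iterations=MIN_ITERATIONS):
    """Flag records that leave users exposed to a cheap offline dictionary attack."""
    findings = []
    for user, record in store.items():
        scheme, iters, salt, _ = parse_record(record)
        if not salt:
            findings.append((user, "unsalted: one precomputed table covers every user"))
        if scheme != "pbkdf2_sha256" or iters < min_iterations:
            findings.append((user, "work factor %d is below the floor of %d"
                             % (iters, min_iterations)))
    return findings


def dictionary_attack_seconds(record, dictionary_size, hash_iterations_per_second):
    """Estimated time to try dictionary_size guesses against one record, given a
    measured (or assumed) throughput of inner hash iterations per second."""
    _, iters, _, _ = parse_record(record)
    return dictionary_size * iters / hash_iterations_per_second


# Constructed sample store: three users, fixed salts so the records are reproducible.
SAMPLE_STORE = {
    "alice": hash_password("correct horse battery", iterations=200_000, salt=b"\x01" * 16),
    "bob":   hash_password("hunter2", iterations=1_000, salt=b"\x02" * 16),
    "carol": "sha256$1$$" + base64.b64encode(hashlib.sha256(b"letmein").digest()).decode(),
}

if __name__ == "__main__":
    for user, problem in audit_store(SAMPLE_STORE):
        print(user, "->", problem)
    for user in SAMPLE_STORE:
        print(user, "attack time for 10M guesses at 1e7 iterations/s: %.0f s"
              % dictionary_attack_seconds(SAMPLE_STORE[user], 10**7, 1e7))
```

The cost estimate is linear in the iteration count, which is the whole point of a work factor: raising it buys the defender time proportionally, and a record stored with a single pass gives the attacker essentially free guesses.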


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Florian Weimer
* Steven Bellovin:

 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?

DeCSS and subsequent DRM failures (including modchips), L0phtcrack,
the IMSI catcher*, some Elcomsoft products (particularly those better
than brute force), attacks on WEP, debit card skimming*, attacks on
malware encryption schemes by the AV industry.

All these have been productized in some form or other, which suggests
that some sort of enemy exploitation exists in this context.

* depending on your definition of cryptography


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Tom Ritter
On 27 November 2011 20:10, Steven Bellovin s...@cs.columbia.edu wrote:
 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks

The Padding Oracle attack enabled real-world attacks on both common
(DotNetNuke) and proprietary .Net and JSF web applications, as well as
CAPTCHAs.  Based on emails I've seen, this was widely exploited
online.

The BEAST attack on TLS was demonstrated practically, but wasn't
exploited widely AFAIK, which is the same case for the MD5-colliding
CA cert.

The console hacking scene may have more examples besides the PS3 break
mentioned by Marsh.  XBox 360 was rooted using a glitch attack to make
a hash comparison fail:
http://www.free60.org/Reset_Glitch_Hack
This may not be what you're looking for, but inducing a fault to
bypass a cryptographic check is at least on the same street.

Several encrypted hard drives are crappy implementations.  This one:
http://www.h-online.com/security/features/Cracking-budget-encryption-746225.html
was broken after discovering its encryption was just a matrix
multiplication.  I'd say this is actually farther from crypto than the
fault attack.

The Debian Weak Key bug produced many exploitable scenarios, although
I'm not sure if there are public tales of one being actively
exploited.

There was also a presentation in the last three years about practical
crypto attacks on web applications.   I believe it had two examples,
one of which was a crappy RNG in the password reset mechanism of a
popular web framework.  I can't for the life of me find it after
searching for 30 minutes though.  (There was another recently I
believe around a timing attack on string comparisons but that's not
really crypto.)

-tom


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Sandy Harris
On Mon, Nov 28, 2011 at 4:10 AM, Steven Bellovin s...@cs.columbia.edu wrote:
 Does anyone know of any (verifiable) examples of non-government enemies
 exploiting flaws in cryptography?  I'm looking for real-world attacks on
 short key lengths, bad ciphers, faulty protocols, etc., by parties other
 than governments and militaries.  I'm not interested in academic attacks
 -- I want to be able to give real-world advice -- nor am I looking for
 yet another long thread on the evils and frailties of PKI.

Ross Anderson
http://www.cl.cam.ac.uk/~rja14/
has a classic paper Why cryptosystems fail based on analyzing
failures in banking systems. Mostly not the stuff you mention,
but poor management. He has a bunch of related papers too.


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Landon Hurley ljrhur...@gmail.com writes:

So would the recent $200 hardware break of hdmi encryption.

HDCP was a social, political, and economic fail, not necessarily a crypto
fail. I certainly don't want to denigrate the work that the guys at the Ruhr
Uni did, but you've been able to buy commercial HDCP strippers for years for a
few tens of dollars.  Here's an article on this that I wrote a few years ago
but never posted because I wasn't sure whether shining too much light on their
existence would be a good thing.

-- Snip --

Digital Macrovision scrubbers

Some years ago you could buy video signal stabilisers (still sold today) which
were useful for cleaning up video signals that had, for example, a noisy
black-level signal that screws up your receiver's AGC and a poor sync signal
that causes sync loss in your receiver.  Well, that was the official story in
any case, in practice they had one and only one purpose and that was to remove
Macrovision when feeding the signal to a VCR or some equivalent device (most
TV sets weren't affected by the above so there was no need to stabilise the
signal).

The digital equivalent of the video signal stabiliser is the HDMI splitter.
These take an input HDMI signal (with HDCP if present) and output an HDMI or
DVI signal, not necessarily with HDCP present.  HDCP strippers have been
around for awhile, initially they were explicitly advertised and sold as such
(which made their manufacturers obvious targets for reprisals) but now as HDMI
becomes commoditised we're seeing the predictable flood of cheap Chinese-made
HDMI splitters and repeaters that, um, forget to turn on HDCP on the output.

I recently got a chance to play with a fairly new model that a friend of mine
had bought for some work that his company is doing.  He's a professional video
producer and had been having problems with being prevented from editing his
own content by HDCP (cue my recent shortcomings-of-DRM analysis :-).  For an
unrelated reason he'd needed to feed an HDMI signal to two different editing
devices and so bought (in his words) the cheapest, nastiest no-name HDMI
splitter I could find.

When he hooked it up to his video-editing gear he was surprised to see that
although he was feeding it input with HDCP, the output was clear of HDCP (one
of the advantages of having access to multi-thousand dollar video editing
equipment is that you get a lot more info than just a blank or noise-filled
screen).  He's since performed a series of tests on it with a range of gear
(including, for example, sending BluRay output to a non-HDCP DVI monitor that
normally results in no content being displayed) and it works just fine.

So what's inside this thing?  The entire content is just a basic board with a
bunch of HDMI splitter chips and an all-in-one 8051 to control them, probably
a $10 BOM for the lot.  The splitters are 1-2 devices and you can cascade
them, so to get 1-4 you use 1-2 and then 2-4 with a tree of three chips.
8-way just adds one more stage.

Looking at the datasheets for them, everything in these chips is software-
controlled.  In this case they just cleared the HDCP_ENC_OUT bit in a control
register and there was no more HDCP on the output.  In fact the cascade nature
of operation of these devices practically requires this, in order to avoid
running an HDCP setup for each link in the cascade (which according to Silicon
Image's FAQ can take up to five or six seconds per link, so for a three-level
cascade you're looking at up to 15s delay between changing the HDMI channel
and actually seeing any output from the box) so of necessity you need to turn
off HDCP for the links inside the box, with the result that you've got plain
HDMI running between the individual devices even if the output did still have
HDCP enabled.

Even if the firmware in the controller didn't already disable HDCP it'd be a
fairly simple patch to flip the required single bit in the control register
write in order to disable it.  In addition the keys are stored in external
EEPROMs (since putting EEPROM cells onto VLSI chips is a royal pain to do) so
you can grab the HDCP keys off those (they're supposedly encrypted, but lots
of vendors have made claims like this in the past, whether they really are is
still being investigated).  Heck, if you were really lazy and didn't want to
patch the software you could insert an ATtiny into the I2C control line (which
is used for controlling the HDMI chips from the 8051) and rewrite any accesses
to the HDCP registers so that it's disabled, the entire control code in the
ATtiny would be:

  while 1
read I2C command from input;
if( bit pattern == store data Y to register X )
  flip bit in data Y;
write I2C command to output;

(hmm, modchips for HDMI... I claim dibs on hacking next year's Defcon badge to
do this!).  Anyway, back to this specific device, it really is the cheapest,
nastiest no-name HDMI splitter, the circuit board looks like it's been
assembled by Stevie Wonder, 

Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Marsh Ray ma...@extendedsubset.com writes:

* Here's an example of RSA-512 certificates being factored and used to sign
malware:
http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/

That's an example of *claims* of 512-bit keys being factored, with the
thinking being everyone knows 512-bit keys are weak, the certs used 512-bit
keys, therefore they must have got them by factoring.  Unfortunately this
doesn't explain how they got the 1024-bit and longer keys that were also used
in the attack.

That's not to say they weren't obtained in this manner, but with nothing more
than the Politician's Fallacy as supporting evidence there's nothing to
indicate they didn't just steal them like everyone else does.

Peter.



Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Steven Bellovin s...@cs.columbia.edu writes:

Does anyone know of any (verifiable) examples of non-government enemies
exploiting flaws in cryptography?

Could you be a bit more precise about what flaws in cryptography covers?  If 
you mean exploiting bad or incorrect implementations of crypto then there's so 
much that I barely know where to start, if it's actual cryptanalytic attacks 
on anything other than toy crypto (homebrew ciphers, known-weak keys, etc) 
then there's very little around.  If it's something else, you'd have to let us
know where the borders lie.

Peter.


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Solar Designer
On Mon, Nov 28, 2011 at 04:57:03PM +1300, Peter Gutmann wrote:
 Marsh Ray ma...@extendedsubset.com writes:
 
 * Here's an example of RSA-512 certificates being factored and used to sign
 malware:
 http://blog.fox-it.com/2011/11/21/rsa-512-certificates-abused-in-the-wild/
 
 That's an example of *claims* of 512-bit keys being factored, with the
 thinking being everyone knows 512-bit keys are weak, the certs used 512-bit
 keys, therefore they must have got them by factoring.  Unfortunately this
 doesn't explain how they got the 1024-bit and longer keys that were also used
 in the attack.

Here are some examples of 512-bit RSA keys factored:

http://en.wikipedia.org/wiki/Texas_Instruments_signing_key_controversy
http://www.schneier.com/blog/archives/2009/09/texas_instrumen.html
http://www.ticalc.org/archives/news/articles/14/145/145154.html

http://www.ticalc.org/archives/news/articles/14/145/145273.html

http://www.elcomsoft.com/news/127.html
http://www.prweb.com/releases/quicken/backdoor/prweb534367.htm

As far as I'm aware, these are real (not just claims).

Alexander


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Peter Gutmann
Solar Designer so...@openwall.com writes:

Here are some examples of 512-bit RSA keys factored:

Right, but that doesn't say anything about what happened here.  In every other 
case we know of in which malware has been signed by CA-issued certs, the keys 
were either stolen or, more rarely, bought using stolen credentials.  Given 
that you can get certs and keys for free from your botnet (a single month's 
data from the Kneber botnet alone, a single instance of a Zeus-based botnet, 
had over two thousand private keys and certs), you can't use the Politician's 
Fallacy to claim that the keys used in this case were obtained by factoring.  
They may have been, but they could just as easily have been stolen, and in 
every other instance where this has occurred in the past they've been stolen 
or fraudulently obtained.  Until there's a web interface that the bad guys can 
click on that, when fed a cert, gives them the private key a few seconds 
later, you're not going to beat the convenience of a straightforward 
kleptographic attack.

Peter.


Re: [cryptography] Non-governmental exploitation of crypto flaws?

2011-11-27 Thread Solar Designer
On Mon, Nov 28, 2011 at 06:06:45PM +1300, Peter Gutmann wrote:
 Solar Designer so...@openwall.com writes:
 
 Here are some examples of 512-bit RSA keys factored:
 
 Right, but that doesn't say anything about what happened here. [...]

Sure.  I was not arguing with you, but rather I thought I'd provide some
more and better examples (better in terms of certainty that the
factoring actually took place) for Steve's original request.

Alexander