Crypto Blunders Steve Burnett, RSA Security Inc. burnett@rsasecurity.com SJSU Oct. 15, 2002
In History Scientific American in 1917: The Vigenère Cipher is “impossible of translation” . . .
In History Problem: Union Army broke the Vigenère Cipher during the United States Civil War in the 1860’s.
In History During WWII: Message from Luftwaffe High Command to a field officer declared Enigma “unbreakable”. That message was encrypted using Enigma.
In History How do we know about this message? It was cracked by the British shortly after being intercepted.
In History Scientific American in 1977: Martin Gardner published the first RSA challenge, $100 to the first person who could crack a message encrypted using the algorithm. Gardner claimed the cipher was unresolvable. Ron Rivest (the “R”) declared that it would take “40 quadrillion years” to crack.
In History Result? They paid up 17 years later.
Crypto Blunder #1 Declare your algorithm to be “unbreakable”.
Web Search
• UBE (UnBreakable Encryption) http://www.atlantic-coast.com/ube/
• VME (Virtual Matrix Encryption) “100% Security” “Our technology, VME, is quite simply the only unbreakable encryption available.” http://www.meganet.com ($1.2 million in challenges)
RSA Challenge and Ron Rivest’s Statement
• “Using current technology . . .”
• The algorithm had just been (re)invented that year; more research would yield better security numbers
• The challenge was on a 428-bit key (most use today is 1024 or 2048 bits)
• RSA as an algorithm is still secure
Security Proof “This is the first provably unbreakable code that is really efficient.” “We have proved that the adversary is helpless.” “It provides everlasting security.” Michael Rabin and Yan Zong Ding (algorithm known as Ding-Rabin)
Security Proof? Ajtai-Dwork: algorithm proposed in 1997, came with a security proof. Broken in 1998 (the attack was on the assumptions, not the math).
Ding-Rabin One-time pad with an “unbreakable” pad derivation function.
Assumption: Adversary has only one attack.
Assumption: Adversary needs to store an inordinate amount of data.
Assumption: Algorithm can set the threshold of storage beyond adversary’s capacity.
One-Time Pad Belief: “The one-time pad is the only unbreakable encryption scheme.”
Plaintext:   P  L  A  I  N  T  E  X  T . . .
Pad:        05 10 03 21 00 07 14 14 08 . . .
Ciphertext:  U  V  D  D  N  A  S  L  B . . .
One-Time Pad More rigorous declaration: “If the pad is random and the pad is used only once, the one-time pad has provable security properties.” This implies, “If the pad is not random and/or the pad is used more than once, there are security holes.”
One-Time Pad 1930’s - 1940’s: Soviet Union used one-time pads to encrypt messages to diplomatic missions throughout the world. They used some pads more than once. The error was in a manufacturer accidentally printing pads more than once.
Crypto Blunder #2 Worship at the altar of the one-time pad
Some proposals One-time pads for personal use: where do you get the pad? CDs or DVDs. Generate a pad using a PRNG, then store the pad in a file (suggestion from one manufacturer: store the pad on a floppy).
One-Time Pad 1998: Microsoft releases an implementation of the Point-to-Point Tunneling Protocol (PPTP). They used RC4 to encrypt the bulk data. RC4 is a kind of one-time pad: a stream cipher that generates the pad “on the fly” as more pad data is needed.
Microsoft’s PPTP Messages from client to server: one encryption “subsession”, which needs a key. Messages from server to client: another encryption “subsession”, started over from scratch, which needs another key.
Microsoft’s PPTP [Diagram: Client and Server]
Client to server: “Send secret data” RC4 “pad”: 38 0C 5D 77 . . . Ciphertext: kisé . . .
Server to client: “Buy ACME at $10” RC4 “pad”: 38 0C 5D 77 . . . Ciphertext: zy$W . . .
Note that the same RC4 pad appears in both directions.
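An added example, not from the talk, in Python: an RC4 keystream as PPTP used it, the two messages above encrypted under one shared session key, a check that the two ciphertexts XOR to the XOR of the plaintexts (the two-time pad symptom), and the mitigation of deriving a separate key per direction. The session key and the direction labels are constructed.

```python
import hashlib
import hmac

def rc4_keystream(key: bytes, n: int) -> bytes:
    # Key-scheduling algorithm (KSA).
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA): n bytes of "pad".
    out, i, j = bytearray(), 0, 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor_bytes(data, rc4_keystream(key, len(data)))

def two_time_pad_leak(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    # Audit check: if both messages used the same pad, the pad cancels and
    # c1 XOR c2 equals p1 XOR p2, i.e. the keystream gives no protection.
    return xor_bytes(c1, c2) == xor_bytes(p1, p2)

def direction_keys(session_key: bytes):
    # Mitigation: one key per direction, derived from the session key with
    # a labelled HMAC (an HKDF-style expand step; labels are constructed).
    return (hmac.new(session_key, b"client-to-server", hashlib.sha256).digest(),
            hmac.new(session_key, b"server-to-client", hashlib.sha256).digest())

if __name__ == "__main__":
    session_key = b"constructed PPTP session key"
    p1, p2 = b"Send secret data", b"Buy ACME at $10"
    # Blunder: both subsessions keyed identically -> same pad both ways.
    c1, c2 = rc4_crypt(session_key, p1), rc4_crypt(session_key, p2)
    print("same key leaks:", two_time_pad_leak(c1, c2, p1, p2))
    # Fix: separate keys, so the pads differ.
    k_c2s, k_s2c = direction_keys(session_key)
    c1, c2 = rc4_crypt(k_c2s, p1), rc4_crypt(k_s2c, p2)
    print("separate keys leak:", two_time_pad_leak(c1, c2, p1, p2))
```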
Which Algorithm? 1700’s: Many countries established “Black Chambers” which read and tried to decipher most mail sent to diplomatic missions. Strategy for sending messages: Use the best known cipher.
Which Algorithm?
• Vigenère cipher available since the 1500’s
• In the 1700’s, Vigenère had not been broken yet
• Most correspondents knew the ciphers they were using (often simple or complicated letter substitutions) were not secure
• Used them anyway
Crypto Blunder #3 Don’t use the best available algorithms
Best Available Algorithm? Microsoft invented a new block cipher to be used in their Digital Rights Management (DRM) software. Version 2 of the DRM was broken, one byproduct was a reverse-engineering of the new block cipher (dubbed MultiSwap). UC Berkeley team (including David Wagner) shows the algorithm to be very weak.
New Algorithm? Why invent a new block cipher? Microsoft had a license to use RC5. They had no way of knowing their new algorithm would be weak, but had no way of knowing it would be strong either. Use a studied cipher.
DVD (Digital Video Disc) [Diagram: DVD player and disc with movie] A copy-protected location on the disc holds 100’s of copies of the movie key, each encrypted with a separate DVD player unlock key (432D68E70B, B48F71A913, 6C46A754D9, 8B71F9360A, . . .). The player extracts its copy of the movie key and uses its unlock key to decrypt the movie key (97 9B 33 0A E2). The movie itself is encrypted: 26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .
DVD [Diagram: DVD player and disc with movie] With the movie key (97 9B 33 0A E2), the player decrypts the movie (26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .).
DVD
• The movie, encrypted or unencrypted, can be copied
• The movie key copies (each encrypted with a different company’s unlock key) cannot be copied
• If a licensed DVD player reads a disc without the movie key copies, even if the movie is unencrypted, it will not play the movie
DVD: One way to Cheat
• Copy the movie onto a new disc
• Figure out what the movie key list is supposed to be; you must know what each unlock key is (break the encryption)
• Create your own movie key list and place it on your disc
Best Available Algorithm? 1999: Jon Johansen in Norway, contributor to breaking DVD, remarked, “I wonder how much they paid for someone to actually develop that weak algorithm.” Furthermore, it used 40-bit encryption (by 1997, when DVD came out, 56 and 64-bit encryption was exportable from the US).
Implementation 1930’s: The Japanese government replaces old “Red” cipher since it was not secure any more. The new algorithm, named “Purple” by US codebreakers, was far superior.
Implementation Problem: Errors in building and deploying the new machines aided Japan’s enemy in World War II (the Americans) in cracking the system. One error: a “mistake on the plugboard.”
Crypto Blunder #4 Implement the algorithm incorrectly
Using RSA RSA Tech Support gets a call one day: a customer using RSA to encrypt finds that the ciphertext is the same as the plaintext. Recall how RSA works. Find two primes, p and q, and multiply them together to produce a modulus n. Decide on a public exponent, e, and find the private exponent, d = inverse of e mod (p-1)(q-1). To encrypt message m and produce ciphertext c, perform exponentiation: c = m^e mod n. To decrypt: m = c^d mod n.
RSA implementation Upon investigation, we discovered the customer had chosen 1 as the public exponent: c = m^1 mod n = m.
DSA (Digital Signature Algorithm) Sign: Generate two values (r and s) based on the data to sign, the private key and a random value. [Diagram: Data to Sign + Signer’s DSA Private Key + Random “k” → DSA Algorithm → r, s]
DSA Security
• If someone knows your private key, they can sign for you (forge your signature)
• If someone knows the random “k” you used, they can compute your private key
• If you use the same “k” twice, it’s simple high school algebra to figure out what that “k” is
• DON’T use the same “k” twice.
JavaSoft DSA Implementation
• JDK 1.1 includes DSA (believed to have no intellectual property entanglements)
• How does one generate a new random “k” every signature?
• “Hardcoded” the “k” and planned to solve the problem later
• Released JDK 1.1 with the hardcoded “k”
• Fixed in JDK 1.1.2
The k’s
512-bit keys: 66 D1 F1 17 51 44 7F 6F 2E F7 95 16 50 C7 38 E1 85 0B 38 59
1024-bit keys: 65 A0 7E 54 72 BE 2E 31 37 8A EA 7A 64 7C DB AE C9 21 54 29
Others, computation of which is left as an exercise for the audience.
Disaster Mitigated The code to sign and verify was flawed anyway, there was no way to use old keys. That is, you could generate a new key pair, sign with the private key, but no one could load the public key. You could sign, but not verify. Likewise, you could encrypt, but not decrypt.
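An added example, not from the talk or from the JDK, in Python, covering the DSA Security and JavaSoft slides: toy DSA with constructed parameters (p = 607, q = 101, g = 64) and a toy hash, a signer with a hardcoded k the way JDK 1.1 had it beside a signer that draws a fresh k per signature, and an audit check that flags repeated r values, the visible symptom of a reused k. Requires Python 3.8+ for pow(k, -1, q).

```python
import secrets

# Toy DSA parameters, constructed for illustration (real DSA uses a
# 1024/2048-bit p and a 160/256-bit q): q divides p - 1 and g has order q.
P, Q, G = 607, 101, 64

def toy_hash(message: bytes) -> int:
    # Stand-in for SHA-1/SHA-2 so the example stays self-contained.
    return int.from_bytes(message, "big") % Q

def keygen(x: int):
    return x, pow(G, x, P)  # private key x, public key y = g^x mod p

def _sign_with_k(x: int, message: bytes, k: int):
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (toy_hash(message) + x * r)) % Q
    return r, s

def sign_hardcoded_k(x: int, message: bytes):
    # The JDK 1.1 blunder: the same "random" k for every signature.
    # r depends only on k, so every such signature carries the same r.
    return _sign_with_k(x, message, 5)

def sign(x: int, message: bytes):
    # Correct: fresh k from a CSPRNG per signature; retry if r or s is 0.
    while True:
        r, s = _sign_with_k(x, message, secrets.randbelow(Q - 1) + 1)
        if r and s:
            return r, s

def verify(y: int, message: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):
        return False
    w = pow(s, -1, Q)
    u1, u2 = (toy_hash(message) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def find_reused_k(signatures) -> set:
    # Audit check: signatures from one key that share r were made with
    # the same k; report those r values.
    seen, reused = set(), set()
    for r, _ in signatures:
        (reused if r in seen else seen).add(r)
    return reused

if __name__ == "__main__":
    x, y = keygen(13)
    sigs = [sign_hardcoded_k(x, m) for m in (b"\x07", b"\x2a")]
    print(sigs, "reused k via r:", find_reused_k(sigs))
```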
Enigma keys Enigma was broken. One of the ways it was broken was that operators were using 6-character keys, easy to guess. Admiral Dönitz of the German Navy had operators use longer keys generated randomly.
Enigma keys British Navy boarded a disabled sub (U-559) and found a book with the list of keys. The operator’s original instructions were to destroy the key book if the sub were damaged, but the captain ordered all personnel to abandon the ship (the operator saved his correspondence with his girlfriend).
Crypto Blunder #5 Don’t protect the key.
PBE technique to protect keys Password-Based Encryption (PBE) used to protect Windows for Workgroups passwords in a PWL file. 1995: Peter Gutmann demonstrates the technique is flawed. 1996: Gutmann extends the technique to recover server private keys in Netscape. 1997: Gutmann reports that Microsoft Internet Explorer uses same technique to protect private keys.
Responses 1995: Microsoft declares, “The password list file is encrypted with an algorithm that meets the U.S. government Data Encryption Standard (DES). This encryption technology is the highest security allowed in software exported from the United States.” 1996: Netscape replaced key-protection (unrelated to the Gutmann announcement). 1997: Microsoft offers new technique, Gutmann shows it’s not much better.
Crypto AG Swiss company offering crypto products. One product was a “teletext” machine used by many governments to securely communicate among embassies and other diplomatic stations. In 1992, Hans Buehler, a sales rep for Crypto AG, was arrested in Iran. The Iranian government accused Crypto AG of putting a “back door” into the product delivered to Iran.
Crypto Blunder #5 Put a back door into your product.
Clipper Chip In 1993, the US government offered the Clipper chip, a crypto device to be used on phones, in computers, networks, etc. From the US government? Back door?
Clipper Chip Back door? It was advertised. According to the US government, that was one of its best features. The Clipper is no longer in production.