Thursday, 9 February 2012

Practical cryptography in 2011

Before anyone objects, I'm going to clarify the ground rules. This list is naturally incomplete, and moreover, I'm going to take 'practical' seriously. That rules out reduced-round attacks (on anything); improvements in Fully-Homomorphic Encryption (getting faster!); and any paper with 'composable' in the title. I will cover implementation and usability issues. But I don't really plan to take any of my own rules that seriously. If you think I missed something important -- and I will -- please feel free to follow up in comments.
·     SecurID not so secure after all. RSA's SecurID has become practically synonymous with two-factor authentication. And it's not a bad system. Back in 2010 if you'd asked me about the most likely avenue for a compromise, I would have guessed (a) theft of secrets from a local SecurID server, or (b) some kind of bug in the authentication software.

What I
 wouldn't have guessed was (c) compromise of RSA's master seed data. Obviously that wasn't going to happen -- given the sensitivity of this information, RSA naturally took good care of it. Remember the underground research facility in Resident Evil? My vision of the RSA master seed storage facility was kind of like that, only without the friendly computer or Milla Jovovich.

In retrospect this seems a bit naive, but really: SecurID was everywhere. Even
 military contractors used it. If local banks had learned to store their secrets in hardware security modules, then certainly RSA would take modest precautions with something as important as their master seed database.

What 2011 taught us is that just because you think something will be done a certain way, it won't necessarily be so. Perhaps 2012 will be different.
·         Still more attacks on AES. I promised to keep this to the practical, and the latest attacks against AES certainly aren't. The best of them still only shave a couple of bits off of the security of an AES key (although the new attacks don't depend on related keys).

Still, AES is such an important cipher that any reduction in its security margin is going to have some kind of practical impact. The question now is what lies down the road:
 (a) an improved AES beefed up with additional rounds, (b) a new standards competition, (c) apathy, or (d) something even weirder. Maybe 2012 will put us on a path to finding that answer.
·         D-Wave actually builds a quantum computer. With two caveats: it's not really a computer, and it may or may not be quantum.

In case you've never heard of
 D-Wave, they're a private company that purports to sell the first working adiabatic quantum computer, complete with "128 pair-wise coupled superconducting flux qubits". If you're not sure what to make of this, you're not the only one. Thanks to D-Wave's NDA-heavy business model, there's been some doubt in learned quarters as to whether the D-Wave device actually performs useful quantumcomputation at all.

But D-Wave has an active and respectable research department. Just this past May they published an
 article in Nature demonstrating apparent quantum tunnelingamongst eight qubits. This is a far cry from the 128 qubits claimed in their commercial products, it doesn't demonstrate entanglement, and of course, it doesn't result in computation. Still it's not nothing. So does this mean practical implementations ofShor's algorithm are just around corner? Probably not.
·      TLS falls to the BEAST. This fall Thai Duong and Juliano Rizzo raised the pulse of the security industry by demonstrating the most exciting practical attack againstSSL/TLS in years. This attack is dear to my heart because it's one of the first attacks I wrote about on this blog.

BEAST is based on a five year-old
 academic attack on a twelve year old standard. Now there's a bit more to the attack that Rizzo/Duong implemented, but still --- how in the world does such a thing stay in the wild so long? A colleague describes Rizzo/Duong's research strategy as 'working their way through the Eurocrypt archives, actually exploiting the theoretical vulnerabilities that academics couldn't be bothered to follow through on'. If this sounds dismissive, it wasn't -- he only wished that he'd done it first.

Lesson: there's a hell of a gap between academic crypto and 'the real world'. We're only safe as long as you believe in attackers who are sophisticated enough to spear-phish SecurID, but not bright enough to read a crypto paper. Time will tell if that belief is a good one.
·     Nothing much happens with hash functions. Well, that's a bit unfair. Thingsdid happen, and there are some papers to show for it. The SHA3 finalists, announced late last year, continued to percolate through the system. (Go BLAKE!) Still, 2011 was a huge disappointment for those of us you who thought that it would be the year of SHA1 collisions. I guess there's always 2012.
·      Unsigned code running on iOS. Many cryptographers would exclude this from a list of 'crypto' happenings. Still, a theme of this blog is that your crypto doesn't matter if your implementation undermines it.

This is exactly what Charlie Miller demonstrated
 when he showed how to execute malicious application code on an iPhone. Even though iOS devices are only supposed to run signed code, it turns out that a few bad checks created a tiny section of memory in which these requirements were irrelevant. To thank him, Apple created atiny section of their developer program in which Charlie Miller is irrelevant.
·        Certificate Authorities still a giant mess. Some will say I'm exaggerating -- there were only a few major hacks this year, notably Dutch CA DigiNotar, and a smaller CA called Gemnet. But don't forget, Microsoft also revoked Digicert Malaysia -- not because they were hacked, but for using 512-bit RSA keys to sign certificates (!!) And this is only a partial list of the problems we know about. All in all, it was not a good year to be a CA.
·      Secure police radios not all that secure. APCO Project 25 is a digital radio standard used by law enforcement. Naturally it supports encryption -- a valuable tool when you're discussing a confidential source or razzing those Occupy protestors. And the P25 encryption itself isn't half bad (it's unauthenticated AES). Rather, the problem with P25 is that simply getting encryption turned on is a daunting prospect -- to the point where it often doesn't happen.
To illustrate the problem, a team from UPenn
 spent two years snarfing up confidential traffic. The agents generating most of this traffic either thought it was encrypted, or would have encrypted it if only they could've figured out how to set the keys. Still more evidence that usability is every bit as important as crypto, implementation, or any other issue that we come across in our field.
·      XML Encryption nearly as awful as XML itself. This fall brought news of a clever attack on the unauthenticated W3C XML Encryption standard. The attack, by researchers Tibor Jager and Juraj Somorovsky, used various features of XML encoding to implement what I would call a 'padding oracle attack-plus-plus' -- which completely decrypts protected XML on Axis2 and JBoss systems. 

 W3C response: "We are so sorry for promulgating this terrible standard and recommend that you never, ever listen to anything we say regarding security every again." No, of course I'm just kidding. Actually, they're adding AES-GCM as an option. Should take care of everything.
·      Quantum key distribution still a work in progress. Quantum Key Distribution (QKD), sometimes known as 'quantum crypto' is a promising technique for distributing keys over geographic distances without the need to rely on complicated stuff like hard mathematical problems. Instead, you just need to run direct fiber-optic cables to the person you want to communicate with (much easier). On the bright side, the security of QKD is supposedly based on fundamental quantum-physical properties.

In general, the caveat in any QKD design is that security only holds
 if the physical device works as expected. This year researchers from Singapore and Norway showed that this is a big assumption: by exploiting certain limitations of existing detector equipment, they were able to extract an entire secret key without anyone being the wiser. None of these attacks are fundamental 'breaks' of QKD, and indeed they've already been mitigated. But it goes to show how you should never trust a system just because someone tells you it's 'theoretically unbreakable'.

No comments:

Post a Comment