Over on Web 1.0, Steve Bellovin is asking an interesting question:
Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography? I’m looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries. I’m not interested in academic attacks — I want to be able to give real-world advice — nor am I looking for yet another long thread on the evils and frailties of PKI.
The responses vary from the useful to the not-so-useful, occasionally punctuated by an all-out flamewar — pretty much par for the course in these things.
Here are a few of the responses that sound pretty reasonable. They’re (mostly) not mine, and I’ve tried to give credit where it’s due:
- Cases of breached databases where the passwords were hashed and maybe salted, but with an insufficient work factor enabling dictionary attacks.*
- NTLMv1/MSCHAPv1 dictionary attacks.*
- NTLMv2/MSCHAPv2 credentials forwarding/reflection attacks.*
- The fail0verflow break of poorly-nonced ECDSA as used in the Sony PlayStation 3.*
- DeCSS.*
- Various AACS reverse-engineering efforts.
- The HDCP master key leak.*
- Various attacks on pay satellite TV services.****
- GSM decryption, which seems to have gone beyond the academic and into commercial products.
- Factoring of the Texas Instruments 512-bit firmware signing key for calculators, and Elcomsoft’s factoring of the Quicken backup key.**
- Key recovery in WEP.
- Exploits on game consoles: the original XBox,*** Wii software signing.
There’s also some debate about recent claims that 512-bit RSA certificate signing keys were factored and used to sign malware. As much as I’d like to believe this, the evidence isn’t too solid. Some posters claim that there were also 1024-bit keys used in these attacks. If that’s true, it points more to key theft (aka Steve’s ‘evils and frailties of PKI’).
You’ll also notice I’m leaving lots of stuff off of this list, only because I don’t know of any specific attacks based on it. That would include all the padding oracle attacks of late, the BEAST attack on TLS, bad Debian keys, and so on.
So what’s the takeway from all of this? Well, it’s complicated. A quick glance at the list is enough to tell us that there are plenty of ‘real people’ (aka non-professional cryptographers) out there with the skills to exploit subtle crypto flaws. That definitely supports my view that proper crypto implementation is important, and that your code will be exploited if you screw it up.
Some people may take comfort from the fact that there’s no crypto ‘pearl harbor’ on this list, i.e., the cryptographic equivalent of a Conficker or Stuxnet. I would say: don’t get too cocky. Sure, software security is a mess, and it’s a whole lot easier to set up a dumb fuzzer than to implement sophisticated crypto exploits. (No offense to dumb fuzzers — I’m friends with several.)
But on the other hand, maybe this is misleading. We mostly learn about software 0days from mass malware, which is relatively easy to catch. If sophisticated crypto exploits are being implemented, I would guess that they’re not going into retail worms and trojans — they’re being very quietly applied against high-value targets. Banking systems, for example.
But again, this is just speculation. What do you think?
Notes:
* Marsh Ray.
** Solar Designer.
*** Tom Ritter.
**** commenter “Swiss Made”, below.
A Few Thoughts on Cryptographic Engineering 
“We mostly learn about software 0days from mass malware, which is relatively easy to catch”
Actually, most 0days don't come from mass malware. Less than a third (7 of 26) of the mass malware in 09/10 used 0days. 7 more of 26 vulns used in mass malware were repruposed targeted attacks, 7 more from ZDI, and 5 from vendor advisory.
Check out Pages 4 & 23 of http://cryptocity.net/files/presentations/EIP-2.0.pdf and google “Exploit Intelligence Project” for different packaging of the slides and a video. Dan did some great work exploring just what it takes to defend against mass malware, and clears up some myths about it.
Personally, I tend to think there's no crypto Stuxnet or Mass Malware because it's just not cost effective. For that I point to http://trailofbits.com/2011/08/09/attacker-math-101/ Chrome isn't exploited because it's more cost effective (easier) to go after something else… Java. Likewise, it's more cost effective to dump CC processors through application level vulnerabilities (SQL Injection) than network vulnerabilities (root on the database/backup serer and attack the crypto.) Similarly, it's easier to go after SSL's trust model than it's crypto.
So I have to wonder, where is crypto the weakest link in the chain?
That's a great presentation. I stand corrected.
“So I have to wonder, where is crypto the weakest link in the chain?”
It's a good question. The only way to answer it is to speculate wildly, however — I would argue that in the case of a /targeted/ attack the chain metaphor might not always be the right one. It's not a question of breaking the weakest link in a given chain. It's more a question of getting through a series of doors. If any one door holds up, you're stuck outside.
The DRM and gaming attacks above aren't a perfect fit here, but I think they offer some insight. People didn't go after ECDSA noncing (resp. RSA padding verification) for fun. They went after them because there were /no/ easily exploitable SQL injection alternatives. When you hit a brick wall, you start looking for loose bricks.
But of course, the thing about targeted attacks (as opposed to DRM exploits) is that you rarely know the details. I doubt the targets often know the precise details.
There are many more fun examples in the pay-tv hacking world.