Wednesday, November 30, 2011

Academic vs. commercial cryptographers

(credit)
Luther Martin has a post on the difference between academic and commercial cryptographers. You should read the whole thing, but I wanted to add my $.02 on this part:
I don’t have any firsthand experience with this, but I’ve heard stories of how people in the academic world who try to approach cryptography from the point of view of commercial cryptographers also encounter problems. The places where they work typically put more value on inventing new things, so practical implementations are often considered not as good as less practical, yet new, inventions.
I do have some firsthand experience with this. And Luther's basically right.

I'm fortunate to have a foot in both the commercial and academic worlds. On the one hand, this means that I get to spend my days working with real products, which is fascinating because, well, it's fascinating. And it's relevant.

Unfortunately, from a technological point of view, commercial crypto doesn't exactly set the world on fire. Once in a while you get to work with a company which is doing something interesting, like Voltage or PGP. But for the most part you're playing with the same basic set of tools.

Therefore, when I have a chance to do research, I tend to gravitate to the purely academic. This includes protocols that enhance user privacy -- stuff like this.

I will cheerfully admit that there's about a 1% chance that any of my academic work will be deployed in this decade. And I'm ok with that! I enjoy solving problems, and I like that in crypto research, at least, we're not slaves to the immediate practical.

But maybe as academics, we take this too far.

I advise some grad students, and one of my sad duties is to inculcate them with this understanding: you can do whatever you want in your career, but if you want to get published, the absolute worst thing is to be too practical. Don't kill yourself implementing some cryptosystem that's practical and deployable, unless there's something extremely sexy and new in it. And if that's the case, try not to waste all that time implementing it in the first place! The reviewers (mostly) don't care.

This is problematic, since in my opinion there's a huge gap between commercial work and academic crypto. This includes a big category of technologies that we need in order to make (secure) crypto easier to deploy. But none of the incentives are there to support this kind of research.

Despite this, I'm trying to shift some of my work in that direction. This means a whole lot of time-consuming work writing tools like this one. Building this kind of tool is a prerequisite to doing real research. Unfortunately it requires a lot of scut work, and that's not going to get anyone a ton of sexy research publications. Still, someone needs to do it.

I'm not really sure what to do about this, and I sure hope it changes at some point.

Tuesday, November 29, 2011

Human error is something to be engineered around, not lamented

Random thought of the day, apropos of this comment by Jon Callas:
Is this the face of human error? (credit)
We know that the attack against EMC/RSA and SecureID was done with a vuln in a Flash attachment embedded in an Excel spreadsheet. According to the best news I have heard, the Patient Zero of that attack had had the infected file identified as bad! They pulled it out of the spam folder and opened it anyway. That attack happened because of a security failure on the device that sits between the keyboard and chair, not for any technology of any sort.
Quite frankly, if this is what qualifies as human error in a security system, then we're all in deep trouble. We're stuck with it. We're born to it.

I'll assume one of two things happened here:
  1. An AV scanning system identified a known signature inside of an attachment, recognized that this could be an exploit, and responded to this very serious issue by moving the file into the SPAM folder, where it joined many other legitimate messages that were improperly marked as spam.
     
  2. A Spam filter noticed something funny about a header, and moved the file into the SPAM folder, something it probably does eight times per week for no reason at all.
Unless your users are superhuman, the problem here is not the user. It's the system. If the file legitimately contained a vulnerability, it shouldn't have been moved into the SPAM folder, where it could easily be mistaken for a random false positive.

If, on the other hand, the problem was just something to do with the headers, then maybe the user was just doing what was normal -- pulling a probable false positive out of their spam folder, just like they did every day.

People are not superhuman. They react to the inputs you give them: GIGO applies. If security systems give people crap inputs, then they'll make crap decisions. Fixing this problem is our job. We don't get to complain every time a user does something perfectly understandable in response to bad data that we (security system designers) give them.

And of course, this leaves aside the basic fact that the master seed was available to this attack in the first place, something that boggles the mind... But I guess that's all been said.

Monday, November 28, 2011

Non-governmental crypto attacks

Photo credit: Null Value.
Over on Web 1.0, Steve Bellovin is asking an interesting question:
Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography?  I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries.  I'm not interested in academic attacks -- I want to be able to give real-world advice -- nor am I looking for yet another long thread on the evils and frailties of PKI.
The responses vary from the useful to the not-so-useful, occasionally punctuated by an all-out flamewar -- pretty much par for the course in these things.

Here are a few of the responses that sound pretty reasonable. They're (mostly) not mine, and I've tried to give credit where it's due:
  1. Cases of breached databases where the passwords were hashed and maybe salted, but with an insufficient work factor enabling dictionary attacks.*
  2. NTLMv1/MSCHAPv1 dictionary attacks.*
  3. NTLMv2/MSCHAPv2 credentials forwarding/reflection attacks.*
  4. The fail0verflow break of poorly-nonced ECDSA as used in the Sony PlayStation 3.*
  5. DeCSS.*
  6. Various AACS reverse-engineering efforts.
  7. The HDCP master key leak.*
  8. Various attacks on pay satellite TV services.****
  9. GSM decryption, which seems to have gone beyond the academic and into commercial products.
  10. Factoring of the Texas Instruments 512-bit firmware signing key for calculators, and Elcomsoft's factoring of the Quicken backup key.**
  11. Key recovery in WEP.
  12. Exploits on game consoles: the original XBox,*** Wii software signing.
There's also some debate about recent claims that 512-bit RSA certificate signing keys were factored and used to sign malware. As much as I'd like to believe this, the evidence isn't too solid. Some posters claim that there were also 1024-bit keys used in these attacks. If that's true, it points more to key theft (aka Steve's 'evils and frailties of PKI').

You'll also notice I'm leaving lots of stuff off of this list, only because I don't know of any specific attacks based on it. That would include all the padding oracle attacks of late, the BEAST attack on TLS, bad Debian keys, and so on.

So what's the takeaway from all of this? Well, it's complicated. A quick glance at the list is enough to tell us that there are plenty of 'real people' (aka non-professional cryptographers) out there with the skills to exploit subtle crypto flaws. That definitely supports my view that proper crypto implementation is important, and that your code will be exploited if you screw it up.

Some people may take comfort from the fact that there's no crypto 'pearl harbor' on this list, i.e., the cryptographic equivalent of a Conficker or Stuxnet. I would say: don't get too cocky. Sure, software security is a mess, and it's a whole lot easier to set up a dumb fuzzer than to implement sophisticated crypto exploits. (No offense to dumb fuzzers -- I'm friends with several.)

But on the other hand, maybe this is misleading. We mostly learn about software 0days from mass malware, which is relatively easy to catch. If sophisticated crypto exploits are being implemented, I would guess that they're not going into retail worms and trojans -- they're being very quietly applied against high-value targets. Banking systems, for example.

But again, this is just speculation. What do you think?

Notes:

** Solar Designer.
*** Tom Ritter.
**** commenter "Swiss Made", below.

Thursday, November 24, 2011

Bram Cohen corrects me?

Bram Cohen has responded to my criticism of his comments on Practical Cryptography. For those who didn't read my original post, here are my comments in a nutshell:

  1. No, you shouldn't use RSA with public exponent 2 (i.e., Rabin-Williams). You're way too likely to screw it up.
     
  2. No, you should not authenticate (MAC) before you encrypt. You should encrypt first, then you should add a MAC on the ciphertext. Or better yet, use a standard authenticated encryption scheme.
     
  3. You're almost always better off using a standard encryption scheme that's already been implemented and tested, no matter how much 'better' an alternative might sound.
You can see Bram's response in the comments section, down at the bottom of the original post. I'll try to hit the high points here without doing him an injustice:
Bram: Matthew, first of all, you're being extremely dismissive of any practical concerns here. Practical crypto deployments bottleneck on the server doing modular exponentiations, and if you use the standard exponent over plain old 2, then you need *five times* as much computing power, which frequently translates into five times as many real machines consuming five times the power in five times as large of a colo space. 
My response? Fair enough. Rabin encryption is a little bit faster. If you're writing towards an application that needs to perform enormous amounts of encryption, there's a colorable argument that Rabin might be a good choice. But as Bram points out in his own response, if that's the case, you're probably better off using Elliptic Curve cryptography.

In general, I'm leery of efficiency arguments. Standard RSA encryption is extremely fast. The 0x10001 exponent was chosen precisely because its low Hamming weight keeps the number of multiplications in the encryption process to a minimum. According to this benchmark, taken on an Intel Core 2 1.83 GHz processor, 1024-bit encryption takes 0.08 milliseconds. That's without hardware acceleration.

If you're building a massive server farm and performance is an issue, perhaps there's reason to worry about the encryption time. If you're doing something with a very limited processor, and you really know what you're doing, perhaps there's some reason to be concerned about performance.

But as a general recommendation? No way. You're just encouraging people to adopt schemes they don't really understand, in order to realize a minor performance benefit they won't notice.
Bram: Doing encrypt-then-authenticate looks a lot like authenticate-then-encrypt except that the authentication is plaintext, which obviously opens it to attacks which involve guessing the plaintext and verifying it because the authentication is right there, and you can extend those to modifying the ciphertext and replacing the authentication. I simply do not believe that making yourself susceptible to those problems is a win. 
Ok, I admit that I legitimately don't understand Bram's argument here. If anything, this sounds like the argument for encrypt-then-authenticate.

For the benefit of people who are just joining the discussion, there are basically two points of view. Bram says you should authenticate your plaintext (using a MAC) then you should encrypt it. I (and many other cryptographers) say you should encrypt first, then authenticate the ciphertext.

In a nutshell, the advantage of my approach is what happens at decryption time: when a ciphertext comes in, you first verify a MAC to ensure that the ciphertext is correct and hasn't been tampered with. You do this with a key that's not related to the encryption key. If the MAC verification fails, you stop. You simply don't decrypt.

This ensures that no information about the plaintext ever leaks back to the attacker. If the attacker is tampering with ciphertexts (e.g., in an attempt to implement a padding oracle attack), he gets nothing. This approach has all kinds of nice advantages, one of which is its modularity.

You see, provided that you're MACing the ciphertext, it doesn't matter how the encryption scheme works. You don't have to worry about whether it uses a funny padding scheme. You don't have to worry about any encoding or compression that might take place during the encryption process. If someone upgrades your encryption to a different mode of operation, you're still fine -- at least as far as active attacks are concerned.

Even better, the encrypt-then-authenticate approach can be proven IND-CCA secure (semantically secure against adaptive chosen ciphertext attacks). A proof can be found in this paper.
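
To make this concrete, here's a minimal encrypt-then-authenticate sketch in Python, using AES-CTR plus HMAC-SHA256 via the 'cryptography' package and the standard library. The key lengths, nonce handling and function names are my own illustrative choices, not anyone's production API:

# Minimal encrypt-then-MAC sketch (illustrative, not production code).
# enc_key must be 16/24/32 bytes for AES; mac_key is an independent key.
import os, hmac, hashlib
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

def encrypt_then_mac(enc_key, mac_key, plaintext):
    nonce = os.urandom(16)                               # fresh CTR nonce per message
    enc = Cipher(algorithms.AES(enc_key), modes.CTR(nonce)).encryptor()
    ciphertext = nonce + enc.update(plaintext) + enc.finalize()
    tag = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()   # MAC the ciphertext
    return ciphertext + tag

def mac_then_decrypt(enc_key, mac_key, blob):
    ciphertext, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):           # verify BEFORE decrypting
        raise ValueError("MAC check failed")             # nothing about the plaintext leaks
    nonce, body = ciphertext[:16], ciphertext[16:]
    dec = Cipher(algorithms.AES(enc_key), modes.CTR(nonce)).decryptor()
    return dec.update(body) + dec.finalize()

Notice that decryption never touches the ciphertext body until the MAC check passes -- which is exactly the property that shuts down padding-oracle-style tampering.
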
Bram: The other issue with encrypt-then-authenticate is that it makes the code more complicated and just plain uglier, which directly makes you more susceptible to the #1 cause of actual breaks, implementation error.
Ok, here again I disagree. Let's take a look at the most common example of authenticate-then-encrypt that I can think of. It's CBC-mode encryption as defined in the TLS specification. This has been standard going back to SSL 3.0, but it's still used in current versions -- due to backwards-compatibility issues.

So with that in mind, see this note included in the TLS 1.2 spec:
   Implementation note: Canvel et al. [CBCTIME] have demonstrated a
   timing attack on CBC padding based on the time required to compute
   the MAC.  In order to defend against this attack, implementations
   MUST ensure that record processing time is essentially the same
   whether or not the padding is correct.  In general, the best way to
   do this is to compute the MAC even if the padding is incorrect, and
   only then reject the packet.  For instance, if the pad appears to be
   incorrect, the implementation might assume a zero-length pad and then
   compute the MAC.  This leaves a small timing channel, since MAC
   performance depends to some extent on the size of the data fragment,
   but it is not believed to be large enough to be exploitable, due to
   the large block size of existing MACs and the small size of the
   timing signal.
Allow me to translate this to plain English: "because we chose to authenticate our plaintext, rather than our ciphertext, we had to (a) MAC both the message and the padding, and (b) even though we did that, it turned out that attackers could still hoover out a little bit of information based on the time that it takes to check the ciphertext (basically, implementations would immediately throw an error after seeing invalid padding, and this gave away the game). So implementers now have to do all this extra nonsense if they want their implementation to be secure."

None of this is necessary in encrypt-then-authenticate. It's simpler. Really!

I haven't touched on every single point that Bram makes -- you can see his argument in the original posts if you want.

The only final point I would like to make is that this stuff matters. If you get it wrong, you can attack an implementation. And too many people -- professionals, even -- get it wrong.

In conclusion: I certainly didn't mean to bash Bram, but I'm happy to bash the advice itself. We can do better.

Wednesday, November 23, 2011

Digital Fortress: I read it so you don't have to

Once in a while I run into a work of dramatic fiction that takes such a powerful, realistic look at modern cryptography -- and its implications for our national security -- that we should all be grateful to the author. They've made us all a little bit smarter.

Needless to say, Dan Brown's Digital Fortress is not one of those books.

What is Digital Fortress? I'm not sure. It may be a practical joke. I'm hoping so, anyway, because the alternative -- that Dan Brown spent time learning about cryptography and this is what came out -- is too terrible to contemplate.

Miraculously, the end result is so ridiculous that it's almost tolerable. Almost.

(Before I go further, I should warn you that there are huge spoilers below. But don't worry about it because (a) you shouldn't read this book, and (b) the plot is so predictable that I doubt it can really be spoiled.)

Where to begin? Let me just hit some of the high notes:
  • Matt Blaze gets whacked. Ok, Brown doesn't call him Matt Blaze. The character in the book is named Greg Hale (single syllables, get it?) But we know he's Matt Blaze because he single-handedly discovered a backdoor ("a few lines of cunning programming") in the Skipjack cipher, one that would have let the NSA "read the world's email".

    For his efforts, Blaze/Hale is rewarded with a thankless job at the NSA which he hates. And not without reason! Everyone suspects him of being a turncoat (while simultaneously giving him access to their most important secrets, go figure.) Then to cap off the job experience, he's horrifically murdered. I personally would have ended the book halfway through, and just made Hale the bad guy. Who could blame him?
      
  • The EFF are the bad guys. Did you know that the National Security Agency (2011 ops budget: $9 bazillion) lives in constant terror of the "sharks" over at the Electronic Frontier Foundation (2011 ops budget: $67.34, mostly spent on construction paper)?

    I did not know this. I sure hope it's true.

    Near the end of the book the NSA's "firewall" goes down for a few minutes, and within seconds the EFF sharks are circling. This does not appear to be a metaphor -- they're actually swimming in literal circles around the NSA's cyber-perimeter, trying to ferret out our nation's secrets. Only our hero Susan Fletcher can stop them, thanks to her long, willowy legs -- er, staggering intellect.
     
  • The NSA has a secret supercomputer named TRANSLTR that can brute-force any cryptosystem. Hmm. Ok. This one is actually pretty accurate.
     
  • TRANSLTR is stumped by a new cipher that uses "rotating cleartext" to resist brute-force attacks. No, seriously. "Rotating cleartext". Brilliant! This is such a good idea that I hereby offer to make this scheme a reality for only $800. My only condition is that you must never, ever try to decrypt anything with it.
I suppose I could also mention the NSA's recruiting program for cryptographers, which would make a Big Ten football coach blush. Or the way that brilliant, righteous people always seem to be beautiful and athletic, while stupid evil people look like trolls (have you ever been to a crypto conference, Dan?)

These and other details are embedded in a stew of unintentional comic awfulness that really defies summarization. But it's good. Not to read, mind you. Just to know about, so you have a reason to chuckle while you're lamenting the damage that Brown's writing has done to your temporal lobe.

I really could not recommend this book less, and am considering sending Dan Brown a bill for the time I spent reading it. But if you're afflicted by a terrible case of Seasonal Affective Disorder and just need some levity in your life, it might keep you giggling through the long dark months ahead.

Happy Thanksgiving everyone!

Monday, November 21, 2011

Neat research ideas that went nowhere: Preventing offline dictionary attacks with CAPTCHAs

Once in a while I come across a research paper that's so off the beaten path and so obviously applicable to a real problem, that I know it's going to sink like a stone and never be heard from again.

Today I'd like to talk about an idea that was introduced back in CRYPTO 2006, but doesn't seem to have gotten any real traction out in the real world since. (If I'm wrong and someone is using it, feel free to email me. I'd be happy to eat my words and hear more.)

This particular idea comes from a 2006 paper by Ran Canetti, Shai Halevi and Michael Steiner,* and it addresses a very real problem that we have with deployed encryption schemes: namely, they tend to rely on passwords. This means that even if you use strong cryptography, all of your data is vulnerable to someone with a password dictionary and a lot of computing power.

Password-Based Encryption (and why we hate it)

To explain how Canetti, Halevi and Steiner propose to deal with this, I need to give a little bit of background on password-based encryption.

First of all, no matter what Dan Brown says, we've gotten pretty good at building encryption schemes that stand up against very motivated adversaries. If you're using a modern scheme and are properly generating/storing your secret keys, then it's awfully unlikely that a third party is going to decrypt your data -- even if that party is a government agency.** (I'm leaving aside the wrench factor).

Unfortunately, the previous paragraph embeds one major assumption that makes it inapplicable to the way that many people secure their data. You see, in a cryptographer's imagination, everyone encrypts with a strong, random 128+ bit secret key, which they memorize and never write down.

But in real life, people mostly prefer to use their cat's name.

The use of passwords to derive encryption keys is a lot more common than it should be. It's depressingly common in many applications where people really need security. Passwords are the default authorization method for many fancy encrypting hard-drives and WDE packages. Windows just loves to encrypt things under your login credentials. (Many of these tools also support hardware tokens and TPM, but these are such a drag that most people don't bother.)

To your attacker, this is a feature not a bug. If a key is derived from dictionary words, or some predictable mutation of dictionary words, then it can be guessed. All it takes is time and  computing power. Moreover, since password guessing is embarrassingly parallel, it's just the kind of enterprise that you can throw a data center or five at. (Ever wondered why the state of Maryland uses so much electricity?)

So far I haven't said anything you didn't already know. But just for fun, let's quickly talk about what we currently do to prevent dictionary attacks. There are basically three approaches:
  1. Use some trusted, on-line server (or tamper-resistant hardware) to assist with the key derivation process. If done correctly, the server/hardware can shut off an attacker after a few invalid guesses, assuming that it isn't also compromised. Unfortunately, this solution assumes that the server or hardware will be available when you need your data. That isn't always possible.
     
  2. Use key stretching, which increases the time required to convert a password into a cryptographic key. This can slow down a dictionary attack, but it just slows it down. Moreover, it's pretty ineffective against an attacker with specialized hardware.
     
  3. Use salt, which is hardly worth mentioning since if you aren't salting your passwords then you're crazy. Unfortunately all this does is prevent pre-computation. It does nothing against normal dictionary attacks.
The human touch

In a perfect world, the online solution (1) above would probably be the best way to go. Unfortunately, we don't live in a perfect world, and this may not be compatible with people's requirements. 

While it's not possible to prevent dictionary attacks in an offline system, we may be able to slow them down. To do this, we have to make the decryption process much more resource-intensive. Unfortunately, it's hard to win this game through computation alone, at least in a world full of FPGAs and elastic compute clouds.

Not this sort of brains. (XKCD).
What Canetti, Halevi and Steiner realized is that there's one resource that the adversary might not have in abundance: human brains.

What if we could mandate some sort of human interaction each time a user tries to decrypt a file? This shouldn't be too burdensome for the legitimate decryptor, since presumably he's human, and moreover he only needs to try once.

But a password cracker needs to try millions of passwords. Requiring a human interaction for each attempt should throw a serious wrench into the process.

Using Human Puzzles to stop dictionary attacks

Fortunately we already have a whole class of technologies that differentiate human beings from computers. Generally, these are known as Reverse Turing Tests (RTTs). Canetti, Halevi and Steiner propose to use RTTs to construct "human puzzles". At a high level, the idea is pretty simple.

In every PBE scheme, a password must first be converted into a key. Normally you do this by hashing the password and some salt via a standard key derivation function (e.g., PBKDF2). Usually this is where you'd stop. The output of this function, which we'll call K, would be the key used to encrypt and decrypt.

However, now we're going to take things one step further. The first key will be further processed by converting it into a puzzle that only a human can solve. When a human solves this puzzle, they create a new key that, ideally, a computer all by itself should not be able to recover. The process should be reliable -- it needs to produce the same result every time it's run, possibly across many different users.

Once you get past the theoretical stuff, the concrete example that Canetti, Halevi and Steiner propose is to use CAPTCHAs to implement human puzzles.

CAPTCHAs: don't you love them?
In their example, the process of deriving an encryption key from a password now looks like this:

  1. First hash the password with some random salt r to derive a first key K. Now break this into a bunch of small chunks, each (for example) about 20 bits long.
      
  2. Use each of these 20-bit chunks to index into a huge table containing 2^20 (about 1 million) distinct CAPTCHA images. Each CAPTCHA contains a hard-to-read string with at least 20 bits of entropy in it. This string could be a bunch of numbers, or some randomly-selected dictionary words.
     
  3. Give each CAPTCHA to the human user to solve. Collect the results.
     
  4. Hash all of the user's responses together with another salt s to derive a final decryption key.

If we instantiate the hash function with, say, PBKDF2 and a 160-bit output, then this requires the legitimate user to solve 8 puzzles the first time they encrypt, and every subsequent time they decrypt.
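
To make the flow concrete, here's a rough sketch in Python. The solve_captcha callback stands in for the human solver, captcha_table for the stored collection of 2^20 puzzles, and the salts, hash choices and iteration counts are placeholder values rather than the paper's actual parameters:

# Rough sketch of the CAPTCHA-based key derivation (illustrative only).
import hashlib

CHUNK_BITS = 20

def derive_key(password, salt_r, salt_s, captcha_table, solve_captcha):
    # Step 1: hash the password and salt into a first key K (160 bits here).
    k = hashlib.pbkdf2_hmac("sha1", password.encode(), salt_r, 100000)
    k_int = int.from_bytes(k, "big")

    # Step 2: split K into 20-bit chunks, each indexing into the CAPTCHA table.
    n_chunks = (len(k) * 8) // CHUNK_BITS            # 160 / 20 = 8 puzzles
    answers = []
    for i in range(n_chunks):
        idx = (k_int >> (i * CHUNK_BITS)) & ((1 << CHUNK_BITS) - 1)
        # Step 3: a human solves the selected CAPTCHA and types in the answer.
        answers.append(solve_captcha(captcha_table[idx]))

    # Step 4: hash all of the answers together with a second salt to get the final key.
    return hashlib.pbkdf2_hmac("sha256", "".join(answers).encode(), salt_s, 100000)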

The dictionary attacker, however, has to solve eight puzzles for every password they try. If we assume that they have to guess a large number of passwords, this means that over time they'll have to solve a substantial fraction (if not all) of the 1 million CAPTCHAs. Even if they can outsource this work at a rate of 5 cents per CAPTCHA, solving the whole collection will still cost $50,000 and a whole lot of hassle.

(This is a hugely simplified analysis. Obviously the attacker doesn't have to solve all of the CAPTCHAs. Rather, their probability of guessing the key is a function of the number of CAPTCHAs, the fraction of the CAPTCHAs that they've been able to solve, the complexity of the password, etc. See the full paper for a much better analysis.)

The sticky wicket

Now, this really might work, in the sense that it will slow down attacks. But if you're a practical-minded sort, you probably have one small question about this proposal. Namely: where do the CAPTCHAs come from?

Well, a simple answer is that you generate them all randomly the first time you encrypt, and you ship them along with the encrypted file. If we assume that each CAPTCHA is a 4KB image file, then storing the entire collection will require about 4GB.

That seems like a lot of space, but really it isn't. After all, it's not like we're working with floppy drives. We live in a world where a 16GB USB Flash Drive can be had for about $10. So it's perfectly reasonable to assume that we'll have lots of storage for things we really care about.

In summary

Now maybe CAPTCHAs aren't your thing. Maybe you don't like the idea of storing 4GB worth of files just to ship someone an encrypted ZIP file. That's fine. One of the neatest open problems in the paper is to find new sorts of human puzzles. In general, a human puzzle is any function that converts some input (say a 20-bit string) into an output, such that only a human being can do the transformation.

These don't need to rely on bulky, stored CAPTCHAs. Hypothetically you could come up with a human puzzle that dynamically generates instances without a big stored database. For example, your puzzle might be based on recognizing human expressions, or inkblots. It just has to be reliable.

And that's why I think this is such a neat paper. Whether or not this particular idea changes the world, it's a new idea, it tries to solve a hard practical problem that most people have given up on, and it inspires some new ideas.

The crypto publishing game rarely produces papers with that particular combination. Just for that, I'd love to see it go somewhere.

Notes:

* Ran Canetti, Shai Halevi and Michael Steiner. 2006. Mitigating Dictionary Attacks on Password-Protected Local Storage. In CRYPTO '06.

** Leaving aside what we all know the NSA's got in its basement.

Monday, November 14, 2011

An update on our contest

Update 11/26/11: You can download all of these symbols in PDF and high-res PNG here.

A couple of weeks ago I sang the praises of the AIGA Symbol Signs package. I think it's a great way to get nice looking presentations and diagrams, especially if you're as graphically challenged as I am. (H/t goes to Thomas Ptacek for introducing me to it.)

The one thing Symbol Signs lacks is a good symbol for the Adversary. I've been using the diapered baby. Thomas likes the Martini glass. And yet both of these are really hacks. We can do better.

Thus I proposed a contest: $200 to the person who could come up with a new AIGA-consistent symbol to use for the adversary. Honestly, I kind of figured I'd never have to shell out. So it's with pride and some financial trepidation that I today present not one, but two fantastic entries. The first, really a collection of adversaries, comes from my good friend Sam Small:


I particularly like that he provided me with the adversaries in both sexes. In my teaching I've been making a concerted effort to provide equal time to female adversaries. I find that too many male (and even female!) cryptographers implicitly relate adversarial behavior to the male gender. (Apparently the whole Eve thing is just a figleaf.) But this isn't fair. Women can be attackers too!

Also, I like the devil baby.

Our second entry comes straight from Thomas Ptacek himself. He only has one proposal, but what he lacks in quantity he makes up for in sinisterness:
And so here we are. I'm not quite sure who the winner is -- it'll take some thinking -- but I can tell you that thanks to Sam and Thomas the security community is better off today than we were a few weeks ago.

As soon as I have time (this weekend) I'll post both of these adversaries in downloadable PDF form. I urge you to use them frequently, and to use them wisely.

The first rule of vulnerability acknowledgement is: there is no vulnerability acknowledgement

Just for fun, today we're going to look at two recent vulnerability acknowledgements. The first one's pretty mild; on the Torino scale of vulnerability denial, it rates only about a three:
The research team notified Amazon about the issues last summer, and the company responded by posting a notice to its customers and partners about the problem. “We have received no reports that these vulnerabilities have been actively exploited,” the company wrote at the time. 
But this one from RSA, wow. The charts weren't made for it. I suggest you read the entire interview, perhaps with a stiff drink to fortify you. I warn you, it only gets worse.
If our customers adopted our best practices, which included hardening their back-end servers, it would now become next to impossible to take advantage of any of the SecurID information that was stolen.
... We gave our customers best practices and remediation steps. We told our customers what to do. And we did it quickly and publicly. If the attackers had wanted to use SecurID, they would want to have done it quietly, effectively and under the covers. The fact that we announced the attack immediately, and the fact that we gave our customers these remediation steps, significantly disadvantaged the attackers from effectively using SecurID information. 
... We think because we blew their cover we haven't seen more evidence [of successful attacks].
I have a paper deadline midweek, so blogging will be light til then. Once that's done, I'll have something more substantial to say about all this.

Thursday, November 10, 2011

Format Preserving Encryption, or, how to encrypt a credit card number with AES

Photo by Flickr user Images_of_Money,
used under a CC license.
People like to encrypt all kinds of things. This is really their own business. One of the lovely things about modern crypto is that for the most part, we don't care.

You see, data is data. If you can encode it as a file then we can tell you how to encrypt it. There's rarely any reason to develop special domain-specific encryption algorithms, like image encryptors. If you're developing such an algorithm then chances are you're doing it to implement some sort of goofy DRM scheme, rather than to provide serious cryptographic protection.

However, once in a blue moon, you do come across a case where you legitimately need an encryption algorithm that works with specific data types.

For example, let's say I want to encrypt my credit card number. In principle this is no problem: card numbers are just numbers, after all.

Assuming that we want a general technique*, I could simply represent my 16-digit VISA card number as an integer between 0 and 9,999,999,999,999,999. In binary this value will require up to 54 bits to store (since lg 10,000,000,000,000,000 = 53.1508495).

In the absolute 'best case' -- assuming that we don't need to pad the message or add an IV (for example, if we're using a stateful stream cipher like AES-CTR), and that we don't care about authentication -- we can encrypt this value without expansion. Thus, the ciphertext will be a randomish 54-bit string. Not bad at all.

But here's a question: what if our software can't handle a 54-bit string?

No, this isn't crazy! For example, let's say we need to store that encrypted card number in some legacy retail system that only accepts standard 16-digit decimal card numbers. Or alternatively, we want to transmit it through a normal payment processing network.** For both of these applications, we may need to first translate our ciphertext back into something that looks like a credit card number.

And this can be a problem. Certainly, the naive solution doesn't work. If you've properly encrypted the card number, it should now be a uniformly distributed 54-bit string, which encodes to an integer between 0 and 18,014,398,509,481,983. Too many digits!

Moreover, there are applications where you might require additional properties from your encryption scheme. For example, it might be necessary to search a database for a particular card number. One way to do this is to use a deterministic encryption scheme, one that's a permutation on the message space. This ensures that a given card number X will always encrypt to a unique number Y, which makes searching and comparison really easy.

If we didn't care about the size of the ciphertext, we might be able to get away with encrypting the credit card number as a single block in ECB mode. Block ciphers are permutations, so this would satisfy the requirements just above.***

Unfortunately, this even further exacerbates our original problem. The block size of AES is 128 bits; even poor old DES uses a 64-bit block. If we use ECB mode to encrypt, that's how long the resulting ciphertext will be. We'll never be able to encode something that long back to a 16-digit decimal number.

So what to do?

Format-Preserving Encryption

Fortunately there's an answer to these problems, and it goes by the name of "Format-Preserving Encryption", or FPE. As the name implies, the goal of a Format-Preserving Encryption scheme is to securely encrypt while preserving the original formatting of the plaintext data. That means, in a nutshell, that our 16-digit card number can encrypt to a 16-digit number, no problem at all.

The seminal work in this area was written by Black and Rogaway back in 2002. Right off the bat, these guys made three very important observations:
  1. There are all sorts of applications where you need to preserve the format of input data.
  2. You could design your own cipher to do it, but it would probably suck.****
  3. It would sure be nice if we could do it securely using standard ciphers, like AES.
And then, in one of those amazing coincidences that always seem to turn up in research papers, Black and Rogaway discovered that you can do it with standard ciphers. And better yet, you can do it fairly efficiently.

Two Problems

What Black and Rogaway noticed is that there are really two problems here. The first is to build a cipher that works on arbitrary bit lengths. The second problem is to use such a cipher to encrypt arbitrary sets, like the set of all people named "Gino" who live in Atlanta. Or, more usefully, the set of integers from 0 to 9,999,999,999,999,999.

Even better, they pointed out, the first problem has already been solved. Various people, starting with Luby and Rackoff, had shown how to use a pseudorandom function or permutation (e.g., AES) to build ciphers of arbitrary block size. This is usually accomplished with a Feistel network construction like the one used in the DES cipher.

The basic idea is illustrated in the diagram below. To build a cipher that operates on 54-bit blocks, for example, we would cut the input block into two 27-bit halves, L0 and R0, and push them through a Feistel network for several rounds. This is an amazingly simple construction; it requires only XOR and some non-linear function F(), which we'll implement using an existing cipher like AES (with truncation of the output).

Note that each call to AES must use a different key, although we can derive these all from one single key using standard techniques. Since AES is much better than the DES S-boxes, we won't need to run the network for 16 rounds. Three or four rounds is probably sufficient.*****
Diagram of a Feistel network, courtesy RSA labs. The input (left side) is split into two halves and passed
through a number of rounds. In the Luby-Rackoff variant, each function "F" is implemented via
an independent, keyed pseudorandom function. Decryption is accomplished by reversing the process.
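
Here's a bare-bones sketch of what such a construction might look like in Python, using AES (via the 'cryptography' package) in place of F and truncating its output to 27 bits. Everything about it -- the key handling, the half-block padding, the round count -- is illustrative rather than a vetted design:

# Toy Luby-Rackoff-style Feistel cipher on 54-bit blocks (illustrative only).
# round_keys is a list of independent 16-byte AES keys, one per round.
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

HALF_BITS = 27
MASK = (1 << HALF_BITS) - 1

def F(round_key, half):
    # Encrypt the 27-bit half (padded out to one AES block) and truncate the result.
    block = half.to_bytes(16, "big")
    enc = Cipher(algorithms.AES(round_key), modes.ECB()).encryptor()
    out = enc.update(block) + enc.finalize()
    return int.from_bytes(out, "big") & MASK

def feistel_encrypt(round_keys, x):              # x is a 54-bit integer
    L, R = (x >> HALF_BITS) & MASK, x & MASK
    for k in round_keys:
        L, R = R, L ^ F(k, R)
    return (L << HALF_BITS) | R

def feistel_decrypt(round_keys, y):
    L, R = (y >> HALF_BITS) & MASK, y & MASK
    for k in reversed(round_keys):
        R, L = L, R ^ F(k, L)
    return (L << HALF_BITS) | R
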
But like I said, this is only half the battle. Now we can construct a strong block cipher that operates on 54-bit inputs. I said above that this is big enough to handle a credit card number, but I also pointed out that it's too big.

If we encrypt a card number with such a cipher (in ECB mode), we'll end up with a randomly-distributed 54-bit ciphertext that might not easily translate back into a 16-digit integer. We still need something more.

Cycling

Black and Rogaway had a few ideas on how to deal with this. One of their approaches is something called 'cycling', which is so astonishingly straightforward that you'd assume it doesn't work. It does!

Here's how it works. Let's say I want to encrypt my Visa card number ("4532294977918448"). I'll follow these steps:

  1. First, I'll encode the number as 54-bit integer, then encrypt it using the fancy 54-bit block cipher I built above.
     
  2. At the end of this process I should have 54-bit ciphertext C. Now, there's a very good chance that, represented as an integer, C will be 'small' enough to represent as a 16-digit integer. If so, then I'm done. That's my output!
     
  3. But what if C is too large? No problem. If at first you don't succeed, just try again. Take that first ciphertext C, and encrypt it again using the blockcipher to get a new C. Go back to step 2.

I'll let you work out the decryption algorithm.

Now, the pedantic among you will observe that technically speaking, this encryption process could put you in a ridiculously long (but finite) loop.****** At the very least, you can't say in advance how long it will go on.

However, if we assume that the cipher behaves 'randomly', then we can easily get an idea of how likely we are to be satisfied at stage (2). Roughly speaking, there's a 55% probability that we'll get it right each time through the loop (10,000,000,000,000,000 / 2^54). This means that on average we shouldn't require more than a couple of encryptions.

If you're not convinced, go grab a (slightly biased) coin and start flipping. You're done when you get tails.
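
If you'd rather read the answer than work it out, here's roughly what both directions look like in code, building on the hypothetical feistel_encrypt/feistel_decrypt sketch above (the same caveats apply):

# Cycle-walking on top of the toy 54-bit Feistel cipher (illustrative only).
DOMAIN = 10**16          # the number of 16-digit card numbers

def fpe_encrypt(round_keys, card_number):
    c = feistel_encrypt(round_keys, card_number)
    while c >= DOMAIN:                     # keep re-enciphering until we land in range
        c = feistel_encrypt(round_keys, c)
    return c

def fpe_decrypt(round_keys, c):
    m = feistel_decrypt(round_keys, c)
    while m >= DOMAIN:                     # walk the same cycle backwards
        m = feistel_decrypt(round_keys, m)
    return m

Decryption works because every intermediate value we passed through on the way 'out' was, by definition, outside the domain -- so on the way back we just keep deciphering until we land on something that isn't.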

A note on security 
  
Cycling is not the only technique that Black and Rogaway propose. They have a couple of others that may be better for your specific application. You can check out the paper if this kind of thing interests you.

Another neat thing about the cycling technique is that it actually doesn't cost you anything. This is a very cryptographer kind of thing to say, since it actually does cost you quite a lot --- in terms of time and extra computation. But what it doesn't cost you much of is security. You might think that all this repetition might make the cipher somehow weaker. But Black and Rogaway show that it doesn't, at least not in the ideal case.

In Summary: The real world 

So we know how to deterministically encipher arbitrary numbers. But a more important question is: is any of this a good idea?

Well, sometimes in security, application requirements trump perfection. Obviously it would be better to protect your data using standard, randomized encryption. This deterministic stuff only works well if there's a certain amount of unpredictability in the underlying data, and that's never guaranteed.

For example, your typical credit card number isn't really 16 digits of random data at all. Typically it's composed of a 4-6 digit Bank Identification Number (BIN), followed by a Personal Account Number (PAN), followed by a special checksum digit that's computed deterministically based on the previous digits. The Personal Account number is the really unpredictable bit, and if you use an American Express card (15 digits total), it could be as short as 8 digits.

That means in an extreme case, there might be only about 100 million possible PAN numbers. Still a pretty large number, but if you knew the BIN and could gain access to an encryption oracle that lets you encrypt arbitrary card numbers at a rate of 1,000 per second, you could generate every possible ciphertext in a little over a day. This would let you decrypt any encrypted card number, simply by looking it up in a table.

Probably this scenario is unrealistic, but it's something to keep in mind if you plan to deploy a system like this.

Notes:

* Credit card numbers do have some structure, so in practice you could take advantage of that. For the moment, let's not.

** In practice, this application requires more thinking. CCNs contain routing information called the Bank Identification Number (the first few digits) as well as a meaningful checksum digit (the last one).

*** Though be careful with this: the permutation property only holds if you can encode your data into a single cipher block. If you have to break it up across multiple blocks, it doesn't work anymore.

**** As I've explained elsewhere, I am not being rude. In cryptography 'suck' is a purely technical term meaning "slow, complex, and probably insecure".

***** There are various specific attacks that dictate how many rounds you need to use. Don't take my word here as gospel.

****** Updated per Terence's comment below. However I'm not sure that this is comforting to anyone but a cryptographer :) Also see JoachimV's comment for some updates on the field.

Tuesday, November 8, 2011

How not to redact a document: NHTSA and Toyota edition


Allow me to apologize in advance for today's offtopic post, which has nothing to do with crypto. Consider it a reflection on large organizations' ability to manage and protect sensitive data without cryptography. Report card: not so good.

Some backstory. You probably remember that last year sometime Toyota Motors had a small amount of trouble with their automobiles. A few of them, it was said, seemed prone to sudden bouts of acceleration. Recalls were issued, malfunctioning throttle cables were held aloft, the CEO even apologized. That's the part most people have heard about.

What you probably didn't hear too much about (except maybe in passing) was that NASA and NHTSA spent nearly a year poring through the Toyota engine control module code to figure out if software could be at fault. Their report, issued in February of this year, basically said the software was ok. Or maybe it didn't. It's not really clear what it said, because major portions -- particularly of the software evaluation section -- were redacted.

Now, like every major redaction of the digital age, these redactions were done thoughtfully, by carefully chopping out the sensitive portions using sophisticated digital redaction software, designed to ensure that the original meaning could never leak through.

Just kidding!

Seriously, as is par for the course in these things, NHTSA just drew big black squares over the parts they wanted to erase.

And this is where we get to the sophistication of organizations when it comes to managing secure data. You see, NHTSA released these reports online in February 2011, as a response to a FOIA request. They were up there for anybody to see, until about April --- when somebody noticed that Google was magically unredacting these documents. Whoops. Time to put up some better documents!

Naturally NHTSA also remembered to contact Archive.org and ask that the old reports be pulled off of the Wayback Machine. No, really, I'm just kidding about that, too.

Of course, they're all cached there for all to see, in their full un-redacted glory. All it takes is a copy and paste. For example, take this portion:


Where the redacted part decodes to:
The duty % is converted into three boolean flags, a flag describing the sign of the duty, a flag if the absolute value of the duty is greater than or equal to 88%, and a flag if the absolute value of the duty is less than 1%.  The 64 combinations of these flags and their previous values are divided into ten cases. Of the ten cases, five will open the throttle, two of the five will make the throttle more open than currently but not wide open, two will provide 100% duty instantaneously, and one will perpetually open the throttle. Any duty command from the PID controller greater than or equal to 88% will perpetually open the throttle and lead to WOT [wide open throttle]. This also means that any duty greater than 88% will be interpreted by the hardware as a 100% duty command.
Yikes!

So what's the computer security lesson from this? Once data's out on the wire, it's gone for good. People need to be more careful with these kinds of things. On the bright side, this was just information, possibly even information that might be useful to the public. It's not like it was sensitive source code, which I've also seen find its way onto Google.

Monday, November 7, 2011

In defense of Applied Cryptography

Over the weekend I found myself re-reading a few bits of Bruce Schneier's Applied Cryptography for a historical research project, and it reminded me what a fantastically wonderful, completely insane piece of writing it is. I'm sure Bruce Schneier needs no additional validation in his life, but I do think it's worth saying a few words about the book -- and why we need more works like it in our field.

I should preface this all by saying that Applied Cryptography is probably one of the most influential crypto books ever written. It certainly played a part in getting me interested in the field. If you don't own a copy, you should, if only to be awed by Bruce's knowledge of bizarre, historical ciphers and all of the ways they've been broken. (Though the most recent edition is from 1996, so don't go looking for up to date information in it.)

Much the way a hard-core Nirvana fan will roll their eyes if you mention "Nevermind", people in the crypto research community tend to get a little bent out of shape if someone references Applied Cryptography. This is not because AC is a lousy book, or because the material is inaccessible or wrong. Quite the contrary. Rather, the case against Applied Cryptography is that it made cryptography too damned accessible. And that has led to a whole lot of fail, some on a pretty grand scale.

The detailed argument goes something like this: Applied Cryptography demystified cryptography for a lot of people. By doing so, it empowered them to experiment with crypto techniques, and to implement their own code. No problem so far.

Unfortunately, some readers, abetted by Bruce's detailed explanations and convenient source code examples, felt that they were now ready to implement crypto professionally. Inevitably their code made its way into commercial products, which shipped full of horribly ridiculous, broken crypto implementations. This is the part that was not so good. We're probably still dealing with the blowback today.

Just for one modest example, take this fragment of code spotted in a Diebold voting machine, circa 2003:

// LCG - Linear Conguential Generator - used to generate ballot serial numbers 
// A psuedo-random-sequence generator  
// (per Applied Cryptography, by Bruce Schneier, Wiley, 1996) 
#define LCG_MULTIPLIER 1366 
#define LCG_INCREMENTOR 150889 ...
Thanks to Applied Cryptography, the Diebold coders were able to write a perfectly functional Linear Congruential Generator in no time at all. You certainly can't blame Bruce for anything here -- the LCG code is fine. It's certainly not his fault that Diebold missed the part where he warned never to use LCGs for security applications. Whoops!
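
Just to drive home why that warning matters, here's a tiny sketch of how predictable an LCG is once its constants are public (and they are -- they're #defines in the source). The multiplier and increment below are the ones from the snippet; the modulus is an assumed stand-in, since the real one isn't shown:

# Why LCGs make terrible 'unpredictable' serial numbers (illustrative only).
A, C = 1366, 150889
M = 714025                         # assumed modulus, purely for illustration

def next_serial(x):
    return (A * x + C) % M

observed = 123456                  # one leaked ballot serial number...
predicted = []
x = observed
for _ in range(5):                 # ...and the next five follow mechanically
    x = next_serial(x)
    predicted.append(x)
print(predicted)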

Although it's all said with love, some people really do blame Applied Cryptography for this sort of thing. Even Bruce has at various points himself apologized for this aspect of the book.

(Not coincidentally, you'll notice that his more recent books are nowhere near as brazenly useful as AC. Where Practical Cryptography is all crapped up with grave warnings about the dangers of rolling your own crypto implementations, Applied Cryptography just laid it all out there sans apology, like a copy of the Anarchist Cookbook left open in a middle school library.)

But I said that I'm writing this post to praise the book, not to damn it with faint praise.

What's magical about Applied Cryptography is really two things. First of all, it's an incredible historical document. If there's a cipher that was used in the period 1970-1996, you'll read about it in Applied Cryptography. Even if the cipher was based on the cryptographic equivalent of an abacus, even if it was broken in the same conference in which it was published, Bruce will still give you a full design description and the address of the guy who owns the patent.

And you have to love the understated way in which he sums up his opinions. Take, for example, the section on the FEAL cipher. After four dense paragraphs in which he lays out not one, but eleven devastating attacks culminating in the total demolition of FEAL (and possibly, the ritual suicide of its designers), he could have written something terrible, capping it with three exclamation points. Instead, he leaves it with the following, dry remark:
Whenever someone discovers a new cryptanalytic attack, he always seems to try it out on FEAL first.
All joking aside, I've found Applied Cryptography (and its massive bibliography) to be incredibly useful, particularly when examining historical crypto software, and (most importantly) when finding prior art to current crypto patents. Applied Cryptography is like a key to a time period that's not well covered by Google Scholar or other Internet search tools. It's helped me through more than one trip to the library.

The other magical thing about AC is that you really feel that after writing it, Bruce must have been a few pounds lighter -- and some of that weight was his soul. I'm not saying he's soulless! (Though he does work for BT now, doesn't he?) It's just that there's just no way to read through this monster of a book, with its enormous compendium of bibliographies and source code, and imagine someone writing this thing just for the money or even for the fame. In my opinion it's an achievement of practical cryptography that has not been matched either before or since.

And that's too bad, because someone really should try.

Friday, November 4, 2011

On symbol signs, the adversary, and announcing a contest


Update 11/26/2011: I've had two excellent responses to my challenge. You can see them all on this page.

A couple of people have asked me about the symbols that I use to illustrate protocol diagrams. Let me first say that I claim no particular credit or blame for this style; all of that goes to Thomas Ptacek.

These symbols are part of the AIGA Symbol Signs package, a collection of freely downloadable stencils for the standard international symbols. They're wonderful for someone as graphically challenged as I am. You can download a stencil set for Omnigraffle, or get the EPS templates from the AIGA site.

As Thomas points out, there's all kinds of useful security stuff in them: the international symbols for Alice and Bob, the passport agent and keys, and some less-useful things like pictures of ships and planes. (Though even these turned out to be useful once, when I reviewed a security system for a cruise ship.)

However, I think what prompts questions is not Symbol Signs, but rather, it's the symbol I've been using to represent the adversary. Some people seem to think the baby is an odd choice. (My guess is that these people simply don't have one.)

However you feel about my choices, I think we can all agree that there's a tremendous need for better design style in scientific presentations. It's 2011, and Comic Sans + Microsoft clip art no longer cuts the mustard.

Announcing a contest. In order to do my small part to improve the appearance of security presentations, and to resolve this baby-as-adversary issue, I have decided to offer a whopping $200 (plus fame and glory) to any artist, or person of artistic bent, who can come up with a better AIGA-style symbol for the adversary, and/or other security-related symbols if they're exceptional. This is a one-time prize, and will be offered to a single winner of my choice. I realize this isn't a whole ton of money, but if I like the result I promise I'll do my level best to praise your talents far and wide.

Wednesday, November 2, 2011

What is the Random Oracle Model and why should you care? (Part 4)

This is part four of a series on the Random Oracle Model.  See here for the previous posts:

Part 1: An introduction
Part 2: The ROM formalized, a scheme and a proof sketch
Part 3: How we abuse the ROM to make our security proofs work

Photo by Flickr user gringer, used
under a CC license.
This is the penultimate post in a series on the Random Oracle Model. I originally meant for this to be short and tidy, something that could be easily digested by a non-expert who was interested in what cryptographers were up to. More to the point, I expected to be done by now.

But the end is in sight, and I feel that there are only a few things left that I want to cover. Even better, one of these topics is of a very practical bent, which is in keeping with the theme of this blog.

Specifically: I keep talking about the random oracle model, but what impact does it have on anyone's life? Where is this thing used?

Giving a complete answer to that question is hard --- it's kind of like coming up with a list of all the foods that have sodium benzoate in their ingredients list. So in this post I'm going to hit at least a couple of the high points, meaning: the schemes that are probably most relevant to our daily security lives.

RSA Signing and Encryption

RSA is probably the most famous cryptosystem in use today. I don't know exactly why it's so popular, but I suspect there are a few reasons. First of all, RSA is flexible; it provides signature and encryption in one scheme. It's relatively simple -- you can compute simple encryptions with a calculator. It's been around for a while and hasn't been broken yet. And I would be remiss if I didn't mention that there are no current patents on RSA.

This is all great, but in some sense it's also too bad. Over the past twenty years, attacks on the factoring problem (and by implication, RSA) have been getting better at the margins. This means that RSA key sizes have had to get bigger just to keep up. Sooner or later we're going to lose this game.*

More interesting (to me) is RSA's status as a sort-of-provably-secure cryptosystem. There's a general understanding that RSA encryption is provably secure under the hardness of the RSA problem. However, this really isn't true, at least given the way that most people have traditionally used RSA. You can get a reduction to the RSA assumption, but you need to take some very specific steps. Most importantly: you need to invoke the random oracle model.

To explain all this, I need to take you back in time to the late 1990s and I need to talk about padding.

If you've ever looked at a real RSA implementation, you probably know that we don't use plain-old 'textbook' RSA ("m^e mod N") to encrypt or sign raw messages. There are lots of reasons for this. One is that plain-old RSA isn't randomized, meaning that a given message will always encrypt to the same ciphertext.

Another reason is that RSA is malleable, meaning that you can mess with ciphertexts and signatures in creative ways -- for example, by multiplying them by constants of your choice. When you do this, the decrypted (resp: verified) message will be altered in predictable ways. This is bad for encryption. It's downright awful for signatures.
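To make the malleability concrete, here's a tiny sketch with toy numbers (these are textbook-sized parameters, nothing like a real key, and the modular inverse needs Python 3.8+):

```python
# Toy illustration of RSA malleability. The parameters are far too small
# for real use; they just make the arithmetic easy to follow.
p, q = 61, 53
N = p * q                            # 3233
e = 17
d = pow(e, -1, (p - 1) * (q - 1))    # private exponent (Python 3.8+)

m = 42
c = pow(m, e, N)                     # "textbook" RSA: m^e mod N

# An eavesdropper who sees c can multiply it by s^e for any s they like...
s = 7
c_mauled = (c * pow(s, e, N)) % N

# ...and the mauled ciphertext decrypts to m * s mod N.
assert pow(c_mauled, d, N) == (m * s) % N
```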

We deal with these problems by applying padding to the message before encrypting or signing it. Padding schemes can add randomness, apply hashing in the case of signatures, and, most importantly, they typically add structure that lets us know when a message has been tampered with.

Some historical background: RSA before the ROM

The first widely-used, standard padding schemes were described in RSA's PKCS#1 standard. Nowadays we refer to these as the "PKCS #1 v1.5" standards, with the implication that the standard (now at version 2.1) has left them behind.

Back in the 90s these standards were the only game in town. Sure, there were a few pedantic cryptographers who objected to the lack of formal security justification for the standards. But these troublemakers were mainly confined to academic institutions, which meant that the real security professionals could get on with business.

And that business was to implement the PKCS padding standards everywhere. PKCS #1 v1.5 padding still turns up in products that I evaluate. Most notably at the time, it was all over a young standard known as SSL, which some people were using to encrypt credit card numbers traveling over the Internet.

Daniel Bleichenbacher shortly after his arrest. Or possibly just posing for a Bell Labs publicity photo.
Now, I said that almost nobody of a practical bent had a problem with PKCS. One notable exception was a bright cryptographer from Bell Labs named Daniel Bleichenbacher.

Dr. Bleichenbacher had a real problem with the PKCS padding standards. In fact, one could say that he made it his life's mission to destroy them. This vendetta reached its zenith in 2006, when he showed how to break common implementations of PKCS signature with a pencil and paper, shortly before driving a fireworks-laden minivan into the headquarters of RSA Data Security.

(Ok, the last part did not happen. But the rest of it did.)

Bleichenbacher took his first crack at PKCS in CRYPTO 1998. In a surprisingly readable paper, he proposed the first practical adaptive chosen ciphertext attack against "protocols using the PKCS #1" encryption standard. Since, as I've just mentioned, the major protocol that met this description was SSL, it was a pretty big deal.

The attack goes something like this.

Whenever somebody sends their credit card info over an SSL connection to a web server, their browser and server execute a handshake protocol to derive a secret key. In particular, at one step of the protocol, the browser encrypts a very important value called the "pre-master secret" under the server's RSA public key, and ships the resulting ciphertext to it over the net.

This encryption is important, because anyone who decrypts that ciphertext -- immediately, or five years later -- can ultimately recover the SSL transport key, and hence decrypt all communications between the server and browser.

What Bleichenbacher pointed out was very specific to how most web servers processed RSA messages. Specifically, every time the server receives an RSA ciphertext, it first decrypts it, and then checks that the padding is valid. For a typical RSA key, PKCS #1 padding looks like this:

0x 00 02 { at least 8 non-zero random bytes } 00 { message }
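As a rough sketch (simplified from the real standard, which pins down block types and length limits more carefully), the encryption-padding step looks something like this:

```python
import os

def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """Sketch of PKCS #1 v1.5 encryption padding for a k-byte RSA modulus.

    Simplified for illustration: real code also enforces maximum message
    lengths and distinguishes the block types used for signing vs. encryption.
    """
    pad_len = k - 3 - len(message)
    assert pad_len >= 8, "message too long for this modulus"
    padding = b""
    while len(padding) < pad_len:
        b = os.urandom(1)
        if b != b"\x00":             # the filler bytes must be non-zero
            padding += b
    return b"\x00\x02" + padding + b"\x00" + message
```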

When an SSL webserver doesn't like the padding it sees, it may kick back a specific 'bad padding' error. Bleichenbacher first showed that if he could intercept a legitimate RSA ciphertext "C = M^e mod N" on the wire, then he could 'maul' it by multiplying it by a chosen value. In other words, given some C, he would pick some "s" and compute:

C' = C * s^e mod N

This value C' will decrypt to "M * s mod N". Bleichenbacher showed that for some values of "s", this mauled message might also be a valid PKCS-padded message, meaning that it would begin with "0x 00 02" etc. This wasn't all that unlikely, mainly because just looking at a couple of bytes was a pretty crappy padding check in the first place.

It was quite common for servers to leak the result of the padding check back to the sender, by way of some specialized error code like "BAD PADDING". Even if they didn't do that, you could sometimes detect a failure in the padding check by measuring the time it took the server to get back to you.

Bleichenbacher's main trick was noting that the "s" values that led to a successful padding check could also be used to learn something about the original message M. To make a long story short, he showed how to choose these values adaptively in such a way as to gradually zero in on the actual plaintext, until he had just one candidate. And that was the ballgame.

The actual attack could require a couple of million decryption queries, on average. This sounds like a lot, but it meant you could decrypt an SSL session overnight, as long as nobody was paying attention to the server logs.
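To give a flavor of how this looks in code, here's a heavily simplified sketch of just the first step. The `oracle` function stands in for the server: in the real attack you'd learn its answer from a "BAD PADDING" error or a timing difference, and you'd then use each conforming `s` to narrow an interval around M, which I'm not reproducing here.

```python
def make_padding_oracle(d: int, N: int, k: int):
    """Simulate the vulnerable server. It holds the private key d and reports
    only whether a decrypted ciphertext starts with 0x00 0x02 -- exactly the
    shallow check Bleichenbacher exploited."""
    def oracle(c: int) -> bool:
        pt = pow(c, d, N).to_bytes(k, "big")
        return pt[:2] == b"\x00\x02"
    return oracle

def find_conforming_s(c: int, e: int, N: int, oracle, start: int = 2) -> int:
    """Search for an s such that C' = C * s^e mod N passes the padding check.

    Each such s tells the attacker that M * s mod N falls into a known numeric
    range; the full attack chooses successive s values adaptively to shrink
    that range down to a single candidate plaintext."""
    s = start
    while not oracle((c * pow(s, e, N)) % N):
        s += 1
    return s
```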

Random Oracles to the Rescue

The Bleichenbacher attack was a big deal for a whole variety of reasons. First of all, it was practical. It worked on a widely-deployed system, and it could be implemented and executed even by non-experts. It completely negated the protections offered by SSL, unless you were willing to monitor your SSL webserver literally night and day.

But to cryptographers the attack had special significance. First, it demonstrated that adaptive-chosen ciphertext attacks were a real problem, not just some airy academic topic. I suspect that even the cryptographers who worked in this area were a bit surprised by this. Some probably started looking for less useful topics to work on.

More importantly, the Bleichenbacher demonstration was seen as a victory for proponents of provable security. Up until now, their concerns had mostly fallen on deaf ears. Now a lot of people were listening.

And even better, the crypto research community had something to say to them. The overwhelming consensus was to immediately switch to a new RSA padding scheme that had been proposed all the way back in 1994. This scheme was called Optimal Asymmetric Encryption Padding (OAEP), and it was only a little bit more complex than PKCS #1. Even better, and unlike PKCS #1, RSA encryption with OAEP could be provably reduced to the hardness of the RSA problem, in the random oracle model. 

The success of OAEP also led to the adoption of the PSS padding scheme, which did essentially the same thing for RSA signatures.

OAEP padding, courtesy Wikipedia. G and H are independent hash functions with different output lengths.
Now, to hear some people tell it, this is where the story ends. And it's a good story -- bad, unproven security protocol gets broken. New, provably-secure protocol steps in and saves the day.

And for the most part the story is true. With some important caveats.

The first of these is implementation-related. Just as PKCS #1 was broken because the server gave too many detailed errors, even OAEP encryption can break if the server leaks too much info on its error conditions. And when OAEP implementations go bad, they can really go bad. James Manger showed that you can break 1024-bit RSA-OAEP in a mere 1100 queries, assuming your server leaks a little bit too much information on why a given decryption attempt went wrong.****

But even if you do everything correctly, the OAEP security proof only holds in the random oracle model. That means that whatever guarantees it supposedly offers are only valid if the hash function is ideal. That's a good heuristic, meaning that OAEP is unlikely to be laden with obvious flaws.

But if you dig into the OAEP security proof, you'll see that it's using random oracles in about the strongest ways imaginable. The essential concept of OAEP is to use a pair of hash functions to construct a tiny, invertible Feistel network. The beauty is that every time you encrypt, you're essentially sending the message (and some randomness) directly "through" the random oracle, in a way that lets the security reduction play all sorts of games with it.
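Roughly, the encoding step looks like this. This is a simplified sketch of the textbook Bellare-Rogaway construction, using SHA-256-based mask functions for both G and H; the real PKCS #1 v2.x encoding adds a label hash and more careful length bookkeeping.

```python
import hashlib
import os

HASH_LEN = 32     # SHA-256 output length in bytes

def mgf(seed: bytes, length: int) -> bytes:
    """MGF1-style mask generation: stretch a short seed to `length` bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def oaep_encode(message: bytes, k: int) -> bytes:
    """Simplified OAEP encoding for a k-byte modulus: a two-round Feistel
    network built from two hash-based masks (the G and H in the diagram).
    This is the textbook construction, not the exact PKCS #1 v2.x encoding."""
    data_len = k - HASH_LEN - 1
    assert len(message) <= data_len
    padded = message + b"\x00" * (data_len - len(message))
    r = os.urandom(HASH_LEN)                                     # fresh randomness
    X = bytes(a ^ b for a, b in zip(padded, mgf(r, data_len)))   # data XOR G(r)
    Y = bytes(a ^ b for a, b in zip(r, mgf(X, HASH_LEN)))        # r XOR H(X)
    return b"\x00" + X + Y   # interpret as an integer < N, then apply m^e mod N
```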

The reduction proof can then see what the adversary's encrypting, which turns out to be very useful when you're building a system that's secure against chosen ciphertext attacks. This would never work if you implemented OAEP with a real hash function, like the ones that are actually used to implement it in real life.

So in one very real sense, we still don't really have a practical, provably-secure way to encrypt with RSA. Moreover, there's little reason to believe that we ever will, given a slew of impossibility results that seem to keep getting in the way.*****

All of which raises an important question. Given all the limitations of RSA, why are we so darn attached to it?

The Digital Signature Algorithm (DSA/DSS)

You might find it a bit strange that I'm mentioning DSA in a discussion about provable security. This is mainly because, unlike the Elgamal signature on which DSA is based, the DSA standard has no security proof whatsoever.******

There's no really defensible reason for this. As best I can tell, NIST took a look at the Elgamal signature and thought it was cute, but the signatures were a little bit too long. So they took some scissors to it and produced something that looks basically the same, but doesn't have the very nice reduction to the Discrete Logarithm assumption that Elgamal did.

This kind of behavior is par for the course, and honestly it gets me a little down on government standards bodies.

For the record, while DSA isn't really provably secure at all, the Elgamal scheme is. But unfortunately, the Elgamal scheme is only provably secure in the random oracle model. This means that if your hash function has the very nice property of being a perfectly random (and programmable) function, Elgamal signatures can be reduced to the hardness of the Discrete Logarithm problem. But otherwise you're on your own.
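For the curious, here's a toy sketch of hashed Elgamal signing. The hash H below is exactly the thing the proof models as a random oracle; the parameters are laughably small and only meant to show the structure (the modular inverse needs Python 3.8+).

```python
import hashlib
import math
import random

# Toy parameters: far too small for real use, purely illustrative.
p = 467                                # prime modulus
g = 2                                  # group generator
x = random.randrange(2, p - 2)         # private key
y = pow(g, x, p)                       # public key

def H(m: bytes) -> int:
    # The hash that the Elgamal security proof treats as a random oracle.
    return int.from_bytes(hashlib.sha256(m).digest(), "big") % (p - 1)

def sign(m: bytes):
    while True:
        k = random.randrange(2, p - 1)
        if math.gcd(k, p - 1) == 1:    # k must be invertible mod p-1
            break
    r = pow(g, k, p)
    s = ((H(m) - x * r) * pow(k, -1, p - 1)) % (p - 1)
    return r, s

def verify(m: bytes, sig) -> bool:
    r, s = sig
    if not 0 < r < p:
        return False
    return pow(g, H(m), p) == (pow(y, r, p) * pow(r, s, p)) % p
```

DSA's space savings come, roughly, from working modulo a much smaller prime q when computing r and s, which is what shortens the signatures.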

Key Derivation and Beyond

There are probably a zillion cryptosystems that ought to be mentioned here, and we can't cover them all. Still, there's one more class of 'things that hash functions are used for' that probably isn't really secure at all, unless you're willing to make some pretty strong assumptions about the properties of your hash function.

The example I'm thinking of is the use of hashing to derive cryptographic keys. For example, many password-based encryption schemes use a hash function to combine a password and some salt to derive a key for encryption. This approach seems to work ok in most cases (assuming a high entropy password), but it doesn't have any strong theoretical legs to stand on.

An extractor.
In general, if you're trying to extract a uniform random key from a 'lumpy', non-uniform source like a password, the proper tool to use is something called a randomness extractor. These can be implemented in the standard model (no random oracles), but all of the existing constructions pretty much suck. This sounds rude, but it's actually a technical term that cryptographers use to indicate that a scheme is complicated and slow.

So in real life, nobody uses these things. Instead they just hash the password and salt together, and assume that the result will be pretty good. If they're feeling frisky they might even hash it a bunch of times, which is the crypto equivalent of shooting a turkey with an AK-47. It's probably just fine, although technically you can never rule out bulletproof turkeys.*******
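To make the folklore recipe concrete, here's a sketch of the "hash it a bunch of times" approach. This is only an illustration of the pattern described above; in real life you'd reach for a purpose-built construction like PBKDF2 or scrypt rather than rolling your own.

```python
import hashlib
import os

def naive_kdf(password: bytes, salt: bytes, iterations: int = 100000) -> bytes:
    """The folklore key-derivation recipe: hash password and salt together,
    then re-hash the result many times. The iteration count mostly buys
    slowness (to frustrate dictionary attacks), not any formal extraction
    guarantee -- see the last footnote below."""
    state = hashlib.sha256(salt + password).digest()
    for _ in range(iterations):
        state = hashlib.sha256(state).digest()
    return state

# Usage: derive a 256-bit key from a password and a fresh random salt.
salt = os.urandom(16)
key = naive_kdf(b"correct horse battery staple", salt)
```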

Whenever people bother to argue formally about the security of schemes like this (which is, essentially, never), the usual argument goes like this: let's just assume the hash function is a random oracle. In the random oracle model, of course, every hash function is a perfect extractor. Stick any high-entropy source into an ideal hash function, no matter how 'lumpy' or 'weird' the input is, and you get a fantastic key out the other end.

So even if your favorite key derivation has no formal security proof whatsoever, you can bet somebody, somewhere has made this argument, if only to help themselves sleep better at night.

In Summary

This was supposed to be a post about the random oracle model, but I feel that it took on a life of its own. That's not a bad thing. I promised that I'd spend some time talking about practical crypto, and I've certainly accomplished that.

Although I could say a million things about the random oracle model, I only have one more post left in me. And in some ways, this is going to be the most important post of all.

You see, we always knew that this ride wouldn't last forever, we just thought we had more time. Unfortunately, the end is nigh. Just like the imaginary city that Leonardo DiCaprio explored during the boring part of Inception, the random oracle model is collapsing under the weight of its own contradictions.

This collapse -- and what it means for cryptographers, security professionals, and everyone else -- will be the subject of my final post.

Notes:

* NIST has begun to deprecate RSA in its FIPS standards. You can use it in some places, but it's no longer a major supported algorithm.

**** Specifically, the OAEP decoding algorithm has a step in which it decodes the padded plaintext (a value between 0 and N-1) into a bitstring. This requires it to check that the decrypted RSA value is less than 2^n, where n is some number of bits that can be reliably encoded within the range. The Manger attack assumes that the decoding algorithm might leak the result of this check.

***** Although, on the signature side things are a little better. Hohenberger and Waters recently proposed a hash-and-sign RSA signature that's secure under the RSA assumption without random oracles. This is really a very neat result. Unfortunately it's inefficient as hell.

****** This is not to say people haven't tried to piece a proof together. You can do it, if you're willing to work in the random oracle model, and also assume the existence of leprechauns and unicorns and similarly unrealistic things.

******* In fact, repeated hashing is usually just as much about making the hash process slow as it is about achieving a strong key. This can be helpful in thwarting dictionary attacks.