Posts so far

The problem with blogs is that, well, they’re weblogs. The ‘good’ posts dribble off the bottom, where they get mixed in with the bad, and nobody ever sees them again. The more crap I write, the worse this problem is.

To fight this — and to prevent myself from writing the same post over and over again — I thought it might be helpful to compile a list of a few posts that aren’t too embarrassing. If you’re new here, you can treat this as a table of contents to this blog.

(Hey, there are things going on in the world! The CRYPTO list of accepted papers has finally been published! There are neat attacks on cryptographic tokens! I want to write about all of it, but I just don’t have time today. So please accept these re-runs for now, and hopefully I’ll have new content soon.)

On the mess that is our public-key infrastructure:

  1. The Internet is broken, can we please fix it? On Trustwave & MITM attacks.
  2. TACK, a proposal for dynamically ‘pinning’ certificates.
High-level intro posts:
  1. It’s the end of the world as we know it, and I feel fine. Post-quantum crypto from 30,000 feet.
  2. What is the random oracle model and why should I care? An early series, a little embarrassing.
  3. Format preserving encryption. Or: how to encrypt a credit card number with AES.
  4. What’s TLS Snap Start? and So long False Start. On two (now withdrawn) TLS extensions.
  5. The future of electronic currency. On anonymous e-cash.
  6. Offline security through CAPTCHAs. A neat old idea for preventing dictionary attacks.
  7. Poker is hard, especially for cryptographers. All about mental poker.
  8. Fully-Homomorphic Encryption. Unfortunately this is still unfinished…
How to use cryptography (in)securely:
  1. How (not) to use symmetric encryption. A few of the worst pitfalls.
  2. What’s the deal with RC4? A history of attacks on an old stream cipher.
  3. How to choose an authenticated encryption mode. Very important!
  4. Random number generation, an illustrated primer. A look under the hood.
  5. Surviving a bad RNG. What to do if your (P)RNG isn’t carrying its weight.
  6. Circular security. A wonkier, more theoretical subject.
  7. On multiple encryption. Are you safer if you encrypt twice?
Crypto attack(s) of the week:
  1. On the BEAST attack. Note: written before the details were made public.
  2. XML Encryption. Why you should authenticate your ciphertexts.
  3. Side-channel attacks on DESFire. Neat.
  4. Datagram TLS. Alfardan & Paterson show that  timing attacks are (still) practical.
  5. 2011 Redux. A quick summary of a whole year.
  6. Satellite phone encryption is terrible. Attacks on two satphone ciphers.
  7. The story of EAX(prime). And why security proofs are like Knight Rider.
  8. A tale of two patches. Analyzing two recent OpenSSL bugs.
  1. Digital Fortress: I read it so you don’t have to. Dan Brown embarrasses cryptography.
  2. Bram Cohen corrected. In which I randomly flame Bram Cohen.
  3. Bram Cohen corrects me? Bram turns out to be a good sport.
  4. Why Antisec matters. The security industry is a joke?
When I though this blog was a book:
  1. Introduction
  2. Where things fall apart: Primitives; Protocols

2011 Redux

I started this blog just a few months ago and it’s been something of a learning experience. Someday maybe I’ll talk about that, but not in this post. What I’m here to talk about is regret — regret that there are so many things I missed the opportunity to blog about in 2011.

Since I’m finally done traveling and the alternative is to actually be productive, I thought this might be a good opportunity to make up for some of that lost blogging ground. Hence this post: my attempt to sum up what’s happened in practical cryptography in 2011.

Before anyone objects, I’m going to clarify the ground rules. This list is naturally incomplete, and moreover, I’m going to take ‘practical‘ seriously. That rules out reduced-round attacks (on anything); improvements in Fully-Homomorphic Encryption (getting faster!); and any paper with ‘composable’ in the title. I will cover implementation and usability issues. But I don’t really plan to take any of my own rules that seriously. If you think I missed something important, please feel free to follow up in comments.

Phishers don’t mess with the imaginary SecurID key storage facility.
  1. SecurID not so secure after all. RSA’s SecurID has become practically synonymous with two-factor authentication. And it’s not a bad system. Back in 2010 if you’d asked me about the most likely avenue for a compromise, I would have guessed (a) theft of secrets from a local SecurID server, or (b) some kind of bug in the authentication software. What I wouldn’t have guessed was (c) compromise of RSA’s master seed data. Obviously that wasn’t going to happen — given the sensitivity of this information, RSA naturally took good care of it. Remember the underground research facility in Resident Evil? My vision of the RSA master seed storage facility was kind of like that, only without the friendly computer or Milla Jovovich.

    In retrospect this seems a bit naive, but really: SecurID was everywhere. Even military contractors used it. If local banks had learned to store their secrets in hardware security modules, then certainly RSA would take modest precautions with something as important as their master seed database.

    What 2011 taught us is that just because you think something will be done a certain way, it won’t necessarily be so. Perhaps 2012 will be different.

  2. Still more attacks on AES. I promised to keep this to the practical, and the latest attacks against AES certainly aren’t. The best of them still only shave a couple of bits off of the security of an AES key (although the new attacks don’t depend on related keys). Still, AES is such an important cipher that any reduction in its security margin is going to have some kind of practical impact. The question now is what lies down the road: (a) an improved AES beefed up with additional rounds, (b) a new standards competition, (c) apathy, or (d) something even weirder. Maybe 2012 will put us on a path to finding that answer.
  3. D-Wave actually builds a quantum computer. With two caveats: it’s not really a computer, and it may or may not be quantum. In case you’ve never heard of D-Wave, they’re a private company that purports to sell the first working adiabatic quantum computer, complete with “128 pair-wise coupled superconducting flux qubits”. If you’re not sure what to make of this, you’re not the only one. Thanks to D-Wave’s NDA-heavy business model, there’s been some doubt in learned quarters as to whether the D-Wave device actually performs useful quantum computation at all.

    But D-Wave has an active and respectable research department. Just this past May they published an article in Nature demonstrating apparent quantum tunneling amongst eight qubits. This is a far cry from the 128 qubits claimed in their commercial products, it doesn’t demonstrate entanglement, and of course, it doesn’t result in computation. Still, it’s not nothing. So does this mean practical implementations of Shor’s algorithm are just around the corner? Probably not.

  4. TLS falls to the BEAST. This fall Thai Duong and Juliano Rizzo raised the pulse of the security industry by demonstrating the most exciting practical attack against SSL/TLS in years. This attack is dear to my heart because it’s one of the first attacks I wrote about on this blog. BEAST is based on a five-year-old academic attack on a twelve-year-old standard. Now there’s a bit more to the attack that Rizzo/Duong implemented, but still — how in the world does such a thing stay in the wild so long? A colleague describes Rizzo/Duong’s research strategy as ‘working their way through the Eurocrypt archives, actually exploiting the theoretical vulnerabilities that academics couldn’t be bothered to follow through on’. If this sounds dismissive, it wasn’t — he only wished that he’d done it first.

    Lesson: there’s a hell of a gap between academic crypto and ‘the real world’. We’re only safe as long as you believe in attackers who are sophisticated enough to spear-phish SecurID, but not bright enough to read a crypto paper. Time will tell if that belief is a good one.

  5. Nothing much happens with hash functions. Well, that’s a bit unfair. Things did happen, and there are some papers to show for it. The SHA3 finalists, announced late last year, continued to percolate through the system. (Go BLAKE!) Still, 2011 was a huge disappointment for those of us who thought that it would be the year of SHA1 collisions. I guess there’s always 2012.
  6. Unsigned code running on iOS. Many cryptographers would exclude this from a list of ‘crypto’ happenings. Still, a theme of this blog is that your crypto doesn’t matter if your implementation undermines it. This is exactly what Charlie Miller demonstrated when he showed how to execute malicious application code on an iPhone. Even though iOS devices are only supposed to run signed code, it turns out that a few bad checks created a tiny section of memory in which these requirements were irrelevant. To thank him, Apple created a tiny section of their developer program in which Charlie Miller is irrelevant.
  7. Certificate Authorities still a giant mess. Some will say I’m exaggerating — there were only a few major hacks this year, notably Dutch CA DigiNotar, and a smaller CA called Gemnet. But don’t forget, Microsoft also revoked Digicert Malaysia — not because they were hacked, but for using 512-bit RSA keys to sign certificates (!!) And this is only a partial list of the problems we know about. All in all, it was not a good year to be a CA.
  8. Secure police radios not all that secure. APCO Project 25 is a digital radio standard used by law enforcement. Naturally it supports encryption — a valuable tool when you’re discussing a confidential source or razzing those Occupy protestors. And the P25 encryption itself isn’t half bad (it’s unauthenticated AES). Rather, the problem with P25 is that simply getting encryption turned on is a daunting prospect — to the point where it often doesn’t happen.
    To illustrate the problem, a team from UPenn spent two years snarfing up confidential traffic. The agents generating most of this traffic either thought it was encrypted, or would have encrypted it if only they could’ve figured out how to set the keys. Still more evidence that usability is every bit as important as crypto, implementation, or any other issue that we come across in our field.
  9. XML Encryption nearly as awful as XML itself. This fall brought news of a clever attack on the unauthenticated W3C XML Encryption standard. The attack, by researchers Tibor Jager and Juraj Somorovsky, used various features of XML encoding to implement what I would call a ‘padding oracle attack-plus-plus’ — which completely decrypts protected XML on Axis2 and JBoss systems. The W3C response: “We are so sorry for promulgating this terrible standard and recommend that you never, ever listen to anything we say regarding security ever again.” No, of course I’m just kidding. Actually, they’re adding AES-GCM as an option. Should take care of everything.
  10. Quantum key distribution still a work in progress. Quantum Key Distribution (QKD), sometimes known as ‘quantum crypto’, is a promising technique for distributing keys over geographic distances without the need to rely on complicated stuff like hard mathematical problems. Instead, you just need to run direct fiber-optic cables to the person you want to communicate with (much easier). On the bright side, the security of QKD is supposedly based on fundamental quantum-physical properties. In general, the caveat in any QKD design is that security only holds if the physical device works as expected. This year researchers from Singapore and Norway showed that this is a big assumption: by exploiting certain limitations of existing detector equipment, they were able to extract an entire secret key without anyone being the wiser. None of these attacks are fundamental ‘breaks’ of QKD, and indeed they’ve already been mitigated. But it goes to show how you should never trust a system just because someone tells you it’s ‘theoretically unbreakable’.
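As an added example (not the blog’s code, and not the Jager/Somorovsky XML Encryption attack itself), here is the generic CBC padding-oracle attack that item 9 builds on, followed by the fix the ‘authenticate your ciphertexts’ lesson calls for. A 16-byte Feistel cipher stands in for AES so the script runs on the Python standard library alone; the keys, IV and message are constructed. The attacker never learns the key: it only asks the receiver, one forged ciphertext at a time, “did the padding check pass?”, and that single bit per query is enough to decrypt everything. With an encrypt-then-MAC receiver that verifies a tag before touching the padding, every forged query is rejected and the attack has nothing to work with.

```python
# Added example: CBC padding-oracle decryption, and the authentication tag that stops it.
# The Feistel cipher is a stand-in for AES (assumption); all keys and messages are constructed.
import functools
import hashlib
import hmac

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key: bytes, i: int, half: bytes) -> bytes:
    # Round function: HMAC-SHA256 as a keyed PRF, truncated to a half block.
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in range(4):  # four balanced Feistel rounds
        l, r = r, _xor(l, _round(key, i, r))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:8], block[8:]
    for i in reversed(range(4)):
        l, r = _xor(r, _round(key, i, l)), l
    return l + r


def pkcs7_unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    n = BLOCK - len(plaintext) % BLOCK
    padded = plaintext + bytes([n]) * n  # PKCS#7 padding
    out, prev = [], iv
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(block_decrypt(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return pkcs7_unpad(b"".join(out))


def padding_valid(key: bytes, iv: bytes, ct: bytes) -> bool:
    # The receiver's bug: its error behaviour tells the caller whether padding was valid.
    try:
        cbc_decrypt(key, iv, ct)
    except ValueError:
        return False
    return True


def authenticated_oracle(key: bytes, mac_key: bytes, captured_tag: bytes, iv: bytes, ct: bytes) -> bool:
    # Encrypt-then-MAC receiver: a forged (iv, ct) fails the tag check before the
    # padding is ever examined, so the only observable answer is "rejected".
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, captured_tag) and padding_valid(key, iv, ct)


def _recover_block(oracle, prev: bytes, target: bytes) -> bytes:
    # Learn D(target) one byte at a time from the right, using a forged previous block.
    inter = bytearray(BLOCK)
    for pos in range(BLOCK - 1, -1, -1):
        pad_val = BLOCK - pos
        forged = bytearray(BLOCK)
        for j in range(pos + 1, BLOCK):
            forged[j] = inter[j] ^ pad_val  # bytes already known now decrypt to pad_val
        for guess in range(256):
            forged[pos] = guess
            if not oracle(bytes(forged), target):
                continue
            if pos == BLOCK - 1:  # rule out a lucky longer padding such as ...02 02
                probe = bytes(forged[:pos - 1]) + bytes([forged[pos - 1] ^ 0xFF, guess])
                if not oracle(probe, target):
                    continue
            inter[pos] = guess ^ pad_val
            break
        else:
            raise RuntimeError("no valid padding found: there is no oracle to exploit")
    return _xor(bytes(inter), prev)  # plaintext block = D(C_i) XOR C_{i-1}


def padding_oracle_attack(oracle, iv: bytes, ct: bytes) -> bytes:
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    plain = b"".join(_recover_block(oracle, blocks[i - 1], blocks[i]) for i in range(1, len(blocks)))
    return pkcs7_unpad(plain)


def demo() -> dict:
    key, mac_key, iv = b"K" * 16, b"M" * 16, bytes(range(16))  # constructed
    message = b"<cc>4111 1111 1111 1111</cc>"  # constructed
    ct = cbc_encrypt(key, iv, message)
    recovered = padding_oracle_attack(functools.partial(padding_valid, key), iv, ct)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    try:
        padding_oracle_attack(functools.partial(authenticated_oracle, key, mac_key, tag), iv, ct)
        blocked = False
    except RuntimeError:
        blocked = True
    return {"message": message, "recovered": recovered, "blocked": blocked}
```

`demo()` recovers the full plaintext with roughly 128 oracle queries per byte and no knowledge of the key, then shows the same attack failing against the encrypt-then-MAC receiver. The oracle here is literal PKCS#7 padding; in the XML Encryption attack the post describes, the ‘valid or not’ signal came from XML encoding checks instead, which is what the ‘plus-plus’ refers to, but the structure of the decryption is the same.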
And that’s 2011. I’m sure I’m missing tons of important stuff — and that’s what comments are for. Please enjoy the rest of your holidays and be safe in the new year.

A question for you

This post is addressed to you, my patient and wonderful audience.

I realize that my interests may not be entirely representative of yours. So what would you like to read about? I don’t guarantee that I’ll write on any of your suggestions, but I do promise to at least think about the topics you propose.

Feel free to make your suggestions in comments or Twitter. If you don’t, be warned: you’ll be as much to blame for that future post on Leakage Resilient Cryptography as I will.

Programming note

I realize that posts have been a bit light on this blog over the past couple of weeks. I’ve been a bit preoccupied recently, but this will soon change. I’m also aware that I have a few outstanding unfinished threads, and I certainly haven’t forgotten them. If you have no idea what I’m talking about, that’s great! See:

Stay tuned. There will be content.