Document 7347371
Download
Report
Transcript Document 7347371
Crypto Blunders
Steve Burnett, RSA Security Inc.
[email protected]
SJSU Oct. 15, 2002
In History
Scientific American in 1917:
The Vigenére Cipher is “impossible of
translation” . . .
In History
Problem:
Union Army broke the Vigenére Cipher
during the United States Civil War in
the 1860’s.
In History
During WWII:
Message from Luftwaffe
High Command to a field
officer declared Enigma
“unbreakable”. That
message was encrypted
using Enigma.
In History
How do we know about this message?
It was cracked by the British shortly
after being intercepted.
In History
Scientific American in 1977:
Martin Gardner published the first RSA
challenge, $100 to the first person who
could crack a message encrypted using
the algorithm. Gardner claimed the
cipher was unresolvable. Ron Rivest
(the “R”) declared that it would take “40
quadrillion years” to crack.
In History
Result?
They paid up 17 years later.
Crypto Blunder #1
Declare your algorithm to be “unbreakable”.
Web Search
• UBE (UnBreakable Encryption)
http://www.atlantic-coast.com/ube/
• VME (Virtual Matrix Encryption) “100% Security”
“Our technology, VME, is quite simply the only
unbreakable encryption available.”
http://www.meganet.com
$1.2 million in challenges
RSA Challenge and Ron Rivest’s
Statement
• “Using current technology . . .”
• The algorithm had just been (re)invented that
year, more research would yield better security
numbers
• The challenge was on a 428-bit key (most use
today is 1024 or 2048 bits)
• RSA as an algorithm is still secure
Security Proof
Michael Rabin and Yan Zong Ding
(algorithm known as Ding-Rabin)
”This is the first provably unbreakable code
that is really efficient.”
“We have proved that the adversary is
helpless.”
”It provides everlasting security.”
Security Proof?
Atjai-Dwork: algorithm proposed in 1997,
came with a security proof.
Broken in 1998 (attacked assumptions, not
math).
Ding-Rabin
One-time pad with an “unbreakable” pad
derivation function.
Assumption: Adversary has only one attack.
Assumption: Adversary needs to store an
inordinate amount of data.
Assumption: Algorithm can set the
threshold of storage beyond adversary’s
capacity.
One-Time Pad
Belief: “The one-time pad is the only unbreakable
encryption scheme.”
P L A I N T E X T . . .
Pad: 05 10 03 21 00 07 14 14 08 . . .
U V D D N A S L B . . .
One-Time Pad
More rigorous declaration: “If the pad is random
and the pad is used only once, the one-time pad has
provable security properties.”
This implies, “If the pad is not random and/or
the pad is used more than once, there are
security holes.”
One-Time Pad
1930’s - 1940’s:
Soviet Union used one-time pads to encrypt
messages to diplomatic missions throughout the
world.
They used some pads more than once. The error
was in a manufacturer accidentally printing pads
more than once.
Crypto Blunder #2
Worship at the altar of the one-time pad
Some proposals
One-time pads for personal use, where do you
get the pad?
CD’s or DVD’s
Generate a pad using a PRNG, then store the
pad in a file (suggestion from manufacturer:
store the pad on a floppy)
One-Time Pad
1998:
Microsoft releases an implementation of the
Point-to-Point Tunneling Protocol (PPTP).
They used RC4 to encrypt the bulk data.
RC4 is a kind of one-time pad, generating the
pad “on-the-fly”, as more pad data is needed.
Microsoft’s PPTP
Messages from client to server:
One encryption “subsession”
Needs a key
Client
Server
Messages from server to client:
Another encryption “subsession”,
start over from scratch
Needs another key
Microsoft’s PPTP
Message from client to server:
Send secret data
RC4 “pad”: 38 0C 5D 77 . . .
Ciphertext: kisé . . .
Client
Server
Message from server to client:
Buy ACME at $10
RC4 “pad”: 38 0C 5D 77 . . .
Ciphertext: zy$W . . .
Which Algorithm?
1700’s:
Many countries established “Black Chambers”
which read and tried to decipher most mail sent
to diplomatic missions.
Strategy for sending messages: Use the best
known cipher.
Which Algorithm?
• Vigenére cipher available since 1500’s
• 1700’s, Vigenére had not been broken yet
• Most correspondents knew the ciphers they were
using (often simple or complicated letter
substitutions) were not secure
• Used them anyway
Crypto Blunder #3
Don’t use the best available algorithms
Best Available Algorithm?
Microsoft invented a new block cipher to be
used in their Digital Rights Management
(DRM) software.
Version 2 of the DRM was broken, one
byproduct was a reverse-engineering of the
new block cipher (dubbed MultiSwap).
UC Berkeley team (including David Wagner)
shows the algorithm to be very weak.
New Algorithm?
Why invent a new block cipher?
Microsoft had a license to use RC5.
They had no way of knowing their new
algorithm would be weak, but had no way of
knowing it would be strong either.
Use a studied cipher.
DVD (Digital Video Disc)
DVD player
Disc with movie
Extracts its
copy of the movie
key and uses its
unlock key to decrypt
the movie key
97 9B 33 0A E2
Copy-protected location
100’s of copies of the movie
key, each encrypted with a
separate DVD player unlock key
432D68E70B
B48F71A913
6C46A754D9
8B71F9360A
...
The movie encrypted:
26D787C34BB7855E
9267F86B25A87B68
6A28E76A6105C991
...
DVD
DVD player
Disc with movie
With the movie key, the
player decrypts the movie
97 9B 33 0A E2
The movie encrypted:
26D787C34BB7855E
9267F86B25A87B68
6A28E76A6105C991
...
DVD
• The movie, encrypted or unencrypted, can be
copied
• The movie key copies (each encrypted with a
different company’s unlock key) cannot be copied
• If a licensed DVD player reads a disc without the
movie key copies, even if the movie is
unencrypted, it will not play the movie
DVD: One way to Cheat
• Copy the movie onto a new disc
• Figure out what the movie key list is supposed to
be, must know what each unlock key is (break the
encryption)
• create your own movie key list and place it on
your disc
Best Available Algorithm?
1999:
Jon Johansen in Norway, contributor to breaking
DVD, remarked, “I wonder how much they paid for
someone to actually develop that weak algorithm.”
Furthermore, it used 40-bit encryption (by 1997,
when DVD came out, 56 and 64-bit encryption was
exportable from the US).
Implementation
1930’s:
The Japanese government replaces old “Red” cipher
since it was not secure any more.
The new algorithm, named
“Purple” by US codebreakers,
was far superior.
Implementation
Problem:
Errors in building and deploying the new machines
aided the enemy in World War II (the Americans)
in cracking the system.
One error: “mistake on the plugboard.”
Crypto Blunder #4
Implement the algorithm incorrectly
Using RSA
RSA Tech Support gets a call one day, using RSA
to encrypt, ciphertext is same as plaintext.
Find two primes, p and q, multiply them together to produce a
modulus n.
Decide on a public exponent, e, and find the private
exponent,
d = inverse of e mod (p-1)(q-1).
To encrypt message m and produce ciphertext c, perform
exponentiation:
c = me mod n.
To decrypt:
m = cd mod n.
RSA implementation
Upon investigation, we discovered the
customer had chosen 1 as the public
exponent.
c = m1 mod n
DSA (Digital Signature Algorithm)
Sign: Generate two values (r and s) based on the
data to sign, the private key and a random value
Data to
Sign
DSA Algorithm
r:
s:
Signer’s
DSA Private
Key
Random “k”
DSA Security
• If someone knows your private key, they can sign
for you (forge your signature)
• If someone knows the random “k” you used, they
can compute your private key
• If you use the same “k” twice, it’s simple high
school algebra to figure out what that “k” is
• DON’T use the same “k” twice.
JavaSoft DSA Implementation
• JDK 1.1 includes DSA (believed to have no
intellectual property entanglements)
• How does one generate a new random “k” every
signature?
• “Hardcoded” the “k” and planned to solve the
problem later
• Released JDK 1.1 with the hardcoded “k”
• Fixed in JDK 1.1.2
The k’s
512-bit keys: 66 D1 F1 17 51 44 7F 6F
2E F7 95 16 50 C7 38 E1
85 0B 38 59
1024-bit keys: 65 A0 7E 54 72 BE 2E 31
37 8A EA 7A 64 7C DB AE
C9 21 54 29
Others, computation of which is left as
an exercise for the audience.
Disaster Mitigated
The code to sign and verify was flawed
anyway, there was no way to use old keys.
That is, you could generate a new key pair,
sign with the private key, but no one could
load the public key.
You could sign, but not verify. Likewise, you
could encrypt, but not decrypt.
Enigma keys
Enigma was broken. One of
the ways it was broken was
that operators were using 6character keys, easy to
guess.
Admiral Dönitz of the German
Navy had operators use
longer keys generated
randomly.
Enigma keys
British Navy boarded a disabled sub (U-559) and
found a book with the list of keys.
The operator’s original instructions were to
destroy the key book if the sub were damaged, but
the captain ordered all personnel to abandon the
ship (the operator saved his correspondence with
his girlfriend).
Crypto Blunder #5
Don’t protect the key.
PBE technique to protect keys
Password-Based Encryption (PBE) used to protect
Windows for Workgroups passwords in a PWL file.
1995: Peter Gutmann demonstrates the technique is
flawed.
1996: Gutmann extends the technique to recover
server private keys in Netscape.
1997: Gutmann reports that Microsoft Internet
Explorer uses same technique to protect private keys.
Responses
1995: Microsoft declares, “The password list file is
encrypted with an algorithm that meets the U.S.
government Data Encryption Standard (DES). This
encryption technology is the highest security allowed
in software exported from the United States.”
1996: Netscape replaced key-protection (unrelated to
the Gutmann announcement).
1997: Microsoft offers new technique, Gutmann
shows it’s not much better.
Crypto AG
Swiss company offering crypto products.
One product was a “teletext” machine used by many
governments to securely communicate among
embassies and other diplomatic stations.
In 1992, Hans Buehler, a sales rep for Crypto AG, was
arrested in Iran. The Iranian government accused
Crypto AG of putting a “back door” into the product
delivered to Iran.
Crypto Blunder #5
Put a back door into your product.
Clipper Chip
In 1993, the US government offered the
Clipper chip, a crypto device to be used
on phones, in computers, networks, etc.
From the US government? Back door?
Clipper Chip
Back door? It was advertised.
According to the US government,
that was one of its best features.
The Clipper is no longer in production.
Crypto Blunders
Steve Burnett, RSA Security Inc.
[email protected]
SJSU Oct. 15, 2002