Crypto Blunders. Steve Burnett, RSA Security Inc., [email protected], SJSU, Oct. 15, 2002


Page 1: Crypto Blunders

Crypto Blunders

Steve Burnett, RSA Security [email protected] Oct. 15, 2002

Page 2: Crypto Blunders

In History

Scientific American in 1917:

The Vigenère Cipher is “impossible of translation” . . .

Page 3: Crypto Blunders

In History

Problem:

Union Army broke the Vigenère Cipher during the United States Civil War in the 1860’s.

Page 4: Crypto Blunders

In History

During WWII:

Message from Luftwaffe High Command to a field officer declared Enigma “unbreakable”. That message was encrypted using Enigma.

Page 5: Crypto Blunders

In History

How do we know about this message?

It was cracked by the British shortly after being intercepted.

Page 6: Crypto Blunders

In History

Scientific American in 1977:

Martin Gardner published the first RSA challenge, $100 to the first person who could crack a message encrypted using the algorithm. Gardner claimed the cipher was unresolvable. Ron Rivest (the “R”) declared that it would take “40 quadrillion years” to crack.

Page 7: Crypto Blunders

In History

Result?

They paid up 17 years later.

Page 8: Crypto Blunders

Crypto Blunder #1

Declare your algorithm to be “unbreakable”.

Page 9: Crypto Blunders

Web Search

• UBE (UnBreakable Encryption) http://www.atlantic-coast.com/ube/

• VME (Virtual Matrix Encryption) “100% Security” “Our technology, VME, is quite simply the only unbreakable encryption available.” http://www.meganet.com ($1.2 million in challenges)

Page 10: Crypto Blunders

RSA Challenge and Ron Rivest’s Statement

• “Using current technology . . .”

• The algorithm had just been (re)invented that year; more research would yield better security numbers

• The challenge was on a 428-bit key (most use today is 1024 or 2048 bits)

• RSA as an algorithm is still secure

Page 11: Crypto Blunders

Security Proof

“This is the first provably unbreakable code that is really efficient.”

“We have proved that the adversary is helpless.”

“It provides everlasting security.”

Michael Rabin and Yan Zong Ding (algorithm known as Ding-Rabin)

Page 12: Crypto Blunders

Security Proof?

Ajtai-Dwork: algorithm proposed in 1997, came with a security proof.

Broken in 1998 (attacked assumptions, not math).

Page 13: Crypto Blunders

Ding-Rabin

One-time pad with an “unbreakable” pad derivation function.

Assumption: Adversary has only one attack.

Assumption: Adversary needs to store an inordinate amount of data.

Assumption: Algorithm can set the threshold of storage beyond adversary’s capacity.

Page 14: Crypto Blunders

One-Time Pad

Belief: “The one-time pad is the only unbreakable encryption scheme.”

Plaintext:  P  L  A  I  N  T  E  X  T  . . .
Pad:        05 10 03 21 00 07 14 14 08 . . .
Ciphertext: U  V  D  D  N  A  S  L  B  . . .

Page 15: Crypto Blunders

One-Time Pad

More rigorous declaration: “If the pad is random and the pad is used only once, the one-time pad has provable security properties.”

This implies, “If the pad is not random and/or the pad is used more than once, there are security holes.”

Page 16: Crypto Blunders

One-Time Pad

1930’s - 1940’s:

Soviet Union used one-time pads to encrypt messages to diplomatic missions throughout the world.

They used some pads more than once. The error was in a manufacturer accidentally printing pads more than once.

Page 17: Crypto Blunders

Crypto Blunder #2

Worship at the altar of the one-time pad

Page 18: Crypto Blunders

Some proposals

One-time pads for personal use, where do you get the pad?

CD’s or DVD’s

Generate a pad using a PRNG, then store the pad in a file (suggestion from manufacturer: store the pad on a floppy)

Page 19: Crypto Blunders

One-Time Pad

1998:

Microsoft releases an implementation of the Point-to-Point Tunneling Protocol (PPTP).

They used RC4 to encrypt the bulk data.

RC4 is a kind of one-time pad, generating the pad “on-the-fly”, as more pad data is needed.

Page 20: Crypto Blunders

Microsoft’s PPTP

Client and server (diagram):

Messages from client to server: one encryption “subsession”, needs a key.

Messages from server to client: another encryption “subsession”, start over from scratch, needs another key.

Page 21: Crypto Blunders

Microsoft’s PPTP

Client and server (diagram):

Message from client to server: Send secret data
RC4 “pad”: 38 0C 5D 77 . . .
Ciphertext: kisé . . .

Message from server to client: Buy ACME at $10
RC4 “pad”: 38 0C 5D 77 . . .
Ciphertext: zy$W . . .
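As an added example (not from the slides), the letter-shift pad from the One-Time Pad slide and the PPTP situation above, in Python. The 16-byte keystream and the two messages are constructed values; the point shown is that when one pad or RC4 keystream covers two messages, XORing the two ciphertexts cancels the pad, and a known plaintext in one direction exposes the other.

```python
def otp_shift_encrypt(plaintext: str, pad: list[int]) -> str:
    """Letter-shift one-time pad as drawn on the slide: A=0 ... Z=25,
    ciphertext letter = (plaintext letter + pad value) mod 26."""
    return "".join(chr((ord(c) - ord("A") + k) % 26 + ord("A"))
                   for c, k in zip(plaintext, pad))

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def stream_encrypt(plaintext: bytes, keystream: bytes) -> bytes:
    """Any XOR stream cipher (RC4 included) is this: plaintext XOR pad."""
    return xor_bytes(plaintext, keystream)

def pad_reuse_leak(c1: bytes, c2: bytes) -> bytes:
    """Two ciphertexts under the same pad: (p1^pad)^(p2^pad) = p1^p2.
    The pad cancels without anyone ever learning it."""
    return xor_bytes(c1, c2)

def recover_other_plaintext(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Given p1 (or a good guess at it), p2 = (p1 ^ p2) ^ p1."""
    return xor_bytes(pad_reuse_leak(c1, c2), known_p1)

# Constructed PPTP-style scenario: one RC4 "pad" used for both directions.
# The keystream bytes below are made up for this example.
KEYSTREAM = bytes.fromhex("9f1e6a3c55d0b2e74813c6f92ab7d804")
CLIENT_MSG = b"Send secret data"
SERVER_MSG = b"Buy ACME at $10"

def demo_pptp_reuse() -> bytes:
    """Encrypt both directions under the same pad, then recover the
    server's message using only the two ciphertexts and the client's."""
    c1 = stream_encrypt(CLIENT_MSG, KEYSTREAM)
    c2 = stream_encrypt(SERVER_MSG, KEYSTREAM)
    return recover_other_plaintext(c1, c2, CLIENT_MSG)
```

The same functions show the fix: with a second, independent keystream for the server direction, `pad_reuse_leak` returns only pad-masked noise.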

Page 22: Crypto Blunders

Which Algorithm?

1700’s:

Many countries established “Black Chambers” which read and tried to decipher most mail sent to diplomatic missions.

Strategy for sending messages: Use the best known cipher.

Page 23: Crypto Blunders

Which Algorithm?

• Vigenère cipher available since 1500’s

• 1700’s, Vigenère had not been broken yet

• Most correspondents knew the ciphers they were using (often simple or complicated letter substitutions) were not secure

• Used them anyway

Page 24: Crypto Blunders

Crypto Blunder #3

Don’t use the best available algorithms

Page 25: Crypto Blunders

Best Available Algorithm?

Microsoft invented a new block cipher to be used in their Digital Rights Management (DRM) software.

Version 2 of the DRM was broken, one byproduct was a reverse-engineering of the new block cipher (dubbed MultiSwap).

UC Berkeley team (including David Wagner) shows the algorithm to be very weak.

Page 26: Crypto Blunders

New Algorithm?

Why invent a new block cipher?

Microsoft had a license to use RC5.

They had no way of knowing their new algorithm would be weak, but had no way of knowing it would be strong either.

Use a studied cipher.

Page 27: Crypto Blunders

DVD (Digital Video Disc)

Disc with movie (diagram):

The movie, encrypted: 26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .

Copy-protected location: 100’s of copies of the movie key, each encrypted with a separate DVD player unlock key: 432D68E70B B48F71A913 6C46A754D9 8B71F9360A . . .

DVD player (diagram):

Extracts its copy of the movie key and uses its unlock key to decrypt the movie key: 97 9B 33 0A E2

Page 28: Crypto Blunders

DVD

Disc with movie (diagram):

The movie, encrypted: 26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .

DVD player (diagram):

With the movie key, the player decrypts the movie: 97 9B 33 0A E2

Page 29: Crypto Blunders

DVD

• The movie, encrypted or unencrypted, can be copied

• The movie key copies (each encrypted with a different company’s unlock key) cannot be copied

• If a licensed DVD player reads a disc without the movie key copies, even if the movie is unencrypted, it will not play the movie

Page 30: Crypto Blunders

DVD: One way to Cheat

• Copy the movie onto a new disc

• Figure out what the movie key list is supposed to be, must know what each unlock key is (break the encryption)

• Create your own movie key list and place it on your disc

Page 31: Crypto Blunders

Best Available Algorithm?

1999:

Jon Johansen in Norway, contributor to breaking DVD, remarked, “I wonder how much they paid for someone to actually develop that weak algorithm.”

Furthermore, it used 40-bit encryption (by 1997, when DVD came out, 56 and 64-bit encryption was exportable from the US).

Page 32: Crypto Blunders

Implementation

1930’s:

The Japanese government replaces the old “Red” cipher since it was not secure any more.

The new algorithm, named “Purple” by US codebreakers, was far superior.

Page 33: Crypto Blunders

Implementation

Problem:

Errors in building and deploying the new machines aided the enemy in World War II (the Americans) in cracking the system.

One error: “mistake on the plugboard.”

Page 34: Crypto Blunders

Crypto Blunder #4

Implement the algorithm incorrectly

Page 35: Crypto Blunders

Using RSA

RSA Tech Support gets a call one day: a customer using RSA to encrypt finds that the ciphertext is the same as the plaintext.

Find two primes, p and q, and multiply them together to produce a modulus n.

Decide on a public exponent, e, and find the private exponent, d = inverse of e mod (p-1)(q-1).

To encrypt message m and produce ciphertext c, perform exponentiation:

c = m^e mod n

To decrypt:

m = c^d mod n

Page 36: Crypto Blunders

RSA implementation

Upon investigation, we discovered the customer had chosen 1 as the public exponent.

c = m^1 mod n
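As an added example (not from the slides), toy RSA key generation in Python with the public-exponent check the customer's code lacked: e = 1 leaves c = m, so a key is only accepted when e is at least 3 and coprime to (p-1)(q-1). The small primes are constructed for illustration.

```python
from math import gcd

def public_exponent_ok(e: int, phi: int) -> bool:
    """e = 1 makes c = m^1 mod n = m (encryption is the identity map);
    e must also be invertible mod phi or no private exponent exists."""
    return 3 <= e < phi and gcd(e, phi) == 1

def rsa_keygen(p: int, q: int, e: int):
    """Toy RSA key generation on constructed primes p and q (primality
    is not checked here). Raises instead of silently producing a key
    that encrypts to the plaintext."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not public_exponent_ok(e, phi):
        raise ValueError(f"public exponent {e} is not usable with this modulus")
    d = pow(e, -1, phi)          # private exponent: inverse of e mod (p-1)(q-1)
    return (n, e), (n, d)

def rsa_encrypt(m: int, public_key) -> int:
    n, e = public_key
    return pow(m, e, n)          # c = m^e mod n

def rsa_decrypt(c: int, private_key) -> int:
    n, d = private_key
    return pow(c, d, n)          # m = c^d mod n

def unchecked_encrypt(m: int, n: int, e: int) -> int:
    """What the customer's code amounted to: exponentiation with no
    validation of e, so e = 1 returns m unchanged."""
    return pow(m, e, n)
```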

Page 37: Crypto Blunders

DSA (Digital Signature Algorithm)

Sign: Generate two values (r and s) based on the data to sign, the private key and a random value.

Diagram: the data to sign, the signer’s DSA private key and a random “k” go into the DSA algorithm, which outputs r and s.

Page 38: Crypto Blunders

DSA Security

• If someone knows your private key, they can sign for you (forge your signature)

• If someone knows the random “k” you used, they can compute your private key

• If you use the same “k” twice, it’s simple high school algebra to figure out what that “k” is

• DON’T use the same “k” twice.
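As an added example (not from the slides), the two DSA facts above in Python: signing and verifying on deliberately tiny constructed parameters, the “high school algebra” that turns two signatures sharing a “k” into the private key, and a defender-side check that flags reused nonces by their equal r values.

```python
# Toy DSA on constructed parameters (p=23, q=11, g=4, where q divides
# p-1 and g has order q mod p). Real DSA uses 160-bit q and 1024-bit p;
# the algebra of the k-reuse leak is identical.
P, Q, G = 23, 11, 4

def inv(a: int, m: int) -> int:
    return pow(a % m, -1, m)

def dsa_sign(h: int, x: int, k: int) -> tuple[int, int]:
    """Signature (r, s) on hash value h under private key x with nonce k."""
    r = pow(G, k, P) % Q
    s = inv(k, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, pick a different k")
    return r, s

def dsa_verify(h: int, y: int, sig: tuple[int, int]) -> bool:
    """Standard DSA verification against public key y = g^x mod p."""
    r, s = sig
    w = inv(s, Q)
    v = (pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P) % Q
    return v == r

def recover_private_key(h1, sig1, h2, sig2) -> int:
    """Two signatures with the same k share r, so
    s1 - s2 = k^-1 (h1 - h2) mod q gives k, and then x from s1."""
    (r, s1), (_, s2) = sig1, sig2
    k = (h1 - h2) * inv(s1 - s2, Q) % Q
    return (s1 * k - h1) * inv(r, Q) % Q

def find_reused_nonces(signatures) -> list[tuple[int, int]]:
    """Defender-side check over signatures from one key: equal r values
    mean equal k. Returns (first index, later index) pairs that collide."""
    first_seen, collisions = {}, []
    for i, (r, _) in enumerate(signatures):
        if r in first_seen:
            collisions.append((first_seen[r], i))
        else:
            first_seen[r] = i
    return collisions
```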

Page 39: Crypto Blunders

JavaSoft DSA Implementation

• JDK 1.1 includes DSA (believed to have no intellectual property entanglements)

• How does one generate a new random “k” every signature?

• “Hardcoded” the “k” and planned to solve the problem later

• Released JDK 1.1 with the hardcoded “k”

• Fixed in JDK 1.1.2

Page 40: Crypto Blunders

The k’s

512-bit keys: 66 D1 F1 17 51 44 7F 6F 2E F7 95 16 50 C7 38 E1 85 0B 38 59

1024-bit keys: 65 A0 7E 54 72 BE 2E 31 37 8A EA 7A 64 7C DB AE C9 21 54 29

Others, computation of which is left as an exercise for the audience.

Page 41: Crypto Blunders

Disaster Mitigated

The code to sign and verify was flawed anyway; there was no way to use old keys.

That is, you could generate a new key pair and sign with the private key, but no one could load the public key.

You could sign, but not verify. Likewise, you could encrypt, but not decrypt.

Page 42: Crypto Blunders

Enigma keys

Enigma was broken. One of the ways it was broken was that operators were using 6-character keys, easy to guess.

Admiral Dönitz of the German Navy had operators use longer keys generated randomly.

Page 43: Crypto Blunders

Enigma keys

British Navy boarded a disabled sub (U-559) and found a book with the list of keys.

The operator’s original instructions were to destroy the key book if the sub were damaged, but the captain ordered all personnel to abandon the ship (the operator saved his correspondence with his girlfriend).

Page 44: Crypto Blunders

Crypto Blunder #5

Don’t protect the key.

Page 45: Crypto Blunders

PBE technique to protect keys

Password-Based Encryption (PBE) used to protect Windows for Workgroups passwords in a PWL file.

1995: Peter Gutmann demonstrates the technique is flawed.

1996: Gutmann extends the technique to recover server private keys in Netscape.

1997: Gutmann reports that Microsoft Internet Explorer uses same technique to protect private keys.

Page 46: Crypto Blunders

Responses

1995: Microsoft declares, “The password list file is encrypted with an algorithm that meets the U.S. government Data Encryption Standard (DES). This encryption technology is the highest security allowed in software exported from the United States.”

1996: Netscape replaced key-protection (unrelated to the Gutmann announcement).

1997: Microsoft offers new technique, Gutmann shows it’s not much better.

Page 47: Crypto Blunders

Crypto AG

Swiss company offering crypto products.

One product was a “teletext” machine used by many governments to securely communicate among embassies and other diplomatic stations.

In 1992, Hans Buehler, a sales rep for Crypto AG, was arrested in Iran. The Iranian government accused Crypto AG of putting a “back door” into the product delivered to Iran.

Page 48: Crypto Blunders

Crypto Blunder #5

Put a back door into your product.

Page 49: Crypto Blunders

Clipper Chip

In 1993, the US government offered the Clipper chip, a crypto device to be used on phones, in computers, networks, etc.

From the US government? Back door?

Page 50: Crypto Blunders

Clipper Chip

Back door? It was advertised.

According to the US government, that was one of its best features.

The Clipper is no longer in production.

Page 51: Crypto Blunders

Crypto Blunders

Steve Burnett, RSA Security [email protected] Oct. 15, 2002