Schneier on Security

A blog covering security and security technology.

Friday Squid Blogging: Squid Desk Lamp

Beautiful sculpture.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 17, 2012 at 4:37 PM • 11 Comments

What Is a Suspicious-Looking Package, Anyway?

Funny comic.

Posted on February 17, 2012 at 1:45 PM • 11 Comments

Self-Domestication in Bonobos and Other Animals

Self-domestication happens when the benefits of cooperation outweigh the costs:

But why and how could natural selection tame the bonobo? One possible narrative begins about 2.5 million years ago, when the last common ancestor of bonobos and chimpanzees lived both north and south of the Zaire River, as did gorillas, their ecological rivals. A massive drought drove gorillas from the south, and they never returned. That last common ancestor suddenly had the southern jungles to themselves.

As a result, competition for resources wouldn't be as fierce as before. Aggression, such a costly habit, wouldn't have been so necessary. And whereas a resource-limited environment likely made female alliances rare, as they are in modern chimpanzees, reduced competition would have allowed females to become friends. No longer would males intimidate them and force them into sex. Once reproduction was no longer traumatic, they could afford to be fertile more often, which in turn reduced competition between males.

"If females don't let you beat them up, why should a male bonobo try to be dominant over all the other males?" said Hare. "In male chimps, it's very costly to be on top. Often in primate hierarchies, you don't stay on top very long. Everyone is gunning for you. You're getting in a lot of fights. If you don't have to do that, it's better for everybody." Chimpanzees had been caught in what Hare called "this terrible cycle, and bonobos have been able to break this cycle."

This is the sort of thing I write about in my new book. And with both bonobos and humans, there's an obvious security problem: if almost everyone is non-aggressive, an aggressive minority can easily dominate. How does society prevent that from happening?

Posted on February 17, 2012 at 6:25 AM • 17 Comments

Cryptanalysis of Satellite Phone Encryption Algorithms

From the abstract of the paper:

In this paper, we analyze the encryption systems used in the two existing (and competing) satphone standards, GMR-1 and GMR-2. The first main contribution is that we were able to completely reverse engineer the encryption algorithms employed. Both ciphers had not been publicly known previously. We describe the details of the recovery of the two algorithms from freely available DSP-firmware updates for satphones, which included the development of a custom disassembler and tools to analyze the code, and extending prior work on binary analysis to efficiently identify cryptographic code. We note that these steps had to be repeated for both systems, because the available binaries were from two entirely different DSP processors. Perhaps somewhat surprisingly, we found that the GMR-1 cipher can be considered a proprietary variant of the GSM A5/2 algorithm, whereas the GMR-2 cipher is an entirely new design. The second main contribution lies in the cryptanalysis of the two proprietary stream ciphers. We were able to adopt known A5/2 ciphertext-only attacks to the GMR-1 algorithm with an average case complexity of 232 steps. With respect to the GMR-2 cipher, we developed a new attack which is powerful in a known-plaintext setting. In this situation, the encryption key for one session, i.e., one phone call, can be recovered with approximately 50­65 bytes of key stream and a moderate computational complexity. A major finding of our work is that the stream ciphers of the two existing satellite phone systems are considerably weaker than what is state-oft-he-art in symmetric cryptography.

Press release. And news stories.

Posted on February 16, 2012 at 12:22 PM • 7 Comments

Lousy Random Numbers Cause Insecure Public Keys

There's some excellent research (paper, news articles) surveying public keys in the wild. Basically, the researchers found that a small fraction of them (27,000 out of 7.1 million, or 0.38%) share a common factor and are inherently weak. The researchers can break those public keys, and anyone who duplicates their research can as well.

The cause of this is almost certainly a lousy random number generator used to create those public keys in the first place. This shouldn't come as a surprise. One of the hardest parts of cryptography is random number generation. It's really easy to write a lousy random number generator, and it's not at all obvious that it is lousy. Randomness is a non-functional requirement, and unless you specifically test for it -- and know how to test for it -- you're going to think your cryptosystem is working just fine. (One of the reporters who called me about this story said that the researchers told him about a real-world random number generator that produced just seven different random numbers.) So it's likely these weak keys are accidental.

It's certainly possible, though, that some random number generators have been deliberately weakened. The obvious culprits are national intelligence services like the NSA. I have no evidence that this happened, but if I were in charge of weakening cryptosystems in the real world, the first thing I would target is random number generators. They're easy to weaken, and it's hard to detect that you've done anything. Much safer than tweaking the algorithms, which can be tested against known test vectors and alternate implementations. But again, I'm just speculating here.

What is the security risk? There's some, but it's hard to know how much. We can assume that the bad guys can replicate this experiment and find the weak keys. But they're random, so it's hard to know how to monetize this attack. Maybe the bad guys will get lucky and one of the weak keys will lead to some obvious way to steal money, or trade secrets, or national intelligence. Maybe.

And what happens now? My hope is that the researchers know which implementations of public-key systems are susceptible to these bad random numbers -- they didn't name names in the paper -- and alerted them, and that those companies will fix their systems. (I recommend my own Fortuna, from Cryptography Engineering.) I hope that everyone who implements a home-grown random number generator will rip it out and put in something better. But I don't hold out much hope. Bad random numbers have broken a lot of cryptosystems in the past, and will continue to do so in the future.

From the introduction to the paper:

In this paper we complement previous studies by concentrating on computational and randomness properties of actual public keys, issues that are usually taken for granted. Compared to the collection of certificates considered in [12], where shared RSA moduli are "not very frequent", we found a much higher fraction of duplicates. More worrisome is that among the 4.7 million distinct 1024-bit RSA moduli that we had originally collected, more than 12500 have a single prime factor in common. That this happens may be crypto-folklore, but it was new to us, and it does not seem to be a disappearing trend: in our current collection of 7.1 million 1024-bit RSA moduli, almost 27000 are vulnerable and 2048-bit RSA moduli are affected as well. When exploited, it could act the expectation of security that the public key infrastructure is intended to achieve.

And the conclusion:

We checked the computational properties of millions of public keys that we collected on the web. The majority does not seem to suffer from obvious weaknesses and can be expected to provide the expected level of security. We found that on the order of 0.003% of public keys is incorrect, which does not seem to be unacceptable. We were surprised, however, by the extent to which public keys are shared among unrelated parties. For ElGamal and DSA sharing is rare, but for RSA the frequency of sharing may be a cause for concern. What surprised us most is that many thousands of 1024-bit RSA moduli, including thousands that are contained in still valid X.509 certificates, offer no security at all. This may indicate that proper seeding of random number generators is still a problematic issue....

Posted on February 16, 2012 at 6:51 AM • 35 Comments

Dumb Risk of the Day

Geotagged images of children:

Joanne Kuzma of the University of Worcester, England, has analyzed photos that clearly show children's faces on the photo sharing site Flickr. She found that a significant proportion of those analyzed were geotagged and a large number of those were associated with 50 of the more expensive residential zip codes in the USA.

The location information could possibly be used to locate a child's home or other location based on information publicly available on Flickr," explains Kuzma. "Publishing geolocation data raises concerns about privacy and security of children when such personalized information is available to internet users who may have dubious reasons for accessing this data."

It's children, though, so it's going to be hard to have a rational risk discussion about this topic.

Posted on February 15, 2012 at 1:11 PM • 43 Comments

The Sudafed Security Trade-Off

This writer wrestles with the costs and benefits of tighter controls on pseudoephedrine, a key chemical used to make methamphetamine:

Now, personally, I sincerely doubt that the pharmaceutical industry has reliable estimates of how many of their purchasers actually have colds--or that they would share data indicating that half of their revenues came from meth cooks. But let's say this is accurate: half of all pseudoephedrine is sold to meth labs. That still wouldn't mean that manufacturers of cold medicines are making "hundreds of millions of dollars a year" off of the stuff--not in the sense that they end up hundreds of millions of dollars richer. The margins on off-patent medicines are not high, and in retail, 50% or more of the cost of the product is retailer and distributor markup*. Then there's the costs of manufacturing.

But this is sort of a side issue. What really bothers me is the way that Humphreys--and others who show up in the comments--regard the rather extraordinary cost of making PSE prescription-only as too trivial to mention.

Let's return to those 15 million cold sufferers. Assume that on average, they want one box a year. That's going to require a visit to the doctor. At an average copay of $20, their costs alone would be $300 million a year, but of course, the health care system is also paying a substantial amount for the doctor's visit. The average reimbursement from private insurance is $130; for Medicare, it's about $60. Medicaid pays less, but that's why people on Medicaid have such a hard time finding a doctor. So average those two together, and add the copays, and you've got at least $1.5 billion in direct costs to obtain a simple decongestant. But that doesn't include the hassle and possibly lost wages for the doctor's visits. Nor the possible secondary effects of putting more demands on an already none-too-plentiful supply of primary care physicians.

I like seeing the debate framed as a security trade-off.

Posted on February 15, 2012 at 7:09 AM • 60 Comments

SSL Traffic Analysis on Google Maps

Interesting.

Posted on February 14, 2012 at 12:36 PM • 12 Comments

Trust Requires Transparency

Adam Shostack explains to VeriSign that trust requires transparency.

This is a lesson Path should have learned.

Posted on February 14, 2012 at 7:12 AM • 16 Comments

Liars and Outliers Update

Liars and Outliers is available. Amazon and Barnes & Noble have been shipping the book since the beginning of the month. Both the Kindle and the Nook versions are available for download. I have received 250 books myself. Everyone who read and commented on a draft will get a copy in the mail. And as of today, I have shipped books to everyone who ordered a signed copy.

I've seen five more reviews. And there's one print and one audio (there's also a transcript) interview about the book.

A bunch of people on Twitter have announced that they're enjoying the book. Right now, there are only three reviews on Amazon. Please, leave a review on Amazon. (I'll write about the problem of fake reviews on these sorts of sites in another post.)

I'm not sure, but I think the Kindle price is going to increase. So if you want the book at the current $10 price, now is the time to buy it.

Posted on February 13, 2012 at 2:53 PM • 37 Comments

What Happens When the Court Demands You Decrypt a Document and You Forget the Key?

Last month, a U.S. court demanded that a defendent surrender the encryption key to a laptop so the police could examine it. Now it seems that she's forgotten the key.

What happens now? It seems as if this excuse would always be available to someone who doesn't want the police to decrypt her files. On the other hand, it might be hard to realistically forget a key. It's less credible for someone to say "I have no idea what my password is," and more likely to say something like "it was the word 'telephone' with a zero for the o and then some number following -- four digits, with a six in it -- and then a punctuation mark like a period." And then a brute-force password search could be targeted. I suppose someone could say "it was a random alphanumeric password created by an automatic program; I really have no idea," but I'm not sure a judge would believe it.

Posted on February 13, 2012 at 5:20 AM • 113 Comments

Friday Squid Blogging: Squid's Beard

It's an acoustic bluegrass band.

As usual, you can also use this squid post to talk about the security stories in the news that I haven't covered.

Posted on February 10, 2012 at 4:04 PM • 38 Comments

Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.