Schneier on Security

Nick P • December 21, 2013 9:29 AM

@ Garfield

Good to see work in the area, esp published source and API’s. What bothers me a little though is these points all being made together in the FAQ:

“Telegram is cloud-based and heavily encrypted. As a result, you can access your messages from several devices and store an unlimited number of photos and videos in the cloud. Thanks to our multi-data center infrastructure and encryption”

“We believe in fast and secure messaging that is also 100% free. Therefore Telegram is not a commercial project. It is not intended to sell ads, bring revenue or accept outside investment.If Telegram runs out of money, we’ll invite our users to donate or add non-essential paid options. ”

So, it’s a cloud-based crypto solution with a bunch of datacenters, clients on two platforms, and no business model. Sounds legit.

@ 65535

“RSA sold their customers a “secure” product only to stab their customer’s in the back – for a relatively small sum in dollars. Is there any way to sue RSA for their gross business misconduct?”

Like I said before, people often word this situation like RSA sold hacker bait crypto that black hats everywhere were compromising to get NSA money. That’s far from the truth. The backdoors could only be accessed by the NSA, the protection against other threats remained, and the NSA would have switched to coercion if they didn’t take the money.

As Bruce’s book indicates, the pressures both within RSA and from govt said “take the money, cooperate, don’t ruin the business over an issue Americans don’t even vote about.” The option they picked was rational at the time. That said, it’s safe to say that no American technology product can be trusted to be free of subversion from NSA because their pressures are highly effective (and big companies highly selfish). The foreign companies racing away from American software/hardware are entirely justified.

They better be careful, though, that they don’t inadvertantly run right back into America’s arms via one of its foreign subversions.

Nick P • December 21, 2013 2:38 PM

@ Clive Robinson, RobertT

Self-clocking logic to defeat timing channels

Clive used to tell me to avoid timing channels by using self-clocking or asynchronous logic. I decided to look into the stuff due to recent discussions. I found this excellent paper you guys might like that does several things:

1. Enumerate many side channel attacks and countermeasures.
2. Discuss attributes, pro’s and con’s of asynchronous logic.
3. Design an asynchronous processor for cryptographic operations.

http://www.era.lib.ed.ac.uk/bitstream/1842/860/1/Spadavecchia_thesis.pdf

Pretty nice work. Done in 2005. Good news is that there are ARM and MIPS chips built with this kind of logic already. Any security enhancing tech targeting those architectures can realize timing channel resistance more quickly. And I’ll add that the APT group behind the ARM chip has a lot of interesting work in self-timed DSP’s and NOC’s on their web site.

Nick P • December 21, 2013 3:22 PM

@ NobodySpecial

“So RSA either put in a backdoor for the NSA which will immediatley have been leaked by a crooked/incompetent/blackmailed employee at RSA or NSA. Or they weakened the crypto so that the NSA would be able to break it and of course nobody else would be able to (when did you last hear of a Russian/German/Chinese/Israeli/Japanese mathematician)”

In a nutshell yes. That means the tech could protect companies from almost everyone they were worried about. Only the most sophisticated, well-funded attackers could break in. Attackers who… always broke in anyway without RSA’s help. Let’s face it, running Windows or UNIX-based platforms in the way companies typically did gave attackers much more opportunities in than any RNG flaw.

The one thing they didn’t count on was Edward Snowden. (And some good academic research before him.) Had he not leaked the information, much of this would still be going on in secret and the US companies would still be making money while sleeping at night. So, taking the NSA’s side isn’t what hurt their brand or bottom line. The disclosure was what did it. Rightly so I’ll add. It’s like any risk: it can payoff or bite you in the ass. It paid off for a while then they got the fangs.

“Did any US company discuss anything vital to the US interests using this encryption? Do we assume that is now all in the hands of the opposition?”

We don’t assume anything. We act on evidence. The evidence will be a combination of what is known and what is probable. My assumption for ten years was that any US telecommunication was tapped and traceable. The evidence was that they constantly sought to do that publicly, were caught making deals with US companies in the past (eg Lotus), and did similar things privately to foreign countries. It was probable that they’d succeed so I assumed they had access to anything running unprotected through US companies, servers, crypto products, etc.

It rationally followed that their attacks would only get better. Hayden’s transformation meant that their operational effectiveness would as well. That’s why I advocated use of multinational designs for secure comms multiple times on this blog and used it in the past. Most recently, I enumerated many options for chips and software that have a low probability of U.S. subversion. I’ve enumerated designs to prevent most attacks by even sophisticated opponents domestic and foreign assuming the chips are clean.

Remember that I’ve done plenty and for free to help people get secure. The reason for our problems is that voters put power into bad people’s hands and bought products that traded off security/privacy for everything else. The surveillance state followed. The NSA and RSA deal followed that.

My honest reaction on RSA hack…

Our systems from hardware to protocols have tremendous inherent vulnerability that makes security hard and subversion easy. People loose real money and I.P. due to this all the time. In foreign countries, some loose their freedom or their lives. The marketplace profit incentive (and lemons market effect) means they’ve continually produced false or flawed security offerings. This hasn’t changed for decades.

So, it’s hard for me to see why people would trust a US govt supplied RNG in a closed-source commercial product of a U.S. publicly traded company with a tight relationship with US govt to be safe against US govt subversion. And be extremely pissed off when a tiny risk is present there, while continuing to use insecure systems that hackers target regularly with losses estimated in billions.

People’s priorities and expectations are sometimes mindboggling to me.

EDIT TO ADD: modular, open source software is your friend if you’re really worred about backdoors. People rarely were hacked because they started with OpenBSD+Botan instead of Windows+RSA.

@ figureitout

“-At some point, you have to wonder, since it is a US company, could this be a foreign intel operation? What if Gen. Alexander is a foreign agent? If our country is so stupid to attack it’s own companies then I guess we should all start learning Mandarin.”

I doubt it but it’s a good idea. A movie with that plot, done using our laws and Congress people’s real statements defending NSA, might be just the thing that’s needed to get lay people worried enough to push Congress. Enemy of the State did so much damage to NSA’s reputation that they still gripe about it. I think it’s time for a sequel.

Nick P • December 22, 2013 11:02 AM

@ Clive, RobertT

Well, darn, here I was thinking I was onto something. Appreciate the replies.

“Personally I’m more interested in fixing timing channels by focusing on matching the clock cycles for all operations so that Branch-Taken and Branch-Not-Taken always have the same number of cycles” (RobertT)

I came up with the same trick so maybe it’s a good idea. My concern was “does making things take same number of cycles solve a timing channel at the algorithm level?” Remember that the algorithms use certain things more often than others. Instructions that are identical timing makes masking easier but how effective is masking really? Does it take just one identical looking computation to mask the emanations or power draw of the real one? Or 100’s of them with nondeterministic execution sequence?

“There are many Real-Time operating systems where this is style of programming is very desirable, so maybe Security guys need to learn some tricks from RTOS guys. ” (RobertT)

A few years back I was posting RTOS-based solutions here. 😀 I particularly liked the potential of ARINC fixed scheduling and the way INTEGRITY manages CPU/memory. The kernel makes the user mode processes use their own memory and time for every kernel request. It’s also structured internally & with fast instructions to run with interrupts on in a way also subject to RMA. Clever, clever. BSD/Linux guys need to start learning tricks like this.

“I realize that what I’m saying is not really practical because many of the operations that cause timing channels are not really accessible at the applications programming level AND as a programmer you dont want to give up the execution speed advantages of skipping unnecessary cycles. ” (RobertT)

It’s always a concern. My system level solution in the past was to fuzz test to determine the timing variation of a critical component, then make it always take the longest time. Of course, the algorithm chosen had an acceptable longest time. The idea was the algorithm timed its own execution and didn’t even return to calling code until enough time had passed. Such designs were never independently reviewed but they seemed like they should defeat at least software level timing attacks.

@ Clive

“Whilst this means that the connecting interfaces of two blocks are asynchronous to each other I did not intend to imply the logic inside a block was asynchronous. ”

Ah, I get it now.

So, are there any security or other advantages to using asynchronous logic? Two of the non-deterministic processors in the paper sounded interesting esp if combined with randomized instructions or execution block locations. It wouldn’t even take a modification of the processor.

@ Adryna

“To add to your list of chips using asynchronous logic, there’s also the 144-core GA144, ”

Ahh, I see they hit their 100+ core target. This fits nicely into the previous Forth discussion as that’s its underlying technology. It also might be useful in my “one piece of hardware per function” investigation. My worry is its network on a chip nature might bring new attack potentials and (like the Cell) might be hard to program. Worth looking into, though.

@ 65535

“I did. And, I would guess others that use RSA products put Their trust in RSA because of their accumulated track record, safety and trust that RSA has built over its long and wide history. This type of rote bribery is a slap-in-the-face to all of RSA’s customers.”

And none of that has changed in reality. Their products quality (good or bad) is unchanged. The mistake all of you made was assuming their dedication to stop attackers translated to their host government. Companies must always be assumed vulnerable to their host country. It might have been bribery, a national security letter, a warrant, a good speech about “protecting our country” to the board, and/or extortion using their state power. This is true in every country. So, RSA might in fact protect you from as much as possible. Just not the US govt.

Another issue is how everyone is handling trust. Quite simply, many are doing it wrong. They treat it as all or nothing: “I trusted RSA” “RSA has ruined my trust.” Even Bruce’s posts show he agrees trust is more context sensitive. You trust X to do Y under Z circumstances. RSA and other security vendors should be treated no differently. So, do I trust them to make crypto that stops the general hacker? Yes. Do I trust them to not try to cause me damage via their products? Mostly yes. Do I trust them to tell a TLA in their home country to f*** off for my sake? Not a chance.

I think people worried about such issues should pause to take a hard look at each vendor and tech they use to determine what trust they can have in them under what contexts. And plan contignencies for what happens if they’re wrong.

@ Aspie

Best of luck on your project.

“(Anyone here remember the venerable INMOS Transputer?)”

Funny you mention that because we were just talking about Transputers yesterday here. Petrobras was kind enough in that comment to link to papers describing not only its operation, but parts of how its made. I also noticed it was used in a workstation by Atari and another company put a distributed UNIX-like OS on it. It’s been long surpassed by Massively Parallel Processing (MPP) systems but the Transputer was an innovator in its time. Too far ahead of its time actually.

On a related note, I proposed a while back(bold part of that comment) that we should copy MPP architectures b/c they solve some of our biggest POLA vs performance problems already. It’s one of my only pieces of research that’s still original as I’ve not seen one paper on POLA via MPP model in academia.

@ Mike

” Surely the decision to retain copies of all the Secure-Id keys is suspicious. What else?”

I agree. That in combination with probable govt cooperation is why I never used RSA products. There’s too many vendors offering stuff here and abroad to have myself worried over one product/vendor.

Nick P • December 22, 2013 2:01 PM

A wireless signalling system immune to long range TEMPEST collection? Or my plan to make my vodka a business expense? You decide.

http://www.gizmag.com/molecular-signalling-vodka-text-message/30199/

Nick P • December 23, 2013 9:34 AM

@ figureitout

“With all due respect to Mr. T, and using your own arguments, do you think it wise to put all your trust in one opinion? I understand it’s a pretty nerve-wracking project to even be a part of, let alone lead…Maybe a better goal to aim for is cheaper tools for custom fabs, that will be really cool (yet what if they’re subverted…arrrggg!!!)”

Find one counterargument from someone with experience working at nanometer scales and I’ll listen. Haven’t heard anyone make an argument for verifiable fab process at that scale in years. Even the chips that are made for scrutiny are being fabbed by a regular company although a few aren’t being fabbed because they couldn’t solve the fab problem.

Far as economics, people have been saying that for a few decades. Since then we’ve only seen fabs for lower process node tech close down. They must be expensive to operate because they sell in the high millions of dollars and that’s considered a mark down. So, a few decades latter and fabs for chips of decent capabilities are still only for the richest to operate (at a loss). Thinking it will change is putting blind faith into something that hasn’t worked for a long time and shows no signs of getting easier.

(Even many homebrew systems like Magic 1 use TTL chips are are essentially a black box fabbed by someone else.)

So, I’m having to approach the problem in new, inconvenient ways. Of course, pessimistic as it may seem, that’s an indicator that I’m on the right track because few things in trust engineering have been easy for me. It was always an uphill battle.

Nick P • December 23, 2013 5:33 PM

@ Anura

“There has been an insane amount of discussion about making secure hardware in the comments of this blog (not that I have a problem with it, it’s a very interesting subject), but it seems to me that 99.99% of the problem we have today are backdoors in firmware/software, exploits in code, lack of government oversight, excessive secrecy (at both the government and corporate level), and a disconnect between the goals of private enterprise, government, and the people, as far as internet and communications are concerned.”

Our discussion, much broader than hardware, cover most of that often with specific recommendations. Except for the last part which I don’t think I can solve.

“The fact is that you can’t make 100% secure systems, but the short term focus, in my opinion, should be on the quickest ways to make privacy and security as easy as possible and surveillance as expensive as possible.”

That kind of thinking led to subverted SSL/IPSec standards running on vulnerable OS’s running on possibly subverted Intel hardware that also makes it hard to write correct code. In other words, it sounds good in theory but didn’t work out in practice. The attackers simply had too many layers to hit to do an end run around whatever protocol or software strategy the security community came up with. So, the solution is to look at every layer or aspect of system operation to find the risks. And deal with as many as possible.

So, I’ve been pushing discussion along many levels in parallel:

1. Secure ground up hardware and software architectures preventing as much as possible (eg SAFE, CAP, Intel 432)
2. Modifying existing hardware architectures to prevent huge problems easily while allowing legacy operation (eg CHERI, IBMON, CODESEAL, HISC)
3. Creating abstractions and tools that let us existing hardware in a safer fashion (eg SVA, H-Layer, separation kernels, JX)
4. Modifications to core of OS’s to enforce stronger application security (eg Xax, Capsicum, Trusted OS’s)

5. Use of safer systems programming languages without very complex runtimes for key apps/services (e.g. Ada, Oberon/Pascal/Modula, Cyclone, Ocaml)

6. Very different protocols from the norm that solve plenty of security/complexity problems of current protocols (e.g. SILENTKNOCK before VPN, ZRTP instead of SRTP, XDR/JSON instead of XML)

7. Improvements to existing protocols to remedy their weaknesses (e.g. TLS/DTLS in transport, PGP in email, DNSSEC instead of DNS)

8. Robust or secure implementations of legacy protocols and services (HYDRA for web firewall, secure64 DNS, MicroSINA VPN)

9. Ways to protect firmware from attack (e.g. physical write protect, BootSafe, SHIELDSTRAP, Chromebook architecture).

10. Diversity in hardware among implementations of both standards and ISA’s.

11. Diversity in usage where individual instructions, data encapsulation strategies, system internal labels, etc. can change repeatedly to hamper attacks.

12. Certifying or proof-generating compilation & linking systems so we don’t worry so much about that step.

Fortunately, there’s been work in every area as I’ve referenced. Much of it when in a final form is plug and play for user, developer, OEM or wherever is most convenient. Some enhancements are already on the market or are free with helpful guides on usage.

For example, just how hard is it to write code in Python or a form of BASIC on a platform that’s immune by design to issues like code injection? How technical do you have to be to accomplish this?

On the other hand, how hard is it to design a secure service written in an unsafe language (eg C/C++) calling unsafe user+kernel code on an OS & hardware platform designed to be fast/flexible rather than secure? The current CVE lists make me think one would have to be a technical genius that makes top IT people drop their jaw regularly.

Nick P • December 24, 2013 10:40 AM

Snowden says mission accomplished
http://www.washingtonpost.com/world/national-security/edward-snowden-after-months-of-nsa-revelations-says-his-missions-accomplished/2013/12/23/49fc36de-6c1c-11e3-a523-fe73f0ff6b8d_story.html

I say BS on that headline. The political side of this in the US, the only thing that can change it, has been an abysmal failure. NSA is still in charge. Far as Internet security issues, there is awareness and work going on as a result of the leaks. That’s a good effect.

Change, though, will require powerful private or public interests putting the squeeze on Congress and President to put sqeeze on NSA. That’s about the only way to stop them. Snowden failed to have an impact there. That’s where power interests are winning. That’s where almost all effort needs to be focused.