Schneier on Security

Clive Robinson • April 26, 2018 2:42 PM

@ RonK,

Since I’ve dabbled in trying to invent secure algorithms which can be run manually, a la Solitaire, I’ve had strikingly similar thoughts.

As you might know I’ve mentioned “manual” or “Paper and pencil” ciphers as a way of extending the security end point beyond the communications end point for some time now.

The reality of electronics in all it’s forms is it is “inefficient” and the excess energy has to go somewhere. Usually by radiation or conduction, thus providing “communications paths” out to the wider world no matter what precautions you take.

The big problem is what information is impressed or modulated onto this radiated or conducted energy as an implicit behaviour of it’s normal operation. Which leads to the big question of “Can the information carried by the radiated or conducted energy be used by an adversary who is passively monitoring?” To which the answer is almost certainly yes unless strict precautions have been made.

Such precautions are not taken with consumer or commercial equipment and only occasionaly with proffessional equipment used for test and measurment in laboratory conditions.

Which brings you to the inescapable conclusion that all electronics “used normally” is in effect hemorrhaging information to an adversary invisable to you and the electronics you use… Thus crypto is only of use on the non user side of the security end point or for information at rest.

It’s actually worse than described above because both radiation and conduction channels are in general bi-directional. Which means that an adversary can do such things as “illuminate” your electronics to encorage information to be cross modulated onto the illuminating signal. Or send a modulated signal that will induce faults into your electronics that will cause information to leak. Oh and a number of other tricks, some of which I’ve mentioned in the past.

So unless you know the how to turn consumer grade electronics into laboratory grade instrumentation, or the precautions required to render the radiated and conducted energy bandwidth insufficient to carry usefull information then your best mitigation is not to do crypto on electronics that almost always will have the communications end point “end running” the security end point thus making plaintext or keytext available to an attacker.

I happen to like “card shuffling” algorithms andva deck of cards is not exactly a suspicious thing to have around your person.

The big problem I’ve found with them is that of being “observed in use”. There are many ways to shuffle cards manually and with a little practice they have a certain fluidity due to efficiency of opperation. That is they appear to flow naturally to an observers eye. Many of the shuffles suggested for doing crypto use “marker cards” to act as pointers etc, it is actually quite difficult to move these around with a “natural flow” which makes the shuffle look awkward to an observer thus somewhat suspicious to a “hinky thinker”.

So I’ve looked into using those near “endless patience games” like “Madman’s patience”. With small variations these can become endless games as well as effectively shuffling the deck without need for overt thus suspicious marker cards.

Oh and Solitair was not the first playing card cipher used in a book . For instance Robert A.Heinlein wrote four stories for his “Assignment In Eternity” series the first of which is “Gulf” where the protagonist called “Joseph Gilead” at the time meets “Gregory Baldwin” in what is temporary imprisonment, but under observation. Baldwin teaches Gilead a very simple card game so they can pass messages back and forth covertly whilst otherwise talking trash talk. It’s in effect a simple substitution cipher where a red card replaces a letter of the alphabet so as secure as Pig Pen or similar. The story was first published back in the Oct-Nov 49 edition of Astounding Science Fiction. If you can dig out a copy of the story it’s still fairly good as science fiction and has stood the test of nearly seven decades of time.

Clive Robinson • April 29, 2018 6:49 PM

@ justinacolmena,

How much “technical information” do you want? Do you need it spoon-fed to you?

Those are questions you should be asking of those who made them as statments for rejecting the NSA algos, not onlookers.

As quite a few suspect there is quite likely a “political message” being sent.

However as I’ve noted above I’m not keen on these ciphers or other ARX ciphers in general for various reasons.

Whilst in theory ARX operations do not leak key or data[1] information by “time based side channels” there are other side channels that need to be considered. There is however a another issue with ARX instruction usage, in that as a result the ciphers tend to use a vastly increased number of Fiestel rounds, which leaks other information in a similar way to traffic analysis.

With regards,

Have people actually tried to crack them? What ever happened to the cypherpunks’ mailing lists? Has anyone published an actual report of cryptanalysis of these ciphers with a technical opinion of their strengths and weakness?

Both yes and no. The actual algorithms have been looked at mathematically / logically etc as algorithms quite extensively. However there are few if any analyses of “implementations” for side channels. But worse the proposed standards have an obvious series of “to weak” variations where block size and key size are way to small to be considered secure. As I’ve mentioned above to be “standards compliant” an implementation would have to be able to work in these “to weak” variations, which opens up a large can of worms with regards Man In The Middle “Fall-back” attacks. For that reason alone the standard should be “deep sixed” and resubmitted without the “to weak” variations.

But there is another fly in the ointment,

NSA’s cryptanalysts and code-breakers may indeed be aware of some theoretical weaknesses in these ciphers of which the general public is not, but it just goes too far and rubs a person the wrong way to call out “NSA-designed backdoors” in these ciphers without any evidence to back that statement up.

The simple fact is that what became GCHQ and what became the NSA have a very long history of “finessing” in all manner of ways. The point is that aside from the still open question of DES all algorithms they have produced from the earlirst mechanical ciphers through to modern mathmatical ciphers have had some sort of “fix” built in. Mostly it is a matter of putting in forms of hidden backdoors to make breaking either the algorithm or the system easier. But in atleast one case (clipper chip) it was so that they could make the “Key Escrow” recovery process by the Law Enforcment Access Field useless to law enforcment. There were two seperate failings with LEAF the first found by Mat Blaze in 1994 the second found by Yair Frankel and Moti Yung the following year. These supppsed failings would alow the US SigInt agencies “in the know” to put themselves in effect above the law of the land. Thus people need to remember that “NOBUS” is “dual use” in meaning (something you hardly hear mentioned at all). But the NSA even know how to “put in the fix” on other algorithms they did not design… As I’ve indicated in the past they quite deliberatly put the fix in on the AES competition. The result was weak implementations that could be broken on a PC via observing network packet timings. Some of those weak implementations are still out there on the Internet and in Industrial Control Systems (ICS) today and may well still be so in twenty to thirty years.

So yes people who have been around for a while or have studied the BRUSA / UKUSA countries SigInt agencies histories are deeply suspicious of what comes out of the NSA et al as they all have “previous”.

[1] The theory is that the ARX instructions of “Add Rotate and eXclusive or” are not just “atomic” but “fixed execution time”. Unfortunatly whilst Xor is a logical or bitwise instruction, Add is an arithmetic instruction and has a data dependent carry function across the CPU word. If you examine the fine power consumption information it will to a certain extent be data dependent. In turn the power consumption effects the EM power spectrum which can be detected in a number of ways (you could look up Differential Power Analysis from the late 1990’s to get an idea from an earlier similar problem). One thing embeded microcontroler designs are frequently known for especially new IoT devices is their Radio Frequency Interference (RFI) issues due to “cost savings” on the likes of decoupling capacitors. Capacitors with the required low ESR and inductance are more expensive on a same value of capacitance basis. Thus if decoupling capacitors are actually used, they will be the cheaper higher inductance and ESR capacitors which have much lower self resonant frequencies and lower effective Q’s. Worse they will often be used on too long a length of PCB trace. Thus high frequency signals get radiated as RFI that at best interferes with communications as well as having the reciprocal effect of making the devices more sensitive to EM radiation. The point is whilst it may be regarded as “interference” in the general sense, it actually has information impressed / modulated upon it, that can be detected (see TEMPEST / EmSec). People need to remember it is not just time based side channels you need to be concerned about but EM side channels and their power spectrum as well.

Clive Robinson • April 29, 2018 8:30 PM

@ echo,

Not to mention turning your electronic device into a radar capable of detecting movement (such as the movement of hands which may beyond the electronic device end point reveal key presses or writing).

Yup, and a couple of years back on this blog when talking about making your own defensive area using unsuspicious house hold items I mentioned a way to deal with the problem to a certain extent.

What I suggested was an oscillating desk fan onto which you connect “streamers” that have a metallized or foil conductive component which make them a resonant length at the various likely frequencies[1]. The signal from a randomly moving resonant conductor is going to be many many times that of your moving fingers.

Further I don’t know how old you are but back in the early 1980’s a firm in Mitchem Surrey built a device called the “Microwriter” it had six buttons and a small green calculator style display. It alowed you to type quite rapidly with one hand as the keys formed a “chording keyboard” and only fractional movments of the fingers is required. I nearly ended up working for them, however other world events changed that. Whilst the original is nolonger made or realy remembered there is a modern version called the CyKey after one of the original designers,

http://www.cykey.co.uk

You kind of put your hand on it like it is a large mouse and your fingers rest on the buttons so your finger only depresses about an 1/8th of an inch, which would be difficult to pick up with wall penetrating radara or WiFi back scatter systems.

Mad as it might seem at times, any advancment in surveillance has usually been in effect countered by other technology, usually quite unintentionaly. It just takes a “hinky mind” to see the possabilities and thus stay a step or two ahead of the game 😉

[1] In principle you are going back to the war of the beams back in World War II where German radar was in effect jamed or decoyed by the use of thousands of small “half wave radiators” launched from a single air craft. It was variously known as Window or Chaff. Both the British and Germans developed it independently, but neither side used it originally due to fear of retaliation. It was only with the development of the cavity resonator magnetron by John Randall and Harry Boot at Birmingham University that gave us centrimetric radar that the British started using it to good effect. The US learned of “window” that they later named “chaff” at the same time as they learned about the cavity resonator magnetron with the Linderman mission to the US.

Clive Robinson • May 1, 2018 10:48 PM

@ Keith,

As for the security of this algorithms. They are a symmetric key algorithms so it strikes me as harder to put a backdoor that would not be noticed.

You left the word “block” out before algorithms.

It’s actually quite hard to put a backdoor into a symmetric key block algorithm compared to doining it to a symmetric key stream algorithm.

One of the tricks the predecessors of the NSA pulled in the past is was by having an algorithm that had a range of key strengths from very weak to sufficiently strong in mechanical cipher systems. Knowing that the enemy was likely to capture and make their own versions of the cipher machines or use those caprured, but without knowing about which keys were weak and which sufficiently strong. Thus if say 1 in 5 of the keys was very weak they would break 1/5th of the messages, but by analysing the content and format that would make the next two or three fifths much easier to break. This in turn along with the likes of traffic analysis would give them even the strong keys… To prevent the same fate happening to their own side they were also responsible for setting the key schedules, thus would only ever pick sufficiently strong keys.

It’s why after various wars etc mechanical crypto machines were sold with little or no restrictions thus ended up getting used by many countries in the Middle Eaat, Africa, South America, Asia and even Europe. Thus life was fairly easy for the Five Eyes SigInt agencies for three decades or more till the secret finally came out.

As we also know there was a secret agrement between AG Crypto of Zug Switzerland and the NSA to have atleast three different levels of crypto kit that would be sold into different markets, further aiding the SigInt agencies for another couple of decades.

It was in the 1990’s that MCUs available to all had sufficient powere to run more secure algorithms that the SigInt agencies could not easily break. However the problems with implementation alowed them to use side channels that leaked keytext or plaintext to get the information.

In fact if you look at the way the NSA rigged the AES competition through NIST that we ended up with “publically available code” that hemoraged keytext information through cache timing etc. This code ended up in “crypto code libraries” and thus the leaky code is still running on devices connected to the Internet and other networks the Five Eyes SigInt agencies have easy access to.

I’m guessing that other nations SigInt agencies are likewise taking advantage of implimentation side channels.

I’ve yet to see an analysis of Simon and Speck to various side channel attacks (not just time based) but it’s where I would put a small wager on where they might have “added a little pepper” to the algorithms.