Latest Essays
Page 74
Why the Worst Cryptography is in the Systems that Pass Initial Analysis
Imagine this situation: An engineer builds a bridge. It stands for a day, and then collapses. He builds another. It stands for three days, and then collapses. Then, he builds a third, which stands for two weeks but collapses during the first rainstorm. So he builds a fourth. It’s been standing for a month, and has survived two rainstorms. Do you believe this fourth bridge is strong, secure and safe? Or is it more likely just another accident waiting to happen?
As bizarre as it may seem, this kind of design process happens all the time in cryptography, a field that is full of people who love to design their own algorithms and protocols. With so many aspiring cryptanalysts out there, however, there’s bound to be a lot of weak designs. The problem is this: Anyone, no matter how unskilled, can design an algorithm that he himself cannot break. Though a competent cryptanalyst can break most of this stuff after a short review, the rest of it survives, and in most cases is never looked at again (especially outside the military world). But just because an algorithm survives an initial review is no reason to trust it…
Intel's Processor ID
Last month Intel Corp. announced that its new processor chips would come equipped with ID numbers, a unique serial number burned into the chip during manufacture. Intel said that this ID number will help facilitate e-commerce, prevent fraud and promote digital content protection.
Unfortunately, it doesn’t do any of these things.
To see the problem, consider this analogy: Imagine that every person was issued a unique identification number on a national ID card. A person would have to show this card in order to engage in commerce, get medical care, whatever. Such a system works, provided that the merchant, doctor, or whoever can examine the card and verify that it hasn’t been forged. Now imagine that the merchants were not allowed to examine the card. They had to ask the person for his ID number, and then accept whatever number the person responded with. This system is only secure if you trust what the person says…
Security in the Real World: How to Evaluate Security
The following remarks are excerpted from a general session presentation delivered at CSI’s NetSec Conference in St. Louis, MO, on June 15th, 1999.
At Counterpane Systems, we evaluate security products and systems for a living. We do a lot of breaking of things for manufacturers and other clients. Over the years, I’ve built a body of lore about the ways things tend to fail. I want to share my “top 20 list” of what’s wrong with security products these days.
Cryptography is a really neat technology, because it allows us to take existing business and social constructs from the real world and move them into the world of computer networks. This is actually the big idea of cryptography. It doesn’t do anything new, it doesn’t do anything magical…
The 1998 Crypto Year-in-Review
1998 was an exciting year to be a cryptographer, considering all the developments in algorithms, attacks and politics. At first glance, the important events of the year seem completely unrelated: done by different people, at different times and for different reasons. But when we step back and reflect on the year-that-was, some common threads emerge—as do important lessons about the evolution and direction of cryptography.
New Algorithms
In June, the NSA declassified KEA and Skipjack. KEA is a public-key Key Exchange Algorithm, while Skipjack is a block cipher first used in the ill-fated Clipper Chip. The NSA wanted Fortezza in software, and the only way they could get that was to declassify both algorithms…
WORD IN EDGEWISE: Scrambled Message
Key recovery is like trying to fit a square peg into a round hole. No matter how much you finagle it, it's simply not going to work.
In the September issue of Information Security, Commerce Undersecretary William Reinsch suggests that U.S. crypto export policy hinges on the concept of “balance” (Q&A: “Crypto’s Key Man”).
For key recovery policy to be successful, he argues, it must achieve a balance between privacy and access, between the needs of consumers and the requirements of the law-enforcement community.
For those who have followed the key recovery debate, Reinsch’s comments will have a familiar ring. Ever since the Clipper chip first made headlines in 1993, the crypto community has debated the notion of key recovery (or key escrow, or data recovery, or trusted third party or any other marketing term used to describe the same concept)…
The Crypto Bomb Is Ticking
Today’s faster, less expensive computers can crack current encryption algorithms easier than ever before. So what’s next?
Cryptographic algorithms have a way of degrading over time. It’s a situation that most techies aren’t used to: Compression algorithms don’t compress less as the years go by, and sorting algorithms don’t sort slower. But encryption algorithms get easier to break; something that sufficed three years ago might not today.
Several things are going on. First, there’s Moore’s law. Computers are getting faster, better networked, and more plentiful. The table “Cracking for Dollars” on page 98 illustrates the vulnerability of encryption to computer power. Cryptographic algorithms are all vulnerable to brute force—trying every possible encryption key, systematically searching for hash-function collisions, factoring the large composite number, and so forth—and brute force gets easier with time. A 56-bit key was long enough in the mid-1970s; today that can be pitifully small. In 1977, Martin Gardner wrote that 129-digit numbers would never be factored; in 1994, one was…
The Secret Story of Nonsecret Encryption
GCHQ, the British equivalent of the U.S. NSA, released a document on December 1 1997, claiming to have invented publickey cryptography several years before it was discovered by the research community (http://www.cesg.gov.uk/ellisint.htm). According to the paper, GCHQ discovered both RSA and Diffie-Hellman, then kept their discoveries secret.
James Ellis the author of the paper (who died a few days before the paper’s release), wrote that he was inspired by an unknown Bell Telephone labs researcher during World War II. This researcher had the idea that a receiver could inject noise onto a communications circuit and effectively drown out any signal. An eavesdropper would only hear the noise, but the receiver could subtract the noise and recover the signal. The interesting idea here is that the sender doesn’t have to know any encryption “key” to send a secret message to the receiverthe receiver does all the work. (This is essentially what ech(>cancelling modems do; they scream at each other along the same line, and subtract out their own signal when they listen for the other.) This was promptly classified by the Li.S. government…
Security for Remote Access VPNs Must Be Simple
Unlike site-to-site VPNs, where remote offices are hard-wired to a central facility firewall, remote access VPNs are fraught with security problems. Much of the security consists of trusted passwords that traveling workers use on their notebook computers.
To be effective, a VPN’s security implementation must be user-friendly while not penalizing your enterprise in other ways, such as by degrading network performance or compromising corporate control of the remote access network.
Think of the lock on the front door of your home. It certainly is easy to use, and it doesn’t force you to endure undue hardship to install, maintain or control…
Security Pitfalls in Cryptography
Magazine articles like to describe cryptography products in terms of algorithms and key length. Algorithms make good sound bites: they can be explained in a few words and they’re easy to compare with one another. “128-bit keys mean good security.” “Triple-DES means good security.” “40-bit keys mean weak security.” “2048-bit RSA is better than 1024-bit RSA.”
But reality isn’t that simple. Longer keys don’t always mean more security. Compare the cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of ten positions. A key sets the pins in a particular configuration. If the key aligns them all correctly, then the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with ten pins, making 10 billion possible keys, probably won’t make your house more secure. Burglars don’t try every possible key (a brute-force attack); most aren’t even clever enough to pick the lock (a cryptographic attack against the algorithm). They smash windows, kick in doors, disguise themselves as policemen, or rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks don’t help against these attacks…
Des chausses-trappes de sécurité en cryptologie
Des articles de périodiques aiment à décrire les produits de cryptologie en termes d’algorithmes et de longueur de clés. Les algorithmes font de bons titres: ils peuvent être expliqués en quelques mots et ils sont faciles à comparer les uns aux autres. “Le triple-DES gage de bonne sécurité”. “Des clés de 40 bits sont une sécurité faible.” ” Le RSA à 2048 bits est meilleur que le RSA à 1024 bits.”
Mais la réalité n’est pas aussi simple. Les clés plus longues ne signifient pas toujours plus de sécurité. Comparez l’algorithme cryptographique au verrou de votre porte d’entrée. La plupart des verrous ont quatre goupilles en métal, qui peuvent prendre chacune dix positions. Une clé place les goupilles dans une configuration particulière. Si la clé les aligne correctement, le verrou s’ouvre. De sorte qu’il n’y a que 10 000 clés possibles, et qu’un cambrioleur prêt à essayer les 10 000 possibilités est sûr d’entrer dans votre maison. Mais un verrou de qualité supérieure à 10 goupilles, qui autorise 10 miliards de clés distinctes, n’améliorera probablement pas la sécurité de votre maison. Des cambrioleurs n’essayent pas toutes les clés (une attaque systématique -“brute-force”); la plupart ne sont pas assez intelligents pour crocheter la serrure (une attaque cryptographique contre l’algorithme). Ils fracassent les fenêtres, donnent des coups de pieds dans les portes, se déguisent en policiers, ou bien dévalisent les détenteurs des clés avec une arme. Un groupe de voleurs en Californie mettait en défaut les systèmes de sécurité en attaquant les murs à la tronçonneuse. Contre ces attaques, de meilleures serrures ne sont d’aucun secours…
Sidebar photo of Bruce Schneier by Joe MacInnis.