Matt Blaze Comments on his 15-Year-Old "Afterword"
Fifteen years ago, Matt Blaze wrote an Afterword to my book Applied Cryptography. Here are his current thoughts on that piece of writing.
Entries Tagged "cryptography"
Page 35 of 55
Man-in-the-Middle Attacks Against SSL
Says Matt Blaze:
A decade ago, I observed that commercial certificate authorities protect you from anyone from whom they are unwilling to take money. That turns out to be wrong; they don’t even do that much.
Scary research by Christopher Soghoian and Sid Stamm:
Abstract: This paper introduces a new attack, the compelled certificate creation attack, in which government agencies compel a certificate authority to issue false SSL certificates that are then used by intelligence agencies to covertly intercept and hijack individuals’ secure Web-based communications. We reveal alarming evidence that suggests that this attack is in active use. Finally, we introduce a lightweight browser add-on that detects and thwarts such attacks.
Even more scary, Soghoian and Stamm found that hardware to perform this attack is being produced and sold:
At a recent wiretapping convention, however, security researcher Chris Soghoian discovered that a small company was marketing internet spying boxes to the feds. The boxes were designed to intercept those communications—without breaking the encryption—by using forged security certificates, instead of the real ones that websites use to verify secure connections. To use the appliance, the government would need to acquire a forged certificate from any one of more than 100 trusted Certificate Authorities.
[…]
The company in question is known as Packet Forensics…. According to the flyer: “Users have the ability to import a copy of any legitimate key they obtain (potentially by court order) or they can generate ‘look-alike’ keys designed to give the subject a false sense of confidence in its authenticity.” The product is recommended to government investigators, saying “IP communication dictates the need to examine encrypted traffic at will.” And, “Your investigative staff will collect its best evidence while users are lulled into a false sense of security afforded by web, e-mail or VOIP encryption.”
Matt Blaze has the best analysis. Read his whole commentary; this is just the ending:
It’s worth pointing out that, from the perspective of a law enforcement or intelligence agency, this sort of surveillance is far from ideal. A central requirement for most government wiretapping (mandated, for example, in the CALEA standards for telephone interception) is that surveillance be undetectable. But issuing a bogus web certificate carries with it the risk of detection by the target, either in real-time or after the fact, especially if it’s for a web site already visited. Although current browsers don’t ordinarily detect unusual or suspiciously changed certificates, there’s no fundamental reason they couldn’t (and the Soghoian/Stamm paper proposes a Firefox plugin to do just that). In any case, there’s no reliable way for the wiretapper to know in advance whether the target will be alerted by a browser that scrutinizes new certificates.
Also, it’s not clear how web interception would be particularly useful for many of the most common law enforcement investigative scenarios. If a suspect is buying books or making hotel reservations online, it’s usually a simple (and legally relatively uncomplicated) matter to just ask the vendor about the transaction, no wiretapping required. This suggests that these products may be aimed less at law enforcement than at national intelligence agencies, who might be reluctant (or unable) to obtain overt cooperation from web site operators (who may be located abroad).
Cryptanalysis of the DECT
New cryptanalysis of the proprietrary encryption algorithm used in the Digital Enhanced Cordless Telecommunications (DECT) standard for cordless phones.
Abstract. The DECT Standard Cipher (DSC) is a proprietary 64-bit stream cipher based on irregularly clocked LFSRs and a non-linear output combiner. The cipher is meant to provide confidentiality for cordless telephony. This paper illustrates how the DSC was reverse-engineered from a hardware implementation using custom firmware and information on the structure of the cipher gathered from a patent. Beyond disclosing the DSC, the paper proposes a practical attack against DSC that recovers the secret key from 215 keystreams on a standard PC with a success rate of 50% within hours; somewhat faster when a CUDA graphics adapter is available.
News.
Cryptography Broken on American Military Attack Video
Any ideas?
At a news conference at the National Press Club, WikiLeaks said it had acquired the video from whistle-blowers in the military and viewed it after breaking the encryption code. WikiLeaks released the full 38-minute video as well as a 17-minute edited version.
And this quote from the WikiLeaks Twitter feed on Feb 20th:
Finally cracked the encryption to US military video in which journalists, among others, are shot. Thanks to all who donated $/CPUs.
Surely this isn’t NSA-level encryption. But what is it?
Note that this is intended to be a discussion about the cryptanalysis, not about the geopolitics of the event.
EDITED TO ADD (4/13): It was a dictionary attack.
iPhone Secret Decoder Ring
It’ll protect your secrets from your kid sister, unless she’s smarter than that.
Looks cool, though.
New Book: Cryptography Engineering
I have a new book, sort of. Cryptography Engineering is really the second edition of Practical Cryptography. Niels Ferguson and I wrote Practical Cryptography in 2003. Tadayoshi Kohno did most of the update work—and added exercises to make it more suitable as a textbook—and is the third author on Cryptography Engineering. (I didn’t like it that Wiley changed the title; I think it’s too close to Ross Anderson’s excellent Security Engineering.)
Cryptography Engineering is a techie book; it’s for practitioners who are implementing cryptography or for people who want to learn more about the nitty-gritty of how cryptography works and what the implementation pitfalls are. If you’ve already bought Practical Cryptography, there’s no need to upgrade unless you’re actually using it.
EDITED TO ADD (3/23): Signed copies are available. See the bottom of this page for details.
EDITED TO ADD (3/29): In comments, someone asked what’s new in this book.
We revised the introductory materials in Chapter 1 to help readers better understand the broader context for computer security, with some explicit exercises to help readers develop a security mindset. We updated the discussion of AES in Chapter 3; rather than speculating on algebraic attacks, we now talk about the recent successful (theoretical, not practical) attacks against AES. Chapter 4 used to recommended using nonce-based encryption schemes. We now find these schemes problematic, and instead recommend randomized encryption schemes, like CBC mode. We updated the discussion of hash functions in Chapter 5; we discuss new results against MD5 and SHA1, and allude to the new SHA3 candidates (but say it’s too early to start using the SHA3 candidates). In Chapter 6, we no longer talk about UMAC, and instead talk about CMAC and GMAC. We revised Chapters 8 and 15 to talk about some recent implementation issue to be aware of. For example, we now talk about the cold boot attacks and challenges for generating randomness in VMs. In Chapter 19, we discuss online certificate verification.
Friday Squid Blogging: Cipherlopods
This makes no sense to me, even though—I suppose—it’s a squid cryptography joke.
Wikibooks Cryptography Textbook
Over at Wikibooks, they’re trying to write an open source cryptography textbook.
Crypto Comic Book
EDITED TO ADD (4/10): It’s out. Here’s a review.
Homebrew Cryptography
Nice article about a would-be spy and his homebrew pencil-and-paper cryptography.
Sidebar photo of Bruce Schneier by Joe MacInnis.