Ben Herzog’s Cryptographic Attacks: A Guide for the Perplexed from Check Point Research is one of the clearest, most useful guides to how cryptography fails that I’ve ever read.
While popular media likes to depict crypto as falling prey to brute-force attacks — which offer narratively convenient countdown timers as the digital tumblers roll into place — the actual attacks on crypto are way more interesting (and plausible) than making a lot of guesses very fast.
Herzog lays out how these attacks work, from frequency analysis to precomputation attacks to interpolation attacks to downgrade attacks to oracle attacks, and then gives specific examples of high-profile, real-world defects in cryptosystems, including CRIME, POODLE and DROWN.
Understanding how crypto goes wrong — the complex interplay of history, human error, foolishness, and unanticipated interactions — is key to understanding computer security. This is an invaluable guide, and Herzog promises a sequel: “In the next blog post of this series, we’ll talk about advanced attacks — such as meet-in-the-middle, differential cryptanalysis, and the birthday attack. We’ll take a short foray into the land of side-channel attacks, and then we’ll finally delve into the exquisite realm of attacks on public-key cryptography.”
You might wonder who in their right mind would design a real-world system analogous to a “secure, unless you come in sideways” system, or a “secure, unless you insist otherwise” system, as described above. But much like the fictional bank would rather take the risk and retain its crypto-averse customers, systems in general often bow to requirements that are indifferent, or even overtly hostile, to security needs.
Exactly such a story surrounded the release of SSL protocol version 2 in the year 1995. The United States government had long since come to view cryptography as a weapon, best left out of the hands of geopolitical enemies and domestic threats. Pieces of code were approved on a case-by-case basis for leaving the US, often conditional on the algorithm being weakened deliberately. Netscape, then the main vendor of web browsers, was able to obtain a permit for SSLv2 (and by extension, Netscape Navigator) to support a vulnerable-by-design RSA with a key length of 512 bits (and similarly 40 bits for RC4).
By the turn of the millennium, regulations had been relaxed and access to state-of-the-art encryption became widely available. Still, clients and servers supported export-grade crypto for years, due to the same inertia that preserves support for any legacy system. Clients figured they might encounter a server which doesn’t support anything else, so they hung on to optional support for it, as a last resort. Servers did the same. Of course, SSL protocol dictates that clients and servers should never use a weak protocol when a better one is available — but then again, neither should Tressler and his bank.
Cryptographic Attacks: A Guide for the Perplexed [Ben Herzog/Check Point Research]
(via Four Short Links)