Title: Crypto Blunders
1. Crypto Blunders
- Steve Burnett, RSA Security Inc.
- burnett_at_rsasecurity.com
- SJSU Oct. 15, 2002
2. In History
Scientific American in 1917: "The Vigenère Cipher is impossible of translation . . ."
3. In History
Problem: the Union Army broke the Vigenère cipher during the United States Civil War in the 1860s.
4. In History
During WWII, a message from Luftwaffe High Command to a field officer declared Enigma unbreakable. That message was encrypted using Enigma.
5. In History
How do we know about this message? It was
cracked by the British shortly after being
intercepted.
6. In History
Scientific American in 1977: Martin Gardner published the first RSA challenge, $100 to the first person who could crack a message encrypted using the algorithm. Gardner claimed the cipher was unresolvable. Ron Rivest (the R in RSA) declared that it would take 40 quadrillion years to crack.
7. In History
Result? They paid up 17 years later.
8. Crypto Blunder 1
Declare your algorithm to be unbreakable.
9. Web Search
- UBE (UnBreakable Encryption): http://www.atlantic-coast.com/ube/
- VME (Virtual Matrix Encryption), "100% Security": "Our technology, VME, is quite simply the only unbreakable encryption available." http://www.meganet.com, $1.2 million in challenges
10. RSA Challenge and Ron Rivest's Statement
- "Using current technology . . ."
- The algorithm had just been (re)invented that year; more research would yield better security numbers
- The challenge was on a 428-bit key (most use today is 1024 or 2048 bits)
- RSA as an algorithm is still secure
11. Security Proof
Michael Rabin and Yan Zong Ding (algorithm known as Ding-Rabin):
- "This is the first provably unbreakable code that is really efficient."
- "We have proved that the adversary is helpless."
- "It provides everlasting security."
12. Security Proof?
The Ajtai-Dwork algorithm, proposed in 1997, came with a security proof. Broken in 1998 (the attack was on the assumptions, not the math).
13. Ding-Rabin
One-time pad with an unbreakable pad derivation function.
- Assumption: the adversary has only one attack.
- Assumption: the adversary needs to store an inordinate amount of data.
- Assumption: the algorithm can set the threshold of storage beyond the adversary's capacity.
14. One-Time Pad
Belief: "The one-time pad is the only unbreakable encryption scheme."
Plaintext:  P  L  A  I  N  T  E  X  T  . . .
Pad:        05 10 03 21 00 07 14 14 08 . . .
Ciphertext: U  V  D  D  N  A  S  L  B  . . .
15. One-Time Pad
More rigorous declaration: "If the pad is random and the pad is used only once, the one-time pad has provable security properties."
This implies: "If the pad is not random and/or the pad is used more than once, there are security holes."
16. One-Time Pad
1930s-1940s: the Soviet Union used one-time pads to encrypt messages to diplomatic missions throughout the world. They used some pads more than once. The error was a manufacturer accidentally printing pads more than once.
17. Crypto Blunder 2
Worship at the altar of the one-time pad
18. Some proposals
One-time pads for personal use: where do you get the pad?
- CDs or DVDs
- Generate a pad using a PRNG, then store the pad in a file (suggestion from a manufacturer: store the pad on a floppy)
19. One-Time Pad
1998: Microsoft releases an implementation of the Point-to-Point Tunneling Protocol (PPTP). They used RC4 to encrypt the bulk data. RC4 is a kind of one-time pad, generating the pad on the fly as more pad data is needed.
20. Microsoft's PPTP
Messages from client to server: one encryption subsession, needs a key.
Messages from server to client: another encryption subsession, start over from scratch, needs another key.
21. Microsoft's PPTP
Message from client to server: "Send secret data", RC4 pad 38 0C 5D 77 . . ., ciphertext kisé . . .
Message from server to client: "Buy ACME at 10", RC4 pad 38 0C 5D 77 . . ., ciphertext zyW . . .
Note the identical pad in both directions.
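The letter arithmetic of slide 14 and the pad reuse of slides 20-21, worked in code. This is an added example, not part of the deck and not Microsoft's PPTP code; the SLIDE_PAD values are the ones on slide 14, the longer pad and the two messages are constructed, and the mod-26 alphabet stands in for RC4's byte stream.

```python
"""One-time pad over the 26-letter alphabet, as on slide 14, plus the
failure that appears when one pad covers two messages (slides 20-21).
Added example; SLIDE_PAD is from the slide, everything else is constructed."""

def _nums(text):
    # Keep only A-Z so that the mod-26 arithmetic is well defined
    return [ord(ch) - ord("A") for ch in text.upper() if ch.isalpha()]

def _text(nums):
    return "".join(chr(n % 26 + ord("A")) for n in nums)

def otp_encrypt(plaintext, pad):
    """Shift each letter forward by the matching pad value (mod 26)."""
    m = _nums(plaintext)
    if len(pad) < len(m):
        raise ValueError("pad must be at least as long as the message")
    return _text(p + k for p, k in zip(m, pad))

def otp_decrypt(ciphertext, pad):
    """Inverse shift; only correct with the pad used for encryption."""
    return _text(c - k for c, k in zip(_nums(ciphertext), pad))

def two_time_pad_leak(c1, c2):
    """If one pad covered both messages, c1 - c2 == m1 - m2 (mod 26):
    the pad cancels and the relation between the two plaintexts is
    exposed, which is exactly what 'used only once' rules out."""
    return [(a - b) % 26 for a, b in zip(_nums(c1), _nums(c2))]

def recover_from_reuse(c1, c2, known_m1):
    """Given (or guessing) m1, the leaked difference yields m2 directly."""
    diff = two_time_pad_leak(c1, c2)
    return _text(p - d for p, d in zip(_nums(known_m1), diff))

SLIDE_PAD = [5, 10, 3, 21, 0, 7, 14, 14, 8]        # values from slide 14

if __name__ == "__main__":
    print(otp_encrypt("PLAINTEXT", SLIDE_PAD))      # UVDDNASLB, as on the slide
    pad = [5, 10, 3, 21, 0, 7, 14, 14, 8, 12]       # constructed pad, reused twice
    c1 = otp_encrypt("SENDSECRET", pad)
    c2 = otp_encrypt("BUYACMENOW", pad)
    print(recover_from_reuse(c1, c2, "SENDSECRET"))  # BUYACMENOW
```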
22. Which Algorithm?
1700s: many countries established "Black Chambers" which read and tried to decipher most mail sent to diplomatic missions. Strategy for sending messages: use the best known cipher.
23. Which Algorithm?
- Vigenère cipher available since the 1500s
- 1700s: Vigenère had not been broken yet
- Most correspondents knew the ciphers they were using (often simple or complicated letter substitutions) were not secure
- Used them anyway
24. Crypto Blunder 3
Don't use the best available algorithms
25. Best Available Algorithm?
Microsoft invented a new block cipher to be used in their Digital Rights Management (DRM) software. Version 2 of the DRM was broken; one byproduct was a reverse-engineering of the new block cipher (dubbed MultiSwap). A UC Berkeley team (including David Wagner) showed the algorithm to be very weak.
26. New Algorithm?
Why invent a new block cipher? Microsoft had a
license to use RC5. They had no way of knowing
their new algorithm would be weak, but had no way
of knowing it would be strong either. Use a
studied cipher.
27. DVD (Digital Video Disc)
Diagram: DVD player and disc with movie.
Copy-protected location on the disc: 100s of copies of the movie key, each encrypted with a separate DVD player unlock key (432D68E70B B48F71A913 6C46A754D9 8B71F9360A . . .).
The player extracts its copy of the movie key and uses its unlock key to decrypt the movie key (97 9B 33 0A E2).
The movie, encrypted: 26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .
28. DVD
Diagram: DVD player and disc with movie.
With the movie key (97 9B 33 0A E2), the player decrypts the movie (26D787C34BB7855E 9267F86B25A87B68 6A28E76A6105C991 . . .).
29. DVD
- The movie, encrypted or unencrypted, can be copied
- The movie key copies (each encrypted with a different company's unlock key) cannot be copied
- If a licensed DVD player reads a disc without the movie key copies, even if the movie is unencrypted, it will not play the movie
30. DVD: One Way to Cheat
- Copy the movie onto a new disc
- Figure out what the movie key list is supposed to be; this requires knowing what each unlock key is (breaking the encryption)
- Create your own movie key list and place it on your disc
31. Best Available Algorithm?
1999: Jon Johansen in Norway, a contributor to breaking DVD, remarked, "I wonder how much they paid for someone to actually develop that weak algorithm." Furthermore, it used 40-bit encryption (by 1997, when DVD came out, 56- and 64-bit encryption was exportable from the US).
32. Implementation
1930s: the Japanese government replaces the old "Red" cipher since it was not secure any more. The new algorithm, named "Purple" by US codebreakers, was far superior.
33. Implementation
Problem: errors in building and deploying the new machines aided the enemy in World War II (the Americans) in cracking the system. One error: a mistake on the plugboard.
34. Crypto Blunder 4
Implement the algorithm incorrectly
35. Using RSA
RSA Tech Support gets a call one day: using RSA to encrypt, the ciphertext is the same as the plaintext.
Find two primes, p and q, and multiply them together to produce a modulus n. Decide on a public exponent, e, and find the private exponent, d = inverse of e mod (p-1)(q-1). To encrypt message m and produce ciphertext c, perform the exponentiation c = m^e mod n. To decrypt, m = c^d mod n.
36. RSA implementation
Upon investigation, we discovered the customer had chosen 1 as the public exponent: c = m^1 mod n.
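The e = 1 case from slides 35-36, written out with the public-exponent check that the customer's deployment evidently lacked. This is an added example, not RSA Security's code; the primes 61 and 53 and the message 65 are constructed toy values, far too small for real use.

```python
"""Textbook RSA as on slide 35, plus the public-exponent check that would
have caught slide 36's blunder: with e = 1, c = m^1 mod n is just m.
Added example; p = 61, q = 53 and m = 65 are constructed toy values."""
from math import gcd

def exponent_ok(e, phi):
    """e must be > 1, odd and coprime to phi = (p-1)(q-1).
    e = 1 passes the coprimality test (gcd(1, phi) == 1), so the size
    check is the part that actually matters for this blunder."""
    return e > 1 and e % 2 == 1 and gcd(e, phi) == 1

def make_rsa_key(p, q, e):
    """Return (n, e, d) with d = e^-1 mod (p-1)(q-1), refusing a bad e."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if not exponent_ok(e, phi):
        raise ValueError(f"unusable public exponent e={e}")
    return n, e, pow(e, -1, phi)

def rsa_encrypt(m, e, n):
    return pow(m, e, n)          # c = m^e mod n

def rsa_decrypt(c, d, n):
    return pow(c, d, n)          # m = c^d mod n

def encrypt_without_check(m, p, q, e):
    """What the customer effectively ran: encryption with no check on e."""
    return pow(m, e, p * q)

if __name__ == "__main__":
    n, e, d = make_rsa_key(61, 53, 17)
    c = rsa_encrypt(65, e, n)
    print(c, rsa_decrypt(c, d, n))               # 2790 65
    print(encrypt_without_check(65, 61, 53, 1))  # 65: ciphertext == plaintext
```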
37. DSA (Digital Signature Algorithm)
Sign: generate two values (r and s) based on the data to sign, the private key and a random value.
Diagram: the data to sign, the signer's DSA private key and a random k go into the DSA algorithm, which outputs r and s.
38. DSA Security
- If someone knows your private key, they can sign for you (forge your signature)
- If someone knows the random k you used, they can compute your private key
- If you use the same k twice, it's simple high school algebra to figure out what that k is
- DON'T use the same k twice.
39. JavaSoft DSA Implementation
- JDK 1.1 includes DSA (believed to have no intellectual property entanglements)
- How does one generate a new random k every signature?
- Hardcoded the k and planned to solve the problem later
- Released JDK 1.1 with the hardcoded k
- Fixed in JDK 1.1.2
40. The k's
512-bit keys: 66 D1 F1 17 51 44 7F 6F 2E F7 95 16 50 C7 38 E1 85 0B 38 59
1024-bit keys: 65 A0 7E 54 72 BE 2E 31 37 8A EA 7A 64 7C DB AE C9 21 54 29
Others, computation of which is left as an exercise for the audience.
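The k reuse of slides 38-40 worked in toy DSA: an audit check that flags a repeated r across signatures from one key, and the algebra the slide refers to. This is an added example, not JavaSoft's code; p = 23, q = 11, g = 4, the key x = 7, the fixed k = 3 and the "hash" values are constructed toy numbers, so nothing here is a usable signature scheme.

```python
"""Toy DSA showing why a hardcoded k (slides 38-40) gives the key away.
Added example; P, Q, G, the key and the hash values are constructed toys."""

P, Q, G = 23, 11, 4          # q divides p-1 and g has order q mod p (toy sizes)

def dsa_sign(h, x, k):
    """Standard DSA: r = (g^k mod p) mod q, s = k^-1 (h + x r) mod q."""
    r = pow(G, k, P) % Q
    s = pow(k, -1, Q) * (h + x * r) % Q
    if r == 0 or s == 0:
        raise ValueError("unlucky k, pick another")
    return r, s

def dsa_verify(h, y, sig):
    r, s = sig
    w = pow(s, -1, Q)
    v = pow(G, h * w % Q, P) * pow(y, r * w % Q, P) % P % Q
    return v == r

def detect_k_reuse(signatures):
    """Audit check over (hash, (r, s)) pairs from one key: r depends only
    on k, so the same r under two different messages means k was reused."""
    seen = {}
    for h, (r, _s) in signatures:
        if r in seen and seen[r] != h:
            return True
        seen[r] = h
    return False

def recover_from_reuse(h1, sig1, h2, sig2):
    """The 'high school algebra' from slide 38: with one k,
    k = (h1 - h2) / (s1 - s2) and then x = (s1 k - h1) / r, all mod q."""
    (r, s1), (_, s2) = sig1, sig2
    if (s1 - s2) % Q == 0:
        raise ValueError("identical signatures; two different messages are needed")
    k = (h1 - h2) * pow(s1 - s2, -1, Q) % Q
    x = (s1 * k - h1) * pow(r, -1, Q) % Q
    return k, x

if __name__ == "__main__":
    x, k = 7, 3                                   # constructed key and fixed k
    sigs = [(5, dsa_sign(5, x, k)), (9, dsa_sign(9, x, k))]
    print(detect_k_reuse(sigs))                  # True: same r twice
    print(recover_from_reuse(5, sigs[0][1], 9, sigs[1][1]))  # (3, 7)
```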
41. Disaster Mitigated
The code to sign and verify was flawed anyway; there was no way to use old keys. That is, you could generate a new key pair and sign with the private key, but no one could load the public key. You could sign, but not verify. Likewise, you could encrypt, but not decrypt.
42. Enigma keys
Enigma was broken. One of the ways it was broken was that operators were using 6-character keys, easy to guess. Admiral Dönitz of the German Navy had operators use longer keys generated randomly.
43. Enigma keys
The British Navy boarded a disabled sub (U-559) and found a book with the list of keys. The operator's original instructions were to destroy the key book if the sub were damaged, but the captain ordered all personnel to abandon the ship (the operator saved his correspondence with his girlfriend).
44. Crypto Blunder 5
Don't protect the key.
45. PBE technique to protect keys
Password-Based Encryption (PBE) was used to protect Windows for Workgroups passwords in a PWL file. 1995: Peter Gutmann demonstrates the technique is flawed. 1996: Gutmann extends the technique to recover server private keys in Netscape. 1997: Gutmann reports that Microsoft Internet Explorer uses the same technique to protect private keys.
46. Responses
1995: Microsoft declares, "The password list file is encrypted with an algorithm that meets the U.S. government Data Encryption Standard (DES). This encryption technology is the highest security allowed in software exported from the United States." 1996: Netscape replaced its key protection (unrelated to the Gutmann announcement). 1997: Microsoft offers a new technique; Gutmann shows it's not much better.
47. Crypto AG
Swiss company offering crypto products. One
product was a teletext machine used by
many governments to securely communicate
among embassies and other diplomatic
stations. In 1992, Hans Buehler, a sales rep for
Crypto AG, was arrested in Iran. The Iranian
government accused Crypto AG of putting a back
door into the product delivered to Iran.
48. Crypto Blunder 5
Put a back door into your product.
49. Clipper Chip
In 1993, the US government offered the Clipper
chip, a crypto device to be used on phones, in
computers, networks, etc. From the US
government? Back door?
50. Clipper Chip
Back door? It was advertised. According to the
US government, that was one of its best features.
The Clipper is no longer in production.