385221
story
Comments: 236 +- IT: Cryptography Expert Sounds Alarm At Possible Math Hack on Sunday November 18 2007, @09:31PM
background: url(//a.fsdn.com/sd/topics/topicsecurity.gif); width:59px; height:78px;
security
background: url(//a.fsdn.com/sd/topics/topicmath.gif); width:51px; height:47px;
math
background: url(//a.fsdn.com/sd/topics/topichardware.gif); width:64px; height:55px;
hardware
netbuzz writes "First we learn from Bruce Schneier that the NSA may have left itself a secret back door in an officially sanctioned cryptographic random-number generator. Now Adi Shamir is warning that a math error unknown to a chip makers but discovered by a tech-savvy terrorist could lead to serious consequences, too. Remember the Intel blunder of 1996? 'Mr. Shamir wrote that if an intelligence organization discovered a math error in a widely used chip, then security software on a PC with that chip could be "trivially broken with a single chosen message." Executing the attack would require only knowledge of the math flaw and the ability to send a "poisoned" encrypted message to a protected computer, he wrote. It would then be possible to compute the value of the secret key used by the targeted system.'"
Related Stories
Last night I dreamed I ate a ten-pound marshmallow, and when I woke up
the pillow was gone.
-- Tommy Cooper
All trademarks and copyrights on this page are owned by their respective owners. Comments are owned by the Poster. The Rest © 1997-2009 Geeknet, Inc.
The NSA (Score:5, Insightful)
The United States, or the NSA, doesn't have all the world's best cryptographers. Russia, China, etc, other nations have excellent skill in these endeavors. Ironically, by trying to protect the nation, the NSA runs the risk of opening us up to foreign espionage.
Re: (Score:3, Interesting)
I'm not sure, maybe it's election season and so some of these guys are tying to raise the specters again. The Intel bug was with floating point operations and the vast majority of cryptography doesn't use any of that. Of course it's possible that there could be o
NSA "Suite A" is the real problem. (Score:5, Interesting)
The flaw seems too obvious to really have been something illicit. If it was an attempt at a backdoor, it was pretty stupid. And it was a weird/improbable way to create a backdoor -- it was PRNG, not really a cryptographic function per se, and while knowing its output could help you break a system, it wouldn't guarantee it. The people at the NSA had to know it would be combed over.
But the fact that it seems to be incompetence rather than malice doesn't make me feel a whole lot better. There are still a bunch of secret-algorithm ciphers [wikipedia.org] around and in use (and which the government, in its infinite wisdom, treats as more secure than the openly-reviewed ones), that the NSA is basically the only organization that has any access to. If they could miss such a trivial flaw in a PRNG that they knew was going to go out for public scrutiny, what could they have let slip by in a cryptographic function that was supposed to be a state secret?
Parent
NSA/GCHQ Private IS open review, practically (Score:5, Interesting)
In that case, the benefit of open review (that, just possibly, someone in the small pool of non-spook cryptographers who know what they're doing might find a flaw) is far less than the downside (that your opponents get to see what a modern code system looks like). The lowdown on a modern close-world cipher system would reveal attacks they are defending against, give a good impression of their real capabilities and so on. Yes, in a real shooting war, the spooks have to allow for their crypto systems falling into the wrong hands. But in the current climate, the tactical stuff will be exposed, but the strategic stuff can be closed algorithms and closed keys: what's not to like?
This reminds us all of the S Box hoo-hah, where elaborate theories were put forward by open community `experts' about the `flaws' in the S Boxes in DES. It turned out, of course, that they were optimal against an attack that wasn't even public, and close to optimal against other attacks that (allegedly) weren't known to anyone. I'd take a cipher system that the NSA or GCHQ approves for government use over anything advocated outside the wire., simply because the chances of an intentional weakness in the former are far smaller than the chances of an accidental weakness in the latter.
We went through all this is the discussion about the S Boxes
Parent
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
2) is about specific cases where particular categories of mathematical failures actually lead to the compromising of the private key, which is significantly more dangerous. It is not about utilitising typical exploits like buffer overflows to take over and kind
Re: (Score:3, Insightful)
Re: (Score:3, Insightful)
While I can't speak for the NSA or US laws, in Australia anyone at all can set up an organisation like the Defence Signals Directorate. It is fully legal to monitor communications of foreign origin and destination. For private individuals the vast majority of domestic transmissions are also legal to intercept. (Some exclusions surrounding radio based telephony exist) The government does have far
So... (Score:3, Insightful)
Original article (Score:5, Informative)
Re: (Score:3, Informative)
There are no terrorist mentioned!! Sensationalist networkworld...
how many encryption schemes us floating point? (Score:5, Interesting)
Re:how many encryption schemes us floating point? (Score:5, Informative)
Parent
Re: (Score:2, Informative)
The point the OP was trying to say was that if the error is in the FPU, that isn't used for integer calculations at all, and so wouldn't be exercised by security code. I don't know if this is true, but for instance RSA in theory is all integers.
Re:how many encryption schemes us floating point? (Score:4, Interesting)
The FPU can be used for integer math. IEEE 754 states that all results from Integer calculations that can be exact, need to be. The exponent gets denormalized for this case. So DOUBLE, for example, can be used as 54 bit unsigned Integer plus sign bit. I have used this occasionally in languages with no 64 bit integers, wne 32 bit were not enough.
Parent
Re: (Score:3, Interesting)
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:3, Interesting)
Re: (Score:3, Informative)
Yet the claim is that an actual error in the implementation of elementary amthematical operations on the processor could weaken a cryptographic algorithm run on that processor, even if the algorithm itself is implemented flawlessly in source. Therefore the relevant question remains "where are processor bugs most likely to occur?"
Also, floating point math is exact since floating points representatio
WTF "terrorist" (Score:5, Insightful)
Re:WTF "terrorist" (Score:4, Interesting)
As far as poisoning your water supply etc. lookie here:
http://sandia.gov/scada/home.htm [sandia.gov]
Hardware errors are a potential problem, but they are #3 on the list after human and software problems. Why search for hardware problems when the first two are far more likely to bear fruit?
Parent
Terrorists? (Score:4, Insightful)
Re: (Score:3, Insightful)
As far as threats to the nation, the spam and popups are just the "tip of the iceberg".
Obviously, the criminals use some pretty smart minds to seek and exploit software weaknesses. I
Risk evaluation (Score:3, Insightful)
1) When we think there's somebody out to get us, we evaluate that risk very highly, even when there are more immediate but "random" risks clearly at hand. For example, a "terrorist" is a bogey-man, it's somebody out to get you. But hunger has no bad guy, and neither do disease, auto accidents, and lightning.
2) We evaluate as "risky" situations where we are not in immediate control,
Re: (Score:3, Interesting)
As far as I can tell, his source of news is "whatever the headlines in the mainstream media are this week". When the corrections come out much more quietly six months later, buried underneath an advert for a home course in Swahili, he misses them entirely.
As far as he's concerned, Osama bin Laden is from Afghanistan (and is probably still living in a cave there), Saddam Hussein had weapons of mass destruction an
don't understand (Score:4, Interesting)
Re:don't understand (Score:5, Insightful)
Actually this is a common attack scenario in security protocol analysis. While it does not always happen in real life there are ways it can occur. For example, you try to decrypt the message and get garbage. So what do you do? You send the garbage back to the guy, saying, I couldn't read your message, all I got was this junk. Now you have been tricked into acting as what is called an "oracle" for the decryption function. This opens up a number of attacks which is why the best cryptosystems are immune to such problems.
Parent
Re: (Score:3, Insightful)
I mean, I could understand it if it was solicited communications, but what are the odds you'll happen to start into an encrypted conversation with someone who just wants y
I take that back (Score:2)
Re: (Score:3, Insightful)
In the same way you aren't the "S" in RSA. Give him some credit, will you?
Re: (Score:2)
That's the way you'd do it (Score:3, Interesting)
Step 2: Generate the "poisoned" SSL session shared key K1, and encrypt it with the server's public RSA key
Step 3: The server decrypts the poisoned SSL session shared key K1 with its private key and obtains a value K2, which is
different than the original poisoned shared key K1. If the shared key K1 was not poisoned, K2 would be equal to K1,
but the attacker is exploiting an error in the CPU implementation that causes K2 != K1.
Step 4: All the AES-encrypted m
Re: (Score:2)
Ron Harris did some thing like this with slots (Score:2)
In other words... (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
Re:First Post? (Score:5, Insightful)
Of course, if you were refering to China or someone else then that might be a different story (but again, the wording sounded like someone regurgitating the drivel that gets thrown out by politicians and pundits in the mainstream media).
Parent
Re:First Post? (Score:5, Insightful)
Quite a bold concept! We can't let this fall into the wrong hands!
Parent
No. (Score:5, Insightful)
They don't give a flying f--- about "our freedoms" except where they think that shows we are "morally corrupt." Islamic militants are under no illusions that they're going to change our culture any time soon, though. They've got bigger fish to fry back home trying to establish a power block.
How we govern ourselves beyond our foreign policy is utterly unimportant to their larger goals.
Parent
Terrorist & government symbiosis. (Score:5, Insightful)
Want the citizens to give up some freedom/pay some new tax/whatever? Easy! Play the terrorism trump card.
Without some Evil Empire force (that the US plays so well), it is very hard for terrorists to get the emotions going either. Terrorists & empire building governments need each other.
Parent
Re:No. (Score:5, Insightful)
Stop pissing people off and the nut-jobs who do want us removed will have lost their primary recruitment method.
Parent
Re: (Score:3, Insightful)
Nutcases who want to establish a world-wide caliphate under sharia law? The only "sensible" way to deal with them is bombs, and lots of them.
No, the sensible way of dealing with them is to lock them up somewhere where they can receive psychiatric help or, failing that, shoot them. Dropping lots of bombs just serves to cause otherwise rational people that they might have a point and that the world would be a better place without the people responsible for the death of their family.
Re:No. (Score:5, Insightful)
Yeah, but al-Qaeda doesn't care about our democracy. And seeing us turn into a secular or Christian dictatorship in no way helps further their goals. The more crazy fascist our government becomes, ironically, the less accepting of Islamic fundamentalism it becomes even as it becomes equally repressive. If anything, it's against their long term goals to see us harder ourselves against them.
Next time, educate yourself about our sworn western enemies before justifying their cause. Bluntly put, I don't give a damn about their cause. These people need to die like the parasites they are on humanity.
What does explaining their motivations have to do with justifying them? You seem to be the sort of reactionary type that associates any attempt to understand your enemy with accepting them and capitulating to them.
Geez, it's no wonder you people are losing the War on Terrorism for us.
Parent
Re:National Safety Administration? (Score:5, Funny)
They're the sister outfit to the "National Highway Traffic Security Administration".
Parent
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Re: (Score:3, Informative)
Re:first post. TFA = WTF? (Score:5, Interesting)
Most chips have flaws of one kind or another. Most of these are trivial and can be worked around in microcode. The article mentions the Pentium floating point bug. This caused the original Pentium to return the wrong result for some calculations. In theory, it would be possible to produce a cyphertext that would generate this error if the key contained one of the two values that you needed to generate the error. This then lets you dramatically reduce the key search space.
Other CPU flaws are more serious. There are a few in the Core 2 which allow a process to violate the page protection mechanism, for example. If an attacker found one that caused the program counter to be modified as a side effect of an arithmetic operation then they could create a cyphertext which contained a program at the end and some data at the beginning that caused execution to jump into the exploit code. This is much easier for cypertexts than arbitrary data because the attacker has can make some good guesses about how a cyphertext will be processed.
It seems like this is a very theoretical category of vulnerability to use for anything more than a DoS. On the other hand, as Theo de Raadt says, the only difference between a bug and a vulnerability is the intelligence of your attacker.
Parent