Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Encryption Power Security IT Technology

Poor, Homegrown Encryption Threatens Open Smart Grid Protocol 111

An anonymous reader writes: Millions of smart meters, solar panels, and other grid-based devices rely on the Open smart grid protocol for communication and control — it's similar to SCADA's role for industrial systems. But new research shows that its creators made the common mistake of rolling their own encryption, and doing a poor job of it. The researchers believe this threatens the entire system. They say, "This function has been found to be extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever." Security analyst Adam Crain added, "Protocol designers should stick to known good algorithms or even the 'NIST-approved' short list. In this instance, the researchers analyzed the OMA digest function and found weaknesses in it. The weaknesses in it can be used to determine the private key in a very small number of trials."
This discussion has been archived. No new comments can be posted.

Poor, Homegrown Encryption Threatens Open Smart Grid Protocol

Comments Filter:
  • Homegrown (Score:4, Funny)

    by darkain ( 749283 ) on Friday May 08, 2015 @03:03PM (#49649807) Homepage

    Damn those eco-friendly nuts always trying to grow things at home!

  • Head/desk... (Score:5, Interesting)

    by fuzzyfuzzyfungus ( 1223518 ) on Friday May 08, 2015 @03:06PM (#49649819) Journal
    Hasn't "Don't roll your own crypto, dumbass" been one of the cardinal rules of security since sometime before WEP violated it?

    The least you can do is implement a real algorithm; but screw it up somehow (key handling is always a good place for that); but just making it up? How did they sneak this past a standards body?
    • Re:Head/desk... (Score:5, Insightful)

      by afidel ( 530433 ) on Friday May 08, 2015 @03:16PM (#49649881)

      The least you can do is implement a real algorithm; but screw it up somehow

      That's why the best recommendation is to not only use the approved algorithm, but also the standard implementation. Don't get cute, don't try to optimize it, just use it as is. AES was required to run on emdedded systems 13+ years ago, any modern chip should have zero problem running the standard C implementation today.

      • There are many MCU's that have hardware acceleration for AES256 and SHA256 so there's no real performance based excuse not to use it.

      • Read this - pay attention to the interpretive dance requirement:

        http://www.moserware.com/2009/... [moserware.com]

        K/Tnx/Bai,
        Min

    • by msobkow ( 48369 )

      Even if you use existing crypto algorithms, such as with Java, verifying that a crypto key has not been tampered with is non-trivial. I've been working on such code over the past few months, and what I found is that you need to deliver a set of approved root certificates with your application so that you can verify the certificate chain. That makes delivering an application an on-going maintenance headache compared to just using the crypto and hoping you don't get hit by a man-in-the-middle attack.

      Give

    • Yeah, it's the easiest thing in the world to come up with an encryption scheme that you can't break.
    • by tlhIngan ( 30335 ) <slashdot&worf,net> on Friday May 08, 2015 @05:03PM (#49650421)

      Hasn't "Don't roll your own crypto, dumbass" been one of the cardinal rules of security since sometime before WEP violated it?

      The least you can do is implement a real algorithm; but screw it up somehow (key handling is always a good place for that); but just making it up? How did they sneak this past a standards body?

      WEP used a standard algorithm - RC4. They just accidentally screwed it up because of the way RC4 works (related to key handling and IVs).

      A homegrown algorithm for WiFi is TKIP, which was created because RC4 had hardware acceleration, while AES didn't at the time. So they created TKIP to leverage the hardware crypto alongside several protections to mitigate several shortcomings that were found.

      Even for something as simple as AES it's a chore to find an open implementation that's actively being maintained and that works with your system; and when you do one of your expensive security consultant mandates that you stop using AES for being too old and not cool enough.

      AES is fixed by standard. There is no need to "maintain" it - as long as the code compiles properly you're done.

      And for AES, because it's an official encryption algorithm, NIST has the official specification document [nist.gov], and the original author has the reference code [efgh.com].

      Of course, the vast majority of people will just use OpenSSL or LibreSSL, being BSD licensed and all that. Even on embedded systems there is often a reference AES implementation.

      That alone should be disincentive to roll your own algorithm - the fact that the standard ones are available everywhere for practically no cost and very little effort. Why write your own algorithm when you can copy and paste an existing one in? Even the lazy should see the benefits.

      • >AES is fixed by standard. There is no need to "maintain" it

        Provided the implementation is flawless of course. After all, a lot of maintenance is bug-fixing rather than updates.

      • AES is fixed by standard. There is no need to "maintain" it - as long as the code compiles properly you're done.

        Not if you care about security. What about side channel attacks? What about leaking sensitive data into the heap? What about performance? On various architectures? I could go on.

        Merely compiling and generating correct test vector outputs is far from all an implementation has to do to be good. Luckily, there are good implementations out there, easily obtained and under generous licenses.

    • I'm assuming the MPAA spent good money creating their stupid protocols too; from the Content Scramble System to HDCP.

  • by Anonymous Coward

    Come on we're in 2015, there are plenty of widely available not publicly broken primitives.

    DO NOT ROLL YOUR OWN GOD DAMNED CRYPTO. Unless you're a cryptographer planning to have it reviewed and attacked long before even considering using it.

    Let me quote Schneier's law again: "any person can invent a security system so clever that she or he can't think of how to break it."

    This is a blatant example of Dunning-Kruger. Again.

    • by mlts ( 1038732 ) on Friday May 08, 2015 @03:32PM (#49649963)

      Homegrown crypto has been a constant menace since the 1990s when people sold numerous encryption programs, usually sporting their own encryption algorithm and DES.

      A few I've seen were running 1-2 rounds of DES at most (FWB Hammer's hard disk drivers for Macs did this, but at the time, it was the best encryption one could get due to the relatively slow CPUs like 68000s at the time.) Others were seeding random() with a CRC of the password and XORing the output with the plaintext.

      However, back then, there were no government entities standardizing functions like is done now with AES, RSA, and other algos, so people had to write their own, and if it jumbled and unjumbled stuff, it was good enough, since not much in the way of ciphertext was really being attacked.

      Times are different now.

      These days, with most ARM, AMD, SPARC, POWER, and Intel CPUs having hardware AES acceleration, why would one want to roll their own algorithm?

      If one thinks AES is backdoored, cascade it with another known good algorithm like SERPENT, Threefish, heck, maybe even an older one like IDEA, 3DES, or even 3-Skipjack. There are other less known algorithms which have withstood testing as well. Cascading isn't intended to expand the bit width, but to have protection should one algorithm get broken. TrueCrypt offers/offered this functionality.

      Same with public key algorithms. Worried about RSA? Have two signatures, one RSA, and one with ECC or a lattice based algorithm that is resistant to TWIRL and quantum factoring, and validate both sigs.

      As for crypto implementations, if a user needs to encrypt a file, OpenPGP is a known standard. For communicating across the wire, SSH and SSL are known standards that are decently robust. For encrypting stuff in RAM, almost all modern operating systems have a facility like KeyChain to keep sensitive data from being swapped out, or if it is, have it encrypted.

      With almost every programming language offering hooks for AES and RSA, there isn't a need to roll crypto, even for obfuscation reasons. If one just needs obfuscation, use an AES() function with all zeroes as the key.

      • by PRMan ( 959735 ) on Friday May 08, 2015 @03:37PM (#49649993)
        In fact, you can use AES but not the recommended default values. Satoshi did this with Bitcoin, just in case the NSA was recommending those values for a reason.
      • And if you absolutely, positively MUST roll your own encryption (because, reasons!), then cascade THAT behind something battle-tested.

      • I was an embedded developer for many years. It is just a totally different way of thinking. Embedded guys are always writing the same thing again from scratch. They also are obsessed with knowing exactly what is going on. Before I got into high level software development, the idea of dumping someone else's library into my carefully constructed embedded code made me cringe.

        The other issue is that embedded guys can think they know it all, because they normally understand how a line of code they write affects

        • by mlts ( 1038732 )

          "Suit wearing chatter monkey" describes so many of those out there out there, especially "security consultants" which are sprouting up left and right. I have cleaned up the messes that those types leave behind, especially after they "do" a job for six months, and the fundamental issues are still present. Usually they may be familiar with one tool, and because they have that hammer, everything is a nail.

          I can see the NIH mentality of embedded programmers, since those are the types who usually are proud of

    • by sl149q ( 1537343 )

      To be (slightly) fair the 1.1.1 standard was published in 2012. Presumably the first versions where a year or several before that. So most likely this is circa 2008-2010 protocol standard writing.

      Doesn't really excuse them. But it wasn't 2015 and not quite as obvious then.

      • Right. At that point only pretty much every homegrown encryption algorithm on the planet had been trivially cracked. Not like today when pretty much every homegrown encryption algorithm on the planet has been trivially cracked

  • by red_dragon ( 1761 ) on Friday May 08, 2015 @03:15PM (#49649879) Homepage
    "We use a custom-made encryption algorithm with organic S-boxes and artisanal feistels. You probably have never heard of it."
  • by Anonymous Coward

    If you are going to implement your own crypto, you will screw it up, so at least make it entertaining:

    https://xkcd.com/153/

  • We have found the first FBI-compliant system!!!

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration

      Holy fuck you're dumb as bricks. How exactly could the TSA be "Obama's legacy" when it was created during George W's presidency and before Obama was even a US Senator?

  • It is easy to sneak a back door into a complicated mathematical algorithm. Most people do not understand how it works anyway. And as we know it does happen on an epic scale, from many sides.

    But there are impregnable physical laws, which all people understand. Still this type of security is neglected by hardware producers. For example, why there is no a light physical plastic lid, which can be used to close web-camera on a ultra-book physicaly? Why the web-camera lenses are always open? Why people shall u
  • People called me a luddite when I refused a smartmeter. Then they started overcharging people, actually overreporting power consumption where when the old mechanical meters fail, they underreport it. Next the power meters literally started exploding, yes exploding, not just burning. Now it turns out anyone good at crypto, or any skript kiddie, can read your smartmeter in the near future.

    I'm not worried about RF interfering with my brain, even if I thought that was a concern with these frequencies they only

  • I work for a smart grid consulting company...before that, a major (nearly a century old, and widely-recognized) civil engineering firm, again in the power industry. Before that I was the official smart grid security spokesman for a large IT company, and briefed Gartner, Ponemon, Forrester, etc. I've been deep into the guts of generation, T&D, energy marketing, and smart metering infrastructure at dozens of power companies over the past decade.

    I've never seen OSGP in the field, not once. The OP talks

Almost anything derogatory you could say about today's software design would be accurate. -- K.E. Iverson

Working...