Columbia crypto box
Steven M. Bellovin
smb at research.att.com
Sun Feb 9 23:34:01 EST 2003
In message <3E465CCB.5080107 at skygate.co.uk>, Pete Chown writes:
>Bill Stewart wrote:
>
>> These days nobody *has* a better cryptosystem than you do. They might
>> have a cheaper one or a faster one, but for ten years the public's
>> been able to get free planet-sized-computer-proof crypto ...
>
>I seem to remember that the Nazis said the same thing about Enigma.
>Even when evidence began to filter back that it had been broken, they
>ignored it because they were so confident that a break was impossible.
>
>It's true that protocol and programming problems account for the huge
>majority of security holes. The WEP break, though, was one notable
>exception. They were using an established cryptosystem (RC4) with a
>planet-sized key (128 bits). However, a weakness in RC4 itself let them
>down.
Actually, that's missing the point. Yes, the cryptanalytic attack on
RC4, especially as it's used in WEP, was impressive. But that attack
was the least important problem with WEP -- the more serious problems
were protocol issues.
First, there was no key management. This means that loss of a single
unit -- a stolen laptop or a disgruntled (ex-)employee would do --
compromises the entire network, since it's impossible to rekey
everything at once in an organization of any size. For most real-world
deployments, this is the most serious weakness. Furthermore, if there
were real key management, the next two problems couldn't have happened.
This was clearly avoidable.
The second most serious problem was the set of problems documented by
Borisov et al. at Berkeley. These mostly relied on the inappropriate
use of a stream cipher, especially with too short an "IV". Note that
if it were possible to rekey before 2^24 packets were sent under any
one key, the attacks mostly wouldn't be possible.
The cryptanalytic attack did exploit an unforeseen weakness in RC4.
But the attack was a related-key attack, and it required a noticeable
amount of traffic. If rekeying had taken place, or if the "IV" were
properly mixed with the seed key, there wouldn't have been a problem
here.
To be sure, Enigma was largely broken because it wasn't being used
properly. As you say, protocol issues are the leading cause of crypto
holes. (And, as you note, programming bugs account for *far* more
real-world security problems.)
--Steve Bellovin, http://www.research.att.com/~smb (me)
http://www.wilyhacker.com (2nd edition of "Firewalls" book)
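The three points above (no rekeying, a 24-bit per-packet "IV" that is exhausted and then reused, and an IV merely concatenated with the seed key so that every packet key shares the same trailing bytes) can be made concrete. The following is an added illustration, not code from the post or from any WEP implementation: it uses a toy SHA-256 counter-mode keystream in place of RC4 (the reuse argument does not depend on the cipher), an HMAC-SHA256 per-packet KDF as one assumed way to "properly mix" the IV with the seed key, and a small receiver-side monitor that flags IV reuse and overdue rekeying. All keys, IVs and packet contents are constructed sample values.

```python
"""Added example: why a short, concatenated per-packet IV without rekeying
breaks a stream cipher deployment, and what a mitigating KDF and monitor
look like. Toy primitives only; not WEP's or any standard's construction."""
import hashlib
import hmac
import math
from typing import Optional, Set

IV_BITS = 24  # WEP's per-packet IV length (the post's 2^24 packet figure)


def iv_space(iv_bits: int = IV_BITS) -> int:
    """Distinct IV values; a sequential IV counter must wrap after this many packets."""
    return 1 << iv_bits


def expected_packets_until_iv_collision(iv_bits: int = IV_BITS) -> float:
    """Birthday bound for uniformly random IVs: about sqrt(pi * N / 2) packets
    before the first repeat, i.e. a few thousand packets for 24 bits."""
    return math.sqrt(math.pi * (1 << iv_bits) / 2)


def wep_style_packet_key(seed_key: bytes, iv: bytes) -> bytes:
    """WEP-style construction: packet key = IV || shared key, with the IV sent in
    the clear. Every packet key shares the same trailing bytes, which is the
    related-key structure the post refers to."""
    return iv + seed_key


def mixed_packet_key(seed_key: bytes, iv: bytes) -> bytes:
    """Assumed illustration of 'properly mixing' the IV with the seed key: a PRF
    (HMAC-SHA256) keyed by the seed. Packet keys no longer share structure."""
    return hmac.new(seed_key, b"per-packet-key" + iv, hashlib.sha256).digest()


def toy_keystream(packet_key: bytes, length: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode) standing in for RC4."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(packet_key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def stream_encrypt(packet_key: bytes, data: bytes) -> bytes:
    """Stream-cipher encryption is XOR with the keystream; the same call decrypts.
    Two packets under one packet key therefore share a keystream, and
    c1 XOR c2 == p1 XOR p2: the reuse failure behind the Borisov et al. results."""
    return xor_bytes(data, toy_keystream(packet_key, len(data)))


class IvReuseMonitor:
    """Defensive check a receiver or IDS can run per key: report a repeated IV
    (keystream reuse) and report when the IV space has been consumed, i.e. when
    the rekey the post calls for is overdue."""

    def __init__(self, iv_bits: int = IV_BITS) -> None:
        self.iv_bits = iv_bits
        self.seen: Set[bytes] = set()
        self.packets_under_key = 0

    def rekey(self) -> None:
        """New key: previously used IVs are safe to use again."""
        self.seen.clear()
        self.packets_under_key = 0

    def observe(self, iv: bytes) -> Optional[str]:
        self.packets_under_key += 1
        if iv in self.seen:
            return "iv-reuse"        # same key + same IV => identical keystream
        self.seen.add(iv)
        if self.packets_under_key >= iv_space(self.iv_bits):
            return "rekey-overdue"   # every IV value has now been used once
        return None


if __name__ == "__main__":
    print("24-bit IV space:", iv_space())
    print("expected random-IV collision after ~%.0f packets"
          % expected_packets_until_iv_collision())
```

With a sequential 24-bit IV the monitor's "rekey-overdue" fires at packet 2^24 and "iv-reuse" on the very next packet; with random IVs the birthday bound puts the first reuse near 5,100 packets, which is why rekeying well before 2^24 packets, rather than a longer IV alone, is the fix the post argues for.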
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com