Columbia crypto box

Steven M. Bellovin smb at research.att.com
Sun Feb 9 23:34:01 EST 2003


In message <3E465CCB.5080107 at skygate.co.uk>, Pete Chown writes:
>Bill Stewart wrote:
>
>> These days nobody *has* a better cryptosystem than you do.  They might
>> have a cheaper one or a faster one, but for ten years the public's
>> been able to get free planet-sized-computer-proof crypto ...
>
>I seem to remember that the Nazis said the same thing about Enigma.
>Even when evidence began to filter back that it had been broken, they
>ignored it because they were so confident that a break was impossible.
>
>It's true that protocol and programming problems account for the huge
>majority of security holes.  The WEP break, though, was one notable
>exception.  They were using an established cryptosystem (RC4) with a
>planet sized key (128 bits).  However, a weakness in RC4 itself let them
>down.

Actually, that's missing the point.  Yes, the cryptanalytic attack on 
RC4, especially as it's used in WEP, was impressive.  But that attack 
was the least important problem with WEP -- the more serious problems 
were protocol issues.

First, there was no key management.  This means that loss of a single 
unit -- a stolen laptop or a disgruntled (ex-)employee would do -- 
compromises the entire network, since it's impossible to rekey 
everything at once in an organization of any size.  For most real-world 
deployments, this is the most serious weakness.  Furthermore, if there 
were real key management, the next two problems couldn't have happened.
This was clearly avoidable.

The second most serious problem was the set of problems documented by 
Borisov et al. at Berkeley.  These mostly relied on the inappropriate 
use of a stream cipher, especially with too short an "IV".  Note that 
if it were possible to rekey before 2^24 packets were sent under any 
one key, the attacks mostly wouldn't be possible.

The cryptanalytic attack did exploit an unforeseen weakness in RC4.  
But the attack was a related-key attack, and it required a noticeable 
amount of traffic.  If rekeying had taken place, or if the "IV" were 
properly mixed with the seed key, there wouldn't have been a problem 
here.

To be sure, Enigma was largely broken because it wasn't being used 
properly.  As you say, protocol issues are the leading cause of crypto 
holes.  (And, as you note, programming bugs account for *far* more 
real-world security problems.)

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com (2nd edition of "Firewalls" book)
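The two protocol points above (no way to rekey before the 24-bit "IV" space runs out, and an "IV" that is merely prepended to the seed key rather than mixed with it) are easy to see in code. The following Python is an added illustration, not code from the message or from the list; it reproduces WEP's actual seeding (RC4 seed = IV || key), and the two mitigations it pairs with it are assumptions for the example, not any standard: a keyed-hash mixing step for the per-packet seed, and a sender that derives a fresh per-generation key from a master key before an IV could repeat under the current key. The birthday estimate shows why a 24-bit IV exhausts far sooner than 2^24 packets when IVs are chosen at random.

```python
import hashlib
import hmac
import math
import random

IV_BITS = 24  # WEP's 24-bit per-packet "IV", the size criticised in the message


def rc4_keystream(seed: bytes, length: int) -> bytes:
    """Plain RC4 (key scheduling + pseudo-random generation), `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def wep_packet_seed(iv: bytes, key: bytes) -> bytes:
    """WEP seeding: RC4 seed = 3-byte IV || shared key. Every packet's seed is thus
    a related key, differing only in three bytes that travel in the clear."""
    return iv + key


def mixed_packet_seed(iv: bytes, key: bytes) -> bytes:
    """Assumed mitigation (not part of WEP): mix IV and key through a keyed hash so
    the per-packet seeds share no bytes an observer can predict."""
    return hmac.new(key, iv, hashlib.sha256).digest()[:16]


def expected_packets_until_iv_repeat(iv_bits: int = IV_BITS) -> float:
    """Birthday-bound estimate: about sqrt(pi/2 * 2^n) random IVs before the first repeat."""
    return math.sqrt(math.pi / 2 * 2 ** iv_bits)


def derive_generation_key(master_key: bytes, generation: int) -> bytes:
    """Per-generation key from a master key (assumed scheme, not WEP's); both ends
    can derive it from the generation number carried with the packet."""
    return hmac.new(master_key, generation.to_bytes(4, "big"), hashlib.sha256).digest()[:16]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class RekeyingSender:
    """Stream-cipher sender that never reuses an IV under one key: it records the
    IVs issued and moves to a fresh generation key before a repeat could happen.
    `rng_seed` makes the IV sequence reproducible; by default IVs come from the OS."""

    def __init__(self, master_key: bytes, seed_fn=mixed_packet_seed, rng_seed=None):
        self.master_key = master_key
        self.seed_fn = seed_fn
        self.rng = random.Random(rng_seed) if rng_seed is not None else random.SystemRandom()
        self.generation = 0
        self.rekeys = 0
        self._install_key()

    def _install_key(self) -> None:
        self.key = derive_generation_key(self.master_key, self.generation)
        self.used_ivs = set()

    def _rekey(self) -> None:
        self.generation += 1
        self.rekeys += 1
        self._install_key()

    def encrypt(self, plaintext: bytes) -> tuple:
        iv = self.rng.getrandbits(IV_BITS).to_bytes(3, "big")
        if iv in self.used_ivs:
            self._rekey()  # same IV under the same key would repeat the keystream
        self.used_ivs.add(iv)
        ks = rc4_keystream(self.seed_fn(iv, self.key), len(plaintext))
        return self.generation, iv, xor(plaintext, ks)


def decrypt(master_key: bytes, generation: int, iv: bytes, ciphertext: bytes,
            seed_fn=mixed_packet_seed) -> bytes:
    """Receiver side: rebuild the generation key and strip the keystream."""
    key = derive_generation_key(master_key, generation)
    return xor(ciphertext, rc4_keystream(seed_fn(iv, key), len(ciphertext)))
```

With random 3-byte IVs the sender above typically has to rekey after a few thousand packets, which is the figure `expected_packets_until_iv_repeat()` gives; a WEP deployment with no key management has no equivalent move available and keeps using the same key past that point. Swapping `seed_fn=wep_packet_seed` into `RekeyingSender` shows the other half of the argument: the seeds then end in the shared key byte-for-byte, which the mixed seeds do not.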



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com