Crypto dongles to secure online transactions

Jerry Leichter leichter at lrw.com
Tue Nov 10 09:44:58 EST 2009


On Nov 8, 2009, at 7:45 PM, Thorsten Holz wrote:
> ...There are several approaches to stop (or at least make it more
> difficult) this attack vector. A prototype of a system that
> implements the techniques described in your blog posting was
> presented by IBM Zurich about a year ago, see
> http://www-03.ibm.com/press/us/en/pressrelease/25828.wss for details.
Bring two threads together:  The ZTIC is designed to work with  
unmodified servers, hence implements SSL/TLS internally.  Could the  
recently discovered SSL injection attack be used against it?  (I  
haven't thought it through and have no idea.)  Whether or not it can,  
it demonstrates the hazards of freezing implementations of crypto  
protocols into ROM:  Imagine a world in which there are a couple of  
hundred million ZTICs or similar devices fielded - and a significant
vulnerability is found in the protocol they speak.  (Since we're  
talking about a *protocol* vulnerability, having multiple competing  
implementations doesn't help.)

Now, you could make the same argument about the encryption mechanisms  
- AES, RSA, whatever else is frozen in that silicon - as well.  We're  
reasonably sure of our ability to build strong block and public key  
ciphers - there have been no significant (publicly known!) breaks in  
any fielded system in years.  The problems with hash functions show  
that our abilities there aren't as good as we thought.  But this  
recent attack against SSL/TLS, studied by so many people for so many  
years, should make us really humble about the state of the art in  
secure protocol development.

Not that this should block the use of devices like the ZTIC!  They're  
still much more secure than the alternatives.  But it's important to  
keep in mind the vulnerabilities we engineer *into* systems at the  
same time we engineer others *out*.
                                                         -- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com