[Cryptography] What is an attack, and what is not an attack?

ianG iang at iang.org
Wed Jan 8 03:47:41 EST 2014


Apologies for late reply!  This point was important...

On 3/01/14 22:45 PM, John Kelsey wrote:

> There have been a lot of flawed
> RNGs in the literature.  Were any intentional, or accidentally created but left in as a backdoor?  If so, by whom?  Absent an attack of conscience along the lines of Manning or Snowden, how would we know?


Indeed, so what's a validated attack?  How do we know, really know? 
Here's my call:

1.  Literature is theory.
2.  Attacks in labs are experiments, not attacks.
3.  Academic exploits and corporate embarrassments aren't real 
demonstrations of economic risk, they are more reputation-leaching from 
innocent corps to press-hungry security rock stars.
4.  Absent any evidence, we cannot disambiguate between myth, fear, 
marketing, fraud and self-deception (Dan Geer's observation).

So, if we're doing risk analysis, attacks do not include literature, lab 
demos (like that of Dave and Ian in the Netscape days), academic stuff, 
journalism, and stuff we make up ourselves in order to sell our product. 
These are all interesting, informative, helpful, but they do not add 
to our knowledge of economic attacks directly.



The only evidence that slices through is *damages*.  How much money was 
lost?  (Excluding reputation damage and re-work efforts.)  If there are 
events with damages, if we can measure losses and frequencies, then we 
can calculate likelihoods and expected losses, etc [0].



So by this definition, the only validated attack on an RNG that I know 
of was the Bitcoin theft of coins using the sloppy Java PRNG [1].  We 
know how many coins were lost, roughly.  Notice the economics -- theft 
of money, and it's the sort of money you might be able to get cleaned 
before anyone notices, so there is a tight and solid feedback loop to 
inform us.

If not, then we have to use our judgement.  I use my judgement to say 
that DUAL_EC was a real attack, but I can't validate it because I cannot 
calculate the damages.  It goes on the list, because my judgement says 
so, but I don't *know it happened* as yet.



iang



[0] CA threat history: http://wiki.cacert.org/Risk/History
[1] Java's crypto system should be called Diana because it has a huge 
cross painted on it...
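
The post cites the Bitcoin theft but not how a bad PRNG turns into lost 
coins. The publicly reported cause of the 2013 Android wallet thefts 
was a SecureRandom flaw that repeated the per-signature ECDSA nonce k, 
and two signatures made with the same k reveal the signing key. The 
following is an added example, not part of the original message or the 
affected wallet software: the curve parameters are secp256k1's (the 
curve Bitcoin uses); the private key, the nonce values and the two 
signed messages are constructed for the demonstration.

```python
"""Toy ECDSA over secp256k1 showing why a repeated nonce leaks the key.
Added illustration, not production code: not constant-time, no hashing
to the standard's exact bit-length, no validation beyond the basics."""
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)

# Constructed values for the demonstration (not from any real wallet).
VICTIM_KEY = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
BAD_NONCE  = 0xDEADBEEF0000000000000000000000000000000000000000000000000000CAFE
MSG1 = b"pay 1 BTC to alice"
MSG2 = b"pay 2 BTC to bob"

def inv(a, m):
    return pow(a, -1, m)

def add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k):
    """ECDSA sign; k is the per-signature nonce the caller's RNG supplied."""
    r = mul(k, G)[0] % N
    s = inv(k, N) * (h(msg) + r * d) % N
    return (r, s)

def verify(Q, msg, sig):
    r, s = sig
    w = inv(s, N)
    pt = add(mul(h(msg) * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def recover_key(msg1, sig1, msg2, sig2):
    """Same r in two signatures means the same k; solve for k, then d.
    Returns None when the nonces differ (or the signatures are identical)."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    k = (h(msg1) - h(msg2)) * inv(s1 - s2, N) % N
    return (s1 * k - h(msg1)) * inv(r1, N) % N

def demo_repeated_nonce():
    """A faulty RNG hands out BAD_NONCE twice: an observer recovers the key."""
    sig1 = sign(VICTIM_KEY, MSG1, BAD_NONCE)
    sig2 = sign(VICTIM_KEY, MSG2, BAD_NONCE)
    Q = mul(VICTIM_KEY, G)
    assert verify(Q, MSG1, sig1) and verify(Q, MSG2, sig2)  # both look valid
    return recover_key(MSG1, sig1, MSG2, sig2)

def demo_distinct_nonces():
    """A working RNG gives distinct nonces: the same attack yields nothing."""
    sig1 = sign(VICTIM_KEY, MSG1, BAD_NONCE)
    sig2 = sign(VICTIM_KEY, MSG2, BAD_NONCE + 1)
    return recover_key(MSG1, sig1, MSG2, sig2)

if __name__ == "__main__":
    print(hex(demo_repeated_nonce()) == hex(VICTIM_KEY))  # True
    print(demo_distinct_nonces())                           # None
```

Both signatures in the repeated-nonce case verify correctly, so the 
wallet, the network and the victim see nothing wrong; only an observer 
comparing the r values across a ledger of public signatures notices, 
which is why this class of RNG failure produces measurable theft rather 
than a lab curiosity.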

