[Cryptography] Literature on reusing same key for AES / HMAC?

Ray Dillinger bear at sonic.net
Mon Nov 9 23:01:30 EST 2015



On 11/07/2015 02:14 AM, ianG wrote:

>  * Homegrown crypto is a far better thing than no crypto, and while it's
> not being attacked by an actual person with cryptanalytic experience,
> it's knocking hordes of scammers, script kiddies, criminal gangs and
> what-have-you.  There still remains a tight negative correlation between
> cryptanalytic skills and criminal gangs, although the publication of
> academic results does tend to lead to the development of script exploits
> leading to potential dangers.

I feel compelled to respond to this one.  I have in the last year
dealt with a situation in which a client with homemade crypto was
attacked by a criminal organization intent on stealing bitcoins,
within which someone actually DID bother to learn and perform
linear or differential cryptanalysis.  (I don't know which one;
the system would have been vulnerable to either).   The protocol
gave them several known and partially-known plaintext blocks for
each key, so they had a starting point. Doing the math on about
2 hours worth of traffic got them from a 128-bit symmetric key
down to an effective search space of 28 bits, which they promptly
cracked.

The client had been almost certain that "someone" was passing keys
along to people who oughtn't have them, but I saved "someone"'s job
by putting up some fake traffic using keys that nobody but the client
and I had, and the attacker showed up immediately at the honeypot
that traffic revealed.  So, the attacker was definitely doing the
math.

After that I changed some software and configurations and the problem
went away.

>  * people in the crypto business like to say "homegrown crypto is a bad
> idea" so that they get the job.  But this is about their security not
> yours.  Unfortunately, the professionals who say that often can't do
> risk analysis so they can't see that their approach can take away
> important elements of your other security.  Leaving you worse off than
> if you focus on what is really hurting your business.

I like people who wade in and learn enough to do their own crypto well.
I admire the effort, and try not to discourage them, especially when
they're already feeling down because they've just had their first
"learning experience".  I don't want them to quit trying, I want them
to get better!

That said, when something is breaking, I have to look at the
least-tested stuff first because the negative correlation between
still-unsquished bugs and long testing is well established. In
practical terms that means I start by looking at the homemade stuff.


				Bear

--
"As far as I know we've never had an undetected error."
   -- Howard Aiken, IBM Engineer.


