[Cryptography] Literature on reusing same key for AES / HMAC?

ianG iang at iang.org
Sat Nov 14 17:16:17 EST 2015


On 10/11/2015 04:01 am, Ray Dillinger wrote:
>
>
> On 11/07/2015 02:14 AM, ianG wrote:
>
>>   * Homegrown crypto is a far better thing than no crypto, and while it's
>> not being attacked by an actual person with cryptanalytic experience,
>> it's knocking hordes of scammers, script kiddies, criminal gangs and
>> what-have-you.  There still remains a tight negative correlation between
>> cryptanalytic skills and criminal gangs, although the publication of
>> academic results does tend to lead to the development of script exploits
>> leading to potential dangers.
>
> I feel compelled to respond to this one.  I have in the last year
> dealt with a situation in which a client with homemade crypto was
> attacked by a criminal organization intent on stealing bitcoins,
> within which someone actually DID bother to learn and perform
> linear or differential cryptanalysis.  (I don't know which one;
> the system would have been vulnerable to either).


Now, *that* is novel.  Criminal gangs in the bitcoin world are learning 
linear/differential cryptanalysis!  This is a milestone of some 
significance.


> The protocol
> gave them several known and partially-known plaintext blocks for
> each key, so they had a starting point. Doing the math on about
> 2 hours' worth of traffic got them from a 128-bit symmetric key
> down to an effective search space of 28 bits, which they promptly
> cracked.


Interesting!  Is there a cite for this?  Not that I don't believe you, 
but it becomes much more useful evidence if we have something we can 
point at.


> The client had been almost certain that "someone" was passing keys
> along to people who oughtn't have them, but I saved "someone"s job
> by putting up some fake traffic using keys that nobody but the client
> and I had, and the attacker showed up immediately at the honeypot
> that traffic revealed.  So, the attacker was definitely doing the
> math.
>
> After that I changed some software and configurations and the problem
> went away.


Good.  But in order to damn the homegrown crypto, you'd actually have to 
do some analysis.  How much did they spend on the homegrown crypto, how 
much would a professional job have cost, and how much did you charge to 
"change some software and config"?

Then, we would have to integrate time into the calculations.  It could 
be that they saved people's bacon for several years on some lightweight 
crypto that cost a few thousand, in which case they can write that off 
against a benefit of protection over years.  If the thefts amounted to a 
few dozen bitcoins, then it could be well in profit.

IDK the answer to these questions - what I do know is that a crack of 
crypto isn't evidence of bad engineering nor bad choices in production 
of homebrew crypto, by itself.


>>   * people in the crypto business like to say "homegrown crypto is a bad
>> idea" so that they get the job.  But this is about their security not
>> yours.  Unfortunately, the professionals who say that often can't do
>> risk analysis so they can't see that their approach can take away
>> important elements of your other security.  Leaving you worse off than
>> if you focus on what is really hurting your business.
>
> I like people who wade in and learn enough to do their own crypto well.
> I admire the effort, and try not to discourage them, especially when
> they're already feeling down because they've just had their first
> "learning experience".  I don't want them to quit trying, I want them
> to get better!
>
> That said, when something is breaking, I have to look at the least-
> tested stuff first because the negative correlation between still-
> unsquished bugs and long testing is well established. In practical
> terms that means I start by looking at the homemade stuff.


Yep.  One thing I have noticed is that encouraging people to use some 
homegrown stuff actually gets them into the business.  Then, step by 
step they professionalise.

In the alternate, the cryptoguild approach of must-be-perfect before 
you're allowed to send your first packet tends to be such a high barrier 
that most devs choose no crypto.

Perhaps we need an award for most promising homebrew crypto protocols?

iang


