Re: Oh, the irony. (Was Re: CRIME NIPC DAILY REPORT: 18 APRIL, 2002)

From: Seth Arnold (sarnold@private)
Date: Thu Apr 18 2002 - 11:31:06 PDT


    On Wed, Apr 17, 2002 at 10:01:13PM -0700, Jere Retzer wrote:
    > Question -- have there been any documented cases of weak encryption
    > leading to significant exploits? I don't mean to belittle the need for
    > encryption but I don't see significant exploits actually happening.
    > Maybe the right attitude is to say if we did not keep up that we would
    > be seeing exploits.  
    
    [Jere, your emails would be easier to read if you wrapped your lines at
    72 characters. Thanks.]
    
    Yes, there is significant evidence of weak crypto being used for
    significant exploits.
    
    The SSH CRC-32 compensation attack, discovered by Michal Zalewski, is
    the best known example:
    http://online.securityfocus.com/bid/2347
    This has been rooting boxes for over a year.
    
    The CRC-32 compensation was a fix for the initial (stupid) SSH-1
    protocol, which used CRC-32 in place of stronger hash functions. Had the
    SSH-1 protocol used a stronger message authentication code, such as HMAC
    based on md5 or sha1, none of those problems would have existed, and
    thousands of machines wouldn't have been rooted so easily. (Of course,
    the ssh-1 protocol had other problems, such as relying on crypto
    primitives that were patented in the United States.)
    
    I'm reasonably certain this bug was the one that allowed for trojaned
    ssh clients (password collectors) to be installed on sourceforge,
    granting complete access to the attackers for the apache source code
    when legitimate apache developers logged into the apache site from
    sourceforge accounts.
    
    Ask the DVD cabal how well they like their CSS encryption scheme being
    trivially cracked by a 16 year old from Norway. I'm sure they would tell
    you billions of dollars have been lost as a result of their extremely
    poor crypto. (Never mind that the crypto was really only intended to
    require DVD-player manufacturers to belong to the consortium -- as
    crypto, their 'solution' would never have worked. I'll expand on this if
    anyone is interested.)
    
    Yeah, bad crypto is exploitable.
    
    (Of course, I agree with Steve's original points, especially: host
    security is so poor, 40 bit or 128 bit SSL is probably a moot point.)
    
    -- 
    http://immunix.org/
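The CRC-32 point in the message above deserves a concrete illustration. CRC-32 is not a message authentication code: it is affine over GF(2), so for equal-length inputs crc(a XOR b) == crc(a) XOR crc(b) XOR crc(zeros). That identity lets an attacker who knows only the change they want to make to the plaintext also compute the exact correction to the CRC trailer, with no knowledge of the key or of the rest of the plaintext. The script below is an added example, not code from the post or from any SSH implementation. It uses a toy SHA-256 keystream and a constructed message; SSH-1 encrypted with block ciphers and the real insertion attack takes more work than this stream-cipher sketch, but the property being exploited is the same. The same bit-flip against an HMAC-SHA1 trailer is detected, which is the author's "had SSH-1 used a stronger MAC" argument in runnable form.

```python
import hashlib
import hmac
import os
import struct
import zlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def crc32_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 identity: crc(a ^ b) == crc(a) ^ crc(b) ^ crc(0...0) for equal-length
    inputs. This is what lets an attacker patch a CRC trailer without the key."""
    assert len(a) == len(b)
    zeros = bytes(len(a))
    return zlib.crc32(xor(a, b)) == zlib.crc32(a) ^ zlib.crc32(b) ^ zlib.crc32(zeros)


def keystream(key: bytes, n: int) -> bytes:
    """Toy keystream (SHA-256 in counter mode), constructed for this demo only.
    Any XOR-style encryption of a CRC trailer exhibits the same weakness."""
    out = b""
    ctr = 0
    while len(out) < n:
        out += hashlib.sha256(key + struct.pack(">I", ctr)).digest()
        ctr += 1
    return out[:n]


# --- "integrity" via CRC-32, the SSH-1 style -------------------------------

def seal_crc(enc_key: bytes, msg: bytes) -> bytes:
    """Sender: append CRC-32 as the integrity check, then encrypt msg||crc."""
    body = msg + struct.pack(">I", zlib.crc32(msg))
    return xor(body, keystream(enc_key, len(body)))


def open_crc(enc_key: bytes, ct: bytes) -> bytes:
    """Receiver: decrypt, then verify the CRC trailer. Raises on mismatch."""
    body = xor(ct, keystream(enc_key, len(ct)))
    msg, tag = body[:-4], body[-4:]
    if struct.unpack(">I", tag)[0] != zlib.crc32(msg):
        raise ValueError("CRC check failed")
    return msg


def forge_crc(ct: bytes, delta: bytes) -> bytes:
    """Attacker: knows no key, only the ciphertext and the plaintext difference
    `delta` it wants to introduce. XOR delta into the message bytes and the
    matching CRC correction (crc(delta) ^ crc(zeros)) into the trailer."""
    assert len(delta) == len(ct) - 4
    tag_fix = zlib.crc32(delta) ^ zlib.crc32(bytes(len(delta)))
    return xor(ct, delta + struct.pack(">I", tag_fix))


# --- integrity via a keyed MAC (HMAC-SHA1) ---------------------------------

def seal_hmac(enc_key: bytes, mac_key: bytes, msg: bytes) -> bytes:
    tag = hmac.new(mac_key, msg, hashlib.sha1).digest()
    body = msg + tag
    return xor(body, keystream(enc_key, len(body)))


def open_hmac(enc_key: bytes, mac_key: bytes, ct: bytes) -> bytes:
    body = xor(ct, keystream(enc_key, len(ct)))
    msg, tag = body[:-20], body[-20:]
    expected = hmac.new(mac_key, msg, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("HMAC check failed")
    return msg


def forge_hmac(ct: bytes, delta: bytes) -> bytes:
    """Same bit-flip on the message bytes; without mac_key there is no way to
    compute the matching change to the keyed tag, so the trailer is left alone."""
    assert len(delta) == len(ct) - 20
    return xor(ct, delta + bytes(20))


def demo() -> dict:
    enc_key, mac_key = os.urandom(16), os.urandom(16)  # never seen by the attacker
    msg = b"transfer 0010 to bob"                       # constructed sample message
    # Attacker knows the message format and wants "0010" -> "9910" at offset 9.
    delta = bytearray(len(msg))
    delta[9:11] = xor(b"00", b"99")
    delta = bytes(delta)

    forged_crc = forge_crc(seal_crc(enc_key, msg), delta)
    crc_result = open_crc(enc_key, forged_crc)          # accepted: b"transfer 9910 to bob"

    forged_mac = forge_hmac(seal_hmac(enc_key, mac_key, msg), delta)
    try:
        open_hmac(enc_key, mac_key, forged_mac)
        hmac_detected = False
    except ValueError:
        hmac_detected = True                             # rejected

    return {"crc_forged_message": crc_result, "hmac_forgery_detected": hmac_detected}


if __name__ == "__main__":
    print(demo())
```

The CRC forgery succeeds on every run regardless of the random keys, because the correction term depends only on `delta` and the message length, both of which the attacker controls or can guess. Swapping the trailer for HMAC (or any real MAC) removes that property: the attacker's flip still lands in the message, but the keyed tag no longer matches and the receiver rejects the packet.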
    
    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:06 PDT