Thanks, excellent info! I'll use that if you don't mind. It still generally comes down to the value and exposure of the target. If you have a high value, highly exposed target such as the encryption algorithm used for DVD then yes, spend liberally on a tough algorithm but for day-to-day transactions over the net, especially when the communicating systems calculate a new session key for each session? Questionable, in my opinion. >>> Seth Arnold <sarnold@private> 04/18/02 11:31AM >>> On Wed, Apr 17, 2002 at 10:01:13PM -0700, Jere Retzer wrote: > Question -- have there been any documented cases of weak encryption > leading to significant exploits? I don't mean to belittle the need for > encryption but I don't see significant exploits actually happening. > Maybe the right attitude is to say if we did not keep up that we would > be seeing exploits. [Jere, your emails would be easier to read if you wrapped your lines at 72 characters. Thanks.] Yes, there is significant evidence of weak crypto being used for significant exploits. The SSH CRC-32 compensation attack, discovered by Michal Zalewski, is the best known example: http://online.securityfocus.com/bid/2347 This has been rooting boxes for over a year. The CRC-32 compensation was a fix for the initial (stupid) SSH-1 protocol, which used CRC-32 in place of stronger hash functions. Had the SSH-1 protocol used a stronger message authentication code, such as HMAC based on md5 or sha1, none of those problems would have existed, and thousands of machines wouldn't have been rooted so easily. (Of course, the ssh-1 protocol had other problems, such as relying on crypto primitives that were patented in the United States.) I'm reasonably certain this bug was the one that allowed for trojaned ssh clients (password collectors) to be installed on sourceforge, granting complete access to the attackers for the apache source code when legitimate apache developers logged into the apache site from sourceforge accounts. Ask the DVD cabal how well they like their CSS encryption scheme being trivially cracked by a 16 year old from Norway. I'm sure they would tell you billions of dollars have been lost as a result of their extremely poor crypto. (Never mind that the crypto was really only intended to require DVD-player manufacturers to belong to the consortium -- as crypto, their 'solution' would never have worked. I'll expand on this if anyone is interested.) Yeah, bad crypto is exploitable. (Of course, I agree with Steve's original points, especially: host security is so poor, 40 bit or 128 bit SSL is probably a moot point.) -- http://immunix.org/
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:41:08 PDT