|
search / subscribe / upload / contact |
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
|
||
| RSS-Feed Depeschen |  |
|
|
||
|
||
Date: 1999-07-19
Crypto/hacking als schoene Kunst betrachtet-.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- Verfahren, Verschlüsselungs/programme seitwärts zu pentrieren. -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- What is "crypto-hacking"? As the first person to use the term, I get to define it. Crypto-hacking is hacking the mathematics of cryptography; it's forcing cryptography to do something new, something different, something unexpected. It's pushing the boundaries of cryptography. And it's been happening regularly over the past several years: Using information about timing, power consumption, and radiation of a device when it executes a cryptographic algorithm, crypto-hackers have been able to break smart cards and other "secure" tokens. These are called "side- channel attacks." By forcing faults during operation, crypto-hackers have been able to break even more smart cards. This is called "failure analysis." In a beautiful display of crypto-hacking, one researcher was able to break RSA when used in the PKCS format. The break didn't break RSA, but the way it was used. Just think of the beauty: we don't know how to factor num bers and we don't know how to break RSA. But if you use RSA in a certain way, which happens to be a pretty common way, than it is possible in some systems to break the security of RSA...without breaking RSA. Crypto-hackers have analyzed many systems by breaking the random number generators used to supply cryptographic keys. The cryptographic algorithms might be secure, but the key-generation procedures were not. Again, thin k of the beauty: the algorithm is secure, but the method to produce keys for the algorithm has a weakness, which means that there aren't as many possible keys as there should be. Researchers have broken cryptographic systems by looking at the way different keys are related to each other. Each key might be secure, but the combination of several related keys can be enough to cryptanalyze the system . The common thread through all of these exploits is that they've all pushed the envelope of what constitutes cryptanalysis. Before side-channel attacks, cryptographers never thought about using information other than the plaintext and the ciphertext to attack algorithms. After the first paper, researchers began to look at different side channels, invasive side channels, attacks based on introducing transient and permanent faults, etc. Su ddenly there was a whole new way to do cryptanalysis. Crypto-hacking = cheating. Several years ago I was talking with an NSA employee about a particular exploit. He told the story about how a system was broken; it was a sneaky attack, one that I didn't think should even count. "That's cheating," I s aid. He looked at me as if I'd just arrived from Neptune. Cheating is one of the basic tenets of security engineering. Conventional engineering is about making things work. It's the genesis of the term "hack," as in "he worked all night and hacked the code together." The code works; it doesn't matter what it looks like. Security is different; it's about making sure things don't NOT work. It's making sure security isn't broken, even in the presence of a malicious adversary who does everything in his power to make sure that things don't work in the worst possible way at the worst possible times. A good attack is one that the engineers never even thought about. Good attackers cheat. And the future of crypto-hacking is the future of cheating. Clever people will continue to invent new ways to attack the mathematics of cryptography. Like any kind of hacking, hacking cryptography requires a specific set of skills. The most important cryptographic skill is advanced mathematics; you can't analyze cryptographic systems without it. You can't cheat witho ut it. You can break systems that use cryptography by going around the cryptography, but that's not crypto-hacking. Crypto-hacking means hacking the cryptography, which means advanced mathematics. And this explains why you don't see many crypto-hackers wandering around: the mathematics is hard. Most of the crypto-hacking we've seen comes not from disenfranchised outsiders, but from fringe insiders: graduate students, and some academic and corporate researchers. I can't think of one crypto-hacking exploit by som eone with a "handle." In fact, most of the crypto-hackers get an amazing amount of positive publicity from their exploits: newspaper articles, academic papers, accolades. There isn't much underground crypto-hacking going on. There are some crypto-hacking tools, but not many. There are programs that take advantage of poor passwords in UNIX and NT, or poor passphrases in PGP, to break the encryption. There's a program that tries to break PKZip encryption, again based on poor password choice. But there aren't any real tools that allow for serious crypto-hacking, simply because too much mathematical expertise would be required to use them. I don't see this changing in the future. Cryptography will continue to be a science of mathematics, and crypto-hacking will necessarily be exactly the same. There will be all sorts of cool crypto-hacking exploits, but it's not going to become a mass-market avocation. Source http://www.counterpane.com -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- edited by Harkank published on: 1999-07-19 comments to office@quintessenz.at subscribe Newsletter - -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- -.-. --.- 
|
|
|
 |
CURRENTLY RUNNING |
q/Talk 1.Juli: The Danger of Software Users Don't Control
|
|
|
!WATCH OUT! |
bits4free 14.Juli 2011: OpenStreetMap Erfinder Steve Coast live in Wien
|
|