Cryptographic Design Vulnerabilities

Author

  • Bruce Schneier
Abstract

Popular magazines often describe cryptography products in terms of algorithms and key lengths. These security techniques make good headlines. They can be explained in a few words and they’re easy to compare with one another. We’ve seen statements like “128-bit keys mean strong security, while 40-bit keys are weak” or “triple-DES is much stronger than single DES” or even “2,048-bit RSA is better than 1,024-bit RSA.”

Unfortunately, cryptography isn’t so simple: Longer keys do not guarantee more security.

Compare a cryptographic algorithm to the lock on your front door. Most door locks have four metal pins, each of which can be in one of 10 positions. A metal key sets the pins in a particular configuration. If the key aligns them all correctly, the lock opens. So there are only 10,000 possible keys, and a burglar willing to try all 10,000 is guaranteed to break into your house. But an improved lock with 10 pins—making 10 billion possible keys—probably won’t make your house more secure. Burglars don’t try every possible key (the equivalent of a brute-force attack); most aren’t clever enough to pick the lock (the equivalent of a cryptographic attack). No, they smash windows, kick in doors, disguise themselves as police, and rob keyholders at gunpoint. One ring of art thieves in California defeated home security systems by taking a chainsaw to the house walls. Better locks can’t prevent these attacks.

Strong cryptography is very powerful when it is done right, but it is not a panacea. Focusing on cryptographic algorithms while ignoring other aspects of security is like defending your house not by building a fence around it, but by putting an immense stake in the ground and hoping that your adversary runs right into it. Smart attackers will just go around the algorithms.

Counterpane Systems has spent years designing, analyzing, and breaking cryptographic systems. While we do research on published algorithms and protocols, most of our work examines actual products. We’ve designed and analyzed systems that protect privacy, ensure confidentiality, provide fairness, and facilitate commerce. We’ve worked with software, stand-alone hardware, and everything in between. We’ve broken our share of algorithms, but we can almost always find attacks that bypass the algorithms altogether. We don’t have to try every possible key or even find flaws in the algorithms. We exploit errors in design, errors in implementation, and errors in installation. Sometimes we invent a new trick to break a system, but most of the time we exploit the same old mistakes that designers make over and over again. This article conveys some of the lessons we’ve learned.

Similar resources

Design of cybernetic metamodel of cryptographic algorithms and ranking of its supporting components using ELECTRE III method

Nowadays, achieving desirable and stable security in networks with national and organizational scope and even in sensitive information systems, should be based on a systematic and comprehensive method and should be done step by step. Cryptography is the most important mechanism for securing information. A cryptographic system consists of three main components: cryptographic algorithms, cryptogr...

Did we learn from LLC Side Channel Attacks? A Cache Leakage Detection Tool for Crypto Libraries

This work presents a new tool to verify the correctness of cryptographic implementations with respect to cache attacks. Our methodology discovers vulnerabilities that are hard to find with other techniques, observed as exploitable leakage. The methodology works by identifying secret dependent memory and introducing forced evictions inside potentially vulnerable code to obtain cache traces that ...

A Search-Based Framework for Security Protocol Synthesis

Security protocol verification has been the area where the bulk of the research in cryptographic protocols has taken place and a number of successful supporting tools have been developed. However, not much research has been done in the area of applying formal methods to the design of cryptographic protocols in the first place, despite wide recognition that the design of cryptographic protocols ...

Prêt à Voter: a Systems Perspective

Numerous cryptographic voting schemes have been proposed in recent years. Many of these have highly desirable formal security properties. However, as with all security systems, even a well-designed technical system can be undermined by implementation details or environmental factors, typically including human users, that violate (often implicit) assumptions of the design and evaluation. In ‘Cry...

The Influence of Architectural Styles on Security, Using the Example of a Certification Authority

Often, security is considered in an advanced stage of the implementation of a system, rather than integrating it into the system design. This leads to less secure systems, as the security mechanisms are only applied as an afterthought and therefore do not integrate well with the rest of the design. Also, several statistics about discovered vulnerabilities in existing systems suggest that most ...

Automatic detection of DoS vulnerabilities of cryptographic protocols

In this article the subject of DoS vulnerabilities of cryptographic key establishment and authentication protocols is discussed. The system for computer-aided DoS protocol resistance analysis, which employs the Petri nets formalism and Spin model-checker, is presented.

Journal title:
  • IEEE Computer

Volume 31  Issue 

Pages  -

Publication date 1998