Soft question: Examples where lack of mathematical rigour cause security breaches?Is the software that uses PGP broken, or is it PGP itself?Is using the same IV in AES similar to not using an IV in the first place?What is the relation between computational security and provable security?Setting protocol parameters to achieve concrete securityExact mathematical definition of simulation based security?Formal security of recycled random blinding in a Paillier schemeWhen did Kerckhoffs's principle become fully accepted in design and practice of modern ciphers?What level of security is provided when a Feistel Cipher is used as a round function of another Feistel Cipher?Examples of modern, widely used ciphers that suddenly fell?Relaxing Semi-Honest Security in Multiparty ComputationHow few cryptographic primitives can we use to derive all other constructions?What conditions does a provable secure cryptosystem satisfy?Leftover hash lemma-like without lossy functions
Should an arbiter claim draw at a K+R vs K+R endgame?
Give a short name / nick name to a printer in iOS?
What language is the software written in on the ISS?
Cross-dimension teleportation using command block or datapack?
Understanding the TeXlive release cycle: What is the meaning of a TeXlive release and is it ever 'finished'?
Why doesn't Adrian Toomes give up Spider-Man's identity?
Is it possible to 'live off the sea'
Can anyone identify this tank?
Can an Aarakocra use a shield while flying?
Can the poison from Kingsmen be concocted?
Is an early checkout possible at a hotel before its reception opens?
How to create a dictionary within a dictionary
Genetic limitations to learn certain instruments
Why would future John risk sending back a T-800 to save his younger self?
Does a 3rd-level Wolf Totem barbarian get advantage against enemies when an ally is within 5 feet of the enemy?
Confusion about off peak timings of London trains
What risks are there when you clear your cookies instead of logging off?
Was the Tamarian language in "Darmok" inspired by Jack Vance's "The Asutra"?
Avoiding cliches when writing gods
Was there a priest on the Titanic who stayed on the ship giving confession to as many as he could?
How to officially communicate to a non-responsive colleague?
When conversion from Integer to Single may lose precision
Is it a problem if <h4>, <h5> and <h6> are smaller than regular text?
What makes Ada the language of choice for the ISS's safety-critical systems?
Soft question: Examples where lack of mathematical rigour cause security breaches?
Is the software that uses PGP broken, or is it PGP itself?Is using the same IV in AES similar to not using an IV in the first place?What is the relation between computational security and provable security?Setting protocol parameters to achieve concrete securityExact mathematical definition of simulation based security?Formal security of recycled random blinding in a Paillier schemeWhen did Kerckhoffs's principle become fully accepted in design and practice of modern ciphers?What level of security is provided when a Feistel Cipher is used as a round function of another Feistel Cipher?Examples of modern, widely used ciphers that suddenly fell?Relaxing Semi-Honest Security in Multiparty ComputationHow few cryptographic primitives can we use to derive all other constructions?What conditions does a provable secure cryptosystem satisfy?Leftover hash lemma-like without lossy functions
$begingroup$
Cryptographic tools can often become adopted even when their security proofs lack mathematical rigour - or altogether missing.
Are there famous cases of security breaches in the industry, where the underlying cryptography was (up until then) considered secure?
provable-security history
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
$endgroup$
add a comment |
$begingroup$
Cryptographic tools can often become adopted even when their security proofs lack mathematical rigour - or altogether missing.
Are there famous cases of security breaches in the industry, where the underlying cryptography was (up until then) considered secure?
provable-security history
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
$endgroup$
add a comment |
$begingroup$
Cryptographic tools can often become adopted even when their security proofs lack mathematical rigour - or altogether missing.
Are there famous cases of security breaches in the industry, where the underlying cryptography was (up until then) considered secure?
provable-security history
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
$endgroup$
Cryptographic tools can often become adopted even when their security proofs lack mathematical rigour - or altogether missing.
Are there famous cases of security breaches in the industry, where the underlying cryptography was (up until then) considered secure?
provable-security history
provable-security history
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
edited 8 hours ago
Melafefon Chamutz
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
asked 9 hours ago
Melafefon ChamutzMelafefon Chamutz
2488
2488
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
The SSH protocol has a complicated record format with an encrypted message length, variable padding, encrypt-and-MAC, etc. This complicated system, which was designed without any formal analysis relating the security of the system to the security of the building blocks, turned out to be vulnerable to an attack (paywall-free) exploiting the MAC verification as an oracle for information about the plaintext, leading to plaintext recovery attacks on SSH in popular implementations like OpenSSH.
The OpenPGP protocol was designed by the ad hoc '90s-style composition of generic and poorly-understood public-key encryption and signature building blocks with no formal treatment for how they fit together.
The public-key encryption and signature schemes chosen in OpenPGP were designed without any formal analysis relating them to well-studied hard problems like the RSA problem or the discrete log problem, and it turned out that both the particular Elgamal signature scheme and RSA encryption scheme used by OpenPGP were problematic.
It is unclear to me whether these led to practical exploits on OpenPGP—except perhaps for the implementation error in GnuPG of using the same per-message secret for Elgamal signature and encryption, which illustrates the danger of proving a protocol secure without proving the code implements the protocol correctly.
The mechanism for combining fancy math primitives like RSA and standard symmetric cryptography to encrypt long messages in OpenPGP was designed without formal analysis relating them to the security of the building blocks, and it turned out they were exploitable in practice in real email clients in an attack dubbed EFAIL (my answer on it).
The SSL/TLS protocols have a long and sordid history of informal design, leading to a multitude of attacks:
- The Bleichenbacher RSAES-PKCS1-v1_5 padding oracle attack, which breaks an RSA-based encryption scheme designed without formal analysis, broke SSLv3 with RSA key agreement in 1998, and then broke it again in 2014 with the POODLE attack because of security-destroying protocol compatibility fallbacks, and then broke it again in 2018 with the ROBOT attack.
- The BEAST attack, which had been noted by Phil Rogaway in 2002 and documented in theory for SSL/TLS in 2004, exploited the failure of SSL/TLS to follow the security contract of CBC which requires the IV to be unpredictable in advance for each message—the protocol had deployed CBC without formal analysis of how the IV is chosen.
- The Lucky 13 attack (web site) recovers plaintext by using timing of padding verification as a CBC padding oracle, which arose from a CBC padding mechanism designed without even a simple-minded formal analysis of its timing characteristics.
- The TLS renegotiation attack exploited a complicated state machine in the TLS protocol involving key renegotiation and authentication, which was never formally analyzed for its security properties, to forge messages sent to a TLS peer without its notice.
These attacks are all on protocols that were designed by ad hoc engineering without formal analysis guaranteeing the security of the protocol relative to the security of its building blocks. But the primitive building blocks—like $x^3 bmodpq$, cubing modulo a product of secret primes; like $g^x bmod p$, exponentiation of a standard base modulo a safe prime; like the AES-256 permutation family; like the Keccak permutation—don't have formal analysis guaranteeing their security relative to anything. What gives?
The formal analysis or provable security for protocols, which consists of theorems relating security of a protocol to security of its building blocks, is only one part of a global sociological system for getting confidence in security of cryptography:
The reason we suspect the RSA problem is hard is that some of the smartest cryptanalysts on the planet have had strong motivation to study it for decades, and they have left a track record of decades of failure to find any way to break (say) RSA-2048 at cost less than $2^100$ per key. The same goes for discrete logs in certain groups, for AES-256, etc.
The formal analysis of a protocol using RSA and AES enables the cryptanalysts to focus their effort so they don't have to waste time studying SSH, studying OpenPGP, studying SSLv3, studying TLS, studying WPA, etc., to find whether there's some way to break those protocols. If the formal analysis is done well enough, the cryptanalysts can spend their effort on a small number of primitives, and the more effort they spend failing to break those primitives, the more confidence we have in the primitives and everything built on them.
Protocols like SSH, OpenPGP, SSL/TLS, etc., without formal analysis, are a colossal waste by society of the world's supply of cryptanalysts. Formal analysis enables much more efficient use of the world's resources—and it would have paid off, because all of the above attacks could have been caught by studying the formal security properties of all the protocols involved, and in most cases the analysis is not actually that hard.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
$endgroup$
add a comment |
$begingroup$
Two well known candidates are md5 and DES.
In general, I think if there is no security proof, we should for all intents and purposes, consider it insecure and not roll it out.
Edit: Squeemish made a good point in that RSA/AES/Keccak do not have security proofs. With this, I have taken a softer stance in that we should avoid rolling out implementations which have not been proven secure.
By rolling out, I am referring to initially rolling out. If it’s already in the wild at this moment, then it is too late.
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned saysDES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.
$endgroup$
– Ella Rose♦
8 hours ago
|
show 1 more comment
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71024%2fsoft-question-examples-where-lack-of-mathematical-rigour-cause-security-breache%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
The SSH protocol has a complicated record format with an encrypted message length, variable padding, encrypt-and-MAC, etc. This complicated system, which was designed without any formal analysis relating the security of the system to the security of the building blocks, turned out to be vulnerable to an attack (paywall-free) exploiting the MAC verification as an oracle for information about the plaintext, leading to plaintext recovery attacks on SSH in popular implementations like OpenSSH.
The OpenPGP protocol was designed by the ad hoc '90s-style composition of generic and poorly-understood public-key encryption and signature building blocks with no formal treatment for how they fit together.
The public-key encryption and signature schemes chosen in OpenPGP were designed without any formal analysis relating them to well-studied hard problems like the RSA problem or the discrete log problem, and it turned out that both the particular Elgamal signature scheme and RSA encryption scheme used by OpenPGP were problematic.
It is unclear to me whether these led to practical exploits on OpenPGP—except perhaps for the implementation error in GnuPG of using the same per-message secret for Elgamal signature and encryption, which illustrates the danger of proving a protocol secure without proving the code implements the protocol correctly.
The mechanism for combining fancy math primitives like RSA and standard symmetric cryptography to encrypt long messages in OpenPGP was designed without formal analysis relating them to the security of the building blocks, and it turned out they were exploitable in practice in real email clients in an attack dubbed EFAIL (my answer on it).
The SSL/TLS protocols have a long and sordid history of informal design, leading to a multitude of attacks:
- The Bleichenbacher RSAES-PKCS1-v1_5 padding oracle attack, which breaks an RSA-based encryption scheme designed without formal analysis, broke SSLv3 with RSA key agreement in 1998, and then broke it again in 2014 with the POODLE attack because of security-destroying protocol compatibility fallbacks, and then broke it again in 2018 with the ROBOT attack.
- The BEAST attack, which had been noted by Phil Rogaway in 2002 and documented in theory for SSL/TLS in 2004, exploited the failure of SSL/TLS to follow the security contract of CBC which requires the IV to be unpredictable in advance for each message—the protocol had deployed CBC without formal analysis of how the IV is chosen.
- The Lucky 13 attack (web site) recovers plaintext by using timing of padding verification as a CBC padding oracle, which arose from a CBC padding mechanism designed without even a simple-minded formal analysis of its timing characteristics.
- The TLS renegotiation attack exploited a complicated state machine in the TLS protocol involving key renegotiation and authentication, which was never formally analyzed for its security properties, to forge messages sent to a TLS peer without its notice.
These attacks are all on protocols that were designed by ad hoc engineering without formal analysis guaranteeing the security of the protocol relative to the security of its building blocks. But the primitive building blocks—like $x^3 bmodpq$, cubing modulo a product of secret primes; like $g^x bmod p$, exponentiation of a standard base modulo a safe prime; like the AES-256 permutation family; like the Keccak permutation—don't have formal analysis guaranteeing their security relative to anything. What gives?
The formal analysis or provable security for protocols, which consists of theorems relating security of a protocol to security of its building blocks, is only one part of a global sociological system for getting confidence in security of cryptography:
The reason we suspect the RSA problem is hard is that some of the smartest cryptanalysts on the planet have had strong motivation to study it for decades, and they have left a track record of decades of failure to find any way to break (say) RSA-2048 at cost less than $2^100$ per key. The same goes for discrete logs in certain groups, for AES-256, etc.
The formal analysis of a protocol using RSA and AES enables the cryptanalysts to focus their effort so they don't have to waste time studying SSH, studying OpenPGP, studying SSLv3, studying TLS, studying WPA, etc., to find whether there's some way to break those protocols. If the formal analysis is done well enough, the cryptanalysts can spend their effort on a small number of primitives, and the more effort they spend failing to break those primitives, the more confidence we have in the primitives and everything built on them.
Protocols like SSH, OpenPGP, SSL/TLS, etc., without formal analysis, are a colossal waste by society of the world's supply of cryptanalysts. Formal analysis enables much more efficient use of the world's resources—and it would have paid off, because all of the above attacks could have been caught by studying the formal security properties of all the protocols involved, and in most cases the analysis is not actually that hard.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
$endgroup$
add a comment |
$begingroup$
The SSH protocol has a complicated record format with an encrypted message length, variable padding, encrypt-and-MAC, etc. This complicated system, which was designed without any formal analysis relating the security of the system to the security of the building blocks, turned out to be vulnerable to an attack (paywall-free) exploiting the MAC verification as an oracle for information about the plaintext, leading to plaintext recovery attacks on SSH in popular implementations like OpenSSH.
The OpenPGP protocol was designed by the ad hoc '90s-style composition of generic and poorly-understood public-key encryption and signature building blocks with no formal treatment for how they fit together.
The public-key encryption and signature schemes chosen in OpenPGP were designed without any formal analysis relating them to well-studied hard problems like the RSA problem or the discrete log problem, and it turned out that both the particular Elgamal signature scheme and RSA encryption scheme used by OpenPGP were problematic.
It is unclear to me whether these led to practical exploits on OpenPGP—except perhaps for the implementation error in GnuPG of using the same per-message secret for Elgamal signature and encryption, which illustrates the danger of proving a protocol secure without proving the code implements the protocol correctly.
The mechanism for combining fancy math primitives like RSA and standard symmetric cryptography to encrypt long messages in OpenPGP was designed without formal analysis relating them to the security of the building blocks, and it turned out they were exploitable in practice in real email clients in an attack dubbed EFAIL (my answer on it).
The SSL/TLS protocols have a long and sordid history of informal design, leading to a multitude of attacks:
- The Bleichenbacher RSAES-PKCS1-v1_5 padding oracle attack, which breaks an RSA-based encryption scheme designed without formal analysis, broke SSLv3 with RSA key agreement in 1998, and then broke it again in 2014 with the POODLE attack because of security-destroying protocol compatibility fallbacks, and then broke it again in 2018 with the ROBOT attack.
- The BEAST attack, which had been noted by Phil Rogaway in 2002 and documented in theory for SSL/TLS in 2004, exploited the failure of SSL/TLS to follow the security contract of CBC which requires the IV to be unpredictable in advance for each message—the protocol had deployed CBC without formal analysis of how the IV is chosen.
- The Lucky 13 attack (web site) recovers plaintext by using timing of padding verification as a CBC padding oracle, which arose from a CBC padding mechanism designed without even a simple-minded formal analysis of its timing characteristics.
- The TLS renegotiation attack exploited a complicated state machine in the TLS protocol involving key renegotiation and authentication, which was never formally analyzed for its security properties, to forge messages sent to a TLS peer without its notice.
These attacks are all on protocols that were designed by ad hoc engineering without formal analysis guaranteeing the security of the protocol relative to the security of its building blocks. But the primitive building blocks—like $x^3 bmodpq$, cubing modulo a product of secret primes; like $g^x bmod p$, exponentiation of a standard base modulo a safe prime; like the AES-256 permutation family; like the Keccak permutation—don't have formal analysis guaranteeing their security relative to anything. What gives?
The formal analysis or provable security for protocols, which consists of theorems relating security of a protocol to security of its building blocks, is only one part of a global sociological system for getting confidence in security of cryptography:
The reason we suspect the RSA problem is hard is that some of the smartest cryptanalysts on the planet have had strong motivation to study it for decades, and they have left a track record of decades of failure to find any way to break (say) RSA-2048 at cost less than $2^100$ per key. The same goes for discrete logs in certain groups, for AES-256, etc.
The formal analysis of a protocol using RSA and AES enables the cryptanalysts to focus their effort so they don't have to waste time studying SSH, studying OpenPGP, studying SSLv3, studying TLS, studying WPA, etc., to find whether there's some way to break those protocols. If the formal analysis is done well enough, the cryptanalysts can spend their effort on a small number of primitives, and the more effort they spend failing to break those primitives, the more confidence we have in the primitives and everything built on them.
Protocols like SSH, OpenPGP, SSL/TLS, etc., without formal analysis, are a colossal waste by society of the world's supply of cryptanalysts. Formal analysis enables much more efficient use of the world's resources—and it would have paid off, because all of the above attacks could have been caught by studying the formal security properties of all the protocols involved, and in most cases the analysis is not actually that hard.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
$endgroup$
add a comment |
$begingroup$
The SSH protocol has a complicated record format with an encrypted message length, variable padding, encrypt-and-MAC, etc. This complicated system, which was designed without any formal analysis relating the security of the system to the security of the building blocks, turned out to be vulnerable to an attack (paywall-free) exploiting the MAC verification as an oracle for information about the plaintext, leading to plaintext recovery attacks on SSH in popular implementations like OpenSSH.
The OpenPGP protocol was designed by the ad hoc '90s-style composition of generic and poorly-understood public-key encryption and signature building blocks with no formal treatment for how they fit together.
The public-key encryption and signature schemes chosen in OpenPGP were designed without any formal analysis relating them to well-studied hard problems like the RSA problem or the discrete log problem, and it turned out that both the particular Elgamal signature scheme and RSA encryption scheme used by OpenPGP were problematic.
It is unclear to me whether these led to practical exploits on OpenPGP—except perhaps for the implementation error in GnuPG of using the same per-message secret for Elgamal signature and encryption, which illustrates the danger of proving a protocol secure without proving the code implements the protocol correctly.
The mechanism for combining fancy math primitives like RSA and standard symmetric cryptography to encrypt long messages in OpenPGP was designed without formal analysis relating them to the security of the building blocks, and it turned out they were exploitable in practice in real email clients in an attack dubbed EFAIL (my answer on it).
The SSL/TLS protocols have a long and sordid history of informal design, leading to a multitude of attacks:
- The Bleichenbacher RSAES-PKCS1-v1_5 padding oracle attack, which breaks an RSA-based encryption scheme designed without formal analysis, broke SSLv3 with RSA key agreement in 1998, and then broke it again in 2014 with the POODLE attack because of security-destroying protocol compatibility fallbacks, and then broke it again in 2018 with the ROBOT attack.
- The BEAST attack, which had been noted by Phil Rogaway in 2002 and documented in theory for SSL/TLS in 2004, exploited the failure of SSL/TLS to follow the security contract of CBC which requires the IV to be unpredictable in advance for each message—the protocol had deployed CBC without formal analysis of how the IV is chosen.
- The Lucky 13 attack (web site) recovers plaintext by using timing of padding verification as a CBC padding oracle, which arose from a CBC padding mechanism designed without even a simple-minded formal analysis of its timing characteristics.
- The TLS renegotiation attack exploited a complicated state machine in the TLS protocol involving key renegotiation and authentication, which was never formally analyzed for its security properties, to forge messages sent to a TLS peer without its notice.
These attacks are all on protocols that were designed by ad hoc engineering without formal analysis guaranteeing the security of the protocol relative to the security of its building blocks. But the primitive building blocks—like $x^3 bmodpq$, cubing modulo a product of secret primes; like $g^x bmod p$, exponentiation of a standard base modulo a safe prime; like the AES-256 permutation family; like the Keccak permutation—don't have formal analysis guaranteeing their security relative to anything. What gives?
The formal analysis or provable security for protocols, which consists of theorems relating security of a protocol to security of its building blocks, is only one part of a global sociological system for getting confidence in security of cryptography:
The reason we suspect the RSA problem is hard is that some of the smartest cryptanalysts on the planet have had strong motivation to study it for decades, and they have left a track record of decades of failure to find any way to break (say) RSA-2048 at cost less than $2^100$ per key. The same goes for discrete logs in certain groups, for AES-256, etc.
The formal analysis of a protocol using RSA and AES enables the cryptanalysts to focus their effort so they don't have to waste time studying SSH, studying OpenPGP, studying SSLv3, studying TLS, studying WPA, etc., to find whether there's some way to break those protocols. If the formal analysis is done well enough, the cryptanalysts can spend their effort on a small number of primitives, and the more effort they spend failing to break those primitives, the more confidence we have in the primitives and everything built on them.
Protocols like SSH, OpenPGP, SSL/TLS, etc., without formal analysis, are a colossal waste by society of the world's supply of cryptanalysts. Formal analysis enables much more efficient use of the world's resources—and it would have paid off, because all of the above attacks could have been caught by studying the formal security properties of all the protocols involved, and in most cases the analysis is not actually that hard.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
$endgroup$
The SSH protocol has a complicated record format with an encrypted message length, variable padding, encrypt-and-MAC, etc. This complicated system, which was designed without any formal analysis relating the security of the system to the security of the building blocks, turned out to be vulnerable to an attack (paywall-free) exploiting the MAC verification as an oracle for information about the plaintext, leading to plaintext recovery attacks on SSH in popular implementations like OpenSSH.
The OpenPGP protocol was designed by the ad hoc '90s-style composition of generic and poorly-understood public-key encryption and signature building blocks with no formal treatment for how they fit together.
The public-key encryption and signature schemes chosen in OpenPGP were designed without any formal analysis relating them to well-studied hard problems like the RSA problem or the discrete log problem, and it turned out that both the particular Elgamal signature scheme and RSA encryption scheme used by OpenPGP were problematic.
It is unclear to me whether these led to practical exploits on OpenPGP—except perhaps for the implementation error in GnuPG of using the same per-message secret for Elgamal signature and encryption, which illustrates the danger of proving a protocol secure without proving the code implements the protocol correctly.
The mechanism for combining fancy math primitives like RSA and standard symmetric cryptography to encrypt long messages in OpenPGP was designed without formal analysis relating them to the security of the building blocks, and it turned out they were exploitable in practice in real email clients in an attack dubbed EFAIL (my answer on it).
The SSL/TLS protocols have a long and sordid history of informal design, leading to a multitude of attacks:
- The Bleichenbacher RSAES-PKCS1-v1_5 padding oracle attack, which breaks an RSA-based encryption scheme designed without formal analysis, broke SSLv3 with RSA key agreement in 1998, and then broke it again in 2014 with the POODLE attack because of security-destroying protocol compatibility fallbacks, and then broke it again in 2018 with the ROBOT attack.
- The BEAST attack, which had been noted by Phil Rogaway in 2002 and documented in theory for SSL/TLS in 2004, exploited the failure of SSL/TLS to follow the security contract of CBC which requires the IV to be unpredictable in advance for each message—the protocol had deployed CBC without formal analysis of how the IV is chosen.
- The Lucky 13 attack (web site) recovers plaintext by using timing of padding verification as a CBC padding oracle, which arose from a CBC padding mechanism designed without even a simple-minded formal analysis of its timing characteristics.
- The TLS renegotiation attack exploited a complicated state machine in the TLS protocol involving key renegotiation and authentication, which was never formally analyzed for its security properties, to forge messages sent to a TLS peer without its notice.
These attacks are all on protocols that were designed by ad hoc engineering without formal analysis guaranteeing the security of the protocol relative to the security of its building blocks. But the primitive building blocks—like $x^3 bmodpq$, cubing modulo a product of secret primes; like $g^x bmod p$, exponentiation of a standard base modulo a safe prime; like the AES-256 permutation family; like the Keccak permutation—don't have formal analysis guaranteeing their security relative to anything. What gives?
The formal analysis or provable security for protocols, which consists of theorems relating security of a protocol to security of its building blocks, is only one part of a global sociological system for getting confidence in security of cryptography:
The reason we suspect the RSA problem is hard is that some of the smartest cryptanalysts on the planet have had strong motivation to study it for decades, and they have left a track record of decades of failure to find any way to break (say) RSA-2048 at cost less than $2^100$ per key. The same goes for discrete logs in certain groups, for AES-256, etc.
The formal analysis of a protocol using RSA and AES enables the cryptanalysts to focus their effort so they don't have to waste time studying SSH, studying OpenPGP, studying SSLv3, studying TLS, studying WPA, etc., to find whether there's some way to break those protocols. If the formal analysis is done well enough, the cryptanalysts can spend their effort on a small number of primitives, and the more effort they spend failing to break those primitives, the more confidence we have in the primitives and everything built on them.
Protocols like SSH, OpenPGP, SSL/TLS, etc., without formal analysis, are a colossal waste by society of the world's supply of cryptanalysts. Formal analysis enables much more efficient use of the world's resources—and it would have paid off, because all of the above attacks could have been caught by studying the formal security properties of all the protocols involved, and in most cases the analysis is not actually that hard.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
26.7k142120
26.7k142120
add a comment |
add a comment |
$begingroup$
Two well known candidates are md5 and DES.
In general, I think if there is no security proof, we should for all intents and purposes, consider it insecure and not roll it out.
Edit: Squeemish made a good point in that RSA/AES/Keccak do not have security proofs. With this, I have taken a softer stance in that we should avoid rolling out implementations which have not been proven secure.
By rolling out, I am referring to initially rolling out. If it’s already in the wild at this moment, then it is too late.
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned saysDES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.
$endgroup$
– Ella Rose♦
8 hours ago
|
show 1 more comment
$begingroup$
Two well known candidates are md5 and DES.
In general, I think if there is no security proof, we should for all intents and purposes, consider it insecure and not roll it out.
Edit: Squeemish made a good point in that RSA/AES/Keccak do not have security proofs. With this, I have taken a softer stance in that we should avoid rolling out implementations which have not been proven secure.
By rolling out, I am referring to initially rolling out. If it’s already in the wild at this moment, then it is too late.
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned saysDES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.
$endgroup$
– Ella Rose♦
8 hours ago
|
show 1 more comment
$begingroup$
Two well known candidates are md5 and DES.
In general, I think if there is no security proof, we should for all intents and purposes, consider it insecure and not roll it out.
Edit: Squeemish made a good point in that RSA/AES/Keccak do not have security proofs. With this, I have taken a softer stance in that we should avoid rolling out implementations which have not been proven secure.
By rolling out, I am referring to initially rolling out. If it’s already in the wild at this moment, then it is too late.
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$endgroup$
Two well known candidates are md5 and DES.
In general, I think if there is no security proof, we should for all intents and purposes, consider it insecure and not roll it out.
Edit: Squeemish made a good point in that RSA/AES/Keccak do not have security proofs. With this, I have taken a softer stance in that we should avoid rolling out implementations which have not been proven secure.
By rolling out, I am referring to initially rolling out. If it’s already in the wild at this moment, then it is too late.
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
edited 8 hours ago
answered 9 hours ago
user679128user679128
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
answered 9 hours ago
user679128user679128
192
answered 9 hours ago
user679128user679128
192
192
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
New contributor
user679128 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned saysDES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.
$endgroup$
– Ella Rose♦
8 hours ago
|
show 1 more comment
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned saysDES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.
$endgroup$
– Ella Rose♦
8 hours ago
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
$begingroup$
In the case of ecdsa, I believe we have one for the bijective random oracle model
$endgroup$
– user679128
8 hours ago
1
1
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
$begingroup$
There's no security proof for the RSA problem, for the discrete log problem in RFC 3526 Group #14 or in Curve25519, for AES, for Keccak—should we avoid rolling those out and anything that depends on them?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
1
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
$begingroup$
@SqueamishOssifrage good point. It’s a bit too late now. I should have a softer stance and say that we should avoid rolling out implementations that do not have security proofs, whenever possible. I don’t have enough historical context to argue on whether the decision to roll those out was wise at that time . Although empirical evidence is on our side
$endgroup$
– user679128
8 hours ago
1
1
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
$begingroup$
Can you name a single practical cryptosystem in use that has a ‘security proof’ all the way down, not just bottoming out at (say) the RSA problem or the discrete log problem in a particular group or AES pseudorandomness or Keccak indifferentiability?
$endgroup$
– Squeamish Ossifrage
8 hours ago
1
1
$begingroup$
@A.Hersean The same wikipedia article you mentioned says
DES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.$endgroup$
– Ella Rose♦
8 hours ago
$begingroup$
@A.Hersean The same wikipedia article you mentioned says
DES has been considered insecure right from the start because of the feasilibity of brute-force attacks. Diffie and Hellman published a paper in 1977 showing that DES could be broken in a single day, without even needing to use any real cryptanalysis. Just because there are worse attacks doesn't mean that it is secure.$endgroup$
– Ella Rose♦
8 hours ago
|
show 1 more comment
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f71024%2fsoft-question-examples-where-lack-of-mathematical-rigour-cause-security-breache%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
