Security Newsletter 22 is available

The Security Newsletter 22 is available. We are proud to have Joan DAEMEN as our guest. Joan is one of the authors of KECCAK, the algorithm selected by NIST to become the official SHA-3 function. Mohamed presents this new hash function. SSL is the most widely deployed security protocol on the Internet, so it is highly scrutinized by the community: Olivier, Christoph and Benoit take a deep dive into the latest attacks against SSL.

We hope that you will enjoy reading it. Do not hesitate to comment.

SHA-3 is born

In 2005, the first serious attacks on the widely used hash function SHA-1 were published. Researchers were able to generate collisions. The newer generation, SHA-2, was also considered prone to these attacks. In 2007, NIST launched a contest to select the replacement algorithm. In the first round, there were 63 submissions. The second round kept only five algorithms. On Tuesday, NIST announced the winner: KECCAK.

KECCAK was designed by researchers from STMicroelectronics and NXP. According to NIST, KECCAK won because it is elegantly simple and offers higher performance in hardware implementations than the other competitors. As SHA-3 is expected to be used in many lightweight embedded devices (smart dust, intelligent sensors, RFID…), this was a strong asset. It is no surprise that its design was optimized for hardware: its four designers work for companies that design such chipsets. STMicroelectronics is one of the leaders in secure components for smart cards, whereas NXP is the leader in NFC. Another interesting argument is that, since KECCAK relies on totally different principles from SHA-2, attacks that work on SHA-2 will most likely not work on SHA-3.

On September 24, 2012, Bruce Schneier, one of the five finalists with his Skein algorithm, called for a "no award". SHA-512 is still secure and should remain so for many years. Thus, according to him, there was no need to switch to another algorithm.

In its announcement of the winner, NIST confirmed that

SHA-2 has held up well and NIST considers SHA-2 to be secure and suitable for general use.

So do not be alarmed if you still find SHA-2 in designs for the coming years. We're safe. It will take several years to tame this new algorithm. Nevertheless, NIST considers that having a successor ready for SHA-2, should it ever weaken, is a good insurance policy.

Securing Digital Video: the text is final and frozen

About one year ago, I informed you that the final draft of my book had been sent to Springer, my publisher. Today, a new step: after several copy-editing rounds, the text is final. We now enter the last stage: layout and printing. In other words, the book should be available in stores soon (before the end of this quarter).

The book will have inserts entitled "Devil's in the Details". These short sections dive deeply into some nasty details that highlight the difference between theoretical schemes and actually robust security. For instance, you will learn some details on the Black Sunday, or on how AACS was hacked.

I will keep you informed about the next steps.

DPA contest V2

Since the seminal work of Paul KOCHER (founder of CRI), side channel attacks have challenged many cryptographers and implementers. In a nutshell, side channel attacks use side information to guess secret keys. A simplified explanation: imagine that your AES implementation takes longer when processing a "1" bit of the secret key than a "0" bit; by measuring the processing time, you may guess the secret key without any intrusion. This is called a timing attack. Other side channel information is available too, such as power consumption, electromagnetic emanations, and so on. Side channel attacks are devastating.

There is no standard way to compare the efficiency of different side channel attacks. Under the initiative of Télécom ParisTech, the DPA contest aims to benchmark these attacks.

The second edition, DPA contest V2, allows different teams to compare their respective Differential Power Analysis (DPA) attacks against an unprotected AES implementation. Results will be presented at an upcoming crypto conference.

Will Quantum cryptography become mainstream?

Siemens SIS has teamed up with the Swiss company id Quantique to offer quantum-cryptography-protected key exchange over dark fiber. (See "id Quantique and Siemens collaborate to commercialize Quantum Key Distribution in the Netherlands".)

Quantum cryptography has the intrinsic property of being robust against eavesdropping. According to Heisenberg, observing an electron changes its spin. This makes interception (in theory) impossible, and thus the exchange extremely secure.

It is one of the first large-scale commercial initiatives. The offer is currently limited to the Netherlands and costs about $80,000 for a pair of boxes. Thus, it is not yet meant to protect your personal e-mail.

But, the future is coming nearer.

Is SSL still secure?

I know that the title is somewhat provocative. Nevertheless, the current system of certificates, and more precisely the way browsers handle them, presents some weaknesses.

In security newsletter N°12, Mohamed Karroumi explained the latest attacks using forged MD5 certificates to mount a man-in-the-middle attack. The designers of the attack were Alexander SOTIROV and Mike ZUSMAN. At that time, the countermeasure seemed simple: stop using MD5 certificates.

At the latest Black Hat (2009), the same researchers disclosed a new attack that bypasses this protection. The Extended Validation (EV) certificate standard was designed to make certificate issuance more secure (no simple online application…) and also banned RSA 1024 and MD5. Thus, we could believe that a site using an EV certificate should be safe against the MD5-based man-in-the-middle attack. They demonstrated that this is wrong. In fact, most browsers accept starting a session with an EV certificate and continuing it with a non-EV certificate. Game over. SOTIROV and ZUSMAN showed the actual attack at the conference.

The countermeasure is not simple if a smooth deployment is expected, unless it is possible to ban ALL MD5 certificates. Maybe some news in our next newsletter.

NIST SHA3 and buffer overflows

Several months ago, NIST launched the public challenge to define SHA-3, the successor of SHA-1. All 42 contenders had to submit the description of their algorithm together with a C reference implementation.
The tool supplier Fortify decided to analyze these implementations. They ran their source code analyzer on these reference implementations. Guess what? They found some common mistakes, such as buffer overflows. See the report. But most implementations were excellent.

The fact that the implementations had weaknesses does not mean that the algorithm itself is weak. But we may learn two lessons:

  • As we all know, writing a secure implementation of an algorithm is a difficult task. And Fortify did not test the robustness against attacks, just the programming errors.
  • Using software testing tools such as static analyzers, memory managers, … is MANDATORY when developing software for security. It will not eliminate all the weaknesses, but it at least avoids some basic ones.
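As an added illustration of the kind of defect such a scan is meant to catch (hypothetical toy code written for this newsletter, not taken from the Fortify report or from any SHA-3 submission), here is a sponge-style Update routine whose fixed block buffer overflows when a caller passes more input than fits, beside a bounded version of the same routine:

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical toy "sponge" context, constructed for this example; it is not
 * Keccak and not any SHA-3 candidate's reference code. Input is gathered in a
 * fixed RATE-byte block and "absorbed" (XORed into the state) once it is full. */
#define RATE 16

typedef struct {
    uint8_t state[RATE];  /* toy state: XOR of all absorbed blocks */
    uint8_t block[RATE];  /* pending input not yet absorbed */
    size_t  fill;         /* bytes currently held in block[] */
} toy_ctx;

static void toy_init(toy_ctx *c) { memset(c, 0, sizeof *c); }

static void absorb_block(toy_ctx *c) {
    for (size_t i = 0; i < RATE; i++) c->state[i] ^= c->block[i];
    c->fill = 0;
}

/* Defective pattern of the kind a static analyser flags: the whole input is
 * copied into block[] on the assumption that callers never exceed the free
 * space. With fill == 0, a 17-byte input writes one byte past block[]. */
static void toy_update_unchecked(toy_ctx *c, const uint8_t *in, size_t len) {
    memcpy(c->block + c->fill, in, len);   /* len is never bounded */
    c->fill += len;
    if (c->fill == RATE) absorb_block(c);
}

/* Corrected version: consume the input in chunks no larger than the space
 * left in block[], absorbing each time the block fills up. */
static void toy_update(toy_ctx *c, const uint8_t *in, size_t len) {
    while (len > 0) {
        size_t space = RATE - c->fill;
        size_t n = len < space ? len : space;
        memcpy(c->block + c->fill, in, n);
        c->fill += n; in += n; len -= n;
        if (c->fill == RATE) absorb_block(c);
    }
}

/* How many bytes the unchecked version would write past the end of block[]
 * for a call with `fill` bytes pending and `len` bytes of new input. */
static size_t overflow_bytes(size_t fill, size_t len) {
    return fill + len > RATE ? fill + len - RATE : 0;
}
```

Feeding the unchecked routine anything larger than the free space is exactly the out-of-bounds write a static analyzer or an instrumented memory manager reports; the bounded loop is the usual shape of a correct Update.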