Once upon a time most people thought that RSA encryption was unbreakable, until a cryptographer demonstrated a plaintext-recovery attack. The attack, a.k.a. the million message attack, became an instant classic and is the root of all error-oracle attacks, including the padding oracle. It was 20 years ago.
There were a lot of criticisms of the Digital Signature Algorithm when it was introduced in the early 90s, but nobody actually came up with any concrete attacks, until a cryptographer demonstrated a private-key-recovery attack. The attack, which exploits a leakage of a fraction of a bit, became legendary, and still works against most naive implementations. It was 15 years ago.
Hal Finney, who was probably the person that designed or co-designed Bitcoin, was once excited about a signature-forging attack against RSA. The attack was discovered by a cryptographer, who developed an exploit using only paper and pencil. It turned out that the attack could be used to forge CA certificates, which could be used, you know, to own the Internet. It was 10 years ago.
Like it or not, people love rolling their own crypto. They read Bruce Schneier, and they know that being unable to break their own schemes themselves gives no security guarantee, so they go to StackOverflow and challenge random strangers on the Internet to prove them wrong. Most answers are usually just "OK, looks good to me," but every once in a while there's a cryptographer who'd reply with their secret keys. The cryptographer was upset because his answer didn't get the most upvotes, but he keeps coming back because he just can't stop breaking crypto. It was just last week, or perhaps, yesterday.
You might have guessed that I've been talking about the same cryptographer: Daniel Bleichenbacher. I don't know anyone else whose last name has almost become synonymous with the most creative crypto attacks.