Schneier on Security

Clive Robinson • September 21, 2023 7:45 PM

@ Wannabe Techguy,

Sorry auto-mod has struck again so…

Part 1,

Re : NSA and NIST

“And yet I’ve been told, right here, that NIST could be trusted.”

It’s a long and realy quite sordid story of how the NSA abuses their charter because people in political positions have been fed what is effectively false information.

Clive Robinson • September 21, 2023 7:56 PM

@ Wannabe Techguy,

Part 3,

As we now know the NSA not only did not tell NIST the facts of what they were doing.

Clive Robinson • September 21, 2023 8:05 PM

@ Wannabe Techguy,

Part 6,

Similar nonsense has happened in Europe with ETSI and their SAGE group and certain European crypto standards that go into all GSM phones and many digital two way radios.

Years ago I had involvment with standards and if you knew as I did you could watch the various nations “Sig Int Agencies” actively “tag teaming” each other.

As I’ve said before the usuall trick was to frame it in terms of “Health and Safety” such that anyone who tried to oppose their nonsense got treated to a variation of “think of the children” with the implication that you were a dispicable person not just unworthy but unfit to sit on a standards committee.

Clive Robinson • September 22, 2023 5:35 AM

@ fib, ALL,

Re Anonymization Software

“It would be really interesting if the major distros shipped anonymization software by default.”

You left out the important bit of,

“and enabled it as the default connection method”

Otherwise the “intent” problem comes back again.

Many view the “HTTPS by default” campaign as a success. The reality is that it was not realy ever an “end user choice”, but a “content peovider” choice.

The ability to use HTTPS was long built in to nearly every commonly used way to access on-line resources but it was not being used for various reasons. It was only when the snowball was pushed hard enough that it started rolling down the mountain.

Anonymization software thus needs to be,

1, On and enabled on every PC by default.
2, Given a sufficient push.

Once over a tipping point it’s usage will become acceptable, but not otherwise.

Clive Robinson • September 22, 2023 5:25 PM

@ Winter,

“FUD, I would say.”

That’s an opinion about your jurisdiction made in your jurisdiction which is in “Continental Europe” and based on a quite different jurisprudence history that eminated from the English legal system that underlies the various WASP and Comenwealth nations jurisdiction behaviours.

What you need to realise is that in the US there are “appointed” Federal judges with life long tenure,

https://www.nbcnews.com/politics/politics-news/us-appeals-judge-96-suspended-rare-clash-fitness-rcna111314

Whilst in other places/States judges are elected, and where in some you need no qualifications of any form to hold the position of a judge or Sherif, as long as the “relevant” citizens are prepared to vote for you…

This “relevant” voting is as true for “appointed” Federal judges as it is for “elected” state judges as you can see in,

https://www.theatlantic.com/ideas/archive/2023/09/federal-judiciary-biden-court-appointments/675336/

And why the current Federal judges are almost alien to the US population denographics,

https://www.theatlantic.com/ideas/archive/2020/10/americas-judiciary-doesnt-look-like-america/616692/

So judges, sheriffs, and prosecutors who do not get elected for life, are often way more mindfull of “voter bias” and firting in with it than they realy should be. But even those who have tenure are still very mindfull of how they are seen politically as they can be selected for higher positions. Likewise those who aspire to such tenure, are keen to appear to be correct not just politicaly but by religion as well…

But also factor into the equation the US actually has litle to no real notion of “presumed inocence”. With local and main stream media running “trial by media” vigilantism / witchhunts on an almost continuous basis like a debased form of Roman Circus. So judged in the public eye on incompleate thus biased information and hearsay prior to an actual court trial… So even jurors are pre-biased by the media nonsense, thus fair trials are not exactly an expected outcome in the US judicial system. And this appears to be supported by the US conviction statistics.

Clive Robinson • September 28, 2023 11:22 PM

@ RobertT,

“How would you ever get away with hiding backdoors on a chip?”

Depends on what you mean by “back-door”.

The allegation is apparebtly that “the standard was back-doored” like the Dual EC-DRBG that the NSA pushed into a NIST standard.

We know for a fact that ETSI had regularly issued under NDA “oh so secret” crypto algorithms for over thirty years under direct “French influance” and design. To be used in Cordless and Mobile Phones, Private Mobile Radio”(PMR) and other commercial communications systems. Especially anything that might be used “internationally” (look up A5/1 abd A5/2 as a starting point).

ETSI’s excuse, “it was a long time ago and it was to meet US requirments for weakend crypto” (yet they were still doing it after “Crypto Wars I” was over under the Clinton Administration).

So with regards,

1, Wouldn’t every junior engineer that even glanced at the code/database see the intentional vulnerabilities?

Maybe if they were very smart enough to spot an algorith trick as in the NSA Dual EC-DRBG, or the fact that there were two switched algorithms in “the standard”. But as they would be “working to standard” it would not be in most engineers employability interests to say anything.

2, How would you ever get away with hiding backdoors on a chip?

The same as with point 1.

3, What would you do with such a backdoor if it existed?

Well the French we know use the weak crypto to spy for “economic advantage”. Many years ago the head of their secret service admitted that such spying was less costly than R&D.

4, I mean the code still has to run correctly, so what’s the point of the “backdooring” at the chip level?

As it’s in the “standard” it is going to work correctly, so the weak crypto “for privacy” in the over the air interface can be either selectively or on mass be turned on to make spying on citizens and companies “Oh so easy”.

5, Which chip functions would you try to backdoor?

The same ones as the NSA and ETSI have already “back-doored”

A, The RNG used for keys, IVs, nonces and similar to take the actual entropy down from say 128bits equivalent to maybe 20bits equivalent. So enough entropy to keep those “not in the know” out, but in reality so little that it can be brut forced in nearly “real time”.

B, Make the crypto algorithm or the mode algorithm it’s used in only 40bits equivalent.

As I said it rather depends on what you consider a “back-door” to be… But we know there are effectively two types

1, Those that are official and in standards or protocols.
2, Those that are unofficial and used like “covert side channels” effectively “riding in the wake” of what appears to be secure.

An exanple of the second was the NSA conning NIST in the AES competition. Whilst the AES algorithm is CS theoretically, in a practical implementation it can be disastrously weak due to time based side channels. The faster / more efficient you make AES in hardware or software the worse the time based side channels have been.

Adam Young and Moti Yung, showed that there is so much redundancy in PubKey crypto that you can put in a covert channel that can be used to prime a brut force search on one of the primes. Thus reduce factoring to seconds or minutes rather than “more than the life of the universe”. Worse it’s a covert channel you can not show the existance for if you only have either the Public or Private keys or even both…

But as I’ve mentioned before to show just how usless “code reviews” are, I back-doored an encryption product that sent “serial data”… As you know ASCII is seven bit and the eight bit can be “none / even / odd” parity. Well that “parity bit” is redundant or can be easily made so, which means it becomes available as a “side channel”. Litter the source code with comments about how a “known bit” can be used to break a stream generator and pull a fast one[1] with regards “randomly filling” the parity bit in the cipher text so infact you send out the equivalent of a LFSR modulated with the key…

I’ve not tried it but I suspect that certain “hardware description languages”(HDLs) like verilog are going to have similar “tricks” that will end up in the “Register Transfer Logic”(RTL) that synthesizes the actual hardware. The question is will it pass under peoples noses…

But also in sufficiently complex designs “macros” will get “bought in” and will get treated like “black boxes” if someone can find a communications protocol that gets sent out into the world with sufficient redundancy in the ciphertext such that a side chanbel becomes available, then it’s game over.

On trick you could use is to apparently randomly send errors in the transmitted ciphertext that the distant end error correction removes. There are numerous ways you could modulate such a channel to turn it into a covert side channel that leaks the crypto key in some way…

And there are a couple of other tricks I can think of where you can find redundancy in a system you can use for a covert side channel to leak information.

[1] I used the trick of creating a buffer with malloc() to load the key into then use that to build the stream cipher state array. Then use free() to get rid of the buffer before exiting the key load&make function… Only free() does not actually get rid of the buffer and it’s contents, because if you immediately use malloc() again for the same size buffer mostly back then you would get given a pointer to the original buffer on the heap that still has the key in it. Back then very few programers knew about this issue, even though one of the most notorious bugs due to the difficulty of finding it was returning an invalidated pointer from a function after using free()… It mostly works without consequences as that part of the heap does not change untill the next malloc() which is why it did not get noticed a lot of the time.

Clive Robinson • September 29, 2023 8:22 AM

@ RobertT,

“If I was really trying to hide something I’d probably use a combination of the above.”

Those are what I would call “low level in the stack” attacks as they are right down on the “physical device” physics. And you would have to do it on a device by device basis as part of the design, or modify the design tools to somehow know where to build in the fault, which would not be that easy.

In effect they are “implementation attacks” and usually require someone “in the know” in the production chain for them to be able to happen.

Longer term readers might remember back rather more than a decade, when I pointed out that from the NSA perspective they needed “known plaintext” (this was in fact pointed out by Robert Morris the NSA chief scientist when he retired). Thus the Microsoft File Formats must have been a deep joy to them…

But I pointed out that from my perspective if I was a SigInt agency I would try to “finesse”

1, Standards
2, Protocols
3, Implementations.

I’ve pointed out that prior to the NSA existing the design of US mechanical field ciphers had strong keys through to very weak keys. As the “keys in use” were issued from a central source, they could ensure that only the strong keys were used by US forces. However any captured equipment that the enemy reused or copied would in all probability be used by those not sufficiently experienced to know which were strong and which were weak keys. This would enable US Cryptographas to easily read around 1/5 of the messages, and from this gain “probable plaintext” to more easily assist in attacking the use of even the strong keys using automated systems (similar to the Enigma bombs etc). The fact that many nations from the end of WWII into the 1980’s were still using those “war surplus” US, German and very similar mechanical crypto devices would have been a positive joy to the NSA, GCHQ, and other Five Eyes and related agencies (we also now know for certain that “Crypto AG” was influanced in this weak key idea all through it’s history).

But it’s not just crypto. This backdoor on a chip is what is known to have happened with a German manufacturer of line interface chips for the “Plain Old Telephone System”(POTS) that reproduced the old “capacitor across the hook switch trick”. Whereby low frequencies in the audio band saw an “open circuit” or atleast a very high impedence to a low impedence transmission line. Whilst frequencies in the LF through MF and into HF bands would see a “closed circuit” or atleast a very low impedence to the transmission line. Howrver arrange for a device behind that capacitor to be “impedence modulated” by the microphone and that HF current will get modulated. The use of the equivalent of a circulator in the transmission line will pull out that modulated current and give you the audio.

It was in effect one way to do your,

“Actual onchip Analog and RF circuitry”

To make it more of a “covert backdoor” it was not a “capacitor” equivalent but a “Twin T and gyrator”[1] equivalent to making a very narrow band pass at a frequency[2] outside of the frequency range used in the compliance standards for testing.

Moving to “protocols” as I’ve mentioned “error correction” at the transmission level makes an almost perfect covert backdoor. Because whilst it leakes at the transmission level to Eve etc, it never gets seen at the higher levels as error correction gets stripped from the data as it gets passed up the comms stack.

By it’s nature error correction is generally a highly specialised subject and few understand it or even want to understand it. The fact you can build it into a secure encryption system –see McEliece[3]– does not appear to have endeared it to people. Which brings us onto “standards” you can hide a backdoor in an error correction standard with little or no difficulty, you simply need to use the excuse of “whitening” / “randomization” to equalise the communications bandwidth or make it “Post Quantum Secure” and few if any will look further into it.

We know the NSA attack standards in various ways the most obvious being the Dual EC-DRBG and the humiliation it caused NIST.

Few others though have gone on to ask the all important question of,

“What other standards?”

As I’ve repeatedly pointed out it’s quite a lot… The excuse is generally a “Health and Safety Capability” which is why your GSM mobile phones truely are “bugs in your pocket”. But the one that made me laugh sardonically is a step or two up the computing stack, from “standards” to “legislation”. That is for “Health and Safety” the US decided all mobile phones would have to have GPS installed that could be accessed “in an emergency” by an operator…

I could go on but the point is most technology has two failings,

1, It’s dual use or can be presented as “for the common good”.
2, It all has “redundancy” that builds in side chanbels.

Few ever notice how easily “good becomes bad”, and even less ever ask “Just a moment…” because they don’t want to be seen as a nail that sticks up, thus get banged down or thrown out the door (a mistake I made early on in my career over “fingerprint scanners”).

[1] Whilst I’ve built such a Twin T circuit using more discrete components, I’ve not tried doing the equivalent with a Sallen–Key circuit but I suspect it will work.

[2] For those who are having trouble getting their heads around the idea imagine a transmission line terminated in a low pass filter a series switch and finally a variable impedence load such as a FET or Transistor to ground driven by the audio signal. This is a standard POTS telephone circuit to replace the old hook switch and carbon granual microphone. Now the “covert back door” is simply a series tuned RF circuit at a suitably high frequency and Q that goes from the transmission line to the variable impedence load, thus bypassing the lowpass audio filter and electronic hook switch. It’s the same trick as is used in those TAO so called “radar bugs” where the series tuned circuit is a dipole antenna with the low impedence mid point bridged by the variable impedence.

[3] Sadly Robert McEliece’s system from the 1970’s never gained favour with the open cryptographic community. Even now when it’s known to have “Quantum Computing”(QC) algorithm resistance it’s still more or less shuned for mostly spurious reasons,

https://en.m.wikipedia.org/wiki/McEliece_cryptosystem

Clive Robinson • September 29, 2023 4:36 PM

@ Maureen Monroe, ALL,

Re : McEliece Key size.

“Although Classic McEliece is widely regarded as secure, NIST does not anticipate it being widely used due to its large public key size [around 1 megabyte]. NIST may choose to standardize Classic McEliece at the end of the fourth round.”

They neglected to mention why the alleged key size is large, but when used in a sensibley designed communications system would not actually be of any real note.

You first have to realize in a conventional system encryption and error correction are done on entirely seperate levels and kept segregated. The McEliece system I worked with some years ago, actually combined encryption and error correction into one effective function.

So when you add back in all the extra bits for “error correction” you have to put in the communications channel for a conventional system it can be quite a shock. Thus what appears to be a large McEliece key size is not as big as other seperate encryption and error correction systems need.

Also with modern large media files, including modern “documents” the actual combined encryption and error correction bits added are actually not as significant as it first sounds.

Something tells me NIST’s advisors the NSA have already decided against McEliece, but have decided not to say. There are a couple of basic reasons to do this,

1, To limit the spread of encryption they can not break.

2, They have already broken it but won’t reveal the method. To stop it being reciprocated on US / Five Eye systems.

But at the end of the day it could be other reasons or none at all.