January 29, 2008

Breaking ANSI X9.9 OTP Tokens

DES has been broken for a decade now. So why do some banks still rely on DES-based security?

One reason is that until recently the compromise of DES has been distinctly theoretical. Deep Crack was built for $250,000 in 1998. If the cost of the developer's time were factored in, the cost would be twice that.

So now I learn at Financial Cryptography that Tim Guneysu and Christof Paar from University of Bochum have put together a machine (COPACOBANA) for $10,000 using more or less off-the-shelf parts that can brute force DES keys in a few days.

That is a figure that should be much more worrying for the banks. An Internet criminal would have to go to considerable effort to steal $250K of computer parts, but blagging $10K of stolen parts is an afternoon's work. The risky, time-consuming part of the phishing process is converting fenced goods into cash.

The ANSI X9.9 OTP tokens should not be a great concern; they are easy enough to change. Secure OATH-compatible tokens using 128-bit secret keys are available from VeriSign and other vendors. But other parts of the banking infrastructure that almost certainly depend on 56-bit DES should be a real focus of urgent concern.

February 28, 2007

Do as I say, not as I do

So we managed to make it past the RSA conference without a new break on a major algorithm. Some people had been expecting that this would be the year that someone finally broke SHA-1, at least at the level of the compression function.

One of the more worrying issues of the debate though is when people say things like 'well you are still using SHA-1 so why the concern?' This is to miss the point.

One of the reasons that commercial cryptographic systems have proved so durable is precisely because we are so conservative in choice of algorithms. Changing a cryptographic algorithm is expensive and takes many years. So we look to deploy systems with an expected lifetime of decades.

I am certainly not going to design a new cryptographic security protocol using SHA-1 today. I would look to use SHA-256 or 512. But that does not mean that we should abandon all our existing SHA-1 based applications immediately because we would no longer sanction a new system using that design.

What we do instead is to look at each application in turn and decide whether the known algorithm compromise is significant in the context that the algorithm is used. This is tedious, time-consuming work but necessary. It is not work that I would care to do for a new protocol. I am certainly not going to spend my time asking 'must we use SHA-256 here or is SHA-1 sufficient?' when building from scratch - just use the stronger algorithm and be done.

When you have a legacy base to support, it is essential to know whether a new algorithm is a choice or a requirement. Fortunately for Certificate Authorities, the practice of a CA is not critically dependent on the particular cryptographic properties of SHA-1 (or MD5 for that matter) that have been compromised. It is still necessary to plan for SHA-256 support so that future applications can be supported, but we don't need to withdraw support for existing, deployed product.

So if you are designing a new system, use the algorithm we recommend, not the one we support in legacy products with a billion users.

September 21, 2006

Finding wood where you expected steel

Recently I have been restoring my 1977 MGB Roadster over the weekends. While removing the carpet I discovered a problem: there was wood underneath the carpet rather than steel.


From a strength point of view there is absolutely nothing wrong with a wooden floor. Most houses have wooden floors. The MGs of the 1950s had wooden floors when they left the factory. The problem is not the wooden floor itself; the problem is that I expected to find steel. The previous owner was clearly hiding something, and when the wood panels were finally removed I found a rust problem that could have been serious if left much longer.


That in a nutshell is the problem that we are currently finding with the cryptographic digest function SHA-1. We keep finding wood where the design calls for steel. The defects found to date are not a major safety concern in themselves; the problem is what they say about the security of the design.


It may be possible to repair the car with a special purpose rust inhibiting epoxy paint. If the rust turns out to be too bad it will be necessary to have the old floors removed and new ones welded in place.


Similar options exist to fix SHA-1. In the short term the industry is switching to SHA-2, which is believed to be considerably stronger and offers 256- and 512-bit versions. In the longer term a replacement will be agreed. The good news is that there is no reason at this point to believe that SHA-1 is unsafe to drive.