Crypto won't save you

Peter Gutmann is a researcher in the Department of Computer Science at the University of Auckland working on design and analysis of cryptographic security architectures and security usability. Having been part of the team that wrote the popular PGP encryption package, you'd expect that he'd put a lot of trust crypto.

But like cryptographer Adi Shamir, the 'S' in RSA, who once said "cryptography is bypassed, not penetrated", Gutmann used his presentation at AusCert 2014 to highlight the inherent weakness in how we treat security. Cryptography is often seen as a silver bullet solution but is has failed.

During his talk, Gutmann looked at ten years of trying to secure things with crypto that ultimately failed. And, even though is some cases the crypto was so weak that it could be easily beaten, it was much easier to just bypass it.

As did many of the presenters at AusCert 2014, Gutmann started with some references to Edward Snowden, the poster boy for data theft or information liberation depending on your point of view. Among the documents exposed by Snowden was information pertaining to Project BULLRUN. Funded to the tune to of between $250M to $300M, this is a US government initiative designed to develop "capabilities against a technology".

BULLRUN has developed capabilities against TLS/SSL, HTTPS, SSH, VPNs, VoIP and webmail according the documents Snowden leaked.

As Gutmann puts it "You're not paranoid, they really are out to get you".

Gutmann's presentation delivered a history of how sophisticated cryptography has been overcome. For example, he described how most of the major gaming consoles use crypto as a way of securing systems and limiting access to user data. However, all have been hacked to some degree.

"In none of the cases was it necessary to break the cryptography," said Gutmann.

The same went with smartphones with a common method being a hack of firmware to simply bypass any embedded crypto or recovery of private keys from supposedly secured storage.

By the end of this part of Gutmann's presentation there was probably no one in the audience who wasn't carrying a device that hadn’t ben compromised.

Some research in 2012 looked at a number of about 12000 very large organisations including Amazon, Apple, Dell, eBay, HP, HSBC, LinkedIn, Paypal and Twitter. A third of the companies were using keys "so weak that an individual attacker could have broken them," said Gutmann.

However, in none of the case did anyone bother as it was unneccesary in order to compromise systems. In other words:

  • Number of attacks that broke the crypto: 0
  • Number of attacks that bypassed the crypto: All the rest

"No matter how strong the crypto was, or how large the keys were, the attackers walked around it," he added.

Gutmann took a long, hard look at IPsec, the protocols used to secure IP communications. He pointed out that it has a number of errors and is not as secure as many believe. The NSA contributed to development of the IPsec standard with Gutmann citing information from Niels Ferguson and Bruce Schneier's "A Cryptographic Evaluation of IPsec" saying " the ISAKMP specifications [the NSA’s main overt contribution to IPsec] contain numerous errors, essential explanations are missing, and the document contradicts itself in various places".

Despite this, Gutmann did stop short of saying that IPsec was deliberately sabotaged saying " Never attribute to malice what is adequately explained by a committee".

The lesson from all of this is that you need to secure every part of the system and not just throw crypto at one bit and assume that you'll be safe. It's not enough to simply rely on standards and to follow the crowd. Understanding security, not just from an appliance and software solution point of view is not enough.

Security professionals have said for many years that good security is based on layers. That remains true but putting too much trust in one layer, like crypto, can leave you vulnerable in other places.

Join the CSO newsletter!

Error: Please check your email address.

Tags cryptocurrency

More about Amazon Web ServicesAppleAusCertDelleBayHPHSBCNSAPGPRSASSHVoIP

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Anthony Caruana

Latest Videos

  • 150x50

    CSO Webinar: Will your data protection strategy be enough when disaster strikes?

    Speakers: - Paul O’Connor, Engagement leader - Performance Audit Group, Victorian Auditor-General’s Office (VAGO) - Nigel Phair, Managing Director, Centre for Internet Safety - Joshua Stenhouse, Technical Evangelist, Zerto - Anthony Caruana, CSO MC & Moderator

    Play Video

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

More videos

Blog Posts

Market Place