Are you crypto-agile?
- 03 January, 2018 02:02
Our world relies on secure digital cryptography. Secure doesn’t mean unbreakable forever. No serious cryptographer will ever declare a cryptographic anything unbreakable. In fact, cryptographers always assume that every cryptographic algorithm will eventually be broken. The best pronouncement you can hope for from a crypto expert is that breaking it is “non-trivial,” meaning that no apparent, easy to accomplish attacks are known. All cryptographic algorithms fall over time, and this has been more true and consistent than the highly respected Moore’s Law, which drives computing evolution.
What is crypto-agility?
The recent flood of huge crypto breaks has been staggering. It seems like one after the other, and that’s just in the last few months. That’s why organizations need to be crypto-agile, expecting to transition from one encryption standard to another at a moment’s notice. That’s the world we live in.
Crypto-agility has been a development concept within the crypto community for a long time. Even the widely used x.509 digital certificate standard (released in 1988) was created with crypto-agility in mind. You can use any conforming cipher to create asymmetric keys and certificates. You just have to indicate which one is being used (and how long the associated key) early on in the certificate so the “consumers” can read and use it appropriately.
Many companies, including Microsoft, have been talking about it publicly since at least 2010. (Full disclosure: I work for Microsoft.) But with the latest breaks, it’s now more important than ever to make sure your crypto-systems are agile. Unfortunately, the world is full of non-agile crypto-systems. You probably have some. You might even be making some today.
Cryptographic algorithms are falling every day
In fact, it’s hard to name a respected cryptographic algorithm that hasn’t fallen in recent years. Not only did the widely used Secure Hash Algorithm (SHA-1) fall, but so did nearly every popular precursor hash algorithm (including MD4 and MD5). Even SHA-1’s recommended predecessor, SHA-2, contains the same cryptographic weakness as SHA-1, but it’s increased length protects it against easy breaking, at least for now.
Today, SHA-3, the recommended replacement for SHA-1 and SHA-2, is what everyone should be using, but almost no hardware or software products support it. Within a few years, we all will be making the move to SHA-3. The question is: Will we do so before it, too, gets a noted public weakness?
The ubiquitous Rivest-Shamir-Adleman (RSA) asymmetric cipher has been under constant attack since its introduction in 1977. Over the years, it has been successfully weakened, and improved, many times. The recently discovered Return of the Coppersmith Attack (ROCA) vulnerability in October 2017, which was a weak implementation of RSA keypair generation on Infineon’s Trusted Platform Module (TPM) chips, impacted billions of security devices, including smartcards.
This announced vulnerability had nearly every large company in the world scrambling to analyze their reliant crypto systems and replace vulnerable smartcards in a very short amount of time. If you’re not familiar with the ROCA issue, just understand that it is a seismic problem and there are probably still billions of vulnerable devices and smartcards being used today that offer very little protection.
In December 2017, ROCA was followed by the ROBOT attack, which found another RSA weakness that impacted a very large percentage of the HTTPS/TLS websites, including over one-third of the most popular websites (e.g., Facebook and Paypal). ROBOT applied to many network security devices and load balancers. Both ROBOT and ROCA allowed passive listeners to decrypt encrypted traffic and to determine the sacred private key from capturing the widely distributed public key.
Because RSA, and its related predecessor, Diffie-Hellman-Merkle, are getting long in the tooth (and likely successfully attacked by the NSA and other nation states), crypto admins are looking to move to anything looking more secure in the future. Many crypto-systems (including bitcoin) are using Elliptical Curve Cryptography (ECC), except for the NSA, which has let it be quietly known, for unexplained reasons, that it doesn’t recommend anyone use ECC.
The NSA is recommending quantum cryptography for long-term security. That’s great, except for the fact that quantum cryptography does not yet exist in sufficient quantities and protections to be useful in most scenarios. It is likely to be that way for another decade or more. When readers ask me for recommendations, I tell them to use one of the generally accepted standards along with larger key sizes.
Even our wireless networks are more vulnerable than ever with the announcement of the KRACK attack in November 2017. For years, we’ve been told that using the WPA2 protocol makes our wireless communications safe. KRACK changed that understanding. Its authors found a fatal re-transmission flaw that allowed them to decrypt WPA2 traffic, manipulate it, and inject malware without having to decrypt the common Wi-Fi “password.” As stated in KRACK’s introduction paragraph, “The attack works against all modern protected Wi-Fi networks…if your device supports Wi-Fi, it is most likely affected.” It’s hard to be clearer than that. The author of KRACK explains the vulnerability and solutions well in his latest Blackhat talk.
Crypto issues don’t just impact companies and products. They can impact sovereignty. As Bruce Schneier reminded us recently, entire countries are learning from the mistakes of not being agile enough.
Are you crypto-agile?
You have to be crypto-agile as a user/admin, and if applicable, as a developer. Crypto-agility is simply preparing (or easily allowing) for moving from one implemented cipher to another without having to re-do or re-write everything. In some instances, you might even be able to keep the same encryption keys and just move to related, safer, improved ciphers.
If you’re a user/admin of crypto-products, and who isn’t, you need to understand the importance of crypto-agility and start to look for it and demand it from your crypto-products and vendors. If you buy crypto products does it appear as if your vendors are aware of and practicing crypto agility?
You need to stay up on the latest critical crypto news. Did you know about all the issues I mentioned above? Did you apply the needed patches and mitigations? Did you update your Wi-Fi routers, VPNs, load balancers, websites, security cameras, firmware, and TPM chips? Did you stop using what couldn’t be fixed? I bet more companies than not are continuing to use encryption unaware that what they have been using to protect their data has become transparent.
If your developers use cryptography, are they making sure that any included crypto is able to be replaced as needed without rebuilding everything from scratch? Many developers struggle with how to appropriately implement cryptographic routines at a basic level. Are they even aware of the concept of crypto-agility and why it is needed?
If your company isn’t crypto-agile, and most aren’t, now is the time to start the education and inclusion of its concepts. The companies that understand and operate with crypto-agility awareness are going to be more efficient and secure over the long run.