Welcome to the Golden Age of Applied Crypto Research
The year 2015 saw the publication of an unprecedented number of practical attacks on real cryptographic systems. Attacks like FREAK and LOGJAM, which combine model-based testing of crypto code with state-of-the-art numerical algorithms for cryptanalysis, give a taste of the kinds of capabilities that are available to sophisticated adversaries. It's a good time to review a few highlights of last year's results in applied crypto and take stock of what needs to be done to stay secure in 2016.
Weak Crypto Algorithms
This was the year collisions in the SHA-1 hash function came a step closer. Browser vendors are already marking SHA-1 certificates as insecure. We also saw more practical attacks on the RC4 cipher. Additionally, an ASIACRYPT paper gave full details of how exactly MD5 collisions were used in the FLAME attack (PDF).
TLS Implementation Attacks
We are now in a phase where TLS attacks are announced every few months. The first SMACK-TLS attacks, exploiting bugs in the state machines of common TLS implementations, became public in January when OpenSSL announced a security advisory. One variant of the attacks, which allowed a man-in-the-middle attacker in a TLS session to downgrade the key exchange to 512-bit RSA encryption, was named FREAK and demonstrated on the website of the NSA. Less well-publicised was the SKIP-TLS variant affecting Oracle JSSE TLS (widely used in corporate networks), which allowed an attacker to bypass both client and server authentication, giving a man-in-the-middle attacker complete control of the supposedly secure channel. Later in the year came details of the LOGJAM attacks on small Diffie-Hellman groups, more state-machine attack variants, and invalid-curve attacks.
Thanks in part to the work on FREAK and LOGJAM, we also saw factoring of small RSA keys and discrete log solving in small groups become a commodity tool (you can even get a 512-bit discrete log solved by a Twitter bot). Meanwhile, at Cryptosense, we used the well-known batch-GCD method to factor SSH keys on GitHub. Batch GCD was also used on the 512-bit RSA keys of servers vulnerable to FREAK (PDF). On a ZMap scan of all internet-facing TLS keys, 0.14% of keys were found to be vulnerable, compared to 0.15% in 2012.
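For readers who want to see what the batch-GCD check above actually does, here is an added example (not Cryptosense's tooling) that runs Bernstein's product-tree/remainder-tree algorithm over a set of RSA moduli and reports every key that shares a prime with another one. The moduli are constructed toy values built from small primes; it also handles the edge case where both primes of a key appear in other keys, in which case batch GCD returns the whole modulus and a pairwise GCD is needed to split it.

```python
from math import gcd

def product_tree(mods):
    """Layers of pairwise products: [leaves, ..., [product of all]]."""
    tree = [list(mods)]
    while len(tree[-1]) > 1:
        layer = tree[-1]
        tree.append([layer[i] * (layer[i + 1] if i + 1 < len(layer) else 1)
                     for i in range(0, len(layer), 2)])
    return tree

def batch_gcd(mods):
    """gcd(N_i, product of all other N_j) for every modulus, in O(n log^2 n)."""
    tree = product_tree(mods)
    rems = tree.pop()                      # root: the product of all moduli
    while tree:                            # remainder tree: reduce mod each node squared
        layer = tree.pop()
        rems = [rems[i // 2] % (n * n) for i, n in enumerate(layer)]
    # (P mod N^2) / N == (P / N) mod N, so this is gcd(N, P/N) without the huge division
    return [gcd(r // n, n) for r, n in zip(rems, mods)]

def factor_weak_keys(mods):
    """Return {index: (p, q)} for each modulus sharing a prime with another key.

    A value of None means the exact same modulus occurs more than once."""
    found = {}
    for i, (n, g) in enumerate(zip(mods, batch_gcd(mods))):
        if g == 1:
            continue                       # no factor shared with any other key
        if g == n:
            # Both primes of n appear elsewhere (or n is duplicated): batch GCD
            # cannot split it, so fall back to pairwise GCDs against the others.
            g = next((gcd(n, m) for j, m in enumerate(mods)
                      if j != i and 1 < gcd(n, m) < n), None)
        found[i] = None if g is None else (min(g, n // g), max(g, n // g))
    return found

# Constructed sample key set (small primes stand in for 512-bit ones):
# keys 1 and 2 share 10037, keys 2 and 3 share 10061, keys 0 and 4 are clean.
MODULI = [10007 * 10009, 10037 * 10039, 10037 * 10061, 10061 * 10067, 10069 * 10079]

if __name__ == "__main__":
    for idx, factors in factor_weak_keys(MODULI).items():
        print(f"key {idx}: shared-factor key, factored as {factors}")
```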
SSH Crypto Updates
OpenSSH 7.0 was released in August, retiring (by default) some legacy crypto including 1024-bit Diffie-Hellman groups and DSA host and user keys (note that in SSH, DSA keys are limited to 1024 bits in size). Version 7.2 will (probably) retire more legacy crypto, including RC4.
Crypto Hardware Attacks - HSMs and Smartcards
There were two private-key extraction vulnerabilities on commercial CC- and FIPS 140-certified HSMs revealed last year. At Cryptosense, we collaborated on a study of low-level smartcard protocol vulnerabilities - though you'll have to wait until the responsible disclosure process closes to get the full details of the affected manufacturers.
What to Do in 2016
As Matt Green's invited talk at CHES 2015 explained (PDF), cryptography used to be the part of system security you didn't have to worry about, but now we understand it's better viewed as a highly critical part that is extremely tricky to get right. Fortunately, more and more attention is being paid to finding and fixing applied crypto flaws. We have tools at Cryptosense that can help you weed out weak crypto from applications, from network crypto services and from cryptographic hardware.