Encryption Keeps Your Data Safe. Or Does It?

In the post-Snowden era, many people have come to believe that the only way to maintain privacy is through encrypting everything. (Well, as long as your encryption doesn't use the flawed RSA algorithm that gave the NSA a backdoor.) A fast-moving session at the Black Hat 2014 conference challenged the assumption that encryption equals safety. Thomas Ptacek, co-founder of Matasano Security, noted that "nobody who implements cryptography gets it completely right," and went on to demonstrate that fact in detail.

The Crypto Challenge This session was based on Matasano's crypto challenge, described as "a staged learning exercise where participants implemented 48 different attacks against realistic cryptographic constructions." According to Ptacek, more than 10,000 people have participated in the challenge.

How did it start? "There are people that I end up arguing with on Twitter," said Ptasek. "I want to share crypto knowledge, but I don't want to arm those people with my jargon." That was the origin of the challenge. Matasano researchers created six sets of eight challenges. To complete a set, you must successfully implement all eight challenges using the programming language of your choice. After you successfully complete one set, they'll send you the next. "To get the jargon, you have to code," explained Ptasek.

Eighth Grade Math Required You might expect that implementing and cracking various types of cryptography would require detailed knowledge of arcane mathematical disciplines. Ptasek listed five high-end topics, among them "fields, sets, and rings" and "Feistel and S-P network structure." He went on to explain that none of them are required. Most of the challenges require little more than high-school algebra, and some knowledge of coding.

Those taking the challenge submitted their work in a dizzying variety of programming languages. Some even stepped outside the realm of programming altogether. One participant submitted a solution coded as a simple Excel spreadsheet. Another solved one of the challenges using PostScript.

"There's going to be a lot of detail in this talk, and we'll talk fast," said Ptasek. "You won't walk out of this knowing how to exploit RSA, but I can show you how straightforward it is. Just let the math wash over you like the poetry of insecurity." I like that!

To Err Is Human The presentation went on to examine some specific and well-documented cryptographic blunders. One company solved the problem of encryption efficiency by setting an essential parameter to one, just one. Cryptocat, famously used by Edward Snowden, didn't go quite that that far, but by tweaking code for efficiency the developers vastly reduced the resources required to crack encrypted messages. And yes, the Cryptocat algorithm was at its worst between May 2012 and June 2013.

After a point, the session did indeed get quite technical. I did almost manage to understand a clever technique the Matasano folks devised to break RSA-encrypted credit cards. It involved submitting carefully selected numbers to the encryption server as if they were encrypted data and noting the reaction. Each number that was accepted as valid brought them closer to decrypting the text, and also narrowed the range of numbers for the next attempt. The resulting demo was a classic movie-style version of cracking encryption, with plaintext letters appearing one by one as binary bytes scrolled past.

Will You Take the Challenge? If you want to take the crypto challenge, send a note to cryptopals@matasano.com. Do note that the strict one-at-a-time rule for challenge sets has been suspended. You can now get all of the setsat once. In an announcement before the talk, Ptasek explained that "We're giving a talk about the challenges at Black Hat, and want our loyal cryptopals to see all the challenges before Black Hat ticketholders do." Going forward, the Matasano team plans a website devoted to the challenges, and even a book.

More here:
Encryption Keeps Your Data Safe. Or Does It?