The Risks Digest

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Volume 17 Issue 53

Monday 11 December 1995

Contents

o Announce: Timing cryptanalysis of RSA, DH, DSS
Paul C. Kocher
o Spectrum Insanity
Lauren Weinstein
o Risks of automated library circulation systems
Richard I. Cook
o "Computer Crime: A Crimefighter's Handbook", Icove/Seger/VonStorch
Rob Slade
o Denial of service attack: sabotaged electrical panel
Jon Mellott
o Re: False Alarms in Digital Systems
Todd W Burgess
o Re: Alarm and alarm-silencing risks in medical equipment
Rob Seaman
o Re: Alarm and alarm-silencing risks
Bob Schuchman
o InfoWarCon (Europe) '96
Winn Schwartau
o ABRIDGED info on RISKS (comp.risks)

Announce: Timing cryptanalysis of RSA, DH, DSS

Paul C. Kocher <pck@netcom.com>
Sun, 10 Dec 1995 13:34:50 -0800

I've just released details of an attack many of you will find interesting since quite a few existing cryptography products and systems are potentially at risk. The general idea of the attack is that secret keys can be found by measuring the amount of time used to process messages. The paper describes attacks against RSA, fixed-exponent Diffie-Hellman, and DSS, and the techniques can work with many other systems as well.

My research on the subject is still in progress and the current paper does not include many of my findings. I will eventually publish a full paper, but am releasing a preliminary draft now to alert the community as quickly as possible. A copy of the abstract is attached at the end of this message and the full text can be downloaded in PostScript format from:

ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps
ftp://ftp.cryptography.com/pub/kocher_timing_attack.ps.gz

I've also made an HTML version which is accessible at:

http://www.cryptography.com

(The HTML uses subscripts and superscripts which aren't supported in older web browsers. The PostScript version is the "official" one and looks nicer.)

The results have already been seen by Matt Blaze, Martin Hellman, Ron Rivest, Bruce Schneier, and many others. While the full significance of the attack is not yet known, I think everyone who has seen it considers it important (including Netscape who awarded me a $1000 bugs bounty prize).

ABSTRACT. Cryptosystems often take slightly different amounts of time to process different messages. With network-based cryptosystems, cryptographic tokens, and many other applications, attackers can measure the amount of time used to complete cryptographic operations. This abstract shows that timing channels can, and often do, leak key material. The attacks are particularly alarming because they often require only known ciphertext, work even if timing measurements are somewhat inaccurate, are computationally easy, and are difficult to detect. This preliminary draft outlines attacks that can find secret exponents in Diffie-Hellman key exchange, factor RSA keys, and find DSS secret parameters. Other symmetric and asymmetric cryptographic functions are also at risk. A complete description of the attack will be presented in a full paper, to be released later. I conclude by noting that closing timing channels is often more difficult than might be expected.

Paul Kocher
*********************************************************************
VERY IMPORTANT: If you send me e-mail, please understand that I probably won't have time to respond to all who write. Please keep messages SHORT and send them to pck@cryptography.com (**not** my netcom address -- misdirected messages will be ignored). PGP when used for e-mail is not vulnerable to the attack. Please state in your note whether you would like a reply.
********************************************************************
Paul C. Kocher Independent cryptography/data security consultant
E-mail: pck@cryptography.com (please see above before replying)
[Paul's paper makes superbly interesting reading. Its implications are quite far reaching. PGN]
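
An added illustration, not part of Paul Kocher's message or paper: the sketch below counts modular multiplications in a textbook square-and-multiply exponentiation and in a fixed-schedule ladder, to show why processing time can depend on a secret exponent and what a fixed amount of work per bit looks like. The function names, the modulus and the two 64-bit exponents are constructed for the example; operation counts stand in for time, since Python's big-integer arithmetic is not itself constant-time.

```python
# Added example: why exponentiation time can depend on the secret exponent.
# All names and values here are constructed for illustration.

MODULUS = (1 << 127) - 1          # constructed modulus for the demo
LOW_WEIGHT = (1 << 63) | 1        # 64-bit exponent with two 1 bits
HIGH_WEIGHT = (1 << 64) - 1       # 64-bit exponent with sixty-four 1 bits


def modexp_square_multiply(base, exponent, modulus):
    """Left-to-right square-and-multiply.

    Returns (result, modular_multiplications). The multiply step runs only
    for 1 bits, so the amount of work varies with the exponent's value.
    """
    result, ops = 1, 0
    for bit in bin(exponent)[2:]:
        result = (result * result) % modulus      # always: square
        ops += 1
        if bit == "1":
            result = (result * base) % modulus    # only for 1 bits
            ops += 1
    return result, ops


def modexp_ladder(base, exponent, modulus, bits):
    """Montgomery ladder over a fixed bit length.

    Returns (result, modular_multiplications). Every bit costs exactly one
    multiplication and one squaring, so the count depends only on `bits`.
    Invariant maintained on every step: r1 == r0 * base (mod modulus).
    """
    r0, r1, ops = 1, base % modulus, 0
    for i in reversed(range(bits)):
        if (exponent >> i) & 1:
            r0, r1 = (r0 * r1) % modulus, (r1 * r1) % modulus
        else:
            r0, r1 = (r0 * r0) % modulus, (r0 * r1) % modulus
        ops += 2
    # A production implementation would also replace the branch above with
    # a branch-free conditional swap and use fixed-time limb arithmetic;
    # this sketch only equalizes the operation count.
    return r0, ops


def operation_profile(base=5, bits=64):
    """Return {exponent: (square_multiply_ops, ladder_ops)} for both keys."""
    profile = {}
    for exponent in (LOW_WEIGHT, HIGH_WEIGHT):
        value_sm, ops_sm = modexp_square_multiply(base, exponent, MODULUS)
        value_ld, ops_ld = modexp_ladder(base, exponent, MODULUS, bits)
        # Both algorithms must agree with Python's built-in pow().
        assert value_sm == value_ld == pow(base, exponent, MODULUS)
        profile[exponent] = (ops_sm, ops_ld)
    return profile


if __name__ == "__main__":
    for exponent, (ops_sm, ops_ld) in operation_profile().items():
        print(f"{exponent:#018x}  square-and-multiply={ops_sm}  ladder={ops_ld}")
```

Equalizing the operation count removes only the coarsest source of variation; as the abstract notes, closing timing channels is often more difficult than might be expected, so real systems should rely on a vetted constant-time cryptographic library.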

Spectrum Insanity

Lauren Weinstein <lauren@vortex.com>
Sat, 9 Dec 95 12:39 PST

Spectrum Insanity [Originally written for TELECOM]

Greetings. With so much of the country's attention (rightly) focused on the budget battles regarding Medicare, Medicaid, Environmental and Education funding and similar critical issues, it's easy to forget some of the other issues that play directly into the ongoing budget debate--issues that directly affect telecommunications.

The new telecommunications rewrite, which is nearing completion in Congress, shows signs of having many of the same negative attributes as the screenplay with too many authors, or the animal designed by committee. In short, it's highly questionable whether it will do more good than harm. Its various aspects have become so controversial that various news outlets have started refusing to run ads supporting one side or the other, for fear their own interests will be compromised.

The bill covers a lot of ground, but I'd like to focus here on only one aspect--what happens when politics attempts to drive technology. In the search for the holy grail of simultaneously crafting a "balanced budget", tax cuts, and technological reforms, the concept of "spectrum auctions" has moved into center stage. A simple concept really: He who has the most bucks gets the spectrum. One thing's for sure, if this sort of policy had been in effect during the formative years of broadcasting, the multitude of non-pay, commercially-sponsored television and radio outlets we have today would be very unlikely to exist, and the stifling effects on technical innovation would be difficult to predict.

But now a fascinating development is occurring which could directly affect every radio and television listener/viewer. In case you haven't noticed, the hot topic in broadcasting these days is "digital broadcasting". Experiments are in progress regarding both satellite and terrestrial digital radio broadcasting, with a range of both technical and "political" arguments surrounding every step. The FCC wants terrestrial television broadcasters to convert to digital as well. The promises of the technology are indeed seductive--"perfect" (?) pictures, multiplexing of multiple channels in the bandwidth currently used for one channel, and so on. Of course, the standards for these transmissions have yet to be completely nailed down, the cost of the technology will be high for the short to medium term at least (and this *isn't* necessarily HDTV we're talking about), and it's decidedly unclear whether consumers are really all that interested--at least when it comes to either buying expensive converter boxes (just what most people want, more boxes hanging off their sets!) or junking all their TVs, VCRs, and other related equipment for new expensive digital ones.

The cost to broadcasters to meet such an FCC mandate will be very high. It was recognized early on that if such a conversion was ever to succeed, a transition period, which the FCC initially pegged at 20 years, would be necessary. Broadcasters would be allocated a new slice of spectrum that they could use for digital services while simultaneously continuing their existing analog transmissions on their existing channel. At the end of the (presumably successful) transition period, they would turn the analog spectrum back to the government for reassignment. Not only will the broadcasters need to spend vast amounts for this conversion, the cost to consumers, over the 20 year transition period, could be enormous.

But as Congress has searched for new revenue sources, the idea came up that rather than provide the non-pay, commercially sponsored broadcasters with the spectrum for the transition, that spectrum should be "auctioned off" instead to the highest bidders. There are a number of problems with this, including the fact that it says nothing about public interest--it speaks only to who has the most bucks. And while many broadcasters aren't exactly poor (though many operate on surprisingly thin margins) there are other interests (mainly cellular, PCS, and other services whose main income stream is derived from well-heeled business users and investors) who have vast financial resources and could probably outbid anyone else for anything.

The arguments over this have been raging. And now, it appears that the latest plan floating around is that the broadcasters won't have to try to outbid for spectrum necessary to meet FCC mandated digital transition requirements. But here's the kicker--the new idea is to force the transition to occur in only *seven* years. By 2002, everyone is supposed to have converted to super-deluxe digital broadcasting. That's the television broadcasters *and* all consumers. Does it seem just a wee bit unlikely that such a schedule can be met? Are consumers going to be willing to see all their television equipment converted to door stops in a rush to provide "digital quality" pay-per-view and home shopping channels?

And what of the quality of technology that will result from this sort of politically driven "mad rush" towards the future? This all makes about as much sense (and is as likely to succeed) as the laws on the books in California that have mandated that something like 20% of the cars sold in the state must be electric powered within the next 7 years or so. The fact that no such vehicles exist with specs, performance, or affordable prices that could meet such goals didn't deter the enactment of the laws.

When technology is driven by artificially created non-technological constraints, the result is frequently confusion, often poor design, and almost always massive waste. It's time to take a step back and start applying some real thought and logic to these issues, rather than letting them be driven largely by political rhetoric. Otherwise, we're all likely to be paying through the nose for a long time to come.

--Lauren-- http://www.vortex.com

Risks of automated library circulation systems

Richard I. Cook, M.D. <ri-cook@uchicago.edu>
Thu, 7 Dec 1995 16:26:58 -0600

I received two recall notices for two books from the University of Chicago science library. The recall notices were mailed in separate envelopes and each listed the call number, abbreviated title, and three ID numbers identifying the item, the loan and the patron [me]. Because faculty have indefinite loan periods, a recall notice indicates that another patron wants this book. Our library has a very nice bar code reading system for both the patron's card and the book ID, making checkout and return simple and efficient. All I needed to do was get the books and return them to the main library which is three blocks from my home.

I recognized one of the titles but the other seemed strange. Its title was an anglicized version of Arabic, a language that I don't read. I guessed that a scanner had misread either one of the books I took out or someone else's ID card had been misread as mine and the book had been mistakenly charged to me instead of to the actual borrower. I also, briefly, considered the most horrid of possibilities: that I had exactly the same patron ID as another faculty member who was charging out lots of books of which I (with indefinite loan privileges) was unaware and that one day I would be required by a severe looking woman with reading glasses on a chain around her neck to produce a large number of books containing not a single character in an alphabet I recognize.

I went off to the library and explained my situation to a student helper who looked at me as though I were a pederast and called the supervisor. The supervisor, a most helpful and calming influence, was easily convinced that I had not knowingly taken out a book in Arabic. She called up my patron ID and then rapidly called up a series of screens on the computerized circulation system. She said, after a few minutes work, that she thought she knew what had happened. She disappeared into the stacks and, a few minutes later, brought out a little blue book, in Arabic, that was the one being recalled. After weeping uncontrollably at the relief of being saved from the horrific effort of phoning a lot of embassies trying to find a replacement copy of a paperback book whose title and author I could not pronounce or spell, I asked this goddess Diana to explain what had happened.

It seems that the library circulation system is organized around the "piece ID" for each item. Piece IDs uniquely identify items and are assigned in the order in which books enter the library. The piece ID for the book I actually had and the one in Arabic differed by a single digit and it seems likely that the clerk entering the recall for my book mistyped the piece ID. But how could this happen? Wouldn't entry of a piece ID for some book that was not charged generate some sort of error message? Well, it turns out that the system actually handles recalls by checking the requested book IN and then immediately charging it OUT again to the same patron ID for a week's loan. Since one has 7 days to return a recalled book, this has the effect of changing the indefinite loan period to a week and setting up the necessary conditions for the automatic generation of a series of late notices, fines, larger fines, really big fines, invalidation of library privileges, expulsion from the faculty, firing squads, etc. Because, in effect, the book has to be returned to the library (from the computer's point of view) and then charged out for a limited time, it is quite possible for a mistyping to generate the conditions I encountered.

I was relieved to not have to visit in turn each of the Middle Eastern faculty in the University in search of the little book. The librarian (who had taken on the aspect of the Venus de Milo) assured me that I had only seven books charged against my ID and that all these had reasonable call letters derived from more placid, familiar regions of the stacks. With a sigh and mental note to spend more time reading in the library and less at home, I went past the human monitor checking briefcases, through the metal detector, past the turnstile, and out into the cold, clear winter air.

Richard I. Cook, MD ............. Cognitive Technologies Laboratory
Department of Anesthesia and Critical Care ** University of Chicago

"Computer Crime: A Crimefighter's Handbook" by Icove/Seger/VonStorch

"Rob Slade" <roberts@mukluk.hq.decus.ca>
Wed, 01 Nov 1995 17:15:30 EST

BKCMPCRM.RVW 951004 [Apologies for the delay. PGN]

"Computer Crime: a Crimefighter's Handbook", David Icove/Karl Seger/William VonStorch, 1995, 1-56592-086-4, U$24.95

%A David Icove
%A Karl Seger
%A William VonStorch
%C 103 Morris Street, Suite A, Sebastopol, CA 95472
%D 1995
%G 1-56592-086-4
%I O'Reilly & Associates, Inc.
%O U$24.95 519-283-6332 800-528-9994 rick.brown@onlinesys.com 800-998-9938
%O 707-829-0515 fax: 707-829-0104 nuts@ora.com
%P 464
%S Computer Security
%T "Computer Crime: a Crimefighter's Handbook"

As a guide for law enforcement personnel and systems managers, this provides a good overview and introduction to computer crime and the actions to take against it. Touching on crime, prevention and prosecution, the book is practical and helpful to those needing to get a quick handle on the problem.

It is, however, easily evident that the authors are law enforcement, rather than systems, professionals. Those expecting a technical discussion, from the O'Reilly imprimatur, will be disappointed. The book started life as an official FBI training manual. The explanations and concepts are elementary -- and are intended to be so. Thus, while it might be possible to argue (rather weakly) for the definitions of viruses, worms and other malware as described in the book, security experts will likely feel a bit uncomfortable with them. The abdication of discussion on encryption is not going to help those who want to help protect their systems. (On the other hand, there is nothing to indicate any political bias in regard to encryption.) The bibliography, though, is of good quality, and should make up for the technical shortcomings in this work.

I am delighted to see, for once, not only mention but actual listings of computer laws from outside of the US. The coverage is still a bit lopsided, with 130 of US federal and state statutes and less than twenty devoted to the rest of the world, but it's a start.

copyright © Robert M. Slade, 1995 BKCMPCRM.RVW 951004

DECUS Canada Communications, roberts@decus.ca, slade@freenet.victoria.bc.ca
Author "Robert Slade's Guide to Computer Viruses" 0-387-94311-0/3-540-94311-0

Denial of service attack: sabotaged electrical panel

"Jon Mellott" <jon@alpha.ee.ufl.edu>
Fri, 8 Dec 95 10:59:46 EST

Here at the University of Florida we appear to have been the victims of a new variant of the "pull the fire alarm before the exam" attack. This week has been the week before finals -- known locally as "dead week" -- when many major projects and papers are due.

On Monday afternoon someone sabotaged the main circuit breaker to the entire Computer Science and Engineering (CSE) building. The building houses the computer science department, elements of the electrical engineering department, a huge computer lab and a VAX cluster used by the general student population, and the campus network operations center. A new breaker had to be ordered from the manufacturer in Iowa. Apparently the breaker is not a stock item but a custom manufacturing job.

By Tuesday morning power had been restored by borrowing a breaker from the Marston Science Library (MSL) -- really part of the same building but with an independent main electrical panel. While power was being restored to the CSE, the MSL had to be closed, because it didn't have power at that point. A planned power outage was scheduled for 10p-midnight so that the new breaker, due to arrive late Tuesday, could be installed. Unfortunately, at about 6:00p Tuesday the vandal struck again and vandalized the same breaker. At this point we had no functioning circuit breakers on site. Another breaker was ordered from the manufacturer at this point. Since we had been stung twice the campus police became very aggressive. The building was declared "sealed" by the police although no stronger measure than locking the doors was taken to "seal" the building. The police ejected staff members who were on site to ensure that when power was restored things would be started correctly and in a timely manner.

Another planned outage was scheduled for Wednesday night 10pm-3am so as to allow the second new breaker to be installed in the MSL. By Thursday morning we were on the path to a full recovery. There were no signs of forced entry to the electrical closet where the main panel is housed (so we've been told) in both of the events. After the panel was sabotaged the second time the panel was kept under guard by the University Police until the lock had been changed. At this point nobody has been arrested. Given that this attack caused a great deal of hardship for a lot of students, staff and faculty, the culprit would be a fool to advertise his or her daring. It's also worth noting that the culprit probably put himself or herself in danger in sabotaging the panel since he or she did not cut the power at the main before sabotaging the main breaker.

Jon Mellott, High Speed Digital Architecture Laboratory,
University of Florida (jon@alpha.ee.ufl.edu)

False Alarms in Digital Systems

Todd W Burgess <tburgess@uoguelph.ca>
Tue, 5 Dec 1995 21:40:08 -0500 (EST)

All this talk about false alarms in digital systems reminded me of a statistic I came across while doing some research into a report on the application of microprocessors in home security systems. The False Alarm Rate (FAR) of a home security system is 98%. As well, it would seem the more complex the sensors, the greater the FAR. The risks of high FARs are obvious. After numerous false alarms, people will become conditioned not to respond. As a result, home security alarms receive low priority by police departments. As witnessed by several RISKS readers, alarms in hospitals receive low priority by the care givers. While it is better to be safer than sorry in a security or medical environment there is something to be said about making your margin of error too big. If we have to use such large margins of error perhaps we need to re-think how we use digital systems in a highly complex analog world.

University of Guelph, Computer Science Major E-mail: tburgess@uoguelph.ca
URL: http://eddie.cis.uoguelph.ca/~tburgess

Re: Alarm and alarm-silencing risks in medical equipment

Rob Seaman <seaman@noao.edu>
Tue, 5 Dec 95 11:44:55 MST

There has been a lot of good discussion in this thread about delivering the right alarms - to the right people - at the right time - in the right order - so as to have them dealt with in the right way (in a hospital setting, in this case).

Kenneth Albanowski identified a separate risk of the direct harm caused to patients from the simple existence of all these competing alarms from their own and other patients' equipment. Anybody who has ever visited a hospital, let alone been a patient, knows the reality of this second risk.

Unfortunately, proper handling of the first, more immediate, cluster of risks requires that the second risk not be mitigated. Several writers have told anecdotal stories of hospital staff treating alarms in inappropriate ways. Most of us could probably add to the list of situations in which harmful (or fatal) consequences were only avoided through the intervention of the patients themselves, or hospital visitors, or even other patients. The patient is the only one involved who is unable to pass the buck - either to another person or to the machinery.

The patients and hospital visitors cannot be denied exposure to most alarms - these people are a critical part of the safety net. In fact, alarms should be designed to be intelligible to a lay person, and this is also one way to address the question of sensory overload - intelligible alarms provide more peace-of-mind than random, unexplained panic warnings.

Note that more generally, hospital staff are not much more technically talented than the population as a whole - health care workers largely choose their careers for reasons unrelated to technology. There is also no particularly strong trend to weed technically challenged doctors and nurses out of the workforce (as we can see). The patient is often as competent as, or more competent than, the doctor at decisions that lie outside narrow medical limits.

My own anecdote for this thread is that during the birth of our first child, my wife was administered pitocin - the dreaded "pit", a drug to increase the productivity of labor. Her contractions were monitored using a simple strip chart recorder attached to some equally simple transducer. This particular device appeared to be new to the nurses, but I don't think their interpretation of the trace would have benefited from any training. There was a complete lack of understanding of the difference between a smooth sinusoid and a (very) flat-topped trace - both peaked at 100% according to the nurses. Most of my poor wife's contractions were pinned well above that level. We could not get them to understand why they should turn down the drip if they planned to agree with the doctor's instructions (which we had also been present to hear, of course - another part of the safety net).

Finally they turned down the flow rate of the drug - but only because we were making such a fuss (nurses that let themselves be bullied by patients is another risk).

Rob Seaman (seaman@noao.edu)

seaman@noao.edu, http://iraf.noao.edu/~seaman NOAO, 950 N Cherry Ave, Tucson AZ 85719, 520-318-8248


Re: Alarm and alarm-silencing risks

Bob Schuchman <bobs@cts.com>
Fri, 8 Dec 95 00:51 PST

I had a summer job while in college as a radio serviceman with a railroad. Part of my duties required going from one station to another in the cab of a diesel-electric locomotive. The equivalent of alarm-silencing which I observed, was the placing of a heavy weight, such as a toolbox, on the engineer's dead-man pedal. Apparently it was too much of a strain to keep one foot on that pedal to avoid stopping the train.

[Although this case is not particularly computer-relevant, and is indeed a very old problem, it is included here as another reminder of the intricacies in designing safety mechanisms.

There were too many messages on this subject to include all of them. However, let me editorialize on some conclusions. One of the lessons of the RISKS archives is that no matter how many mechanisms are in place, they can still be subverted. There is also an issue involving what happens when a safety mechanism fails, such as a sensor. When one fails, the system risk probabilities change, and must be reevaluated. The best policy is to replace a faulty component as soon as possible, rather than relying on the seeming independence of events to preclude the NEXT failure... PGN]


InfoWarCon (Europe) '96

Winn Schwartau <winn@Infowar.Com>
Fri, 8 Dec 1995 16:35:55 -0500

InfoWarCon (Europe) '96
Defining the European Perspective
Brussels, Belgium
May 23-24 1996

Sponsored by:

National Computer Security Association
Winn Schwartau, President and CEO, Interpact, Inc.
Robert David Steele, Chairman & CEO, OPEN SOURCE SOLUTIONS

Information Warfare represents a global challenge that faces all late-industrial and information age nation states. It also represents the easiest and cheapest way for less developed nation-states and religious or political movements to anonymously and grievously attack major nations and international corporations.

[Contact Winn Schwartau - Interpact, Inc.
Information Warfare and InfoSec
V: 813.393.6600 / F: 813.393.6361
Winn@InfoWar.Com
for the full program and other details regarding this conference. PGN]
