Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The 1998 Electronic Privacy Information Center (EPIC) Cryptography and
Privacy Conference took place on 8 Jun 1998 in Washington D.C. It was an
excellent program, but unfortunately the most memorable moment was a
response from Principal Associate Deputy Attorney General Robert Litt. Litt
appeared on a panel about US Encryption Policy. During the Q&A, he was
asked about the National Research Council's report last year on cryptography
policy, Cryptography's Role In Securing the Information Society ("CRISIS").
For those unfamiliar with the report, it's a monumental and thorough work.
The committee included a former deputy Secretary of State (Kenneth W. Dam),
a former deputy commander in chief of the European command in Germany (W.Y.
Smith), a former deputy director of NSA (Ann Caracristi), a former Attorney
General (Benjamin Civiletti). 13 of the 16 committee members had full
security clearances and received the much touted behind the scenes
briefings from the intelligence community. They concluded "debate over the
national cryptographic policy can be carried out in a reasonable manner on
an unclassified basis."
Nonetheless, Litt responded that it was written before he came on board and
therefore he didn't feel obliged to read it. The audience gasped.
Undersecretary of Commerce for Export Administration, William Reinsch,
sitting with him on the panel looked disgusted. Jim Bidzos, president of
RSA, later quipped it was "a gaff of EPIC proportions." The hallway talk
the rest of the day reflected shock at the combination of naivete and
arrogance that continues to pervade the Administration.
Steve Crocker, CyberCash, Inc., 2100 Reston Parkway, Reston, VA 20191
+1 703 716 5214 (Main number +1 703 620 4200) crocker@cybercash.com
[Note: There was no Subject: line on Steve's message as received. The
one above was added by the moderator, after checking with Webster. PGN]
In May of last year, a group of 11 cryptographers and computer security
researchers released a technical study of the risks, costs, and complexities
of deploying so-called "key-recovery" systems proposed by the U.S. and other
governments. The report, entitled "The Risks of Key Recovery, Key Escrow,
and Trusted Third Party Encryption", concluded that building a secure,
economical key-recovery infrastructure of the kind required would be "beyond
the current competency of the field."
In the year since the report was first issued, there has been a great deal
of government, industry, and research activity toward designing,
prototyping, and building key-recovery systems to meet government or
commercial requirements. We have revisited our study to take into account
the latest work on key recovery and have issued an updated study. The
report, published by the Center for Democracy and Technology, was released
at the 1998 EPIC Cryptography Conference in Washington DC on June 8th.
The 1998 edition of "The Risks of Key Recovery" report is now available on
the web at:
<http://www.crypto.com/key_study>
>From the report's preface:
One year after the 1997 publication of the first edition of this
report, its essential finding remains unchanged and substantively
unchallenged: The deployment of key recovery systems designed to
facilitate surreptitious government access to encrypted data and
communications introduces substantial risks and costs. These risks
and costs may not be appropriate for many applications of encryption,
and they must be more fully addressed as governments consider policies
that would encourage ubiquitous key recovery.
The reports authors include Hal Abelson, Ross Anderson, Steven M. Bellovin,
Josh Benaloh, Matt Blaze, Whitfield Diffie, John Gilmore, Peter G. Neumann,
Ronald L. Rivest, Jeffrey I. Schiller, and Bruce Schneier.
Information is now available online about three related attacks we have
developed at Cryptography Research: Simple Power Analysis, Differential
Power Analysis, and High-Order Differential Power Analysis.
The basic idea of the attacks is that the power consumption of a device
(such as a smartcard) is statistically correlated to the operations it
performs. By monitoring the power usage (or electromagnetic radiation,
etc.) during cryptographic operations, it is possible to obtain information
correlated to the keys. The collected data is then analyzed to actually
find the keys. The three attacks use increasingly sophisticated analysis
methods.
We have implemented these attacks against a large number of smartcards,
and at this point do not believe that any cryptographic smartcards on
the market are immune to these analysis techniques.
There is now an initial summary on Differential Power Analysis on our web
page at http://www.cryptography.com/dpa, and more information will be put on
the website as it becomes available. A condensed text version is also
attached below. Paul Kocher
INTRODUCTION TO DIFFERENTIAL POWER ANALYSIS
Paul Kocher, Joshua Jaffe, Ben Jun, Cryptography Research
Introduction: Power Variation
Integrated circuits are built out of individual transistors, which act as
voltage-controlled switches. Current flows across the transistor substrate
when charge is applied to (or removed from) the gate. This current then
delivers charge to the gates of other transistors, interconnect wires, and
other circuit loads. The motion of electric charge consumes power and
produces electromagnetic radiation, both of which are externally detectable.
Therefore, individual transistors produce externally observable electrical
behavior. Because microprocessor logic units exhibit regular transistor
switching patterns, it is possible to easily identify macro-characteristics
(such as microprocessor activity) by the simple monitoring of power
consumption. DPA type attacks perform more sophisticated interpretations of
this data.
Simple Power Analysis (SPA)
In SPA attacks, an attacker directly observes a system's power
consumption. The amount of power consumed varies depending on the
microprocessor instruction performed. Large features such as DES rounds, RSA
operations, etc. may be identified, since the operations performed by the
microprocessor vary significantly during different parts of these
operations. At higher magnification, individual instructions can be
differentiated. SPA analysis can, for example, be used to break RSA
implementations by revealing differences between multiplication and squaring
operations. Similarly, many DES implementations have visible differences
within permutations and shifts (e.g., the PC1 permutation or rotates of the
C and D registers), and can thus be broken using SPA. While Cryptography
Research found many smartcards to be vulnerable to SPA analysis, it is not
particularly difficult to build SPA-resistant devices.
The figure [see web site] shows SPA monitoring from a single DES operation
performed by a typical smartcard. The upper trace shows the entire
encryption operation, including the initial permutation, the 16 DES rounds,
and the final permutation. The lower trace is a detailed view of the second
and third rounds.
Differential Power Analysis (DPA)
DPA is a much more powerful attack than SPA, and is much more difficult to
prevent. While SPA attacks use primarily visual inspection to identify
relevant power fluctuations, DPA attacks use statistical analysis and error
correction techniques to extract information correlated to secret keys.
Implementation of a DPA attack involves two phases: Data collection and data
analysis. Data collection for DPA may be performed as described previously
by sampling a device's power consumption during cryptographic operations as
a function of time. For DPA, a number of cryptographic operations using the
target key are observed.
The following steps provide an example of a DPA attack process for technical
readers. (More detailed information will follow in the near future.) The
following explanation presumes a detailed knowledge of the DES algorithm.
1. Make power consumption measurements of the last few rounds of
1000 DES operations. Each sample set consists of 100000 data
points. The data collected can be represented as a two-
dimensional array S[0...999][0...99999], where the first index
is the operation number and the second index is the sample. For
this example, the attacker is also assumed to have the
encrypted ciphertexts, C[0...999].
2. The attacker next chooses a key-dependent selection function D.
In this case, the selection function would have the form
D(Ki,C), where Ki is some key information and C is a
ciphertext. For the example, the attacker's goal will be to
find the 6 bits of the DES key that are provided as the input
to the DES S box 4, so Ki is a 6-bit input. The result of
D(Ki,C) would be obtained by performing the DES initial
permutation (IP) on C to obtain R and L, performing the E
expansion on R, extracting the 6-bit input to S4, XORing with
Ki, and using the XOR result as the input to the standard DES
S4 lookup operation. A target bit (for example, the most
significant bit) of the S result is selected. The P permutation
is applied to the bit. The result of the D(Ki,C) function is
set to 0 if the single-bit P permutation result and the
corresponding bit in L are equal, and otherwise D(Ki,C) yields 1.
3. A differential average trace T[0...63][0...99999] is
constructed from the data set S using the results of the
function D. In particular: [See web site for formula]
4. The attacker knows that there is one correct value for Ki;
other values are incorrect. The attack goal is to identify the
correct value. In the trace T[i][0...99999] where i=Ki,
D(i,C[k]) for any k will equal the value of the target bit in L
of the DES operation before the DES F function result was
XORed. When the target device performed the DES operations,
this bit value was stored in registers, manipulated in logic
units, etc. — yielding detectable power consumption
differences. Thus, for the portions of the trace T[i=Ki] where
that bit was present and/or manipulated, the sample set T[i]
will show power consumption biases. However, for samples T[i !=
Ki], the value of D(i,C[k]) will not correspond to any
operation actually computed by the target device. As a result,
the trace T[i] will not be correlated to anything actually
performed, and will average to zero. (Actually, T[i != Ki] will
show small fluctuations due to noise and error that is not
statistically filtered out, and due to biases resulting from
statistical properties of the S tables. However, the largest
biases will correspond to the correct value of Ki.)
5. The steps above are then repeated for the remaining S boxes to
find the 48 key bits for the last round. The attack can then be
repeated to find the previous round's subkey (or the remaining
8 bits can be found using a quick search.)
While the effects of a single transistor switching would be normally be
impossible to identify from direct observations of a device's power
consumption, the statistical operations used in DPA are able to reliably
identify extraordinarily small differences in power consumption.
The figure below [see Web site] is a DPA trace from a typical smartcard,
showing the power consumption differences from selecting one input bit to a
DES encryption function used as a random number generator. (The function of
D was chosen to equal the value of plaintext bit 5.) The input initial
permutation places this bit as part of the R register, affecting the
first-round F function computation and results. Round 2 effects (due to the
use of counter mode) are also strong. The trace was produced using 1000
measurements, although the signals would be discernible with far fewer.
High-Order Differential Power Analysis (HO-DPA)
While the DPA techniques described above analyze information across a single
event between samples, high-order DPA may be used to correlate information
between multiple cryptographic suboperations. Naive attempts to address DPA
attacks can introduce or miss vulnerabilities to HO-DPA attacks.
In a high-order DPA attack, signals collected from multiple sources, signals
collected using different measuring techniques, and signals with different
temporal offsets are combined during application of DPA
techniques. Additionally, more general differential functions (D) may be
applied. More advanced signal processing functions may also be applied. The
basic HO-DPA processing function is thus a more general form of the of the
standard DPA function.
Today HO-DPA are primarily of interest to system implementers and
researchers, since no actual systems are known that are vulnerable to HO-DPA
that are not also vulnerable to DPA. However, DPA countermeasures must also
address HO-DPA attacks to be effective.
Solving the Problems
Cryptography Research has undertaken a substantial development effort to
understand hardware security issues and their countermeasures. Cryptography
Research has pending patents directed to the technologies and techniques
below.
DPA and related attacks span the traditional engineering levels of
abstraction. While many previously-known cryptanalytic attacks (such as
brute force) can be analyzed by studying cryptographic algorithms, DPA
vulnerabilities result from transistor and circuit electrical behaviors
which propagate to expose logic gates, microprocessor operation, and
software implementations. This ultimately compromises the cryptography.
Techniques for addressing DPA and related attacks can be incorporated at a
variety of levels:
Transistor: No feasible alternatives to semiconductors are available today,
but alternate computation technologies (such as pure optical computing) may
exist in the future. Cryptography Research has developed gate-level logic
designs that leak substantially less information.
Circuit, Logic, Microprocessor, and Software: In physically large systems,
well-filtered power supplies and physical shielding can make attacks
infeasible. For systems with physical or cost constraints, Cryptography
Research has developed hardware and software techniques that include ways of
reducing the amount of information leaked, introducing noise into
measurements, decorrelating internal variables from secret parameters, and
temporally decorrelating cryptographic operations. In applications where
attackers do not have physical possession of the device performing
cryptographic operations, such techniques can be effective. However, because
externally-monitorable characteristics remain fundamentally correlated to
cryptographic operations, we do not recommend these approaches as a complete
solution for applications where attackers might gain physical possession of
devices.
Software and Algorithms: The most effective solution is to design and
implementing cryptosystems with the assumption that information will
leak. Cryptography Research has developed approaches for securing existing
cryptographic algorithms (including RSA, DES, DSA, Diffie-Hellman, ElGamal,
and Elliptic Curve systems) to make systems remain secure even though the
underlying circuits may leak information. In cases where the physical
hardware leaks excessively, the leak reduction and masking techniques are
also required.
Paul Kocher, President, Cryptography Research, 870 Market St., Suite 1088
San Francisco, CA 94102 415-397-0123 (FAX: -0127) paul@cryptography.com
[This work has enormous potential as one more technique for breaking
weakly designed and badly implemented systems, and consequently represents
one more forcing function that must be recognized in trying to achieve
better systemic security. Unfortunately, it also can break some good
good systems. The most important lesson is that computer-communication
security is a weak-link problem, and at present, computer-based systems
are riddled with weak links. There will always be some weak links, but
today there are far too many. PGN]
The Stanford Linear Accelerator Center (SLAC) computer system was the victim of an intrusion on 2 Jun 1998 that touched about 50 files. The intruder logged in with a password (guessed? sniffed? borrowed?), and left as evidence only a new zero-length file (perhaps set up with write privileges?). In response, SLAC cut its computers off the Internet until yesterday while they tried to figure out what had happened, with 30 people working overtime. [Abstracted from *Palo Alto Daily News*, 10 Jun 1998, p. 3]
Recently, I noticed that the Japanese maker of audio and other electronics goods, Pioneer, have begun magazine ads campaign (in Japan) notifying the users of their old GPS-based automobile navigation aids of the problem of their old ROM firmware. (I am sure there are similar systems in USA. The automobile navigation system essentially shows the map on a small display and indicates where you are and where your target is, etc..) The one page black and white ads states that certain old models of their GPS-based systems won't show correct positions beginning on 22 Aug 1999, and urge the users of such systems to contact Pioneer office for upgrading the ROM. It does not bother to explain the reason for the problem, i.e., rollover of the week count, etc.. I think it is all right since the ads page is meant for general public. My father has a similar system in his car, but I doubt if he cares about the integer overflow, etc.. I submit this to RISKS because I feel Pioneer is doing the right thing and should be commended. That it uses black and white subdued layout seems to me that they are trying to place the ads in as many magazines as possible within their budget. I just wonder if there are other old models used widely from other companies which will begin malfunctioning, i.e. posting incorrect positions after that date. Ishikawa, Chiaki, Personal Media Corp, Shinagawa, Tokyo, Japan 142 ishikawa@personal-media.co.jp.NoSpam Chiaki.Ishikawa@personal-media.co.jp.NoSpam [The GPS bit-overflow problem in certain receivers was noted in RISKS-18.24, whereby the date will reset to 6 Jan 1980 at the end of 21 Aug 1999. PGN]
The New Jersey Department of Motor Vehicles installed a system upgrade to improve performance over the weekend. After one hour of use Monday morning it crashed, preventing field offices from processing new licenses, registrations and titles. A spokesman was unable to provide any details. The state extended a June 30 deadline to July 7 for anyone affected. Apparently no data was lost, and the system did function properly during weekend tests. [New York Times electronic edition, "Bureau's Computer Crash Strands Thousands of Car Owners" June 9, 1998. dkw stark abstracting.] --David Wittenberg dkw@cs.brandeis.edu
The June 6th edition of the Albany (NY) Times Union reports that 3 men from Saratoga County, NY were charged with conspiracy after a woman intercepted the cordless phone conversation of 2 of them planning to rob and beat an elderly woman in her home. After hearing the first names of the men on her scanner, she called police who believed they knew the identity of the men and followed one of the suspects to a neighborhood where they circled around several times and left. Police investigators found an elderly lady living alone in that neighborhood who identified one of the suspects as someone who did work on her deck previously. The woman who reported the conversation wished to remain anonymous. Which is interesting, because as I understand FCC law, she could also be charged with a crime because she was monitoring a cordless phone conversation (made illegal a few years) and she disclosed the content of that conversation to someone else (which I believe has been illegal for even longer). The risks? When you are using that cordless phone, someone else may be listening, even if it's illegal. --Matthew Delaney
Tabloid magazine *Neue Revue* quotes a survivor, Wolf-Rüdiger Schliebener, confirming earlier news that passengers heard strange noises about two minutes before the disaster, while the train started rocking and shaking. As the broken wheel (thought to be the cause of the disaster) was located somewhere in the second unit, the driver up in front didn't notice anything. After the wheel broke, the train continued going on for two minutes at its cruise speed of 200 km/h, until the broken wheel destabilized the whole train and the last part of it went off the rail and hit a bridge. The point Schliebener made was that passengers noticed something was wrong, but the train lacked appropriate emergency brakes or any other means of telling the driver that there was something wrong. Which is true? AFAIK: there are two emergency brakes located at the doors, but none within the cabin (which, for non-Germans, looks pretty much like a airplanes cabin, whith two rows of seats on each side). Schliebener told *Neue Revue* he wondered why the driver did not start to brake. In effect, he never did: the train was stopped automatically after all but the first unit went off the rails. The driver seemed surprised - he hadn't noticed anything until the train stopped automatically. Frank Drieschner, our reporter who went to cover the disaster, was told by railway staff that the train's steering electronics prevent the driver from doing anything meaningful (letting the computer do everything instead) at speeds over 160 km/h, so if there had been emergency brakes near, they'd probably have been disabled automatically at high speeds. Another thing Frank told me was that the cable on the rails used by the train control system was completely destroyed between the point where the wheel broke and the point where the train hit the bridge. An interruption of the cable should make the train brake automatically, railway staff told him. So far, there have not been any definitive conclusions on the accident. [Added comment:] Whatever resonance one can imagine interferes with the operation of trains, the presence of proper "something is going wrong" feedback systems (either from the passengers via an emergency break, as I suggested, or a automatic one, as the next issue of Der Spiegel claims is installed in British high-speed trains and was dropped by the German railway authorities because it was too expensive) would have been of help in this case. Only imagine the passengers in the train having to remain passive as the train went on shaking and rattling at 200 km/h for two minutes before the crash. On the other hand, there can be a "too much flashing warning lights in the cockpit" problem, as several reconstructions of airplane crashes have shown. Martin Virtel, DIE ZEIT im Internet (http://www.zeit.de) +49 (0)40-3280-562 [The German train disaster toll is now up to 102 people killed.]
ICE crash: Seems the Bahn had not actually been inspecting the rim wheels by ultrasound, but by "laying on of hands". If they did not feel good, then they would be tested. A few years ago an engineer made the suggestion to use ultrasound for every inspection. It was not implemented because of the high cost. *Now* it will be standardized. Rail service is not expected to stabilize until June 21, as all of the Type 1 ICE trainsets have to be inspected. Berlin S-Bahn: They were down to just 10-minute delays on the regional and ICE trains traveling over the S-Bahn tracks and proudly gave a press conference to that respect... on the same day that the new computer system for controlling the switches crashed again and needed 45 minutes to begin functioning again. Berlin election software: Turns out, the software is not exactly for counting votes, but for printing the election registers and the announcements. The statistics office had been implying that the elections were endangered in the hopes of finally getting a much needed equipment update.... Prof. Dr. Debora Weber-Wulff, Technische Fachhochschule Berlin, FB Informatik, Luxemburger Str. 10, 13353 Berlin, Germany http://www.tfh-berlin.de/~weberwu/