Tuesday, November 29, 2011

History of Security Failures 101: Crypto Flaws

While going over various examples of failed standardized security systems I realized it would be very useful to have an open online database of security system failures that could be used by security professionals to analyze the root cause of such failures and learn how to prevent them in the future. I was thinking "Someone" should build such a database. Not knowing who this "Someone" could possibly be I left it at that.

Thankfully, Matthew Green has prepared a short list covering a subset of such failures - specifically cryptography flaws that were exploited by non-government attackers.

The following is from Matthew Green's blog:

Over on Web 1.0, Steve Bellovin is asking an interesting question:
Does anyone know of any (verifiable) examples of non-government enemies exploiting flaws in cryptography?  I'm looking for real-world attacks on short key lengths, bad ciphers, faulty protocols, etc., by parties other than governments and militaries.  I'm not interested in academic attacks -- I want to be able to give real-world advice -- nor am I looking for yet another long thread on the evils and frailties of PKI.
Here are a few of the responses that sound pretty reasonable. They're (mostly) not mine, and I've tried to give credit where it's due:
  1. Cases of breached databases where the passwords were hashed and maybe salted, but with an insufficient work factor enabling dictionary attacks.
  2. NTLMv1/MSCHAPv1 dictionary attacks.
  3. NTLMv2/MSCHAPv2 credentials forwarding/reflection attacks.
  4. The fail0verflow break of poorly-nonced ECDSA as used in the Sony PlayStation 3.
  5. DeCSS.
  6. Various AACS reverse-engineering efforts.
  7. The HDCP master key leak.
  8. GSM decryption, which seems to have gone beyond the academic, but I have no specific knowledge of attacks "in the wild".
  9. Factoring of the Texas Instruments 512-bit firmware signing key for calculators, and Elcomsoft's factoring of the Quicken backup key.
  10. Key recovery in WEP.
  11. Exploits on game consoles: the original XBox, Wii software signing.

I'm not sure I would categorize all of the above as cryptography flaws (for example, CSS was DeCSSed not because of any weakness in the cryptography but because it was trivial to reverse engineer CSS from a specific implementation). To the above list I can add the following from memory:
             12.  Mifare Classic
             13.  The ASP.net padding oracle exploit
             14.  The MD5 collision attack [PDF] on certificate authorities
             15.  This brute force attack [PDF] on the Nagravision analog video scrambling algorithm
             16.  G Stor Plus proprietary encryption [German article]
             17.  Car immobilisers

I'm sure there's much more. For example, Thomas Ptacek and Michael Tracy gave four real world examples of attacks on web application security failures due to cryptography flaws in their "Crypto for Pentesters" session at BlackHat US this year, though they didn't reveal the details of the web applications that were vulnerable to these attacks.

This list is a nice start for a security failures database - and I'm considering being that "Someone". So if you can think of other security systems that failed due to cryptographic flaws, please use the comments below or send a message to my gmail account (security.fails.db).


  1. I think it'd be great to have a database like this. I kept my list to things that were deployed in the wild, so I left collision-finding attacks, etc. off of it. But there's no reason to make the distinction when it comes to a database.

  2. Thanks for providing recent updates regarding the concern, I look forward to read more.
    Security Systems