
If you find a flaw or bug, for example in the Linux kernel, you can create an issue on GitHub, or if you can solve it you can contribute.
How about finding a flaw in a cryptographic protocol?!

  • How can you report it or flag an issue?
  • If you can fix it, is it possible to contribute?
asked by R1w (edited by Ella Rose)

4 Answers


If you find a flaw or bug, for example in the Linux kernel, you can create an issue on GitHub, or if you can solve it you can contribute. How about finding a flaw in a cryptographic protocol?!

A protocol is slightly different from a concrete implementation of a piece of software like the Linux kernel on GitHub. It is closer to a specification that may be followed by many different implementations.

  • How can you report it or flag an issue?
  • If you can fix it, is it possible to contribute?

This depends on whether the protocol is something that is deployed and in use, e.g. TLS, or is a protocol that has merely been proposed academically.

If it is a theoretical academic protocol, you would create a paper discussing the attack or relevant shortcomings of the protocol and publish it as appropriate.

If the protocol in question is actually in use in the real world, then you would find who the authors of the protocol are and email them privately. Exactly who you email might vary depending on circumstances: Companies, individual implementors, and standards bodies might all be relevant. Try looking for white papers/RFCs/working groups/etc to locate the appropriate people to contact.

Be sure to include in the email:

  • A thorough description of exactly what the problem is
  • Who is affected
  • How serious the problem is
  • How long the problem has been present
  • An implementation of the attack (a.k.a proof of concept)
  • Recommendations for how to fix the problem

Vulnerability reporting and disclosure can have multiple, orthogonal approaches, and vendor responses may vary. If it is a widely used protocol like TLS, your approach and the response may very well be different from some random individual's project on GitHub.

Oh, and apparently it's trendy to create a branding campaign for the vulnerability, including a name, logo, and website. Whether or not this is a good practice is debated.

Ella Rose
  • Would the anonymous downvoter care to explain? – Ella Rose Oct 03 '18 at 22:01
  • Note that even if the protocol is non-academic you can / should still publish a paper after the issue is fixed. – SEJPM Oct 04 '18 at 07:42
  • I disagree with the proof of concept being needed. Often it will be much more work to implement a proof of concept than to implement a fix. And in those cases you will be increasing the time to get the vulnerability fixed by spending time on writing a proof of concept. I know there are companies who refuse to fix security vulnerabilities until a proof of concept has been presented, but that's a bad attitude that we should try to reverse. If you found a vulnerability and want to write a proof of concept, feel free to do so. But you shouldn't feel obliged to do it. – kasperd Oct 04 '18 at 11:46
  • @kasperd: I kind of agree, but while a proof of concept isn't (or at least should not be) necessary, it can be very helpful in getting people to accept that the issue you found is actually real and exploitable. Especially if you don't already have a reputation as a credible and competent security researcher. In an ideal world, you'd just point out the flaw and everyone would immediately go "oh, yes, that's wrong and we should fix it." In the real world, if the flaw is not obvious and you can't directly demonstrate its effects, that rarely happens. – Ilmari Karonen Oct 04 '18 at 12:02
  • @IlmariKaronen I don't question the effectiveness of a proof of concept in convincing others that a security vulnerability should be addressed. However, I still think it is more productive to report vulnerabilities without implementing a proof of concept initially, and to take such reports seriously if you receive one. If you have reported a vulnerability without a proof of concept and your report is not being taken seriously, then you can consider whether it is worthwhile putting effort into a proof of concept. Sounds like for the most part we are in agreement. – kasperd Oct 04 '18 at 14:38
  • It was me (obviously). But I've come to realise that your position is entirely correct. So I apologise and I've undone it. Don't know who the other voter is. – Paul Uszak Sep 26 '21 at 02:14

This relates how I dealt with this issue in 1999. I had found an attack on the ISO/IEC 9796(-1) signature scheme. It was closer to practical than another line of effort¹ to break that scheme.

The signature scheme was used by indirect business partners of my employer. It was thus a professional necessity not to make a hostile disclosure. I got internal clearance to contact by email the ISO/IEC committee working on that standard. Initially I was met with some skepticism about the correctness of my computations, and I was not even sure that my padding was exact down to the bit. I had to send an example forgery, which turned out to be correct.

I decided to write my first academic paper². In August 1999, I made on sci.crypt.research (a moderated usenet list for cryptographic research) this public disclosure of the existence of the attack and that I intended to get it published. I told what the attack does, but not how. I gave the hash of an example as commitment, not the example, which could have revealed how the attack works.

The paper was accepted at Eurocrypt 2000. In May 2000 it was published and I made my only (so far) presentation in a cryptographic conference³. In the short Q&A afterwards, when it came to repairing the flaw, a representative of the working group announced that the standard would be withdrawn, following the two attacks, and the lack of convincing repair strategy short of using a hash, as already in ISO/IEC 9796-2.


¹ That other attack worked against a 1-bit variant of the scheme. Unknown to me, it had just been extended to a fully working (if theoretical) attack.

² Also my first use of LaTeX. That was a serious obstacle, especially when it came to making the indispensable and relatively complex figure.

³ That was chaotic. The presenter before me got way past schedule, ignoring the moderator's pleas that he conclude. He only finished because he literally fell backstage with a loud noise, which combined with the audience's reaction did allow my presentation to start, only about when it was supposed to end. To try to compensate, I flew over the start, which further lowered the percentage of the audience that got my point. I had my share of laughter when I candidly explained that I didn't know exactly when my own attack worked.

fgrieu
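The commitment fgrieu describes above (publishing the hash of an example forgery as proof that the attack exists, while withholding the example itself) is a standard commit-and-reveal pattern. The following is an added illustration, not fgrieu's code nor anything used in 1999; the SHA-256 choice, the domain-separation label and the random nonce are assumptions of this example. The nonce matters: without it, anyone who can enumerate the space of plausible forgeries could match the published hash and recover the withheld example.

```python
"""Hash commitment for a vulnerability disclosure (added example, not from the post).

Publish only the hash of the evidence (e.g. an example forgery) together with a
random nonce kept secret; later reveal evidence and nonce so anyone can check
the evidence existed at disclosure time, without the evidence itself having
revealed how the attack works.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

LABEL = b"disclosure-commitment-v1\0"  # assumed domain-separation label


def commit(evidence: bytes, nonce: Optional[bytes] = None) -> Tuple[str, bytes]:
    """Return (hex commitment, nonce). A fresh 32-byte nonce is drawn if none is given."""
    if nonce is None:
        nonce = secrets.token_bytes(32)
    if len(nonce) < 16:
        # A short nonce would let a brute-force search recover low-entropy evidence.
        raise ValueError("nonce must be at least 16 bytes")
    h = hashlib.sha256()
    h.update(LABEL)
    # Length-prefix the nonce so nonce/evidence boundaries are unambiguous.
    h.update(len(nonce).to_bytes(4, "big"))
    h.update(nonce)
    h.update(evidence)
    return h.hexdigest(), nonce


def verify(commitment_hex: str, evidence: bytes, nonce: bytes) -> bool:
    """Check a revealed (evidence, nonce) pair against a previously published commitment."""
    try:
        recomputed, _ = commit(evidence, nonce)
    except ValueError:
        return False
    # Constant-time comparison; irrelevant for a public hash but a good habit.
    return hmac.compare_digest(recomputed, commitment_hex)


if __name__ == "__main__":
    # Constructed sample: stand-in for the withheld example forgery.
    forgery = b"constructed example forgery bytes"
    published, secret_nonce = commit(forgery)
    print("publish now:", published)
    # Later, at reveal time, release (forgery, secret_nonce); anyone can verify.
    print("verifies after reveal:", verify(published, forgery, secret_nonce))
    print("tampered evidence rejected:", not verify(published, forgery + b"!", secret_nonce))
```

At disclosure time only the hex digest is posted (as fgrieu did on sci.crypt.research); the nonce stays with the evidence until the paper is out, and the committee or reviewers can then recompute the digest themselves.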

First of all, if the protocol is in use, you have to warn them before publicly announcing. Otherwise, there can be very catastrophic results. First day attacks are very common.

Demonstrating only the flaw is a half paper, with countermeasures you will have a good paper. Of course, you have to give time to people to deploy the countermeasures.

Update: examples, due to valuable comments:

  1. Example: Bleichenbacher's CCA attack on PKCS#1
  2. Example: Needham-Schroeder
kelalaka
  • Good answer, but one of my questions remains unanswered, or maybe I did not get it: If you can fix it, is it possible to contribute? – R1w Oct 03 '18 at 21:14
  • Why is RSA mentioned next to Dual_EC_DRBG? Why is Dual_EC_DRBG mentioned at all (as it is not a protocol)? – Ella Rose Oct 03 '18 at 21:27
  • @EllaRose isn't it part of a protocol? – kelalaka Oct 04 '18 at 05:27
  • @kelalaka : No. Dual_EC_DRBG is an algorithm. Also, Heartbleed is not a flaw in a protocol, it was an implementation bug in a widely deployed library. – Martin Bonner supports Monica Oct 04 '18 at 10:21
  • @MartinBonner So are you saying that when we talk about a protocol attack, we don't consider the implementation or the underlying insecurity of the algorithms? So we only consider attacks such as the MITM attack or as in the Needham-Schroeder protocol? – kelalaka Oct 04 '18 at 10:37
  • Yes. Heartbleed was entirely equivalent to a flaw in the Linux kernel, and was reported to the OpenSSL team. A flaw in an underlying algorithm is not the same as a protocol flaw, but it is much more similar (in that both are a specification flaw). The Bleichenbacher attack on PKCS #1 v1.5 is the sort of thing I would describe as a protocol flaw. – Martin Bonner supports Monica Oct 04 '18 at 10:49

Or, you try to cash in on it.

If you're any good at finding flaws, there is a lucrative (and legal) yet very grey market in vulnerabilities and zero day exploits. The New York Times have listed some prices and companies that resell these. Outfits like Zerodium in Washington; Netragard in Acton, Mass.; Exodus Intelligence in Austin, Tex.; and ReVuln, and a Virginia start-up named Endgame. Typical exploits sell for 35,000 to 160,000 dollars, but you can get up to 500,000 dollars for Apple’s iOS.

All of the security agencies pay to get these, presumably under some form of non-disclosure agreements/secrecy legislation. The NSA seems to be the largest client, but the FBI also buys exploits such as for backdooring Firefox/Tor. If you're really good, you should be able to sell the same exploit to multiple buyers. It depends on your contacts as to whether you are able to access this market though.

In the war on terror, it could literally be catastrophic to not exploit such flaws. Hawks would argue that it's your patriotic duty to pass such information on to the security agencies. Stuxnet, Flame and Duqu have all capitalised on zero day exploits with great success at disrupting Iran's nuclear program. It's to protect the children too. Or so the ideology goes. As to whether it's moral/ethical, those issues have been formalised by Obama's Special Assistant to the President and Cybersecurity Coordinator, Michael Daniel:-

  • How much is the vulnerable system used in the core internet infrastructure, in other critical infrastructure systems, in the U.S. economy, and/or in national security systems?
  • Does the vulnerability, if left unpatched, impose significant risk? How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  • How likely is it that we would know if someone else was exploiting it?
  • How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  • Are there other ways we can get it?
  • Could we utilize the vulnerability for a short period of time before we disclose it?
  • How likely is it that someone else will discover the vulnerability?
  • Can the vulnerability be patched or otherwise mitigated?

This policy is called NOBUS in the US and is for "investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit internet traffic." Examples of it are Dual_EC_DRBG, cracking Diffie-Hellman and EternalBlue in Windows. Quoting, "as a general rule, tries to focus on exploiting vulnerabilities used in its targets’ software".

In summary, there's lots of money to be made. And you'd be contributing to your country's security as JFK asked of us all.

Update:

Latest (March 2019) NY Times estimate of this market now puts it at $12B. Salaries >> $200,000 working for companies like Darkmatter or NSO Group breaking WhatsApp and Skype traffic.

Update2:

Zerodium is now offering up to $2,500,000 per exploit. Ka-ching:-


Paul Uszak
  • I'm confused how legal it is to sell a zero-day exploit, and what the difference is between selling it to those people or on the darknet? – R1w Oct 03 '18 at 21:04
  • @R1w Good question. I guess that those who have power over us determine what's legal or not. It's a very grey area. And don't forget that nothing is illegal until you're caught. This applies equally to agencies and individuals. Realpolitik. – Paul Uszak Oct 03 '18 at 21:33
  • And if you found an exploit as a private individual it sort of puts the lie to NOBUS. –  Oct 04 '18 at 01:49
  • @R1w In some countries, selling zero-days is indeed illegal and may even be considered a terrorist act. Therefore, I would generally advise anyone contemplating engaging in such activity to first check the laws of their current geo-location (read: ask a local lawyer first). – e-sushi Oct 04 '18 at 03:31
  • -1 until this answer properly hedges the legal claim, and has some acknowledgement of how deeply unethical this course of action is. Also would be worthwhile to provide more ideological context to the claims in the second paragraph. ("Hawks would argue..." gets at this but could be made more explicit) – user371366 Oct 04 '18 at 03:59
  • @dn3s Why is it unethical? I didn't mean to make it sound so. Cryptography is first and foremost a munition, which is why it falls under weapons legislation. And the purpose of military weapons is to kill the enemy. "Ask what you can do for your country" blah, blah. It's why we have armies and intelligence agencies. It applies to programmers too. It's not all sailing, team building and skiing as the recruitment adverts go. It's important to understand the fundamental purpose of cryptography. – Paul Uszak Oct 04 '18 at 09:15
  • "Cryptography is first and foremost a munition" - citation needed. – Martin Bonner supports Monica Oct 04 '18 at 10:23
  • In the war on terror, it could literally be catastrophic to not read and control everyone's mind – gbr Oct 04 '18 at 11:13
  • @PaulUszak i guess it's ethical if one considers the interests of the state that happens to have power over you to be the same thing as morality. There's a name for that kind of thinking though that you probably wouldn't like. – user371366 Oct 04 '18 at 16:37
  • @MartinBonner Numerous nations either currently or previously branded cryptography a munition – user2768 Oct 05 '18 at 11:40
  • @user2768 I know that. What I wanted was a citation for "first and foremost". – Martin Bonner supports Monica Oct 05 '18 at 12:09
  • @MartinBonner Can such a citation include any country that currently enforces such arcane rules? I'm not sure about the US these days, but some European nations, including the UK, do have such rules that apply to new cryptographic algorithms (very few in the UK are aware of the rules and probably even fewer pay any attention to them) – user2768 Oct 05 '18 at 13:05
  • @user2768 No. The fact that some (or even all) countries treat something as a munition does not mean that is what it is "first and foremost". High explosives are certainly treated as munitions, but I would argue that first and foremost they are about mining and similar activities. – Martin Bonner supports Monica Oct 05 '18 at 13:10
  • @MartinBonner I think we're in danger of delving into the ambiguities of natural language. Perhaps Paul Uszak can elaborate on the intended meaning. – user2768 Oct 05 '18 at 13:18
  • As someone who actually dealt with this market (for private buyers, not for government contractors), I can confidently say that no one sells cryptographic weaknesses. It's pretty much all software bugs or leaked/stolen source code. I don't even know of rumors of people with 0days for cryptography. – forest Oct 06 '18 at 04:33
  • @forest So you're not in that market then, but talking about it with authority? I envy your chutzpah. Oh, the NY Times has heard some rumours about it. Did you read that? You can click on the blue words and hyperlinks will take you to seven relevant articles :-) – Paul Uszak Oct 06 '18 at 12:20
  • @PaulUszak I find your suggestion I am kidding offensive. I didn't say high explosives were not used as munitions, just that that is not their primary use. – Martin Bonner supports Monica Oct 07 '18 at 11:44
  • @PaulUszak I think you completely misunderstood what I said. – forest Oct 08 '18 at 02:05
  • @PaulUszak I know this post is years old, but I'd suggest you remove the link to the Zerodium website and the other "defense" contractors. I don't think it's a good idea to drive more traffic to their site or boost their SEO ranking (I'm saying this as someone who dislikes corrupt governments using 0days against people, not as a mod. I just figured you and I would both agree that these companies are evil). – forest May 14 '22 at 00:41