3

Do you know if is has already happened (since 1980), that someone (academic or not) has "broken" (even in a weak sense) some cryptographic assumption, but has chosen to not first publish and directly attack some security system of the physical world?

I'm really considering the cryptographic/algorithmic level, not a human mistake in which someone didn't use the appropriate standard according to the academic world.

ps: I'm not asking about exploits which are still unknown (it would be an absurd query)

Ievgeni
  • 2,585
  • 1
  • 10
  • 32
  • I was speaking about breach in a first time "not revealed", but in a second time discovered (the breach and the fact that it has been exploited). I edit my post to be more clear. – Ievgeni Oct 17 '19 at 14:25
  • 3
    Before 1980, there is differential cryptanalysis, which was kept under tight wrap until it was rediscovered independently. – fgrieu Oct 17 '19 at 14:32
  • I've chosen this date arbitrarily, because as far as I know, academic cryptography was not so important (relatively to military research), in the 70's and earlier. (But maybe I'm wrong). – Ievgeni Oct 17 '19 at 14:46
  • 3
    The 1970s were the decade in which academic cryptography essentially first began as a a field, with Ralph Merkle's crazy ideas in 1974 inspiring the entire field of public-key cryptography (setting aside the classified GCHQ proposals of James Ellis in 1969 and Clifford Cocks in 1973), and with the publication of Lucifer and Feistel cipher design in 1971 and the standardization of DES giving people something to put their teeth into and kicking off the academic study of symmetric cryptography. I would suggest 1970 as a better cutoff year. – Squeamish Ossifrage Oct 17 '19 at 15:39
  • 2
    Several people have voted to close this question as too broad. I'm not voting to close it because although there are many possible answers to this question, there are also specific criteria by which to evaluate an answer, so it is not an open-ended invitation for arbitrarily broad rambling. – Squeamish Ossifrage Oct 18 '19 at 01:06
  • @fgrieu It appears Meir Maor beat you to it anyway despite technically being outside the chronological scope of the question! – Squeamish Ossifrage Oct 20 '19 at 20:35

4 Answers4

13

In 2004, Xiaoyun Wang's team first publicly reported collisions in MD5, and in 2007, Marc Stevens, Arjen Lenstra, and Benne de Weger reported a chosen-prefix collision attack on MD5.

Around the same time, the governments of the United States and Israel developed the the Flame malware to sabotage Iran's nuclear program. Part of the scheme involved forging a Microsoft code-signing certificate using MD5 so that they could sign malicious software without leaving a trail pointing back to themselves.

While studying Flame in 2012, Marc Stevens discovered that the creators of Flame had used an independently developed chosen-prefix attack on MD5 (paywall-free preprint). We can presume it is independent because if the creators knew about the attack devised by Stevens' group, why would they bother to develop a different way to do the same thing?

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223
  • Thank's a lot, I didn't know Flame was using cryptanalysis. Do you have other examples in asymmetric cryptography? – Ievgeni Oct 17 '19 at 14:41
  • @Squeamish Ossifrage: agreed. A lot of what seems to be his latest and (I hope for him) final word on that flies high above my head. Nevertheless I think I'll remove my statement relaying a debunked conspiracy theory (even though I never endorsed it, only said I heard about it; wait, that's how conspiracy theories go!). I'll leave (here): You beat me on that one. Glad you did! Also: it is debatable if it is a case of "someone didn't use the appropriate standard according to the academic world" or not. – fgrieu Oct 17 '19 at 15:22
  • @fgrieu Oh, that's a much better reference, thanks! – Squeamish Ossifrage Oct 17 '19 at 15:29
6

Differential cryptanalysis

In 1990 Eli Biham and Adi Shamir discovered a powerful technique capable of breaking a wide range of ciphers. When they applied it to the DES cipher developed by IBM and the NSA in 1975 it became apparent the designers of DES were aware of this technique.

In 1994 this was confirmed. Evidently IBM discovered this in 1974 and was asked by the NSA to keep it secret. And it remained a secret for 16 years.

In computer science 16 years is an eternity, and the fact the NSA can be 16 years ahead of the rest of the world is frightening. In many ways the Snowden revelations were reassuring in that they do not suggest any magical futuristic abilities. Only the same stuff everyone else is doing but but slightly better and bigger. This does not however rule out the possibility the NSA has some top secret technology the rest of us won't see for 20 years.

Think back what technology looked like 20 years ago. And think how far ahead the NSA might be

*This is an old quora answer of mine I copied here as it seemed suitable, despite the different audience.

Reference: http://www.cs.technion.ac.il/~biham/Reports/differential-cryptanalysis-of-the-data-encryption-standard-biham-shamir-authors-latex-version.pdf

Meir Maor
  • 11,835
  • 1
  • 23
  • 54
  • 1
    Can you add citations for the background? The Biham and Shamir papers, the declassified paper on the T-attack as IBM called it, retrospective commentary on the timing of events? Maybe contemporary commentary on concerns that NSA weakened DES by doing this? (Obviously NSA did weaken DES another way—by reducing the key space to 56 bits.) – Squeamish Ossifrage Oct 19 '19 at 01:41
  • 3
    I had the privilige of studying under both Biham and Shamir at different times, I learned this story from Biham. But a quick google produced the reference I added. note DES wasn't weakened due to differential cryptanalsis it was strengthened to be relatively resilient. Almost any change to DES would make it weaker. This identified by Biham and confirmed by Don Coppersmith from the DES team at IBM. Wikipedia also has some on the history of differential cryptanalysis – Meir Maor Oct 19 '19 at 06:56
5

In the early 2000s, Certicom and/or NSA developed Dual_EC_DRBG, a pseudorandom number generator built out of public-key elliptic-curve cryptography—which these days ‘everyone’ knows means built with a back door (after all, that's what a private key is!). At the time, however, elliptic-curve cryptography had a certain mystique around it, and many people fell into a common trap: the misconception that a rich mathematical theory like RSA makes a problem harder than an ad hoc construction like AES, when really it is exactly the opposite—it is much easier to make something like AES hard to break; the rich mathematical theory is needed only for the back door (public-key cryptography), and requires larger keys and worse performance to conceal it.

We know that Certicom knew about the back door in Dual_EC_DRBG because Dan Brown and Scott Vanstone patented it in 2005 (under the euphemism of ‘key escrow’), but these days patents have completely inverted their role as a forum for dissemination and become a forum for obfuscation instead (and I don't know when the patent application was first made public), so like the purloined letter nobody bothered to read it. So, despite this disclosure, and despite smelling something fishy early on, NIST didn't connect the dots and in 2006 adopted Dual_EC_DRBG in Special Publication 800-90A, the United States federal government standard for pseudorandom number generation.

The first problem the public academic community noticed was that Dual_EC_DRBG is just a lousy uniform bit generator. It wasn't long before someone publicly pointed out the back door design at the CRYPTO 2007 rump session, and then made noise about it in popular press. Nevertheless, Elaine Barker of NIST sent Bruce Schneier a stern rebuke for suggesting that there might be a back door, and the algorithm remained in the standard despite its obvious fishiness to every cryptographer on the planet who followed it.

Meanwhile, NSA bribed RSA, Inc. 10m USD to use Dual_EC_DRBG by default in the RSA-BSAFE cryptography library used commercially by various enterprises too big to care about fiddly little details like ‘cryptographic back doors’. It also wound up in Juniper's ScreenOS firmware—with nonstandard base points, suggesting a different back door from the standard one codified in NIST SP800-90A. To this day, nobody has publicly explained whose back door it is.

The charade lasted until joint reporting on Edward Snowden's disclosures by the New York Times, ProPublica, and the Guardian in September 2013 revealed smoking-gun memos that NSA had a program to deliberately sabotage cryptography standards. This convinced the world, and even NIST, that Dual_EC_DRBG is bad news.

For more information and references, see the Project BULLRUN Dual_EC web site, particularly a detailed chronicle of the background and history until 2015, and the timeline at the Wikipedia article on Dual_EC_DRBG.

Squeamish Ossifrage
  • 48,392
  • 3
  • 116
  • 223
-4

Given the $12B market in exploits, obviously it has. Many, many times. I don't have details of the originators of the exploits, but clearly they exist as the lucrative market is summarised in this Finding flaw in cryptographic protocol answer. You may be able to get to the underlying maths/electronics if you follow the above link(s) deeply enough. These are proper breaks/exploits that generate results, and not in any sense weak. That's why corporations/agencies pay for them.

As for using "good" standards, well that only applies to simple stuff like not using electronic code book constructs, unless warranted. Once you get in to the realm of iPhone 11's and the Signal protocol, there is no good standard as those are innovative designs in constant flux. And given the 2nd Law of Thermodynamics (entropy and causality), side channel attacks are impossible to nullify.

Of course it they didn't publish and used or banked the break secretly, we might never know.

Paul Uszak
  • 15,390
  • 2
  • 28
  • 77
  • 3
    I think "citation needed" is the relevant term here. The claims made in this answer are completely unsubstantiated by evidence. – Ella Rose Oct 17 '19 at 13:55
  • If I understand well, what you're pointing is more a matter of "modelling attack" (people use irrelevant models, because technology evolved). I'm more interesting about attack on the cryptographic assumptions themselves. – Ievgeni Oct 17 '19 at 13:56
  • 4
    I'm not even sure what the claims in this answer are that could be supported by citations. This doesn't seem to address the question: What cryptographic flaws have been exploited in practice prior to publication? – Squeamish Ossifrage Oct 17 '19 at 15:52
  • 1
    The exploit market does not deal in cryptographic weaknesses. I have never, ever seen a 0day or weaponized exploit that specifically targets a believed-strong algorithm. – forest Oct 31 '19 at 01:26
  • @forest Again, isn't that simply proof of you not being involved in said market? I've never bought 10,000 tons of soya, but I'm pretty sure that some countries operate commodities markets. No? If you read my linked articles, you will :-) – Paul Uszak Nov 07 '19 at 00:18