Protecting the Fortune Cookie: Is GIAC Enterprises' cryptography strong enough to protect our information?
SANS Technology Institute (STI) Group Discussion Written Project (GDWP)
Authors: Robert Comella, Brough Davis
Advisor: Stephen Northcutt
Presented: June 6, 2010
Executive Summary
A blog post written last year has called into question the ability of AES to secure data in transit. Another paper has called into question the security of the high-end VPN quantum key exchange mechanism used at GIAC as well. As the intellectual property transmitted across the VPN is the lifeblood of GIAC Enterprises, Brough and Robert were asked to investigate these issues and report how much of a threat they represent to the business.
With regard to the attacks against AES, it is our conclusion that there is currently a small but growing risk to the business. Researchers have been able to reduce the work required to recover an AES-256 key below exhaustive search, but not to an extent that makes breaking the encryption feasible at this time. As time goes on the attacks will become more serious and eventually AES will fail, but not in the immediate future. The good news is that simple steps on the part of GIAC can mitigate this issue almost out of existence. First, keys can be changed more frequently, so that no key stays in use long enough for the attacker to crack it even as his technology improves. Second, GIAC can ask the vendor to add the alternative AES key sizes, which at this time have a larger security margin against the published attacks. Finally, GIAC should implement an aggressive patching policy so that any improvements the vendor distributes are deployed as soon as they become available.
The problem with the quantum key exchange used in quantum key distribution (QKD) is more serious. Feihu Xu and colleagues at the University of Toronto have found a way to break this key exchange mechanism as implemented in a commercial product. The attack lets an eavesdropper learn the keys sent across the fiber without pushing the error rate above the threshold the devices use to detect tampering, effectively rendering QKD unable to secure data. Luckily, though the attack is very dangerous, it would be very difficult to mount. First, an attacker must amass a great deal of expensive optical equipment. Second, he must find a place to insert that equipment that causes either no disruption in service or an explainable one. Because the attack intercepts and resends the photons, the attacker must sit in line on the fiber, which means breaking the fiber and splicing his equipment into it; a cut in the fiber would certainly alert our service provider, causing them or us to investigate what had occurred. The only other option is for the attacker to break into the line at a junction site within a service provider building, where physical security would hopefully prevent such an action. Even though this attack is dangerous, the difficulty of implementing it makes it, in our opinion, a rather low risk. GIAC's mitigation strategies are limited. Waiting for the vendor to create a patch and implementing it as soon as possible is one approach, but it may not be viable, as there is no telling when the vendor will overcome the engineering difficulties required to fix this hole. A more proactive approach is defense in depth. Tunneling the traffic over SSH between the servers and the printing appliances, in addition to the VPN, keeps the data confidential even if the attacker captures the VPN keys. For additional layered security the web application traffic can be carried over SSL. With SSL embedded in the application itself, the traffic from contractor to database and from database to bakery appliance is encrypted end to end, independently of the VPN.
Finally, given the current state of encryption technology described above, it is our opinion that an attacker would have better chances focusing on the computers and appliances outside the company firewall. Attacks on the contractors would be more difficult for us to mitigate, but the amount of information that could be obtained is smaller. Attacks on the appliances are easier to mitigate, since the hardware is locked down and controlled by GIAC, but the amount of data exposed is considerably higher. Solutions exist that can raise the bar at both ends: read-only bootable access media (ROBAM) for the contractors, pricing that gives the bakeries an incentive to protect their appliances, and SSL at both ends.
Problem Description
GIAC Enterprises is a small to medium sized growing business and the largest supplier of fortune cookie sayings in the world. The fortune cookie authors are 1099 contractors and submit cookie sayings via a web application. The security of the submission system has been evaluated and is considered acceptable, as is the security of the database. However, the CIO has been reading about malware for which there are no anti-virus signatures, an increasing problem. Since a number of workers process the fortune cookie sayings, if malware could be placed on their desktops, information could be exfiltrated. The CIO is particularly concerned about an email message forwarded from one of his peers. It referenced a blog posting by Bruce Schneier about attacks against ten-round AES-256:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
He points out that even though he is only now seeing the paper, it is almost a year old, and there have probably been other advances since. GIAC's entire lifeblood is intellectual property. The fortune cookie sayings have to be transmitted around the Internet: writers submit sayings, editors approve them, and sayings have to be supplied to the GIAC appliance that drives the printer at fortune cookie bakeries. The VPN depends on quantum key exchange, but a recent report by Feihu Xu and colleagues from the University of Toronto indicates this may no longer be secure enough either. You have been assigned the task of assessing the risk and evaluating countermeasures.
1. Is AES safe for GIAC's most proprietary and sensitive information?
2. Create a high level plan for the role of cryptography in the protection of
GIAC information over the next five years. The key to success will be
processes that allow GIAC to continue its successful and growing business.
Key Points:
• Contractors submit cookie sayings via a web application.
• The security of the submission system has been evaluated and is considered acceptable, as is the security of the database.
• The fortune cookie sayings have to be transmitted around the Internet: writers submit sayings, editors approve them, and sayings have to be supplied to the GIAC appliance that drives the printer at fortune cookie bakeries.
• The VPN depends on quantum key exchange.
Assumptions:
• Data kept on desktops is assumed too risky because of malware concerns. No sensitive data is kept on desktop systems (contractors, editors).
• All sensitive information is submitted to the web application via HTTP (not SSL).
• The only encryption being performed is by the IPsec VPN tunnels, using AES-256 with quantum key exchange.
• IPsec VPN LAN-to-LAN (L2L) tunnels exist between:
o the contractor network and the corporate network where the database is located
o the corporate network and the remote bakeries in which the appliances are located
Network Diagram:
Quantum Key Exchange
Quantum key distribution (QKD) uses quantum mechanics to guarantee secure
communication. It enables two parties to produce a shared random bit string known only to
them, which can be used as a key to encrypt and decrypt messages. An important and
unique property of quantum cryptography is the ability of the two communicating users to
detect the presence of any third party trying to gain knowledge of the key. This results from
a fundamental aspect of quantum mechanics: the process of measuring a quantum system
in general disturbs the system. A third party trying to eavesdrop on the key must in some
way measure it, thus introducing detectable anomalies.
The best-known QKD protocols are the prepare-and-measure Bennett-Brassard 1984 (BB84) and Bennett 1992 (B92) protocols and the entanglement-based Ekert 1991 (E91) protocol. Current vendors tend to favor BB84.
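The following simulation is an added example for this report, not code from the page, from either vendor, or from the Toronto group. It plays out BB84 over a noiseless channel so the reader can see the mechanism that the Vulnerability and Impact sections below rely on: an eavesdropper who intercepts a photon, measures it in a guessed basis and resends it randomises the bit whenever her guess was wrong, so full intercept-and-resend raises the sifted quantum bit error rate (QBER) to about 25%, above the 20% bound the report cites, while intercepting only part of the traffic keeps the QBER under the bound at the price of learning less of the key. The 20% threshold, the photon counts and the random seeds are constructed parameters. The Toronto attack is not what is modelled here: it exploits imperfect state preparation in a real device to keep full interception at 19.7%; this code assumes ideal state preparation and shows only the generic relationship between interception and error rate.

```python
"""BB84 simulation: how intercept-and-resend shows up in the sifted-key error rate.

Added example for this report (not vendor code). Alice encodes random bits in
random bases (0 = rectilinear, 1 = diagonal); Bob measures in random bases; the
two keep only positions where their bases matched (sifting) and compare those
bits to estimate the QBER. A constructed 20% abort threshold mirrors the BB84
bound quoted in the report.
"""
import random

QBER_THRESHOLD = 0.20  # constructed: the 20% bound the report quotes for BB84


def measure(bit, prep_basis, meas_basis, rng):
    """Outcome of measuring a photon prepared as (bit, prep_basis) in meas_basis.

    Same basis: the prepared bit is read out exactly.
    Different basis: the outcome is a uniformly random bit (the state is disturbed).
    """
    return bit if prep_basis == meas_basis else rng.randrange(2)


def run_bb84(n_photons, eve_fraction=0.0, channel_flip=0.0, seed=1):
    """Run one BB84 exchange.

    eve_fraction  share of photons Eve intercepts, measures and resends (0.0..1.0)
    channel_flip  probability that ordinary channel noise flips a bit Bob reads
    Returns (sifted_key_length, qber, fraction_of_sifted_key_known_to_eve).
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n_photons)]
    alice_bases = [rng.randrange(2) for _ in range(n_photons)]
    bob_bases = [rng.randrange(2) for _ in range(n_photons)]

    bob_bits = []
    eve_view = []  # per photon: (eve_bit, eve_basis) if intercepted, else None
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if rng.random() < eve_fraction:
            # Eve must pick a basis before she knows Alice's; she then resends
            # what she saw, prepared in her own basis.
            e_basis = rng.randrange(2)
            e_bit = measure(bit, a_basis, e_basis, rng)
            b_bit = measure(e_bit, e_basis, b_basis, rng)
            eve_view.append((e_bit, e_basis))
        else:
            b_bit = measure(bit, a_basis, b_basis, rng)
            eve_view.append(None)
        if rng.random() < channel_flip:  # environmental noise, indistinguishable from Eve
            b_bit ^= 1
        bob_bits.append(b_bit)

    # Sifting: Alice and Bob publicly compare bases and keep only matching positions.
    sifted = [i for i in range(n_photons) if alice_bases[i] == bob_bases[i]]
    if not sifted:
        return 0, 0.0, 0.0
    errors = sum(1 for i in sifted if alice_bits[i] != bob_bits[i])
    qber = errors / len(sifted)

    # Eve knows a sifted bit for certain only where her basis matched Alice's.
    known = sum(1 for i in sifted
                if eve_view[i] is not None and eve_view[i][1] == alice_bases[i])
    return len(sifted), qber, known / len(sifted)


def key_accepted(qber, threshold=QBER_THRESHOLD):
    """Alice and Bob keep the key only if the estimated QBER is within the bound."""
    return qber <= threshold


if __name__ == "__main__":
    for frac in (0.0, 0.5, 0.8, 1.0):
        length, qber, known = run_bb84(20000, eve_fraction=frac)
        print(f"Eve intercepts {frac:>4.0%}: sifted={length} QBER={qber:.3f} "
              f"Eve knows={known:.2f} accepted={key_accepted(qber)}")
```

Run as a script, the full-interception case is rejected (QBER near 0.25) while half interception passes the 20% check with Eve holding about a quarter of the sifted key; an attacker under the bound therefore wants the largest fraction of the key for the smallest added error, which is exactly what the Toronto result achieves against a real device.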
Not many vendors offer quantum key exchange VPN products. The only vendors we could find offering such devices were ID Quantique and MagiQ. Both implement the BB84 protocol. Because the QKD protocols are sensitive to the transmission medium, both vendors require fiber connectivity between the VPN devices:
• MagiQ QPN 8505 Security Gateway
• ID Quantique Cerberis
Vulnerability
Unconditional security proofs of the various QKD protocols rest on idealized assumptions. One key assumption is that the sender can prepare the required quantum states without error. That assumption may be violated in a practical QKD system. Feihu Xu, in his research paper, experimentally demonstrated a technically feasible intercept-and-resend attack that exploits such a loophole in a commercial "plug & play" QKD system. The resulting quantum bit error rate is 19.7%, below the proven secure bound of 20.0% for the BB84 protocol, so the eavesdropping goes undetected. Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially available system.
Impact
Quantum key exchange VPN appliances are very new and only a small set of companies manufacture them. QKD protocols, BB84 specifically, are theoretically impossible to intercept undetected but very difficult to implement. The theory relies on errors being generated solely by an eavesdropper measuring the photons. Unfortunately, because the technology is very sensitive, the environment always introduces some errors, and the appliance vendors and protocol authors account for this with an error threshold of 20%. The attackers were able to use that 20% threshold as cover to intercept and resend the traffic without the QKD appliance noticing. It should be noted that this requires physical access to the fiber panels as well as a host of electronic and fiber optic equipment, including:
• laser diode
• single photon detector
• phase modulator
• circulator
• polarization beam splitter
• classical photodetector
• delay line
• Faraday mirror
• variable optical delay line
• polarization controller
GIAC should consider the existing QKD VPN system an acceptable level of security because of the enormous cost and risk an attacker would have to undertake to crack it. However, if the information communicated across the QKD VPN were valuable enough to warrant an attacker taking on that cost and risk, then GIAC may want to consider a conventional key exchange protocol such as IKE/ISAKMP and/or additional application-specific encryption such as SSH or SSL.
Is AES strong enough for your business?
In short: yes, for now. AES-256 has been broken in the academic sense, but not in a way that lets anyone read confidential data on the line. AES is, however, not as secure as it was originally thought to be, and steps can be taken to make it more secure.
To understand why this is only concerning and not panic inducing, it is important to define terms. AES is a block cipher: all data to be encrypted with AES is broken up into groupings called blocks, and each block is run through a key-based algorithm that turns the plain text into a garbled mess called cipher text. The cipher text must then be run through the inverse algorithm with the same key to turn it back into plain text. The algorithm is repeated for a fixed number of rounds. Given enough time, anyone can run the cipher text through the decryption algorithm with every possible key; they will eventually hit the correct key and the plain text will be revealed. When a cryptanalyst finds a way to recover the key while trying fewer than all possible keys, the cipher is considered broken. In many cases the reduced number is not reduced enough to matter.
For example, AES-256 has 2^256 possible keys. Cryptanalysts found they only need to try 2^119 keys before they can recover the key. While that is a significant decrease, it is still far too many keys for today's computers to try and get a useful result. This begs the question, "What is considered reasonable?" According to the actual paper referenced in the blog, a value of 2^56 is reasonable. Keep in mind that it takes several computer cycles to try each key, so running this many keys would take approximately 2^64 computer cycles. In terms of computers and time, it would take 108 Intel Core i7 processors about a year to do that many calculations. To do it in 24 hours, a person would need 40,000 processors. So even "reasonable" is still rather a lot.
There are three versions of AES: AES-128, AES-192 and AES-256. The number refers to the length of the key in bits. The other major difference between them is the number of rounds each puts the clear text through before producing finished cipher text: AES-128 uses ten rounds, AES-192 twelve, and AES-256 fourteen. Most of the attacks mentioned in the article target reduced versions of AES that do not put the clear text through all the rounds. When the blog says that 11-round AES-256 can be broken in 2^70 work, that is a crippled version of AES. As time goes on two things will occur: computers will get faster and the attacks will reach more rounds, approaching full strength. When the day comes that researchers find a way to break full-strength AES-256 in a reasonable amount of time, AES-256 will be useless as a security device and will need to be phased out, as DES is being.
As of today the three AES versions stack up as follows:
AES-128: There are currently no known attacks that reduce the number of key combinations required to break this cipher. Attackers would need to try 2^128 keys.
AES-192: This one has been broken. The best attack this author could find is the one mentioned in the blog, at 2^176. This is far from reasonable and is still rather secure. The unfortunate part about AES-192 is that it is not supported on many pieces of hardware.
AES-256: This one has also been broken. Again, the best result researchers have published, to the knowledge of this author, is the one in the blog: 2^119 keys, which in this attack model actually makes it weaker than AES-128. This is still not an issue yet, but it is closer to actually being broken than the rest.
It should be noted that the attacks on AES-192 and AES-256 cited in the blog are related-key attacks: they assume the attacker can obtain encryptions under several keys that differ from the target key in a known way. A VPN whose keys are generated independently at random does not give the attacker that relationship, which is one more reason the practical risk today is small.
Because of the issue with AES-256, the most secure version of AES against these attacks is AES-192, followed by AES-128 and then AES-256. Unfortunately for GIAC Enterprises, the vendors that supply quantum key exchange have hard coded AES-256 as their chosen encryption offering. In the end GIAC has little choice about which level of AES to use. The version available at this time is still considered secure, but with a much smaller safety margin than was originally thought. Future versions of the vendor software may deal with this issue by offering more encryption options.
As the blog suggests, the AES algorithm could add rounds to strengthen it further. This too would have to be provided by the vendor in future releases of the product's software.
One mitigation within the control of GIAC is the key rotation rate. Both vendors offer frequent key changes, but MagiQ clearly outshines here with the ability to rotate keys at an incredible rate of 100 per second, compared to ID Quantique's one per minute. If the system constantly moves the target, it will be more difficult to hit.
Security for devices outside the firewall
With the countermeasures in place protecting data in transit, and with the knowledge that the web application and data storage processes are secure, the most vulnerable points for the company are the systems outside the firewall, located at the contractors' homes and at the bakeries.
On the back end, the physical appliances at the bakeries are possible points of attack. These systems need to be physically protected, as physical access usually equates to root access. The OS should be locked down so that only one port (SSL) is open, the one across which the data travels. Otherwise it would be possible to sniff the cookie data off the copper between the VPN router and the device itself. It would also be wise to base the pricing structure of our business on the number of sayings the customer retrieves, so that our clients are motivated to use their own resources to protect the appliance.
The front end is more difficult to defend due to the nature of the client, but an attack on a contractor would only yield information stored on or entered from that machine, a small portion of the total intellectual property. Due to the insecure nature of browsers, a workstation used both to surf the Internet and to access our web application can never be totally trusted. One idea we may wish to explore is a ROBAM (read-only bootable access media): a complete operating system loaded from CD-ROM that provides a clean environment each time it is used to boot the machine. If we distribute a ROBAM specifically configured to provide access to our site, it is less likely that attackers could intervene in the communication; an attacker would need to compromise the machine between the time it is booted from the disk and the time the user reaches our web application. Further, if the contractors are limited to data entry only, with no retrieval, security is increased. Our web application programmers must then be very vigilant in scrubbing incoming data from the contractors.
Five Year Plan
There are three main areas of attack with which GIAC Enterprises must concern itself.
The first is the breakdown of the AES algorithm itself. It is our opinion that if the key rotation rate is kept high there is little chance that advances in computer technology and mathematical attacks will lower the security of even AES-256 enough to impact the business.
The more troubling attack is the one on the quantum key exchange. Since it attacks the light in the fiber itself, it is possible for the attacker to read the keys as they are sent. This means that no matter how often new keys are generated, the attacker can see them. Luckily this attack requires both physical access to the line and a significant array of equipment to succeed. The physical access would most likely have to be at a junction in a telecommunications site, as cuts in fiber are generally detectable.
The answer to both of the first two issues is an aggressive stance on vendor upgrades. The vendor can implement different AES key sizes, specifically AES-192, to increase security immediately. In the future the vendor will need to implement any protocol changes that add rounds to increase security. With the quantum key attack there is little GIAC can do but wait while the vendor develops a fix that brings the error margin down to a more reasonable size. If GIAC relies solely on this technology then, for the foreseeable future, it must be treated as compromised, even if compromising it is very expensive.
The final area of possible infiltration is the devices located outside the firewall. These systems are the most vulnerable and should receive elevated attention. As time goes on it is important that SSL encryption be implemented, if it is not already, to secure the data as it travels from the appliance or workstation to the VPN router. Updates and patches should be maintained, and if ROBAM is used then new disks should be sent out regularly (quarterly at least, or immediately if a critical vulnerability is discovered).
GIAC Enterprises may wish to add defense in depth by layering an alternative encryption method before and/or after the QKD VPN. A simple implementation of SSL or SSH would make the QKD attack useless: the data, even if the VPN keys were recovered, would be unreadable to the attacker.
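As an added example of the defense-in-depth layer recommended above and in the executive summary (this is not code from the report or from any vendor), the following Python shows the appliance and the saying server speaking mutually authenticated TLS on top of whatever the IPsec/QKD tunnel provides. The keys protecting this layer are the appliance's and server's own certificates, issued by a GIAC-controlled CA, so an attacker who recovers the VPN keys still sees only TLS records. The certificate and key paths, the CA file, the host name sayings.giac.example, port 8443 and the /sayings/next request path are assumptions chosen for illustration; the report's 2010 wording says SSL, but the example enforces TLS 1.2 or newer, which is what a practitioner would deploy today.

```python
"""Application-layer mutual TLS between a bakery appliance and the GIAC saying server.

Added example for this report; not vendor or project code. File paths, host name,
port and URL path below are assumptions. Both sides apply the same policy:
TLS 1.2 or newer, certificate verification mandatory, and (on the appliance) host
name checking against GIAC's own CA rather than the system trust store.
"""
import socket
import ssl


def _harden(ctx):
    """Policy shared by both sides: modern protocol floor and mandatory peer certificates."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def server_context(cert_file, key_file, appliance_ca_file):
    """Saying server: present its certificate and require each appliance to present
    a client certificate issued by GIAC's appliance CA (mutual TLS)."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER))
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)   # assumed paths
    ctx.load_verify_locations(cafile=appliance_ca_file)         # assumed path
    return ctx


def client_context(server_ca_file, cert_file, key_file):
    """Appliance: trust only GIAC's server CA, check the host name, and present
    the appliance's own certificate so the server knows which bakery is asking."""
    ctx = _harden(ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT))
    ctx.check_hostname = True
    ctx.load_verify_locations(cafile=server_ca_file)            # assumed path
    ctx.load_cert_chain(certfile=cert_file, keyfile=key_file)   # assumed paths
    return ctx


def policy_ok(ctx, client_side):
    """Pre-flight check run before a context is used; catches a context that was
    weakened (e.g. verification switched off for troubleshooting and left that way)."""
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:  # TLSVersion is an IntEnum
        return False
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        return False
    if client_side and not ctx.check_hostname:
        return False
    return True


def fetch_next_saying(ctx, host="sayings.giac.example", port=8443):
    """Appliance side: fetch one saying over TLS from the assumed /sayings/next API.
    Returns the HTTP response body as bytes."""
    if not policy_ok(ctx, client_side=True):
        raise RuntimeError("refusing to connect with a weakened TLS policy")
    request = (b"GET /sayings/next HTTP/1.1\r\nHost: " + host.encode()
               + b"\r\nConnection: close\r\n\r\n")
    with socket.create_connection((host, port)) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(request)
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
    parts = b"".join(chunks).split(b"\r\n\r\n", 1)
    return parts[1] if len(parts) == 2 else b""


def serve_once(ctx, bind=("0.0.0.0", 8443), saying=b"You will ship on time."):
    """Server side: answer one appliance request. The handshake has already
    verified the appliance certificate when recv() returns; the peer certificate
    is returned so the caller can log which appliance pulled the saying."""
    if not policy_ok(ctx, client_side=False):
        raise RuntimeError("refusing to serve with a weakened TLS policy")
    with socket.create_server(bind) as listener:
        conn, _ = listener.accept()
        with ctx.wrap_socket(conn, server_side=True) as tls:
            tls.recv(4096)
            peer = tls.getpeercert()
            tls.sendall(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\n"
                        b"Connection: close\r\n\r\n" % len(saying) + saying)
            return peer
```

The two context builders need real certificate files, so in operation the server and appliance CA would be issued from a GIAC-internal CA and the appliance image would ship with its client certificate, key and the server CA. policy_ok is the piece worth keeping on the appliance and the server regardless of how the sockets are wired: it refuses to run if someone has disabled certificate checks or allowed an old protocol version.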
References
Quantum cryptography. Wikipedia. http://en.wikipedia.org/wiki/Quantum_cryptography, as on June 5, 2010.
Schneier, B. (2009, July 30). Another New AES Attack. http://www.schneier.com/blog/archives/2009/07/another_new_aes.html, as on June 5, 2010.
Quantum Cryptography Cracked (2010, May 18). https://infosecurity.us/?p=14506, as on June 5, 2010.
Schneier, B. (2000, January). Self-study course in block cipher cryptanalysis. Retrieved from http://www.schneier.com/paper-self-study.pdf
Advanced Encryption Standard. Wikipedia (2010, June 5). Retrieved from http://en.wikipedia.org/wiki/Advanced_Encryption_Standard
Comella, R. L., Farnham, G., & Jarocki, J. (2009, October 3). Protecting your business from online banking. Retrieved from http://www.sans.edu/resources/student_projects/200910_05.pdf