In-brief: A report from Bruce Schneier and researchers at the Universities of Wisconsin and Washington surveys the (many) ways that cryptographic protections can be weakened or subverted, and calls for research on fool-proof technologies.
Wired’s Andy Greenberg picks up on a paper titled “Surreptitiously Weakening Cryptographic Systems” by Bruce Schneier and researchers from the Universities of Wisconsin and Washington. The full paper is here. (PDF)
Their goal: make a survey of the various methods that have been used (or could have been used) to subvert the protections provided by cryptography schemes. The methods range from exploiting ‘inadvertent’ vulnerabilities like Heartbleed to exposures due to improper configuration and deployment to purposeful subversion, like “Differential Workfactor Cryptography,” an NSA backdoor built into Lotus Notes to conform with U.S. export bans in the late 1990s.
Their conclusions? Doing good crypto is hard and there are many opportunities for determined adversaries to weaken its protections – either during the design or deployment phase.
The researchers argue for more research and experimentation on new design approaches for cryptographic standards, including public design competitions. Given that so many cryptographic standards are the product of committees – and that committees are subject to “influence” from bad actors – the authors also propose “an explicit review step for resilience to sabotage” into existing committee work.
Finally, agencies like NSF, DARPA, the ERC and others should introduce programs aimed at encouraging research on ways to subvert cryptographic standards – with a view identifying possible avenues of attack.