Slashdot Mirror


IBM Crypto Up For Grabs?

An Anonymous Coward writes: "BBC Newsnight have tonight shown an article about a group of hackers who are about to release details of the vulnerability of the IBM Cryptographical processors. (Details here.) The BBC article can be watched online here. Alan Cox makes a starring role ;)" windowlicker adds some detail: "Mike Bond and Richard Clayton, from Cambridge University, have cracked IBM's 4758 cryptoprocessor running the 'Common Cryptographic Architecture' (CCA). You can do the same with $1000-worth of hardware and the info from here. Many banks use this system for protecting PINs." The video file requires Real software; here's the BBC's article online for those of us without.

14 of 230 comments

  1. Re:Hacker divas suck. by Anonymous Coward · · Score: 1, Informative

    You got the wrong end of the stick. They have already released the information. They told IBM about it a year ago.

  2. RealVideo Coverage by guru_steve · · Score: 5, Informative

    I'm watching the video right now, and it's taken a bit of time to find out where this segment is on the BBC news.

    So, for those of you who don't feel like jumping around the video for this segment, it starts at about 22 minutes in the broadcast.

  3. ATM's are more prone to stone age methods by number+one+duck · · Score: 4, Informative

    I'm not too worried about this. An electronic fraud is something that can be reasonably gotten out of, it's the *bank's* fault if their system eats your money. (Admittedly, I haven't read the small print of my own bank, but hey, it's not the article, anyway).

    The big problem I have with my bank, however, is the location and layout of their ATM machines to begin with:

    1) ATM's are built into the wall, rather than in any kind of nook. The line generally forms directly behind the user. (This isn't so much of a problem for e.g. drive through atms, as the bulk of the car is obscuring view of the transaction).

    2) The buttons on the keypad are almost two inches across! I know they have to make them 'easy to use', and big happy buttons are important for that, I imagine... but having to move my entire hand around to enter the code makes it trivial to watch someone's movements...as opposed to normal sized buttons where what is being pushed is generally obscured by your hand itself.

    3) This is a general problem. Cards are *inserted* rather than *swiped*, which makes it almost trivial for people to rig the machines to prevent the card from being returned. A card swipe, where the card never leaves my hand, would be infinitely preferred to leaving my bank card at the mercy of any hoodlum with a bottle of soap and a pair of pliers.

    4) Apparently the ATM card I received is more than I asked for... it is also a credit card AND a debit card AND who knows what all else... if they acquire it they can run me down even if I don't have any money left in the account proper.

    1. Re:ATM's are more prone to stone age methods by Anonymous Coward · · Score: 1, Informative

      Sounds like your bank is pretty bad. Try getting a new one. But in response:

      3) It's not that easy to screw around with an ATM without getting caught. Otherwise you would see a lot more criminals stealing cash directly from within the machine.

      4) Don't get a debit card if you don't want one. In the US a debit card is usually also on the Maestro/Mastercard networks, while ATM cards are on only (e.g.) Cirrus and NYCE. See the logos on the back. Also a debit card will have a hologram and usually a network logo on the front.

  4. Not relevant on both counts... by Moooo+Cow · · Score: 2, Informative

    At least, not relevant for this particular story.

    1) The hackers themselves say "Until IBM fix the CCA software to prevent our attack...". According to the experts here, the fix is a software patch, not a hardware change-out.

    2) This particular vulnerability only needs access to any single IBM 4758 running IBM's ATM. It does not depend on a whole set of them working together. In fact, given that you only need one, increased heterogeneity would increase the overall chance that a given network/organization has one exploitable system somewhere (although it does indeed decrease the overall chance that ALL your elements are exploitable).

    --
    Slashdot is entertaining like pro wrestling is entertaining

  5. Re:Hacker divas suck. by SquierStrat · · Score: 3, Informative

    See, this is the problem...no upgrade. IBM was notified about the problem a year ago, with no fix. In reality a firmware update should do it (I believe the card is capable of it...) but they've done nothing. They didn't say the banks didn't know, they just didn't say they did. Also you have to have physical access to the machine with the chip in it to do it. That's a lot of banks to notify also!

    --
    Derek Greene

  6. The algorithms are secure by Anonymous Coward · · Score: 1, Informative

    It's the protocol which is faulty (like usual).

  7. Re:Only a matter of time by Black+Acid · · Score: 5, Informative

    The PIN is four decimal digits = 10,000 combinations ~= somewhere between 13 and 14 bits of security.

    For those interested, you can find how many bits a key with x values is using logarithms:

    bits = log(x) / log(2), or

    bits = d / log(2)

    Where d is the number of decimal digits the key is. Therefore, a 4-digit PIN has 4/log(2) or precisely 13.287712379549449391481277717958 bits of cryptographic strength. Not much compared even to weak encryption such as 64-bit DES, or the 56-bit des-ii cracked by d.net.

  8. Re:Question... by sachmet · · Score: 2, Informative

    Because most banks that I am aware of have a $300 limit on account withdrawals; also, with enough witnesses willing to provide affidavits, you can prove you were not in the location you said you were in at the time the withdrawal took place. The withdrawal limit is to prevent a person from physically accosting you from ATM to ATM trying to take all your money.

  9. Related technical paper by dazed-n-confused · · Score: 4, Informative

    If you want more technical detail, check out the paper on API-Level Attacks on Embedded Systems by Mike Bond and Ross Anderson.

    Ross Anderson is the author of "Security Engineering" -- if you're interested in this story but haven't read the book, consider this a strong recommendation. More details inc. sample chapters at his website. Plus other fascinating stuff.

  10. Jesus Jackie! And it runs Linux too. by opkool · · Score: 3, Informative

    I used to work with some of those cards at my former employer.

    There are actually 2 models, well, there were 2 models when I was there. They are called cryptographic 4758 and 4758-II.

    The first (and older model) wasn't that good at being a fast crypto card. That good for 2001 standards, that's it. Back when they were developed they were pretty darn good.

    The newest model was better and more powerful. It supports more and tougher encryption keys. It offloads any machine of the heavy-cpu-load encryption burden. And it is a pretty good piece of technology.

    Their mission is to take over the CPU when dealing with encryption. That is, encrypt stuff before being sent or decrypt stuff received. It can seem not a big deal. But think of e-commerce and/or bank transactions: literally hundreds of encrypt/decrypt processes.

    The card is (was) a computer-in-a-card. It has a CPU with the power of a 486 (it does not use a 486 cpu). And it costs lotsa money.

    Not so long ago, I heard that IBM was considering dumping the proprietary OS of those cards, and use instead embedded secure Linux.

    Now, I want to believe that they have cracked the older model. If it is the newer model, well, it is pretty bad. This means banks not being able to trust each other. And I'm serious.

    Nevertheless, to access one of those cards installed in a sensitive system, you must have physical access to the card. And this is not easy. It's like a real-life Mission Impossible (http://www.missionimpossible.com/) kind-of-thing.

    If there's any problem with it, I'm pretty sure that the crypto team has worked and solved this thing.

  11. Re:Lessons to be learned: by swillden · · Score: 3, Informative

    It has been argued that security via obscurity is not really secure at all... just secret. Yet clearly obscurity is secure.... however... its biggest weakness is the obscurity.

    Security by obscurity is security, until the veil of obscurity is lifted. There is no question whatsoever that the absolute best in security is achieved by building something that would be completely secure if published, and then keeping it a complete secret. Obscurity creates an enormous extra work factor for would-be attackers.

    Openness actually weakens the security of systems that cannot be modified, however, because it removes the work factor created by security, but the systems cannot benefit from the quick defect corrections provided by openness. Maybe for sufficiently simple non-modifiable systems the best approach is still openness, with substantial public analysis and discourse before any systems are fielded.

    These systems undergo the best scrutiny..... the enemy

    No, I disagree. The enemy does not provide the best scrutiny, for one simple reason: the enemy won't tell you if your system is broken.

    I wonder if it would be possible to add Blowfish to the kit? You say you know the guys that work on this.... have they said anything about using non-DES (aka non-IBM and the government with their backdoors) type of ciphers??

    It would be trivial to add additional ciphers like Blowfish. The purchaser of a 4758 can buy a developer's kit and do it himself, even.

    However, I would not recommend Blowfish for high-security applications. It's too young. Although slow, 3DES is actually the best cipher we have right now. DES has withstood almost 30 years of intensive cryptanalysis by the best academic cryptographers in the world. Not only has it not been broken, it hasn't even showed the tiniest hint of a hairline fracture. Sure, the keys are too small these days, but 3DES fixes that up nicely, and its properties are very well understood.

    If you need a more modern, faster block cipher, I would actually recommend AES or the AES candidates, not Blowfish. Twofish is Bruce Schneier's successor to Blowfish and although it is a couple years newer than Blowfish it has almost certainly had more intense scrutiny thanks to its status as an AES finalist.

    Finally, every professional cryptographer I know put that old spectre of NSA backdoors in DES to bed years ago. It is almost inconceivable that the NSA 30 years ago was so far ahead of the current state of public cryptanalytic art that something as significant as a back door could still escape notice. Also, the NSA didn't *need* a back door. They forced a small key size, and they have more computers than anyone.

    It is vaguely possible that 3DES is crackable now by the NSA using a meet-in-the-middle attack, which is computationally feasible but requires truly phenomenal storage requirements. If you're trying to keep secrets from governments, though, good luck, because cipher strength is the least of your worries.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  12. Re:Lessons to be learned: by swillden · · Score: 3, Informative

    Thanks for responding... I enjoy our talks... too bad we have to use slashdot as a medium......

    Welcome. You can judge from the ludicrously large number of posts I've made to threads under this article just how much I like talking about this stuff :) And my e-mail address should be on the header of all my posts.

    I only read the Applied Crypto book by Bruce

    Not a bad place to start, although it's a bad place to end. As Schneier says in his intro to "Secrets and Lies", "Applied Cryptography" has caused more bad cryptography to be implemented than any other book. It's a good book, but people read it and then think they're qualified to build stuff. I highly recommend the self-study course in block cipher cryptanalysis he has on his web site. Not that I've completed it, but just working through a little bit of it really gives you some insights, both into the world of crypto and into your own lack of knowledge of the same.

    I sure wish this type of tech were marketed to the small fry, like myself.... if IBM were smart... they could capitalize on this press coverage to their advantage.

    The boards are cheap relative to their class, but not cheap by consumer standards. Most of the competition is (or was, at least, they're being forced to lower their prices) in the $25-$50K range, per device. The 4758 is $2K-$3K, depending on whether you get the level 3 or level 4 version. Based on the complexity of manufacturing the level 4 boards, I doubt they'd be much under a grand even if volumes were huge. I can see that the level 3 boards could get down to consumer price levels (say, $200), though, if volumes were large enough. Note that I'm a software guy, so these are wild guesses.

    --
    Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.

  13. Re:Only a matter of time by gorilla · · Score: 3, Informative

    You're assuming that all 10,000 combinations are valid. Most systems exclude 'first guess' combinations such as 0000,1234, etc. This reduces the number to 9000 and some.
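
Added example (not part of the Slashdot thread or any poster's code): the keyspace arithmetic from comments 7 and 13 carried through for a PIN policy that rejects "first guess" values. The blocklist rule here (one repeated digit, or a run stepping by one with wrap-around) is an assumption for illustration; the thread only names 0000 and 1234.

```python
import math


def is_weak_pin(pin: str) -> bool:
    """True for 'first guess' PINs: one repeated digit (0000) or a run
    stepping by +1 or -1 with wrap-around (1234, 9876, 8901).
    This blocklist is an assumption; real issuers' lists differ."""
    digits = [int(c) for c in pin]
    steps = {(b - a) % 10 for a, b in zip(digits, digits[1:])}
    return steps in ({0}, {1}, {9})


def keyspace(length: int = 4, exclude=is_weak_pin) -> int:
    """Count PINs of `length` decimal digits that the policy allows."""
    return sum(1 for n in range(10 ** length)
               if not exclude(f"{n:0{length}d}"))


def bits(count: int) -> float:
    """log2 of the keyspace; equals real guessing difficulty only if every
    allowed PIN is chosen with equal probability."""
    return math.log2(count)


def report(length: int = 4) -> dict:
    """Compare the full keyspace with the one left after the blocklist."""
    full = 10 ** length
    allowed = keyspace(length)
    return {
        "full": full,
        "allowed": allowed,
        "bits_full": bits(full),          # same as length / log10(2)
        "bits_allowed": bits(allowed),
        "bits_lost": bits(full) - bits(allowed),
    }


if __name__ == "__main__":
    for name, value in report(4).items():
        print(f"{name:>12}: {value}")
```

For four digits this blocklist removes 30 PINs, which costs well under a hundredth of a bit of keyspace.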