Home > Cryptography > Why Cryptography is Easy to get Wrong!

Why Cryptography is Easy to get Wrong!

I have often read that cryptography and especially cryptographic protocols are easy to get wrong. That is why it is never recommended that you implement your own cryptographic protocols or algorithms. I always just took this at face value until I was sitting in class the other day and we were talking about EKE. Look at the EKE diagram taken from here:

EKE

Where could an implementer of this protocol mess up? The first thing I noticed is a huge problem depending on the mode of operation chosen. Let’s say we are using AES-ECB. If C1 and C2 are each 128 bits long (the blocksize of AES) can you see how things would get messed up? More specifically, an intruder could impersonate Bob. To impersonate Bob, simply send random numbers in msg2 and then return the 128 bit block corresponding to the encrypted version of C2 from msg3 for msg4.

While some might be thinking “But who ever uses ECB?”. Well, I’m sure there are plenty of developers out there who have no idea what ECB even is who would use it. Furthermore since CBC, CFB, OFB, and CTR modes all require either an IV or a nonce, which this protocol block doesn’t specify, they might assume ECB was the intended mode since no IV is required. Even if the developer chose another mode, without knowing what IV/nonce to use, they might decide to just use a static IV which is the same on both client and server ends which would result in even more problems (easily impersonating Alice without knowing W).

The point is, there are so many little ways to mess up that have huge consequences. A few examples of this: WEP, SSL v2, and many more.

Advertisements
Categories: Cryptography
  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: