Protecting the Fortune Cookie
Is GIAC Enterprises' cryptography strong enough to protect our information?
STI Group Discussion Written Project (GDWP)
Authors: Robert Comella, Brough Davis
Advisor: Stephen Northcutt
Presented: June 6, 2010
Executive Summary
A blog written last year has called into question the ability of AES to secure data in transit. Another paper has called into question the security of the high-end VPN quantum key exchange mechanism used at GIAC as well. As the intellectual property transmitted across the VPN is the lifeblood of GIAC Enterprises, Brough and Robert were asked to investigate these issues and report how much of a threat they represent to the business.
With regard to the attacks against AES, it is our conclusion that there is currently a small but growing risk to the business. Researchers are able to decrease the number of steps required to break AES-256 encryption, but not to an extent that makes it feasible at this time to break the encryption enough to make it useless. As time goes on the attacks will become more serious and eventually AES will fail, but not in the immediate future. More good news here is the fact that simple steps on the part of GIAC can mitigate this issue almost out of existence. First, keys can be changed more frequently to make sure that the attacker never has long enough to crack a key even if his technology improves. Second, we could request that the vendor improve their software to include alternate AES versions that are actually more secure at this time. Finally, GIAC should implement an aggressive patching policy to take advantage of any improvements the vendor may distribute as soon as they become available.
The problem with the quantum key exchange used in quantum key distribution (QKD) is more serious. Feihu Xu, a researcher from the University of Toronto, has found a way to break this key exchange mechanism. His attack allows him to read the keys sent across the network, effectively rendering QKD unable to secure data. Luckily, though the attack is very dangerous, it would be very difficult to mount. First, an attacker must amass a great deal of expensive equipment to execute the attack. Secondly, he must find a place to install his equipment that will cause either no disruption in service or an explainable one. As QKD only works over fiber, it would be impossible for an attacker to tap the line without first cutting it. This action would certainly alert our service provider, causing them or us to take action to see what had occurred. The only other option is for the attacker to try to break the line at a junction site within a service provider building. Hopefully physical security at these locations would prevent such an action. Even though this attack is dangerous, it is our opinion that the difficulty of implementing it makes it a rather low risk. GIAC's mitigation strategies are limited. Waiting for the vendor to create a patch and implementing it as soon as possible is one approach. This may not be a viable solution, as there is no telling when the vendor may be able to overcome the engineering difficulties required to fix this security hole. A more proactive approach may be to implement defence in depth. Installing SSH servers before and after the VPN connection will provide data security between the servers and the printing appliances even if the attacker is able to capture the keys. For additional layered security, the web application traffic can be developed to use SSL encryption. By embedding SSL encryption into the application itself, the application traffic flow from contractor to database and then from database to bakery appliance can be fully encrypted.
Finally, given the current state of encryption technology described above, it is our opinion that an attacker would have better chances if they were to focus their attack on the computers and appliances outside of the company firewall. Attacks on the contractors would be more difficult for us to mitigate, but the amount of information that can be obtained would be smaller. Attacks on the appliances are easier to mitigate with locked-down hardware controlled by GIAC, but the amount of possible data is considerably higher. Solutions exist that can increase the security on both ends: ROBAM for the contractors, payment options for the bakeries, and SSL implementation on both ends would significantly raise the bar.
Problem Description
GIAC Enterprises is a small to medium sized growing business and the largest supplier of Fortune Cookie sayings in the world. The Fortune Cookie authors are 1099 contractors and submit cookie sayings via a web application. The security of the submission system has been evaluated and is considered acceptable, as is the security of the database.
However, the CIO has been reading about malware for which there are no anti-virus signatures, an increasing problem. Since there are a number of workers that process the fortune cookie sayings, if malware could be placed on their desktops, information could be exfiltrated. In particular, the CIO is concerned about an email message he received, forwarded from one of his peers. It referenced a blog posting by Bruce Schneier that talks about attacks against ten round AES 256:
http://www.schneier.com/blog/archives/2009/07/another_new_aes.html
He points out that even though he is just seeing the paper, it is almost a year old, and there have probably been other advances. GIAC's entire lifeblood is intellectual property. The fortune cookie sayings have to be transmitted around the Internet: writers submit sayings, editors approve them, and sayings have to be supplied to the GIAC appliance that drives the printer at fortune cookie bakeries. The VPN depends on quantum key exchange, but a recent report by Feihu Xu and colleagues from the University of Toronto indicates this may no longer be secure enough as well. You have been assigned the task to assess the risk and evaluate countermeasures.
- Is AES safe for GIAC's most proprietary and sensitive information?
- Create a high level plan for the role of cryptography in the protection of GIAC information over the next five years. The key to success will be processes that allow GIAC to continue its successful and growing business.
Key Points:
- contractors submit cookie sayings via a web application
- security of the submission system has been evaluated and is considered acceptable as is the security of the database
- The fortune cookie sayings have to be transmitted around the Internet, writers submit sayings, editors approve them and sayings have to be supplied to the GIAC appliance that drives the printer at fortune cookie bakeries.
- The VPN depends on quantum key exchange
Assumptions:
- Data kept on desktops is assumed too risky from malware concerns. No sensitive data is kept on desktop systems (contractors, editors)
- All sensitive information is submitted over web application via HTTP (not SSL)
- Only Encryption being performed is by the IPSEC VPN tunnels using AES-256 encryption with Quantum Key Exchange
- IPSEC VPN L2L (lan-to-lan) tunnels between:
  - the contractor network and the corporate network where the database is located
  - the corporate network and the remote bakeries in which the appliances are located
Network Diagram:
Quantum Key Exchange
Quantum key distribution (QKD) uses quantum mechanics to guarantee secure communication. It enables two parties to produce a shared random bit string known only to them, which can be used as a key to encrypt and decrypt messages. An important and unique property of quantum cryptography is the ability of the two communicating users to detect the presence of any third party trying to gain knowledge of the key. This results from a fundamental aspect of quantum mechanics: the process of measuring a quantum system in general disturbs the system. A third party trying to eavesdrop on the key must in some way measure it, thus introducing detectable anomalies.
The most well-known QKD protocols are the prepare and measure based Bennett-Brassard-84 (BB84) and Bennett-92 (B92) protocols and the entanglement based Ekert-91 (E91) protocol. Current vendors tend to favor the BB84 protocol.
Not many vendors offer VPN Quantum Key exchange products. The only vendors that could be found that offered such devices were ID Quantique and MagiQ. Both vendors implement the BB84 Quantum Key Exchange Protocol. Because the QKD protocols are sensitive to the media both of these vendors require fiber connectivity between VPN devices.
Vulnerability
Unconditional security proofs of various quantum key distribution (QKD) protocols are built on idealized assumptions. One key assumption is that the sender can prepare the required quantum states without errors. However, such an assumption may be violated in a practical QKD system. Feihu Xu, in his research paper, experimentally demonstrated a technically feasible "intercept-and-resend" attack that exploits such a security loophole in a commercial "plug & play" QKD system. The resulting quantum bit error rate is 19.7%, which is below the proven secure bound of 20.0% for the BB84 protocol. Feihu Xu, Bing Qi and Hoi-Kwong Lo at the University of Toronto in Canada say they have broken a commercial quantum cryptography system made by the Geneva-based quantum technology startup ID Quantique, the first successful attack of its kind on a commercially-available system.
Impact
Quantum key exchange VPN appliances are very new and only a small set of companies manufacture these devices. QKD protocols, BB84 specifically, while theoretically impossible to intercept, are very difficult to implement. The theory relies on errors being generated solely by devices trying to intercept the traffic. Unfortunately, because the technology is very sensitive, there are always errors created by the environment. The appliance vendors and protocol authors try to account for this by setting an error threshold of 20%. Unfortunately, attackers were able to use the 20% error threshold as cover to intercept and resend the traffic without the QKD appliance noticing. It should be noted that this would require physical access to fiber panels as well as a host of electronic and fiber optic equipment, some of which is listed below.
- laser diode
- single photon detector
- phase modulator
- circulator
- polarization beam splitter
- classical photodetector
- delay line
- Faraday mirror
- variable optical delay line
- polarization controller
GIAC should consider the existing QKD VPN system an acceptable level of security because of the enormous cost and risk an attacker would have to undertake to crack the GIAC QKD VPN system. However, if the information being communicated across the QKD VPN were valuable enough to warrant an attacker taking on that cost and risk, then GIAC may want to consider a different key exchange protocol such as IKE/ISAKMP and/or add application-specific encryption such as SSH or SSL.
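The abort check described above (keep the key only if the measured error rate stays under the 20% bound) is easiest to see in a simulation. The following is an added example, not code from the paper or from any QKD vendor: it models an idealised BB84 exchange with a textbook intercept-and-resend eavesdropper, sifts the key, sacrifices a sample of sifted bits to estimate the quantum bit error rate (QBER), and applies the threshold. The photon model, the 50% sample fraction and the seeds are assumptions for illustration. The naive eavesdropper shown here produces roughly 25% errors and is caught; the paper's point is that a refined attack reaching 19.7% passes this same check, which the last assertion in the usage note makes explicit.

```python
import random

# Bases: 0 = rectilinear, 1 = diagonal (assumed labels). Measuring in the
# preparation basis returns the encoded bit; measuring in the other basis
# returns a uniformly random bit. This is the idealised single-photon model.
def measure(prep_basis, bit, meas_basis, rng):
    return bit if meas_basis == prep_basis else rng.randrange(2)


def simulate_bb84(n, eavesdrop, seed=0, sample_fraction=0.5):
    """Exchange n photons and return (remaining_key_bits, estimated_qber).

    Alice prepares random bits in random bases, Bob measures in random bases.
    When eavesdrop is True a textbook intercept-and-resend adversary measures
    each photon in a random basis and re-sends what she observed.
    """
    rng = random.Random(seed)
    alice_bits = [rng.randrange(2) for _ in range(n)]
    alice_bases = [rng.randrange(2) for _ in range(n)]
    bob_bases = [rng.randrange(2) for _ in range(n)]
    bob_bits = []
    for a_bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if eavesdrop:
            e_basis = rng.randrange(2)
            e_bit = measure(a_basis, a_bit, e_basis, rng)
            # Bob now measures the photon Eve re-prepared, not Alice's original.
            bob_bits.append(measure(e_basis, e_bit, b_basis, rng))
        else:
            bob_bits.append(measure(a_basis, a_bit, b_basis, rng))

    # Sifting: bases are compared over the public channel and only positions
    # where Alice and Bob chose the same basis are kept.
    sifted = [
        (a_bit, b_bit)
        for a_bit, a_basis, b_bit, b_basis
        in zip(alice_bits, alice_bases, bob_bits, bob_bases)
        if a_basis == b_basis
    ]

    # QBER estimation: a random sample of sifted bits is disclosed and compared,
    # then discarded. The rest becomes the raw key if the check passes.
    k = max(1, int(len(sifted) * sample_fraction))
    sample = rng.sample(sifted, k)
    errors = sum(1 for a_bit, b_bit in sample if a_bit != b_bit)
    return len(sifted) - k, errors / k


def accept_key(qber, threshold=0.20):
    """Defender's decision: proceed only while the QBER is under the bound."""
    return qber < threshold


if __name__ == "__main__":
    for eve in (False, True):
        remaining, qber = simulate_bb84(4000, eavesdrop=eve, seed=1)
        print(f"eavesdrop={eve}: {remaining} key bits, QBER={qber:.3f}, "
              f"accepted={accept_key(qber)}")
```

Run without an eavesdropper the QBER is exactly zero; with the naive interceptor it lands near 0.25 and the key is rejected. Real appliances see non-zero environmental noise even without an attacker, which is exactly why the threshold cannot be set at zero and why an attack that keeps its induced errors just under the bound is not distinguishable by this check alone.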
Is AES Strong enough for your business?
In short: yes...for now. AES 256 has been broken, but not in such a way as to make it possible for anyone to be able to read confidential data on the line. AES is however not as secure as it was thought to be originally. Steps can be taken to make it more secure.
To understand why this is only concerning and not panic inducing, it is important to define terms. AES is a block cypher. In other words, all data that is to be encrypted using AES must be broken up into groupings called blocks. Then each block is run through an algorithm which turns the plain text into a garbled mess called cypher text. The cypher text must then be run through another algorithm which turns it from cypher text back into normal text. AES turns clear text into cypher text by running the text through a key based algorithm. The algorithm is run repeatedly for a certain number of rounds. Given enough time, anyone can run the cypher text through the decrypt algorithm using every possible key combination. They will eventually guess the correct key and the plain text will be revealed. When a cryptanalyst finds a way to use less than all the keys to find the one that will decrypt the data, the encryption is considered broken. In many cases the reduced number is not reduced enough to matter.
For example, AES 256 has 2^256 possible keys. Cryptanalysts found they only need to try 2^119 keys before they can guess the key. While that is a significant decrease, it is still far too many keys to try before getting results to be useful for today's computers. This then begs the question, "What is considered reasonable?" According to the actual paper referenced in the blog, a value of 2^56 is reasonable. Keep in mind that it takes several computer cycles to try each key, so running this many keys would take approximately 2^64 computer cycles. In terms of computers and time, it would take 108 Intel Core i7 processors about a year to do that many calculations. To do it in 24 hours, a person would need 40,000 processors. So even "reasonable" is still rather a lot.
There are three different versions of AES: AES 128, 192 and 256. The number refers to the length of the key used when the data is encrypted. The other major difference between them is the number of rounds each one puts the clear text through before producing finished cypher text. AES 128 uses ten rounds, AES 192 twelve, and AES 256 fourteen. Most of the attacks that are mentioned in the article are attacking special versions of AES that do not put the clear text through all the rounds. When the blog mentions that they can break 11 round AES 256 in 2^70 keys, they are breaking a crippled version of AES. As time goes on two things will occur: computers will get faster and the attacks will approach the full number of rounds. When the day comes that researchers find a way to break full strength AES 256 in a reasonable amount of time, AES 256 will be useless as a security device and will need to be phased out as DES has been.
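The cost figures in the two paragraphs above (2^56 keys, 2^64 cycles, 108 processors for a year, 40,000 for a day) and the key-rotation advice in the executive summary come from one small model: key space times cycles per trial, divided by attacker throughput. The block below is an added example written for this report, not code from the paper or the Schneier post; it makes the model explicit so the numbers can be recomputed for the 2^119 full-round result, the 2^70 eleven-round result, or any future reduction. Two inputs are assumptions because the paper does not state them: 2^8 cycles per key trial (which turns 2^56 keys into the paper's 2^64 cycles), and an effective per-processor rate of 5.4e9 cycles per second (chosen so the model reproduces the paper's 108-processor figure). The margin factor in the rotation check is an assumed policy parameter, not something the paper prescribes.

```python
SECONDS_PER_YEAR = 365.25 * 24 * 3600
DAYS_PER_YEAR = 365.25

# Assumed effective throughput of one processor, in cycles per second.
# The paper gives no rate; this value reproduces its "108 processors for a
# year" figure for 2^64 cycles of work.
CYCLES_PER_SECOND = 5.4e9

# Assumed cost of one key trial, as a power of two (2^8 = 256 cycles), so that
# 2^56 key trials cost the paper's 2^64 cycles.
LOG2_CYCLES_PER_KEY = 8


def log2_work(log2_keys, log2_cycles_per_key=LOG2_CYCLES_PER_KEY):
    """Total cycles to exhaust the key space, expressed as a log2."""
    return log2_keys + log2_cycles_per_key


def processors_for_deadline(log2_keys, seconds, cycles_per_second=CYCLES_PER_SECOND):
    """Processors needed to run the whole search within `seconds`."""
    return 2.0 ** log2_work(log2_keys) / (cycles_per_second * seconds)


def years_on(log2_keys, processors, cycles_per_second=CYCLES_PER_SECOND):
    """Wall-clock years for `processors` to exhaust the key space."""
    return 2.0 ** log2_work(log2_keys) / (processors * cycles_per_second * SECONDS_PER_YEAR)


def rotation_interval_is_safe(interval_days, log2_keys, attacker_processors, margin=100):
    """Key-rotation check from the executive summary: a key is replaced before an
    attacker of the given size could exhaust the (reduced) key space.

    The margin of 100 is an assumed safety factor, not a figure from the paper.
    """
    break_days = years_on(log2_keys, attacker_processors) * DAYS_PER_YEAR
    return break_days > interval_days * margin


if __name__ == "__main__":
    print(f"2^56 keys in one year: {processors_for_deadline(56, SECONDS_PER_YEAR):.0f} processors")
    print(f"2^56 keys in one day:  {processors_for_deadline(56, 86400):.0f} processors")
    for label, bits in (("full AES-256, brute force", 256),
                        ("full AES-256, 2^119 related-key result", 119),
                        ("11-round AES-256, 2^70 result", 70)):
        print(f"{label}: {years_on(bits, 40000):.3g} years on 40,000 processors")
    print("daily rotation vs 2^70 attacker with 40,000 processors:",
          rotation_interval_is_safe(1, 70, 40000))
    print("yearly rotation vs the same attacker:",
          rotation_interval_is_safe(365, 70, 40000))
```

The contrast the report draws is visible in the output: the 2^119 result still needs on the order of 10^16 years for the 40,000-processor attacker, whereas the 2^70 eleven-round result drops to decades, which is the regime where the rotation interval starts to matter. The rotation check is a planning aid for the five-year plan: re-run it whenever a new paper lowers the exponent or the assumed attacker grows.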