1. Cryptology News Bulletins
2. Post Quantum Cryptograpy update
3. Historic Vignette
4. Bibliography

Fedora: OpenSSL now distrusts SHA-1

• OpenSSL now distrusts SHA-1 for PKCS #1 signatures by default in Fedora41.
• this is a openssl.cnf option
  • which is set in Fedora41
  • probably advisable to set this on other systems?

FROST Threshold Signature IRTF proposal

June - RFC 9591 “FROST Flexible round-optimied Shnorr threshold signing protocol”

A cryptological protocol to allow a quorum of a distributed committee to sign a document.

• RFC 9591
• Informational RFC; not Standards Track (yet?)
• Evolution of “FROST: Flexible Round-Optimized Schnorr Threshold Signatures”, December 2020
• requires prior out-of-band secure distribution of n key fragments, m of which will be needed for a valid signature.
• not PQC; relies on Discrete Log

End of End to End ?

Matthew Green @matthew_d_green 2024-05-02

“Europe is maybe two months from passing laws that end private communication as we know it, and folks are looking the other way (understandably.) You’re not going to get a do-over once these laws are passed.”

Xhitter

• Related
  • 2024-09-xx Australia passed such a law in 2018, and in Sept. 2024 threatened to start invoking it
  • 2023-09-xx Signal vowed to withdraw from UK if mandatory backdoors bill passed techcrunch
  • 2024-02-14 European Court of Human Rights rules mandatory backdoors in message services against EU Human Rights
    • https://www.schneier.com/blog/archives/2024/02/eu-court-of-human-rights-rejects-encryption-backdoors.html
    • Ars
    • EU Court
  • 2023-10-05 1994 CALEA mandated backdoor
    • WSJ {paywall} “U.S. Wiretap Systems Targeted in China-Linked Hack / AT&T and Verizon are among the broadband providers that were breached”
    • TechCrunch CNN WaPo
  • 2024-02-26 Nevada sues [Meta] to deny kids access to Messenger encryption
  • 2023-12-05 Discussion - Center for European Policy Analysis (CEPA) - “Encryption: It’s Not About Good and Bad Guys, It’s About All of Us” “Most digital messages are encrypted to protect privacy and security. Governments around the globe seek to mandate access to and scan encrypted content. They should think again.”
  • Group Moderation Under End-to-End Encryption
  • Bugs in our pockets: the risks of client-side scanning (a blue ribon panel report)

XZ 1 — liblzma XZ backdoor to SSH (Easter Weekend)

• Backdoor social-engineered into SSH upstream dependency
  • announced on what was Easter Weekend for many firms and countries
• Mostly affected rolling distributions (and unstable)
  • Some Fedora, Debian Sid, Kali, openSSE need(ed) to rollback.
  • x86/64 arch only (this time)
• Quite luckily found quite early due to serious benchmarking regression on an unstable test system;
  • AndresFreundTec @AndresFreundTec@mastodon.social
  • OpenWall OSS-Security
  • CVE-2024-3094 NIST
    • XKCD:Dependencyexplained
    • @dfeldman@hachyderm.io
  • Everything I know about the XZ backdoor (endorsed by Brian Krebs; by @eb@social.coop)
  • ISC Podcast (Mon, Apr 1st): xz-utils Backdoor (CVE-2024-3094) ⇒ Diary 2024-04-01 by Bojan Zdrnja - The amazingly scary xz sshd backdoor

XZ 2 — Backdoor inserted into SystemD dependency to attack SSH

• Why does SSH need XZ?
  • Because SystemD uses XZ compression, and some branches of OpenSSH integrate with SystemD.
• May have been differently lucky. SystemD had w.i.p to reduce dependencies including dropping this one
  • which may have caused attacker to get sloppy fast, causing the performance regression.
• “Junk drawer” libraries are valuable targets
  • especially if they have C++ initializers, code that runs upon being loaded not explicitly called.
  • So OOPS is an Ooopsie.

XZ 3 — Hilarity Ensued …

XZ 4 — Hilarity Ensued …

XZ 5 — Hilarity Ensued …

XZ 6 — Hilarity Ensued …

PuTTY Signature private key vulerable to key recovery compromise (April)

• PuTTY 0.68—0.80 affected, including derivative graphic tools; fixed in PuTTY 0.81
• HN
  • CVE-2024-31497
  • PuTTY advisory
• Revoke any NIST-P521 keys used with Putty before the 0.81 update. (And maybe don’t make new P521 either?)
• Root cause: attempt to generate nonces efficiently in virtualized environments resulted in sufficient bias the nonce fails to protect the private key.
• Moral: In Cryptology, efficiency is not the secret-keeper’s friend.

SSH breaks

Decades old attack still works on some SSHD implementations

• A related general SSH attack: Old attack believed not to affect SSH will in some cases
  • poor choice of SSH settings, lack of mitigations allows use of old attack anyway by which signature computation failure can leak private key
  • RSA SSH keys only; 1 in 3 chance. yet another reason to phase out RSA keys -
  • ePrint, Ars, Schneier
• OpenSSH & OpenSSL implementations already had countermeasures, despite theoretically not needed just to be prudent, so not affected.
  • morale: always test a signature is verifiable before sending it
  • (and always verify a recieved signatures, and don’t ignore failure!)
• older closed source e.g. embedded SSHd may be vulnerable?
  • especially if copy-pasta of example code instead of production quality code!

regreSSHion - OpenSSH broken again

or, Another Decades old OpenSSH server RCE remerges

• 2024-07-01 Race Condition in OpenSSHD allowed Remote Code Execution due to skipped if
  • regreSSHion OpenSSH server remote code execution vulnerability
  • signal handler race condition;
    critical if-statement bypassed in latest patches
• bug fixed in OpenSSH 4.4p1 (2006) un-fixed in 8.5p1 (2020), re-fixed 9.8p1 (2024).
  • CVE-2024-6387 (regression of CVE-2006-5051)
  • reported as glibc-based Linux OpenSSHd, and everyone patched. but
• “The Windows OS bundled version of OpenSSH appears to be vulnerable to CVE-2024-6387 aka regreSSHion - it is version 8.6.0.1.” (Kevin Beaumont)
  • “The Windows OS bundled version of OpenSSH appears to be vulnerable to CVE-2024-6387 aka regreSSHion - it is version 8.6.0.1.”
    • Microsoft Win11 PowerShell Issue

Telegram pot calls Signal kettle black, film at 11

Telegram MTProto 1.0 remains vulnerable to Chosen Ciphertext attack, and defualt is not end-to-end so subpeonable?

• It’s Time for Furries to Stop Using Telegram,
  • Soatok notes their chosen Telegram username is a protest IND_CCA3_Insecure
    • because Telegram MTProto 1.0 fails under Indistinguishability under chosen ciphertext attacks;
    • 2.0 status under discussion
    • Details
• Matthew D Green’s X thread followed of Elongated Muskrat + Telegram’s attack on Signal Protocol (Signal/WhatsApp/etc), seemingly to drive activists from Signal to “mostly unencrypted Telegram”.
  • Matthew Green’s blogpost: “Is Telegram really an encrypted messaging app?”
  • Kaspersky

“Unpatchable vulnerability in Apple chip leaks secret encryption keys”

Fixing newly discovered side channel will likely take a major toll on performance.

Dan Goodin - 3/21/2024 Ars

“Beware of hardware optimizations”

see also Schneier 3/28

Bad 4 digit PINs

A Study of 4 Digit PIN popularity, inspired by humor, using real leaked PIN collections, briefly went viral.

Bad 4 digit PINs (continued)

YubiKey Sidechannel (September)

YubiKey Sidechannel Attack

• sidechannel leaks sufficient information to clone a key.
  • this requires a YubiKey to be inserted into a hostile machine
  • e.g. portable device of industrial spy who finds YubiKey on your desk, or public library public access terminal
• so
  • do not leave unattended!
  • use a strong PIN he says
• NinjaLabs
• Yubico advisor 2024-03
• Ars

Blockchain garbage collection (fall 2013, retro publ. Jan 2014)

Blockchain garbage collection {paywall}

How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin’s Anonymity.

Once, drug dealers and money launderers saw cryptocurrency as perfectly untraceable. Then a grad student named Sarah Meiklejohn proved them all wrong—and set the stage for a decade-long crackdown.

• YT
• Dr Sarah Meiklejohn now (full) Professor of Cryptography and Security at UCL

Key sentence of abstract

Bitcoin has the unintuitive property that while the ownership of money is implicitly anonymous, its flow is globally visible.

TL;DR Built a mesh or map using Metadata of transactions to cluster public and supposedly private wallet IDs of inferred same actors.

Potpourri

• Windows belatedly eliminating RSA1024 internal keys via SANS ISC Microsoft announced deprecation of 1024 bit RSA Keys
• Recent work on Voynich Manuscript The Atlantic c/o Schneier’s summary
• Protocols, Implementations, and People are still the Achilles Heal of most implementations
  • 2024-07-10 Blast-RADIUS MITM attack on RADIUS authentication protocol Ars
  • Above mentioned race-condition due to code regression failure.
  • saving private credentials in published source-code (either coded in-line, or failure to .git-ignore the credential files in project dir)
  • XZ malware was social engineering
• Colossus:
  • New Images of Colossus released for 80th Anniversary
    • Ars
    • GCHQ official
  • Dollis Hill War Diary declassified;
    • Museum Crush ;
    • BT official;
    • Trent Park House of Secrets
      
• David Kahn (1930-2024)
  • funeral;
  • WaPo,
  • Schneir,
    
  • Cryptologia 48:3

Review: What’s Quantum Computing?

See last 2022 status

Quantum Superposition when used for computing.

• QC measured in “qubits” not bits
• 30% True, 70% False.

Review: Kinds of Quantum Hardware

• Quantum Annealing - big qubit counts, great for optimization problems

• Quantum Circuit/Logic - small numbers of qubits so far.

Review: We’re discussing PQC before QC?

Yes !

• Quantum Cryptography

  • theoretically using entangled quantum states
  • to create an encryption
  • or an anti-eaves-droppable connection

• Quantum Cryptanalysis

  • Using Quantum Computing to defeat classical PKI encryption

• Post Quantum Cryptography

  • new classical encryptions that can resist Quantum Cryptanalysis,
  • so read as Ready for post-(Quantum-Computing) Cryptography.

Review: What’s the problem?

• Unbreakable ciphers aren’t always unbreakable, for always.
• QC could theoretically break most PKI
  • Schor’s Algorithm / Grover’s / VQF
  • discrete log as well as prime factoring, even elliptic curves
• 2024-01-05 Improving Shor’s Algorithm
  • “Thirty Years Later, a Speed Boost for Quantum Factoring” (Quanta)
  • Oded Regev’s paper on arXive
  • and another team already reduced the memory penalty of the speed improvement arXiv

Review: Generalization of Forward Secrecy

• Classical “Forward Secrecy” - old messages not broken by later loss of host key

• Generalized: old saved messages not broken by later breakthroughs either.

• Realistic threat?

  • VENONA + GEE 1940s {BLU Sept 2018}
  • NSA Utah Data farm, 2013

Review: NIST’s Post-Quantum Cryptography Standards

The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. – NIST

Review: NIST PQC Competition

National Institute of Standards & Technology started a multi-round competition, similar to with AES and SHA3 competitions

• NIST announcement
  
• NIST Q&A
• Schneier on PQC

Review: Quantum Cracking 2023

• RSA2048 in play or not? - Chinese academic paper claiming 2k bit RSA within range of current gen NON-fault-tolerant QC, no great surprise given Qubits available and theoretical algorithm size. Schor and Schneier unconvinced - does it actually converge w/o FT? Schneier 2023-01

• Schneier “You Can’t Rush PQC Standards”

• Quantum resistant hybrid-signing FIDO2 keys for 2FA

• Side-Channel Attack against CRYSTALS-Kyber

[2023.02.28] CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.

OTOH as seen in TETRA:BURST, a side-channel attack can be used to extract key or algorithm from a piece of equipment that falls into opponent lab.

REVIEW: Known weaknesses

• breaks eliminated 62 of 69 entrants in Rounds 1 to 4
  
• including the two front-runners, Rainbow and SIKE
  
• 7 remain, will they survive?
• FALCON would be compromised by a lack-of-randomness in salt, or failure to salt, as repeating same key and hash again gives too much information.

Isn’t non-random or uniformly-blank Salt an unlikely failure?

TL;DR No. It’s happened. (see in notes)

NIST PQC Timeline

• 2022-04-28 How to Prepare Your PKI for Quantum Computing (April 28, 2022)
• 2023-03-03 ✓ Post-Quantum Cryptography Conference (Friday March 3, 2023 - Ottawa, Canada)
• 2023-03-16 (podcast) Root Causes 286: PKI and PQC in New White House Cybersecurity Initiative (Mar 16, 2023)
• 2023-08 ✓ FRN RFC Draft Standards FIPS 203, 204, 205.
• 2024-04 ✓ Fifth PQC Standardization Conference
• 2024-08-15 ✓ FIPS Standards; FIPS Allowed: NIST announced finalized PQC standards for 3 of 4 “winners” (3 more to come)
• 2025/26 FIPS certification for the PQC algorithms; FIPS Approved.

NIST PQC

2024-08-15 NIST Releases First Post-Quantum Encryption Algorithms

• As expected, on schedule
• FIPS 203, 204, 205
  • PQC key-encapsulation CRYSTALS-KYBER (ML-KEM)
  • two+ PQC Signature schemes CRYSTALS-Dilithium (ML-DSA), SPHINCS+ (SLH-DSA).
    • third PQC Signature FALCON (FN-DSA) finalization still w.i.p due this year
  • two other sets also w.i.p as backups.
• NIST
• Schneier

2024: Quantum Computing Export Control Conspiracy?

• 2024-07-03 NewScientist: Multiple nations enact mysterious export controls on quantum computers
  • “Identical wording placing limits on the export of quantum computers has appeared in regulations across the globe. There doesn’t seem to be any scientific reason for the controls, and all can be traced to secret international discussions[.]”
  • Matthew Green: “I’m curious whether this is a case of “national security types without enough information getting panicked” or if there’s any substance behind this.”

2024: Quantum Algorithm News

• 2024-04-10 Quantum Attack on PQC Lattice underpinnings announced
• 2024-04-19 … and fails, rapidly
  • Chen’s paper “Quantum Algorithms for Lattice Problems”
  • claimed “polynomial time quantum algorithm for solving LWE”
  • Algorithm in paper has a bug, unclear if fixable, so danger averted for now
    • but as we say “Attacks only get Better”
  • commentary — Matthew Green; Schneier weeks later
• 2023-12-22 IEEE Spectrum: “Quantum Computing’s Hard, Cold Reality Check”
  • “Hype is everywhere, skeptics say, and practical applications are still far away”
  • Spectrum ; Schneier response
• 2023-10-06 & 11-30 Matthew Green essay To Schnorr and beyond (Part 1) & (Part 2) discussing how signature protocols might work with PQC Dilithium algorithms.

2024: Chinese researchers Claim RSA, AES encryption break with a commodity quantum computer (1)

“If it sounds too good to be true…”

Claim is break of “military grade” RSA and symmetric algorithms (like AES) using the cheaper/simpler D-Wave Quantum Annealing computers.

“Interesting if true” as Cousin Millie taught us to say.

• 2024-10-14 MONDAY FUD at CSOonline
• Everyone except SCMP links an older paper!
  • with only an English abstract, rest Chinese;
• May 2024 paper claims factoring 50bit RSA-ish semiprime
  • “And we implemented the first 50-bit integer decomposition on D-Wave Advantage.”
    • n = 845546611823483 = (p×q) = 40052303 × 21111061 is correct.
    • 50bit is impressive only because this is on D-Wave Quantum Annealing, not per se Quantum Computing (QC)
  • their algorithm for factoring a 50bit semiprime with QAnnealing is highly unlikely to scale to RSA2048, RSA4096.

2024: RSA-ish small integer check

$ perl -Mbigint -E 'my $n=845546611823483; my $p=40052303; my $q=21111061; say  ($p*$q); say sprintf(q(%d x%x (%db)),$_,$_,length(sprintf(q(%b),$_))) for ($p, $q, $n); say $n-($p*$q);'
845546611823483
40052303 x263264f (26b)
21111061 x1422115 (25b)
845546611823483 x301052970537b (50b)

If they actually had scalable factoring with D-Wave Quantum Annealing, that would be shocking breakthrough. That is ^known^ to require real QC like IBM’s; factoring interseting numbers isn’t believed within D-Wave’s capability. Their demonstration of 50b does not appear to be a breakthrough.

2024 October Surprise: Chinese researchers Claim RSA, AES encryption break with a commodity quantum computer (2)

• South China Morning Post earlier this week SCMP {paywall}

Chinese scientists have mounted what they say is the world’s first effective attack on a widely used encryption method using a quantum computer. The breakthrough poses a “real and substantial threat” to the long-standing password-protection mechanism employed across critical sectors, including banking and the military, according to the researchers. Despite the slow progress in general-purpose quantum computing, which currently poses no threat to modern cryptography, scientists have been exploring various attack approaches on specialised quantum computers.

• The claim is that they can solve 3 modern “Military Grade” SNP block-ciphers is frankly far more interesting than a non-scalable solution to toy RSA integers.
  • SNP := Substitution/Permutation Network
  • But not backed by the facts seen so far.
  • Full rounds or reduced? Only Lightweight ciphers, not AES per se.

Breaking the Silk Dress Cryptogram

A cryptogram was found in the pocket of a 19thC silk dress.

Solution required understanding how synoptic meteorologic observations were collected done by telegraphy.

Published academically in August 2023, but released as a Christmas story echo Dec. 2023.

• UManitoba
  • MP4 🎞 17’
  • PDF

My talks

The YouTube of this presentation will be linked on BLU.org along with these slides and extended notes etc as 2024-oct as per usual.

Prior talks in this series - most talks have slides &/or YouTube attached, sometimes extras.
Alas the YouTube audio pre-pandemic wasn’t great, BLU will need a donation of a wireless clip-on mike if we ever return to Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset while presenting in person?

News + Focus

News and Focus sections have embedded links.

Good security news streams to either research history or to follow year round are Scneier Crypto-gram and SANS ISC, the latter being less cryptologic and more operational in focus – but both cover the wide span of vulnerabilities, tools, remediations, etc, not just the cryptologic that I’m cherry-picking here.
Highly recommended.
Start your day with the 5 minute SANS Internet Storm Center StormCast pod-cast; the Red Team is, so, so should you.

Cryptologic History - general references

• Bletchley Park Podcast on your favorite pod server
  • FB
  • BPP Keyword index
    by me, current thru fall ’22
• Books
  • The Code Breakers, revised & updated; Kahn, David; 1996: NY S&S.
  • Decrypted Secrets; Bauer, F.L.; 1997: Heidelberg, Springer.
  • Schneier books
• Websites
  • Wikipedia
  • Cipher History
    
  • CryptoMuseum
    
  • NSA History
  • GWU NSArchive (Academic National Security Archive at GWU; FOIA Declassified)
  • Declassified post-WW2 TICOM reports (Signals and Cryptologic Intelligence equivalent of better-known Operation Paperclip, etc.)

Item {TEMPLATE}