Security Embedded is 15+ years of experience in building secure systems. Learn more about how we can help you by exploring Phil's blog or contacting us.

Crypto is a Munition* for a Reason

Phil Vachon
Principia Securitas, Crypto Disasters

If there's one thing that is often screwed up, in all systems, it's cryptography. It's amazing what people will do in the name of being "clever":

  • devising their own "cryptographic" algorithms (note the quotes)
  • bad implementation of fundamental primitives
  • using non-standard cryptographic primitives
  • lack of self-tests for cryptographic primitives
  • use of a fixed symmetric key in a protocol or firmware update.
  • The list goes on. Bad cryptography is everywhere, unfortunately.

I'm going to go on the record and say that cryptography is hard. Dealing with certificates can get complicated (forget about X.509 and DER encoding). Key stewardship is tricky, to say the least. Key generation is fraught with peril.

On top of that, cryptographic primitives are slow. AES might take a few 10's of cycles per byte to execute in software. An RSA private key operation can take seconds on a slow microcontroller. And slow means power hungry, so this is a problem for many embedded systems.

The errors we see are more fundamental though. There's no need to include your private key on a device. Firmware updates should use HMAC for validation, and some sort of digital signature scheme to verify their origin. Secure wire protocols shouldn't rely on fixed keys, identical across all devices. This is all just sloppiness. Of all the key components to a security model, cryptography is the most prone to cargo cult behavior. But when cargo-cultism and laziness converge, you're in for a world of hurt.

There's no silver bullet to learn about cryptography in real-world systems. I tend to recommend that people read Practical Cryptography, by Schneier and Ferguson. It's not panacea, but it will leave the reader skeptical of any 'clever' cryptographic solutions. With any luck, the reader will also have a better grasp of how HMAC, AES, RSA and other primitives work and when they should be used.

And on the subject of inventing your own cryptographic primitives:

"Anyone, from the most clueless amateur to the best cryptographer, can create an algorithm that he himself can't break." -- Bruce Schneier

Just don't. I'll just leave that one to sink in for now. I'll be writing more about how to avoid some less human pitfalls in some followup posts.

* I'm not a fan of the classification of cryptographic devices and mechanisms as a munition for export purposes. It makes for a pretty funny title though, since crypto is a good way to shoot your foot off.

Write and Execute: Never at the Same Time

Principia Securitas: How to Mitigate Threats