1
From Fish to Phishing
  • Kenny Paterson
  • Information Security Group
  • Mathematics Department
  • Royal Holloway, University of London

2
Overview
  1. What is Cryptography?
  2. Fish and Colossus
  3. WEP and GSM
  4. IPsec
  5. Phishing
  6. Concluding remarks

3
1. What is Cryptography?
  • Historically: making (and breaking) codes and
    ciphers.
  • Designed to scramble messages so they cannot be
    read by an enemy.
  • The preserve of emperors and generals.
  • Archetypes: the Caesar cipher, Kama Sutra code.
  • Today: a range of techniques for ensuring the
    confidentiality, integrity and origin of data.
  • Mobile phones, chip and pin cards, Internet
    e-commerce.
  • Industrial cryptography.

4
What is Cryptography?
  • And a thriving academic discipline involving a
    blend of mathematics, statistics and computer
    science.
  • Advanced encryption, signature, key exchange
    primitives.
  • Secure multi-party computation.
  • Private information retrieval from databases.
  • Anonymous handshake protocols.
  • Electronic elections and auctions.
  • ...

5
This Talk
  • Cryptography is a powerful tool.
  • Instrumental in increasing security and
    confidence in the digital age.
  • But cryptography has many limitations.
  • Human involvement.
  • Changing adversaries.
  • Difficulties of key management.
  • Widening chasm between theory and practice.
  • Our aim:
  • To illustrate some of these problems using a
    mixture of historical and current examples.

6
2. Fish and Colossus
[Diagram: Message M and Key K enter the Encryption Algorithm; Ciphertext C passes the Interceptor; the Decryption Algorithm with Key K recovers Message M.]
  • Usual assumption: interceptor knows everything
    about the system.
  • So security depends entirely on the secrecy of
    the key K.
  • Kerckhoffs' Principle.

7
Fish
  • 1941: Germans begin to build pan-European
    wireless communications network.
  • Linking Wehrmacht commands with general staff in
    Berlin.
  • Using directional antennae and high-speed,
    non-Morse signalling for teleprinter traffic.
  • Encrypted using Geheimschreiber machine.
  • Lorenz SZ40/42 teletype attachment.
  • Careful traffic analysis indicated possible high
    value of traffic.
  • Traffic named Fish by Bletchley Park staff.
  • Each link named after a different species: Bream,
    Codfish, ...
  • 1942: British start to systematically intercept
    Fish signals.
  • And Bletchley Park begins to analyse ciphertext.
  • But with virtually no information about the
    encryption method being used!
  • Jan-May 1945: British decrypt 22 million
    characters of Fish traffic.
  • Without ever having seen a Lorenz machine!

8
Breaking Fish
  • Initial analysis suggested Fish traffic was being
    encrypted using a stream cipher.
  • Message converted into numbers, A=0, B=1, ..., Z=25.
  • Message added character-by-character to
    keystream.

[Diagram: sender and receiver each feed Key K into a Keystream Generator. Encryption: Ciphertext C = K + M mod 26. Decryption removes the same keystream. Values shown: Message M = 12, 8; Keystream = 7, 21; Ciphertext = 19, 3.]

9
Breaking Fish
  • In theory: stream cipher known to be unbreakable
    if keystream is a truly random sequence of
    characters.
  • Shannon (1949): H(M|C) = H(M).
  • Ciphertext reveals nothing (statistically) about
    the message.
  • In practice: sender and receiver have to generate
    a pseudo-random keystream using a deterministic
    algorithm and a short key.
  • Introducing statistical imperfections exploitable
    by cryptanalyst.

10
Fishing at a Depth
  • Fish message indicators preceding encrypted data
    were presumed to indicate initial setting of
    keystream generator.
  • Equality of indicators would imply equality of
    keystreams.
  • Known as a depth at Bletchley Park.
  • So what if a depth occurred for two closely
    related messages?
  • Should never be permitted because known to
    introduce security weakness.
  • But operators make mistakes.
  • With some inspired guess-work, this could allow
    the two related messages to be recovered

11-33
Fishing at a Depth
  • Slides 11 to 33 build up one worked example a step at a time; the
    completed working is shown below.
  • Two related messages, Text1 and Text2, are encrypted with the same
    keystream K, using C = K + M mod 26.
  • Guess that both texts begin CRYPTO; C = K + M mod 26 then gives the
    first six keystream characters.
  • Guess that Text1 continues GRAPHY; this gives six more keystream
    characters.
  • Equality of keystreams: the same characters of K decrypt C2, giving
    ISFUNB.
  • Related messages: Text1 then continues ISFUNB, which gives more of K,
    which decrypts more of C2 (ECAUSE), and so on.

K      3 12 22  8  4 19 21 25 14 16  5  5 18 22  7 20 10  5 13
C1     5  3 20 23 23  7  1 16 14  5 12  3  0 14 12 14 23  6 17
M1     2 17 24 15 19 14  6 17  0 15  7 24  8 18  5 20 13  1  4
Text1  C  R  Y  P  T  O  G  R  A  P  H  Y  I  S  F  U  N  B  E
Text2  C  R  Y  P  T  O  I  S  F  U  N  B  E  C  A  U  S  E  I
M2     2 17 24 15 19 14  8 18  5 20 13  1  4  2  0 20 18  4  8
C2     5  3 20 23 23  7  3 17 19 10 18  6 22 24  7 14  2  9 21
34
Deducing Fish's Structure
  • Just such a depth was intercepted on 30th August
    1941.
  • Two messages with same indicator HQIBPEXEZMUG.
  • Abbreviations, misspellings and corrections were
    inserted by wireless operator when forced to
    retransmit a long message.
  • Operator should have chosen new message
    indicator, but did not.
  • Analysis by Tiltman then recovered the two
    messages.
  • More importantly a sequence of nearly 4000
    keystream letters was obtained.
  • From this sequence, Tutte (later assisted by
    others) determined the entire structure of the
    Lorenz machine.
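
The leapfrogging shown on the "Fishing at a Depth" slides, automated as an added example (not part of the original talk). It takes the slides' two ciphertexts and the two guesses, CRYPTO as the common opening and GRAPHY as the text the second message omits, and recovers the keystream and both texts; the function names are illustrative.

```python
A = ord("A")

# Ciphertexts as given on the slides.
C1 = [5, 3, 20, 23, 23, 7, 1, 16, 14, 5, 12, 3, 0, 14, 12, 14, 23, 6, 17]
C2 = [5, 3, 20, 23, 23, 7, 3, 17, 19, 10, 18, 6, 22, 24, 7, 14, 2, 9, 21]


def to_nums(text):
    """A=0, B=1, ..., Z=25."""
    return [ord(ch) - A for ch in text]


def to_text(nums):
    return "".join(chr(n % 26 + A) for n in nums)


def encrypt(keystream, text):
    """C = K + M mod 26, character by character."""
    return [(k + m) % 26 for k, m in zip(keystream, to_nums(text))]


def shared_prefix_len(c1, c2):
    """In a depth, C1 - C2 = M1 - M2 mod 26 (K cancels), so a run of equal
    ciphertext characters means the two plaintexts agree there."""
    n = 0
    while n < min(len(c1), len(c2)) and (c1[n] - c2[n]) % 26 == 0:
        n += 1
    return n


def leapfrog(c1, c2, prefix, extra):
    """Recover the keystream and both texts from a depth.

    Assumptions (the guesses made on the slides): both texts start with
    `prefix`, and Text1 then contains `extra`, which Text2 leaves out, so
    from there on Text2[i] == Text1[i + len(extra)].
    """
    if not extra:
        raise ValueError("the messages must differ for the leapfrog to work")
    if shared_prefix_len(c1, c2) < len(prefix):
        raise ValueError("ciphertexts do not share the guessed prefix")
    n, shift = min(len(c1), len(c2)), len(extra)
    m1 = to_nums(prefix + extra)[:n]
    keystream, m2 = [], []
    for i in range(n):
        if i >= len(m1):
            # Related messages: this Text1 character was already read in Text2.
            m1.append(m2[i - shift])
        k = (c1[i] - m1[i]) % 26       # from C = K + M mod 26
        keystream.append(k)
        m2.append((c2[i] - k) % 26)    # equality of keystreams
    return keystream, to_text(m1), to_text(m2)


if __name__ == "__main__":
    ks, text1, text2 = leapfrog(C1, C2, "CRYPTO", "GRAPHY")
    print("K    ", ks)
    print("Text1", text1)
    print("Text2", text2)
```

Each recovered stretch of one text pays for the next stretch of the other, which is why a single reused indicator on a long retransmitted message gave up thousands of keystream characters.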

35
Lorenz SZ40 Structure
[Diagram: Lorenz SZ40 keystream generator. A clock drives the chi wheels, motor wheels and psi wheels, which produce the keystream bits; wheel lengths are listed on the next slide.]
36
Lorenz SZ40 Structure
  • 5 parallel bits of keystream produced per clock
    pulse.
  • Bit-by-bit combined with message in Baudot coded
    form.
  • 12 pinwheels, arranged in two groups of five (chi
    and psi) plus two motor wheels, M1 and M2.
  • Output bits taken from XOR sums of chi and psi
    wheels.
  • Chi wheels of lengths 41, 31, 29, 26, 23, clocked
    regularly.
  • Psi wheels of lengths 43, 47, 51, 53, 59, clocked
    irregularly, according to output of M1.
  • M1 of length 37 clocked irregularly according to
    output of M2.
  • M2 of length 61 clocked regularly.
  • Modern interpretation: irregularly clocked
    circulating shift registers.
  • 2^501 possible keys.
  • Monthly (later daily) setting of pins on each
    wheel.
  • Per message key: initial rotational offset of
    each wheel.
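
The structure listed above, as a small simulator; this is an added example, not code from the talk. It follows only what the slide states. The stepping rule (a controlled wheel advances when its controlling wheel outputs 1) and the random pin patterns are assumptions made for illustration.

```python
import random

CHI = [41, 31, 29, 26, 23]     # clocked regularly
PSI = [43, 47, 51, 53, 59]     # clocked according to output of M1
M1, M2 = 37, 61                # M1 clocked by M2; M2 clocked regularly
LENGTHS = CHI + PSI + [M1, M2]


def pin_setting_bits():
    """One settable pin per wheel position, so the number of pin settings
    is 2 ** (sum of the wheel lengths)."""
    return sum(LENGTHS)


def random_pins(seed):
    """Constructed pin patterns (not historical settings)."""
    rng = random.Random(seed)
    return [[rng.randint(0, 1) for _ in range(n)] for n in LENGTHS]


def keystream(pins, offsets, count):
    """Return `count` 5-bit keystream characters as ints in 0..31.

    `offsets` is the per-message key: one start position per wheel.
    Assumption: a wheel's output is the pin at its current position, and a
    controlled wheel steps only when its controlling wheel's output is 1.
    """
    pos = [o % n for o, n in zip(offsets, LENGTHS)]
    out = []
    for _ in range(count):
        bits = [wheel[p] for wheel, p in zip(pins, pos)]
        char = 0
        for i in range(5):               # output bit i is chi_i XOR psi_i
            char = (char << 1) | (bits[i] ^ bits[5 + i])
        out.append(char)
        m1_out, m2_out = bits[10], bits[11]
        steps = [1] * 5 + [m1_out] * 5 + [m2_out, 1]
        pos = [(p + s) % n for p, s, n in zip(pos, steps, LENGTHS)]
    return out


if __name__ == "__main__":
    pins = random_pins(1)
    print("pin-setting key bits:", pin_setting_bits())
    print("first characters:", keystream(pins, [0] * 12, 10))
```

Identical offsets always reproduce the same keystream, which is the depth condition: the generator is deterministic, so the per-message start position is the only thing that separates two messages under one pin setting.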

37
Lorenz SZ40
Size: 51cm × 46cm × 46cm (20in × 18in × 18in)
38
Fish and Colossus
  • In 1943, Max Newman raised the possibility of
    using a machine to automate the breaking of Fish.
  • Ideally suited to repetitive calculations
    involved in statistical analysis developed by
    Tutte, Turing, and many others.
  • But initial all-mechanical machines were slow and
    unreliable.
  • Tommy Flowers proposed and led the build of a
    rival electro-mechanical design, Colossus.
  • Based at Post Office Research Station, Dollis
    Hill, London.
  • Using 1500 state-of-the-art thermionic valves,
    thyratrons, and photomultipliers.
  • Implementing shift registers, systolic arrays,
    configurable Boolean operations on data, ...
  • But not a Turing-complete machine.

39
Mechanised Cryptanalysis of Fish
  • Colossus Mark I delivered 18th January 1944.
  • Rapidly followed by first Colossus Mark II (2400
    valves and 5 times as fast).
  • Eventually 10 Colossi in 24-hour operation at
    Bletchley Park, with 11th in production.

40
The Value of Fish Traffic
  • By 8th May 1945, Bletchley Park had broken 13508
    messages on 718 keys, obtaining 63 million
    plaintext characters.
  • Fish yielded information of great strategic
    value:
  • Strategic appreciations, order of battle,
    strength of individual Wehrmacht divisions.
  • German situation reports for the entire Russian
    front.
  • German strategic plans to hold on to Italy.
  • Information about likely success of D-Day
    landings:
  • 8th May 1944, Field Marshal von Rundstedt to
    general staff, Berlin: "an Allied assault on
    Normandy would be the enemy's pre-requisite
    condition for a subsequent descent on the Channel
    coast."
  • Revelation of plans for counter-attack at Anzio
    beach-head.
  • Insight into Hitler's mental state.

41
Other Aspects of the Fish Story
  • Destruction of Colossi at the war's end.
  • Colossus re-build project recently completed.
  • Wartime work gave British scientists and
    engineers a head-start in the fledgling computer
    industry.
  • Fish/Colossus story only began to emerge in the
    mid-1970s.
  • Several key documents only recently declassified.
  • Including "General Report on Tunny".
  • Whole story masterfully told in Paul Gannon's
    "Colossus: Bletchley Park's Greatest Secret"
    (Atlantic Press, 2006).

Tommy Flowers MBE 1905-1998
42
Fishing Lessons
  • Kerckhoffs' Principle not applicable, but lack of
    system knowledge only delayed the breaking of
    Fish.
  • A single human error provided the key to
    unlocking Fish.
  • Keystream repetition for two closely related
    messages.
  • At least three major intellectual achievements:
  • Initial decryption from a depth (Tiltman).
  • Deriving the Lorenz machine's structure from
    keystream alone (Tutte et al.).
  • Development of mechanised cryptanalysis (Newman,
    Flowers).

43
3. WEP and GSM
  • In the late 1990s, wireless equipment became
    cheap enough to be used in mass-market networking
    equipment.
  • IEEE developed 802.11 family of Wireless LAN
    standards.
  • Operating in "free for all" unregulated
    frequencies.
  • Recognition that encryption is needed because of
    broadcast nature of signals.
  • IEEE 802.11b/g included WEP (Wired Equivalent
    Privacy) mechanisms:
  • Encryption.
  • Integrity protection for data.
  • Authentication of network nodes.

44
WEP (In)security
  • World War Drive 2004:
  • Survey of 228,537 networks.
  • 140,890 (60%) configured to use Open System
    Authentication.
  • Meaning no encryption or authentication enabled.
  • Demonstration of vulnerability.
  • Legality of demo doubtful!

45
WEP (In)security
  • WEP requires end-user to configure a shared key
    in every communicating device.
  • Easy in a small home network of 2 or 3 devices.
  • More difficult in a corporate environment with
    many devices.
  • Updating keys a major headache.
  • A classic key management problem.
  • Worse still, the entire WEP design is seriously
    flawed.
  • Authentication is trivial to defeat.
  • Encryption shown to be weak by Fluhrer, Mantin
    and Shamir.
  • Cracking tools (Airsnort, WEPcrack) are widely
    available on Internet.
  • Can recover WEP key in a matter of minutes.
  • What went wrong?

46
GSM Security
  • GSM: second generation mobile phone system.
  • 1.9 billion customers.
  • GSM networks in over 210 countries.
  • Cryptography integrated as part of GSM from the
    start.
  • Algorithms and architecture designed by experts.
  • Security almost entirely hidden from end-users.
  • This security (especially key management) is not
    cost-free.
  • Operators had a strong economic incentive to get
    the GSM security design right.
  • Protect revenue stream so as to recoup investment
    in licences purchased from national governments.
  • Desire to avoid embarrassing breaches of personal
    privacy occurring in first generation networks.

47
Lessons from WEP
  • Economic incentives are often a major driver for
    adoption of security measures.
  • GSM using paid-for frequencies, 802.11 using
    free-for-all frequencies.
  • Lack of incentive led to sloppy design in WEP.
  • Employ security experts to design security
    systems, not enthusiasts.
  • Good key management is hard and best not left to
    end-users.

48
Lessons from WEP
  • But designers of WiMAX have recently repeated
    most of the same errors made in WEP design.
  • "Those who cannot learn from history are doomed
    to repeat it."
  • George Santayana, Reason in Common Sense, The
    Life of Reason, Vol. 1.
  • "You must learn from the mistakes of others. You
    can't possibly live long enough to make them all
    yourself." Sam Levenson

49
4. IPsec
  • IPsec provides cryptographic protection for IP
    packets.
  • Encryption and integrity protection.
  • An important system for protecting Internet
    traffic.
  • e.g. widely used in Virtual Private Networking
    applications.
  • Specified in IETF RFCs 4301-4309 and related
    documents.
  • RFCs are (essentially) standards for the
    Internet.
  • Very complex set of documents with many options.
  • 300 pages of very technical text.

50
IPsec
  • IPsec uses industrial-strength cryptography.
  • Yet we still managed to break IPsec in certain
    encryption-only configurations.
  • Ciphertext-only attacks.
  • Attacks demonstrated in the lab.
  • Paterson and Yau (Eurocrypt 2006), Degabriele and
    Paterson (IEEE Security and Privacy 2007).

51
Breaking IPsec
  • Capture ciphertexts from the network.
  • Modify ciphertexts so as to produce predictable
    changes to underlying messages.
  • Bit flipping weakness of CBC mode encryption.
  • Messages now have small, attacker-induced faults.
  • Inject modified ciphertexts into the network.
  • IPsec decryption results in faulty IP packets.
  • IP produces ICMP error messages when these faulty
    packets are further processed.
  • ICMP messages are not encrypted and carry
    portions of faulty IP packets.
  • These can be intercepted.
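
The bit flipping weakness of CBC mode named above, next to the same change being rejected once integrity protection is added; this is an added example, not code from the talk or from any IPsec implementation. A toy Feistel permutation stands in for the real block cipher so the block runs without dependencies, and all names and the sample payload are constructed for illustration.

```python
import hashlib
import hmac
import os

BLOCK = 16  # block size in bytes

def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def round_fn(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:BLOCK // 2]

def block_op(key, block, decrypt=False):
    """Toy 4-round Feistel permutation standing in for the real block
    cipher (an assumption for this example; not a secure cipher)."""
    left, right = block[:BLOCK // 2], block[BLOCK // 2:]
    rounds = (3, 2, 1, 0) if decrypt else (0, 1, 2, 3)
    for rnd in rounds:
        if decrypt:
            left, right = xor_bytes(right, round_fn(key, rnd, left)), left
        else:
            left, right = right, xor_bytes(left, round_fn(key, rnd, right))
    return left + right

def cbc_encrypt(key, iv, plaintext):
    """CBC with no integrity protection; returns IV || ciphertext."""
    if len(plaintext) % BLOCK:
        raise ValueError("plaintext must be a whole number of blocks")
    out, prev = [iv], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_op(key, xor_bytes(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, data):
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return b"".join(xor_bytes(block_op(key, c, decrypt=True), p)
                    for p, c in zip(blocks, blocks[1:]))

def seal(enc_key, mac_key, iv, plaintext):
    """Encrypt-then-MAC: the tag covers the IV and the ciphertext."""
    body = cbc_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(enc_key, mac_key, data):
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; packet dropped")
    return cbc_decrypt(enc_key, body)

def flip_bit(data, index, bit):
    out = bytearray(data)
    out[index] ^= 1 << bit
    return bytes(out)

def tamper_demo():
    """Return (XOR difference in decrypted plaintext, MAC rejected?)."""
    enc_key, mac_key, iv = os.urandom(16), os.urandom(16), os.urandom(16)
    message = b"constructed sample payload".ljust(2 * BLOCK, b".")
    # Encryption only: a bit flipped in the first block on the wire (the IV)
    # flips the same bit of plaintext block 0 and changes nothing else.
    wire = flip_bit(cbc_encrypt(enc_key, iv, message), 5, 0)
    diff = xor_bytes(message, cbc_decrypt(enc_key, wire))
    # With integrity protection the same change is caught before decryption.
    try:
        unseal(enc_key, mac_key, flip_bit(seal(enc_key, mac_key, iv, message), 5, 0))
        rejected = False
    except ValueError:
        rejected = True
    return diff, rejected
```

The receiver in the encryption-only case has no way to tell the altered plaintext from a genuine one, so it goes on to process it; the authenticated variant never decrypts the tampered data at all.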

52
Breaking IPsec
[Diagram: Message M and Key K enter the Encryption Algorithm to give Ciphertext C; the Decryption Algorithm with Key K recovers Message M.]
53
Breaking IPsec
  • The encryption-only configurations that we broke
    were already known to have theoretical
    weaknesses.
  • Bellovin (1995, 1996), using ideas of Wagner.
  • So why were they still allowed in the standards?

54
Breaking IPsec
  • RFC 4303:
  • "Using encryption-only for confidentiality is
    allowed by ESP. However, it should be noted that
    in general, this will provide defense only
    against passive attackers."
  • "ESP allows encryption-only because this may
    offer considerably better performance and still
    provide adequate security, e.g., when higher
    layer authentication/integrity protection is
    offered independently."

55
Breaking IPsec
  • From the IPsec administrator's guide of a
    well-known vendor:
  • "If you require data confidentiality only in
    your IPSec tunnel implementation, you should use
    ESP without authentication. By leaving off the
    authentication service, you gain some performance
    speed but lose the authentication service."
  • http://www.cisco.com/en/US/docs/security/security_management/vms/router_mc/1.3.x/user/guide/U13_bldg.html#wp1068306
    (last accessed 16/2/2008).

56
IPsec Lessons
  • Cryptography is only ever a component in a secure
    system and should not be viewed in isolation.
  • Encryption on its own is not sufficient to
    provide confidentiality.
  • Be aware of shifts in the adversary's
    capabilities.
  • Complexity and flexibility are the enemies of
    security.
  • Sacrifice backward compatibility if security is
    the primary objective.
  • Gulf in understanding between theoreticians,
    standards writers, implementers, and users.
  • Security message gets lost in translation.

57
5. Phishing
  • Demonstration: let's take an on-line test.
  • http://www.sonicwall.com/phishing/
  • An attack of this general type is known as a
    phishing attack.
  • 6 billion phishing e-mails are sent world-wide
    each month.
  • Average loss per successful attack is estimated
    at 1200 (Federal Trade Commission).
  • Junk e-mail is a lot cheaper to send than junk
    mail.
  • So even if only a tiny fraction are successful,
    it's still economically viable for the attacker.

58
Phishing
  • Phishing exploits a mixture of human gullibility,
    technological naivety, fear, and sometimes greed.
  • Users trust that From address in e-mail is a
    guarantee of origin, and that link in e-mail is a
    guarantee of destination for their sensitive
    data.
  • Arguably, cryptography is of no use at all in
    preventing this form of attack.
  • Unless we had a global authentication
    infrastructure that is used universally to prove
    the origin of all e-mails.

59
Phishing Lessons
  • Cryptography has its limitations.
  • Don't rely on a technology to do a job for which
    it was never designed.
  • Smart banks never use e-mail to ask their
    customers to do anything sensitive.
  • Unfortunately, their customers don't all know
    this yet.
  • Much more research is needed in the area of
    humans and security.
  • How humans take security-sensitive decisions, and
    how they can be guided towards making better ones.

60
6. Concluding Remarks
  • Cryptography is one of the most powerful tools we
    have in our security armoury.
  • Implementing, deploying and managing effective
    cryptography is difficult and expensive.
  • Key management may be hardest of all.
  • In theory, theory and practice are the same. In
    practice, they are not.
  • Eliminate humans (and human error).
  • Watch out for changing adversaries.
  • Recognise the limitations of cryptography.
  • Learn from history.

61
Thanks
  • Thanks to Marta Baker and her staff.
  • Many thanks to colleagues and students for making
    the ISG such a special place to work.
  • Many, many thanks to Fred Piper for his
    immeasurable and constant support over the years.
  • And thank you all for coming.