21 points by wolf550e 7 months ago
My personal top, all of these were all good research but my favorite one is ROCA.
1. ROCA: A very clever attack on a too-clever RSA key generation reversed from a hardware module. The whole thing is super interesting and the consequences are devastating.
2. Efail: A complete ownage of PGP. Nothing surprising for many people, but nice ways to achieve exploitation.
3. KRACK: how to break a protocol 101 with an interesting exploitation on some implementations.
4. ROBOT: A twist on the old Bleichenbacher attack with a lot of consequences on the wild.
5. IOTA: nothing surprising but an hilarious response from the main developers, deserve its own category.
PS: About the practicality of ROCA. It sounds like there are ways to implement extremely practical attacks.
I agree, I personally thing Efail is very underrated, but it falls sort of in the middle between "degree of difficulty" and "impact". My original gut feeling was that Efail should win in a walk, but the Slack talked me down from it.
I think KRACK deserves a lot more love too.
A really good year for applied crypto research.
So the award says it is supposed to be for researchers who discovered the "most impactful cryptographic attack against real-world systems, protocols, or algorithms"
Seems like that leaves us to figure out first whether something is a "cryptographic attack" (binary condition) and from there we only care about impact against real-world stuff.
All the candidates pass the boolean. I think EFail passes by the thinnest margin, because in many ways the cryptography is the least interesting part of the work. But they're all clearly cryptography not just "Eh, we found an RCE in this program which happens to do crypto".
So then it's down to impact. Efail loses there because even if you thought it was safe nobody actually does PGP or S/MIME. I've worked at places that had spent a lot of money setting up S/MIME, and still didn't use it. I wish I could say they did something better, but of course they didn't.
I feel like KRACK ought to have won on impact, because in reality it made a big splash (actual TV news mentions, that sort of thing) and even though you go in with WPA2 being vulnerable in plenty of ways, and come out having patched with WPA2 still vulnerable in plenty of ways, people did those patches.
ROCA's impact is too concentrated, if you're an Estonian crypto nerd with a Yubikey it feels like it's everywhere and destroyed everything. If you're my mother it had no impact on you whatsoever. In the Web PKI the main real impact was we found out that lunatics are connecting sensitive infrastructure stuff to the Internet with TLS, in many ways them being vulnerable to ROCA is the least worrying part. If the FIDO design used RSA maybe this would have turned out very differently.
Nobody cares about IOTA. This had no real world impact. There are (were?) Pwnies to celebrate "epic pwnage" and so-on, and IOTA could have been nominated for those if anybody cared. It's still a fun piece of work, but it doesn't need a "cryptography" award even from the Blackhats.
Or a pretty bad year for applied crypto:
1. RSA keygen is broken
2. PGP is broken
3. WIFI is broken
4. SSL/TLS is broken
5. Cryptocurrencies are broken
RSA: The more shortcuts you take in your RSA keygen, the more likely it is that an adversary can just guess your keys without (impossibly) trying all the possibilities. This necessarily follows from how such shortcuts work, and should be guarded against in an implementation.
In that sense ROCA is the same as the Debian Weak Keys. And so the Web PKI did the same thing about both, the CA examines the public key, it makes the same determination an attacker would make, but rather than attacking you it rejects your certificate request. You can actually read the code in Boulder (the Let's Encrypt software) to see this in action‡.
If you actually pick random numbers that are roughly the right size, reject composites, and use your random primes to make an RSA key, this method works. But it's slow. And it's obvious that you needn't pick the whole number at random, the bottom bit must be '1' because it's prime. And once you start optimizing you soon have a very complicated key generation which opens lots of opportunities for things to go wrong...
Edited to add:
The work that eventually led to ROCA is really fascinating. The researchers spent lots of time characterising RSA key generators. Their first paper is basically "If you show me fifty keys you made, I can guess how you made them" and that's already pretty interesting in some applications. In that work they found that a particular type of key generator was doing something _very strange_ but deadlines are deadlines and so their paper stops at remarking how strange it is. ROCA is basically what they found when they kept investigating.
That's blowing things way out of proportion.
Efail did not break PGP. It did show problems of interaction between email agents and gnupg.
Efail was the most overblown report with absolutely crazy "fixes".