Click through to the paper. I could not be more thrilled; we had been looking for an excuse to publish Cryptopals challenges for differential attacks, and Alex had even written one, but we opted not to because they'd never been valuable to us in a real-world setting. Now we can build a small sequence of them.
I rag on people's crypto projects a lot, but it's worth knowing that almost nothing you could reasonably do with your own crypto could so thoroughly bone you. This paper has three different key recovery attacks from both controlled and partially inferred plaintexts (chosen and known plaintexts, in the jargon). Chosen plaintext attacks are common. Key recovery attacks? Less common. This is masterfully terrible cryptography.
Looking forward to digging into the attacks in actual code.
> I rag on people's crypto projects a lot, but it's worth knowing that almost nothing you could reasonably do with your own crypto could so thoroughly bone you.
Unless you ALSO wrote it in JavaScript and dropped it on an HTTP-only webserver ;)
It was "masterfully terrible". Can you predict whether it was intentionally terrible or just incompetence at play? My impression is that the NSA likes their key leaking and similar approaches to be more subtle.
"The Open Smart Grid Protocol (OSGP) is a family of specifications published by the European Telecommunications Standards Institute (ETSI) used in conjunction with the ISO/IEC 14908 control networking standard for smart grid applications."
Not sure who to blame if it is deliberate, but seems unlikely to be NSA, and not just because of the unsubtlety (though NSA was also behind the quickly-spotted Dual EC DRBG).
Even back before the Crypto Wars the NSA usually tried to have their cake and eat it too though, trying to limit their crypto breakages to types of breakage that could only be exploited by a state-level adversary like themselves. Leaving 3 different key recoveries available is 2 more than NSA would have needed, and the additional weaknesses simply make it more likely that a first-year CS student would eventually figure out the problems.
Most likely it was created by the biggest SCADA vendors (which will remain unnamed), who know as much about computer security, best practices and modern developments as I know about 17th century Japanese history...
Doubt it's NSA in the sense that they suggested weak crypto, but I do believe NSA is to blame. They are the ones beating their chests how we need MORE CYBERSECURITY to protect our "critical infrastructure from cyberwar and cyberterrorists". And then proceed to:
1) do actually nothing to further security for critical infrastructure
2) push for more surveillance laws in disguise as "cybersecurity laws"
I mean for crying out loud WhiteHouse.com didn't even use HTTPS until people on Twitter started a public shaming campaign against them. THAT'S how pathetic the real "cybersecurity" is in the US. And they have absolutely no real plan to change that right now. Who's going to come up with one anyway? This guy?