Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Security IT Technology

Why We All Need To Agree That It Is Flat Out Unacceptable To Use RSA in 2019 (trailofbits.com) 188

An excerpt from a post on Trail of Bits: From major open source projects to exciting new proprietary software, we've seen it all. But one common denominator in all of these systems is that for some inexplicable reason people still seem to think RSA is a good cryptosystem to use. Let me save you a bit of time and money and just say outright -- if you come to us with a codebase that uses RSA, you will be paying for the hour of time required for us to explain why you should stop using it. RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid. Weak parameters can be difficult, if not impossible, to check, and its poor performance compels developers to take risky shortcuts. Even worse, padding oracle attacks remain rampant 20 years after they were discovered. While it may be theoretically possible to implement RSA correctly, decades of devastating attacks have proven that such a feat may be unachievable in practice.
This discussion has been archived. No new comments can be posted.

Why We All Need To Agree That It Is Flat Out Unacceptable To Use RSA in 2019

Comments Filter:
  • by cullenfluffyjennings ( 138377 ) <fluffy@iii.ca> on Monday July 08, 2019 @09:11AM (#58889878) Homepage

    Completely confused the problems of rolling your own crypto with the topic of if RSA or ECC is more secure.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      You missed the opportunity to call it a "Really Stupid Article".

    • by laird ( 2705 ) <lairdp@gm a i l.com> on Monday July 08, 2019 @10:00AM (#58890190) Journal

      Right. It's really a rant against rolling your own crypto, which is stupid. Using a solid crypto library that's widely used and thus published, reviewed, and more widely debugged by use in the field is smarter, no matter what the underlying algorithms.

      • by bill_mcgonigle ( 4333 ) * on Monday July 08, 2019 @11:08AM (#58890810) Homepage Journal

        Using a solid crypto library that's widely used and thus published, reviewed, and more widely debugged by use in the field is smarter, no matter what the underlying algorithms.

        QFT.

        Some knucklehead is going to try to implement lattice crypto to try to stay ahead of the quantum curve and speculation attacks and forget to address timing.

        This comment is worth more than the article, folks.

      • Re: (Score:3, Funny)

        by Anonymous Coward

        Quite right. You should all be using a known good implementation of Dual EC DRBG! It's NIST approved!

      • by phantomfive ( 622387 ) on Monday July 08, 2019 @03:31PM (#58892670) Journal

        Right. It's really a rant against rolling your own crypto, which is stupid.

        Unless it's OpenSSL. Then there's a good chance you could roll your own crypto better.

        • by kriston ( 7886 )

          Unless it's OpenSSL. Then there's a good chance you could roll your own crypto better.

          It's weird how much modern software still tolerate SSLeay, especially on Microsoft Windows. There are so many better libraries out there like Mozilla NSS, Botan, GnuTLS, and RSA BSAFE (excluding the SSL-C suite in BSAFE which is just a rebadged SSLeay).

    • Java has a problem: it's so good at error handling and memory protection that it's impossible for a non-technical manager to tell the difference between a good java programmer and a bad one. This has resulted in a large number of bad java programmers writing faulty code.

      You don't see as high a proportion of bad C programmers because the bad ones can't get their C programs to run without segfaulting. They move on to a more forgiving language. Like java.

      The article posits that RSA has the same problem: too ea

      • In C#, if you do something stupid, it might not compile. Sometimes the compiler is stupid, so you get things like declaring a variable without initialization and then a set of conditions that mathematically can't all be false to set the variable, then use it, and the compiler refuses to compile because it can't prove to itself that you're not using an uninitialized variable.

        In Java, you get a null pointer dereference with managed memory.

      • You don't see as high a proportion of bad C programmers because the bad ones can't get their C programs to run without segfaulting.

        There's a huge chasm between getting your C program to run without *obvious* segfaults, and actually being secure even in the face of deliberate attacks.

        I'm sure that at least 90% of your surviving C programmers are still in that chasm, but nevertheless think that their code is bulletproof.

      • There are plenty of bad C programmers, masses amount of copy and paste, no idea how to use or write a reusable library, there isn't even a standard map library in C it is 46 years old. Yes they do need to know how actual actual memory works, because almost every line in C requires you to think about it, but C if doing it diligently is about 90% error checking and handling and cleaning up if it fails, however that code never actually gets tested since random errors inside you code generally never happen.

      • by jeremyp ( 130771 )

        Actually, a Java program is just as likely, if not more likely, to crash than a C program. It may not seg fault but if you dereference a null pointer, it will throw an exception, just like C. On the other hand, if you reference memory outside an array bound, it will throw an exception, just like C... oh wait, no, the C program will likely carry on as if nothing is the matter.

        There's a world of difference between writing code that won't crash because of such basic errors and writing code that is cryptographi

        • Java throws an exception and you catch it. No data corruption has occurred. C generally segfaults after a series of mistakes has irredeemably corrupted memory. Even if you catch the signal, the program can't continue.

    • I read TFA to say RSA is intrinsically more difficult to implement safely than more recently developed systems. Thus implementations, even libraries long in the public domain, are more likely to have critical problems.
      • by ceoyoyo ( 59147 )

        The article doesn't really back up that point very well. They mostly rail against parameter selection in RSA, while admitting that their suggested alternative, ECC, can also be screwed up by poor parameter selection. ECC has fewer parameters... is that better?

        RSA has been around for a long time, and is used very extensively. Many of those libraries have been very well tested. ECC is younger, so less well tested.

        The article seems to be aimed at developers who don't really understand what they're doing (elli

        • The article seems to be aimed at developers who don't really understand what they're doing

          No, because developers who don't really understand what they're doing are likely to take on an RSA implementation. This is more for project managers, designers, and OSS cowboys who may not have the math or security background to realize that just because a coder can produce code "on deadline" doesn't mean they can count on coding bugs or QA to catch a flawed RSA implementation.

          • by ceoyoyo ( 59147 )

            I think I agree with you, but it would have been better to start your post with "Yes, because...." The article assumes that the developer, or whoever, doesn't know what they're doing and thus decides coding their own cryptography would be a good idea.

        • by tlhIngan ( 30335 )

          The article doesn't really back up that point very well. They mostly rail against parameter selection in RSA, while admitting that their suggested alternative, ECC, can also be screwed up by poor parameter selection. ECC has fewer parameters... is that better?

          RSA has been around for a long time, and is used very extensively. Many of those libraries have been very well tested. ECC is younger, so less well tested.

          The article seems to be aimed at developers who don't really understand what they're doing (ellip

          • by ceoyoyo ( 59147 )

            RSA is more resistant to quantum attacks than is ECC. ECC is faster and (usually) requires less memory. But more importantly, the RSA libraries that exist are generally older and better tested than ECC. Both algorithms are mathematically secure, so practical attacks come down to implementation details.

            ECC isn't really more complicated than RSA, provided you get the fairly elementary generalization that you can do modulo arithmetic over groups other than trivial subsets of the natural numbers. It's equally

    • How many times have we have input validation done wrong and we get a SQL or JSON attack? It's not that you can't do validation correctly but it's as noted, like juggling chainaws in the dark for most people. They don't know what they can't see.

      If there's a lot of number theory issues like if P is a prime but P-1 is easily factored then P was a bad prime to choose. Or if the binary representation of P has a lot of zeros. Or P and Q share the same set of upper bits (because gueass what they are the same si

      • "if P is a prime but P-1 is easily factored": This is *always* true, isn't it? If P is a prime, then it's either 2 or an odd number, so P-1 is either 1 or an even number. And you can get at least two factors of even numbers quite easily... (I'll leave the factorization of 1 to the student.)

    • Or perhaps you're confused over what development managers and security specialists should be aware about RSA implementation concerning reliability. This is an article equivalent to explaining why a programmer shouldn't use GOTO even though it may be available instruction. Its possible to write a reliable programs using GOTO/JMPs; but it doesn't mean project managers should consider such coding choices acceptable for code submission.

  • by Anonymous Coward

    coward

  • by Anonymous Coward

    I stopped reading after that.

  • by ctilsie242 ( 4841247 ) on Monday July 08, 2019 @09:21AM (#58889928)

    If crypto is used as per a standard, RSA is pretty secure. For example, if I use OpenSSL or the OpenPGP format for securing files, this is solid against many attacks.

    Rolling your own is bad, but RSA is still a solid crypto algorithm. Yes, you can implement it badly, just like using ECB with AES, but that is what crypto standards are for.

    • by account_deleted ( 4530225 ) on Monday July 08, 2019 @09:47AM (#58890086)
      Comment removed based on user account deletion
      • Speaking of repeating things (it works for DES, but not everything in general): here's an example of why you shouldn't roll your own (except to educate yourself): what happens if you hash the hash of a value?

        Welp, most people new to crypto assume that it's okay. But because a hash function takes a large input space and returns a smaller one, you've just limited the input space of your 2nd output hash to the output space of the first hash function--making life simpler for an attacker.

        Moral of the story: lear

        • In the 1990s, when people didn't trust hashes, one company I worked for would take the first 64 bits of the MD2/MD4 hash, use the first 48 bits of that as the key, use the second 64 bits as an initialization vector, and encrypt a bunch of 0s with DES, giving a 128 bit output. This is functionally similar to the crypt(3) function that was used around that time to secure passwords in /etc/passwd before machines moved to /etc/shadow, and it did help ensure that the hash used was a lot more sturdy, crypto-wise

      • You're actually not far off from the truth. RSA and other sophisticated encryption algorithms are very slow. Too slow for real-time communication of things like remote desktop sessions. So instead what they do is use [fancy encryption algorithm] to exchange a one-time-pad between the two computers - an AES key.

        That AES key is then used to encrypt communications between the computers. The fancy algorithm is only used for the initial AES key exchange. And as computers have gotten faster (making cracki
    • Could someone explain this to me as a public service?

      Doesn't it require a secure prior key exchange which is the problem public keys solve?

      • by ceoyoyo ( 59147 )

        Elliptic curve cryptography [wikipedia.org] can do a bunch of things. One of those is Diffie-Hellman key exchange [wikipedia.org], which is a protocol for two people to agree on a secret key using a public channel. You can then use that secret key for symmetric encryption. RSA is often used similarly, to secure the exchange of a symmetric key, which is used subsequently.

        Very basically, you have some operation that is easy to perform but hard to undo. For RSA it's multiplying primes / factoring composites; for ECC it's the discrete logarit

        • by pjt33 ( 739471 )

          To be pedantic, for RSA the believed-hard operation is also discrete logarithm. Factoring the modulus would trivialise the logarithm, but I believe it's still an open question whether fast discrete logarithms would give fast factorisation.

          • by ceoyoyo ( 59147 )

            To be extra pedantic....

            I'm not a cryptographer, but my understanding is this:

            RSA depends on both factorization and the discrete log. If you can factor the divisor, you can generate the private key from the public, and thus decrypt any message. If you can solve the discrete log you can recover the message, but that doesn't necessarily get you the private key. The whole-thing-is-broken algorithm for RSA is factorization, and discrete log for ECC. BUT, under certain circumstances, you can use a fast discrete

    • Rolling your own is bad, but RSA is still a solid crypto algorithm. Yes, you can implement it badly, just like using ECB with AES, but that is what crypto standards are for.

      The author didn't say RSA is an insecure or hopelessly broken crypto algorithm; he said that RSA is subject to many more attacks caused by implementations that are code correct, but vulnerable to attacks which requires a greater cognizance of security issues. That's why he recommends "code monkeys" move to other algorithms, like ECC with a vetted library, who's implementation can still be fucked up, but won't be vulnerable to the same exploits caused by imperfectly implemented code using an RSA library. I

      • by ceoyoyo ( 59147 )

        The things he's complaining about are mostly related to key generation with RSA. If you're using a decent crypto library it will also do the key generation for you, properly. Same thing with ECC... if you (for some reason) roll your own ECC key generation, there are gotchas.

        If you're paranoid, ECC has the additional issue that, unless you want to do a whole bunch of work, you pretty much have to use a curve that's been precalculated for you by the NSA... I mean NIST. You might be a bit suspicious of those

  • Do you have an alternative option?

    I'm a pretty decent software developer. So I
    a) am going to need some crypto-solution from time to time and
    b) I know that I must not write my own.

    In other words I don't care if I have to integrate RSA, ABC or XYZ, but I need a clear decision path on which solution to use. Tell me what's state of the art and I'll use it. I'm not attached to RSA in any way, if I use it it may be simply because the best article I read online during evaluation was from 6 years ago.

    • The end of the featured article recommends using an elliptic curve cipher instead of RSA. For the common application of RSA to authenticate parties negotiating session keys, you can use Diffie-Hellman over Curve25519 [wikipedia.org]. For digital signatures, use EdDSA over Curve25519 [wikipedia.org]. TLS 1.3 incorporates both.

      • Both are weaker than 4096 bit RSA.
      • by ceoyoyo ( 59147 )

        The article suggests using DSA or ECC because they're (supposedly) harder to screw up if you don't know what you're doing and you insist on writing your own. That is the only merit considered.

        The article doesn't even fathom that you might not make the colossally stupid mistake of writing your own amateur cryptography library.

        • Re: (Score:3, Insightful)

          by tepples ( 727027 )

          The article doesn't even fathom that you might not make the colossally stupid mistake of writing your own amateur cryptography library.

          When the widely vetted open source libraries won't fit into the memory of the 8-bit microprocessor that has been chosen for you, what alternative is there to coding your own crypto?

          • When the widely vetted open source libraries won't fit into the memory of the 8-bit microprocessor that has been chosen for you, what alternative is there to coding your own crypto?

            If you want it to be actually secure, hire someone who's specializes in such things, probably for a lot of money. If you don't mind it being only a bit secure, then implement it yourself.

          • by Bert64 ( 520050 )

            Find a crypto library that has been written for 8-bit microprocessors, there are plenty out there.

          • by ceoyoyo ( 59147 )

            1. Simple Google search. There are lots of embedded crypto libraries.
            2. Use a processor that can handle the library you like. Memory is cheap.
            3. Add external memory.
            4. Use a microcontroller with built in cryptography.
            5. Use an external cryptography chip.
            6. Hire someone who knows what they're doing.
            7. Study hard and acquire sufficient knowledge yourself.

            You might also ask why you're trying to do public key encryption in an 8-bit severely memory constrained embedded application in the first place.

    • Do you have an alternative option?

      Their alternative seems to be paying them to spend an hour telling you why they don't want to use RSA.

      • I should adopt that business model.

        • by ceoyoyo ( 59147 )

          I've very occasionally had the opportunity to get paid to tell people what they shouldn't do. It's really great. Unfortunately, most of the time I get paid (or not) to tell people it's okay to do whatever the hell they want. With numbers, to make it more truthy.

  • I notice when I look at the details of the cert, it is signed with SHA-256 With RSA Encryption
    • by ceoyoyo ( 59147 ) on Monday July 08, 2019 @09:34AM (#58890006)

      The certificate for the linked company blog where this stupid article appears is also RSA.

      • A lot of TLS certs use RSA, though I do see (slow) (OK, very slow) movement away from RSA in that area. I just thought the usage of RSA in TLS certs was worth noting.
        • by ceoyoyo ( 59147 )

          Agreed. I was pointing out that the company that published this rant against using RSA uses it to secure their website. With a certificate from Let's Encrypt, no less.

    • by ottdmk ( 1376807 )
      So yeah, it's signed with SHA-256 With RSA Encryption. The public key itself, though, is Eliptic Curve (specifically prime256v1 aka secp256r1), and Firefox 67.0.4 is connecting with TLS 1.2, using the TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cypher suite. I could definitely be wrong, but I think the whole "With RSA Encryption" just means the signature was done with a public key.
  • RSA is a cryptosystem based on an algorithm. As such, it is possible to criticize: (a) the algorithm itself (b) a particular implementation (c) examples of lazy attempts to use it. i assume the author is not claiming that finding the factors of the product of two large primes is easy, or that the algorithm is fundamentally flawed. so i think what he is really saying is...anyone?...bueller? ...actually i am not sure what his point is. but given that he has decided to write in a shock-jock advertising styl
    • so i think what he is really saying is...anyone?...bueller?

      The author is saying if you roll your own RSA implementation, you'll probably screw it up.

      Oddly enough, it appears the author did not consider the much, much, much, much more common case where you use someone else's RSA implementation.

    • ... so i think what he is really saying is...anyone?...bueller? ...actually i am not sure what his point is. but given that he has decided to write in a shock-jock advertising style, i am almost certain that he probably has one.

      The point is FUD.

      When a salesman has an inferior product and is trying to switch customers away from something substantially superior and robust, he dan't make valid, concrete comparisons of the comparative virtues and vices of the two. If he did, he'd just lose, and everybody's tim

  • by sinij ( 911942 ) on Monday July 08, 2019 @09:41AM (#58890054)
    There is nothing wrong with RSA, just don't to write your own RSA code (or any other crypto code for that matter) and use many known-good implementations. Also, unless you really have to have backwards compatibility with ancient stuff, disallow RSA keys shorter than 2048-bits.
  • Crypto does a barely adequate job of keeping communications safe in transit. I say barely adequate because you have to be paying attention to make sure even that works without someone secretly able to decrypt your traffic. When it comes to other things like "trust" the whole crypto world is insane from the start. We should trust giant corporations who've been shown to *not* be doing the things they are supposed to do (like properly checking entities apply for SSL certs with well known domain names). That's
    • by skids ( 119237 )

      Do this: try to figure out what the optimal tradeoff point for performance versus security is for an arbitrary setting for a tunable cryptographic parameter for TLS, SSH, or IPSec.

      Unless you have invested a lot of time in building a background in cryptography, you'll either end up wondering whether you should really base your decision off what some guys says on a reddit thread, or lost trying to figure out what the domain-specific notation used in an academic paper means.

      More useful than this article would

      • I like your attitude, but I think we fundamentally disagree. I think crypto is simply too complex to trust in almost all the situations where it's been deployed. It's too likely that the folks who can afford to pay cryptographers aren't going to have my interests in mind. I also believe there is too much emphasis by cryptographers on fixing every potential theoretical threat that they forget that it still has to be something your average coder like me can understand well enough to implement without breaking
        • by skids ( 119237 )

          I read a bit on the lattice based kex and it seemed like something that should be understandable in two and three dimensions, and then you just explain that the complexity to crack it goes up thusly every time you add a dimension.

          The paper was using some notation with a carrot that wasn't in any other literature I could find and I couldn't manage to google anyone explaining that usage, so I couldn't quite come to grips with it entirely, and was having trouble picturing it. The security proof just maps it t

          • Sounds like you have deeper experience than I do. I've mostly just integrated public domain C code for secure variants of TEA or SERPENT (and a few hashing algos) and just blindly trusted the functions while bounds, type, and sanity checking the living crap out of everything I get in and out of it. I disassembled TEA once on an old M68040. Strangely, I understood more of what it was doing but probably only due to my familiarity with that platform. My last real foray into the math was trying to learn how an
  • I don't understand (Score:5, Insightful)

    by PPH ( 736903 ) on Monday July 08, 2019 @10:39AM (#58890580)

    if you come to us with a codebase that uses RSA

    What does this mean? If I come to you .... as what? A prospective employee? Then I don't have to 'agree' to anything. You are building a product spec'd to use ROT13. Then it's up to me to build the best ROT13 implementation I possibly can.

    If I come to you looking for a development shop, then the shoe is on the other foot. I'm the customer. If I come in with a codebase, I'll expect you to work with it. There are lots of other shops who won't argue with me.

    If you are the end user and I am a salesman, then it's up to me whether I want to rewrite my codebase to suit your requirements (on your nickel). Or show you the door. IMO, more software vendors need to take whiny customers and escort them off the premises.

    • You are building a product spec'd to use ROT13.

      If you're going to use something as weak as ROT13, then at least make sure you run it twice.

  • The only thing we all need to agree on is how foolish it is whine about how hard it is to roll your own crypto in 2019.

  • RSA is an intrinsically fragile cryptosystem containing countless foot-guns which the average software engineer cannot be expected to avoid.

    That's why coders should use the updated finger-guns version -- problem solved. (pew, pew pew)

  • by Anonymous Coward

    This article is right about the problems with RSA, but it's not like discrete log (including elliptic curve discrete log) systems are much better.

    It's not an exact one-to-one correspondence, but there are equivalent subtle implementation gotchas with every public-key algorithm. if you generate a private key with a bad RNG, it's crackable. If you choose bad parameters, it's crackable.

    Quite simply, public-key encryption just barely works, and must be implemented with great caution and exacting input validat

  • by holophrastic ( 221104 ) on Monday July 08, 2019 @04:08PM (#58892818)

    My front door has a lock. It is easily defeated with a card. It has a dead-bolt. It is easily defeated with some lock picks.

    Still doesn't matter, because there are glass windows everywhere. Maybe you live with bars on your windows.

    Still doesn't matter, the door/window frames that hold the bars aren't strong, your garage door isn't strong, I can smoke you out through your own ventilation system, and even using your own smoke.

    My air conditioner is outside of my house, and for weeks every year you can kill me just by turning it off -- with the safety switch on the outside.

    I drive 140 kph surrounded by other cars going 140 kph, and separated from on-coming 140 kph cars by nothing more than a yellow strip of paint.

    Our lovely IT industry is a protection racket, of which any organized crime ring must be so proud.

    We entered a world where machines were unreliable and needed maintenance, we made them completely reliable with no moving parts and zero maintenance required, then we spawned groups of people to simply attack everything, so that other groups of people could tell us that we need more security.

    And there's no law enforcement action against any of it.

    I'll remind you that law enforcement is the only thing that stops us from having the wild wild west today. It's the only reason that you don't steal windshield wipers, shrubbery, and pets.

    If you're upset that someone is using old security, just be happy that they're using any security at all. Most of the rest of life isn't secured by anything ever.

    There's a parking lot full of windshield wipers right across the street from you. Think about that the next time you buy a set.

news: gotcha

Working...