Trap for hacking contests
In continuation of this topic and news about the competition from Telegram developers, I bring to your attention a translation of the 1998 article by Bruce Schneier . In the above-mentioned topic they referred to another of his articles, but this one, it seems to me, well reveals the topic of the senselessness of the undertaking with the competitions. By the way, it was Bruce who was one of the first, if not the first, to suspect a bookmark in the PRNG from the NSA affected there.
You hear about them all the time: "Company X will pay $ 1,000,000 to anyone who can break through their firewall / crack their algorithm / conduct a fraudulent transaction and use their protocol / anything else." These are hacking contests, and they are intended to show how the objects of these contests are protected and safe. The logic is as follows: we offered a lot of money for hacking our product, but no one hacked. Therefore, the product is safe.
')
By no means.
Contests are a terrible way to demonstrate safety. The product / system / protocol / algorithm that passed the competition is obviously no more reliable than the one that has never participated in competitions.
Best products / systems, etc. today were not the objects of competitions and, most likely, never will be. Contests do not produce any useful information. And there are main reasons for this.
Cryptanalysis implies that the attacker knows everything except the secret (password) . He has access to algorithms and protocols, source code, everything. He knows the ciphertext and source code. He may even know something about the key.
And the result of cryptanalysis can be anything. This may turn out to be a complete hack: a result that breaks the defense in a reasonable time. It may be a theoretical hack: the result is unsuitable for real hacking, but nevertheless it demonstrates that the protection is not as good as promised. Maybe something in between these two cases.
Most contests on cryptanalysis have despotic rules that determine what the attacker will have to work with and what a successful hack looks like. Jaws Technologies offered ciphertext and, without explaining how their algorithm works, offered a prize to anyone who could restore the original text. Cryptanalysis does not work that way; if no one wins such a competition, it will not mean anything.
Most contests do not reveal the algorithm. And since most cryptanalysts are not sufficiently savvy in reverse engineering (I personally find it boring and tedious), they don’t even try to analyze the system. That's why COMP128, CMEA, ORYX, Firewire encryption, DVD encryption, and Netscape PRNG have been hacked in a matter of months since they were made public (despite the fact that some of them have been widely used for many years). After the disclosure of the algorithm, the flaw is often easily visible, but it can take years before someone reaches their hands to unravel and publish the algorithm. And contests will not help here.
(The previous paragraph, of course, is not valid for military purposes. There are countless successful examples of reverse engineering [VENONA, PURPLE]. But the academic world lives according to other laws, fortunately or unfortunately.)
Unfair contests are not new. Back in the mid-80s, FEAL encryption algorithm sponsored a competition. They gave a ciphertext file and offered a prize for decryption. The algorithm has been repeatedly cracked by cryptographers through differential, and after linear cryptanalysis, and through other statistical attacks. Everyone agrees that the algorithm is hopelessly bad. But, the competition, however, no one won.
Contests are random tests. Can we assume that 10 people, each spent 100 hours on the break, accumulated 1000 hours of cryptanalysis together? Or did they try the same things? Are they competent analysts or are they just random people who learned about the contest and decided to try their luck? The fact that no one won did not mean that the object was reliable ... just no one won .
Cryptanalysis of an algorithm, protocol, or system may require a lot of time and effort. People who can do this are ready to do this for various reasons - money, prestige, boredom - but rarely only from the desire to win the competition. The crypto community is skeptical of contests: most companies that sponsor competitions are not well known, and people do not believe that the judging will be fair. Yes, and winning the competition, of course, is not guaranteed: someone can bypass you, leaving you without remuneration for all your work. Cryptanalysts are more likely to analyze systems where they are paid for their very work on analysis, or where they can publish an article explaining their results.
Let's look for interest in the economy. Take carefully $ 125 per hour for the work of a competent analyst, a prize of $ 10,000 is two weeks of work, it is often not enough even to properly understand the code. For $ 100,000, you can try to get involved, but the reverse engineering thing is tedious, and again, time is unlikely to be enough for careful work. $ 1000,000 looks interesting, but most companies cannot afford it. An analyst, meanwhile, has no guarantee of payment: he may not find anything, competitors may bypass him, or the company may change his mind and not pay at all. Should a cryptanalyst sacrifice his time (and good name) for the benefit of PR campaigns of the company?
Cryptanalysis contests are often no more than a PR tool. Sponsoring a competition, even honest, does not guarantee that people will truly analyze the object. Successful passage of the object of such a competition does not guarantee that there are no holes in it.
A real measure of reliability can be considered only the total amount of the analysis performed, and not whether a competition was held or not. And the analysis is a long and difficult process. People trust cryptographic algorithms (DES, RSA), protocols (Kerberos), and systems (PGP, IPSec) not because of contests, but thanks to years (even decades) of peer review and analysis. And these algorithms were analyzed not because of the elusive prize, but because they were interesting or widely used. Analysis of 15 candidates for AES will take several years ( remember, this is 1998 / approx. Lane / ). There is no such prize all over the world, because of which the best cryptanalysts will drop all their business and run to research the products of Meganet Corporation or RPK Security Inc. (two companies that recently announced hacking contests). It is much more interesting to find vulnerabilities in Java, Windows NT or cellular network protection.
The above three reasons are a general rule. Of course, there are exceptions, but they are few and few.
RSA competitions (both the factorization task and their symmetric brute force task) are good and fair competitions. They are good not because money stimulates to put numbers on factors or build machines for brute-force, but because researchers are already interested in factorization and brute-force. Competition only provides an excellent opportunity to express themselves.
The AES competition, although it is more a competition than a classic crypto competition, is also honest
Our own contest for cryptanalysis Twofish offers $ 10,000 for the best negative comments about the algorithm, not written by the authors. There are no arbitrary rules that are considered victorious. No ciphertext for hacking or keys for disclosure. We just want to encourage the most essential research, no matter how it is and how successful (or unsuccessful) it is. Once again, the competition is fair, because 1) the algorithm is completely known, 2) there are no voluntaristic rules, and 3) the algorithm in the public domain ( 4) it has another goal - NOT to prove the reliability of the algorithm / approx. lane / )
Contests, if properly organized, can provide much useful information and reward a specific area of study. But they can not be a measure of security. I could offer $ 10,000 to the first to break into my house and steal a book from the shelf. If no one does this until the end of the competition, I can hardly be calm for the safety of my home. It may turn out that decent robbers simply did not hear about my contest. Or maybe they are busy with other things. Or they could not break into the house, but figured out how to fake the right of ownership and issue it to themselves. Or they climbed into the house, but after looking around, they decided to wait and return when something better than $ 10,000 was at stake. The competition has not proved anything.
You hear about them all the time: "Company X will pay $ 1,000,000 to anyone who can break through their firewall / crack their algorithm / conduct a fraudulent transaction and use their protocol / anything else." These are hacking contests, and they are intended to show how the objects of these contests are protected and safe. The logic is as follows: we offered a lot of money for hacking our product, but no one hacked. Therefore, the product is safe.
')
By no means.
Contests are a terrible way to demonstrate safety. The product / system / protocol / algorithm that passed the competition is obviously no more reliable than the one that has never participated in competitions.
Best products / systems, etc. today were not the objects of competitions and, most likely, never will be. Contests do not produce any useful information. And there are main reasons for this.
1. Contests in most cases are dishonest.
Cryptanalysis implies that the attacker knows everything except the secret (password) . He has access to algorithms and protocols, source code, everything. He knows the ciphertext and source code. He may even know something about the key.
And the result of cryptanalysis can be anything. This may turn out to be a complete hack: a result that breaks the defense in a reasonable time. It may be a theoretical hack: the result is unsuitable for real hacking, but nevertheless it demonstrates that the protection is not as good as promised. Maybe something in between these two cases.
Most contests on cryptanalysis have despotic rules that determine what the attacker will have to work with and what a successful hack looks like. Jaws Technologies offered ciphertext and, without explaining how their algorithm works, offered a prize to anyone who could restore the original text. Cryptanalysis does not work that way; if no one wins such a competition, it will not mean anything.
Most contests do not reveal the algorithm. And since most cryptanalysts are not sufficiently savvy in reverse engineering (I personally find it boring and tedious), they don’t even try to analyze the system. That's why COMP128, CMEA, ORYX, Firewire encryption, DVD encryption, and Netscape PRNG have been hacked in a matter of months since they were made public (despite the fact that some of them have been widely used for many years). After the disclosure of the algorithm, the flaw is often easily visible, but it can take years before someone reaches their hands to unravel and publish the algorithm. And contests will not help here.
(The previous paragraph, of course, is not valid for military purposes. There are countless successful examples of reverse engineering [VENONA, PURPLE]. But the academic world lives according to other laws, fortunately or unfortunately.)
Unfair contests are not new. Back in the mid-80s, FEAL encryption algorithm sponsored a competition. They gave a ciphertext file and offered a prize for decryption. The algorithm has been repeatedly cracked by cryptographers through differential, and after linear cryptanalysis, and through other statistical attacks. Everyone agrees that the algorithm is hopelessly bad. But, the competition, however, no one won.
2. Analysis is not controlled.
Contests are random tests. Can we assume that 10 people, each spent 100 hours on the break, accumulated 1000 hours of cryptanalysis together? Or did they try the same things? Are they competent analysts or are they just random people who learned about the contest and decided to try their luck? The fact that no one won did not mean that the object was reliable ... just no one won .
3. Rewards in competitions are rarely good incentives.
Cryptanalysis of an algorithm, protocol, or system may require a lot of time and effort. People who can do this are ready to do this for various reasons - money, prestige, boredom - but rarely only from the desire to win the competition. The crypto community is skeptical of contests: most companies that sponsor competitions are not well known, and people do not believe that the judging will be fair. Yes, and winning the competition, of course, is not guaranteed: someone can bypass you, leaving you without remuneration for all your work. Cryptanalysts are more likely to analyze systems where they are paid for their very work on analysis, or where they can publish an article explaining their results.
Let's look for interest in the economy. Take carefully $ 125 per hour for the work of a competent analyst, a prize of $ 10,000 is two weeks of work, it is often not enough even to properly understand the code. For $ 100,000, you can try to get involved, but the reverse engineering thing is tedious, and again, time is unlikely to be enough for careful work. $ 1000,000 looks interesting, but most companies cannot afford it. An analyst, meanwhile, has no guarantee of payment: he may not find anything, competitors may bypass him, or the company may change his mind and not pay at all. Should a cryptanalyst sacrifice his time (and good name) for the benefit of PR campaigns of the company?
Cryptanalysis contests are often no more than a PR tool. Sponsoring a competition, even honest, does not guarantee that people will truly analyze the object. Successful passage of the object of such a competition does not guarantee that there are no holes in it.
A real measure of reliability can be considered only the total amount of the analysis performed, and not whether a competition was held or not. And the analysis is a long and difficult process. People trust cryptographic algorithms (DES, RSA), protocols (Kerberos), and systems (PGP, IPSec) not because of contests, but thanks to years (even decades) of peer review and analysis. And these algorithms were analyzed not because of the elusive prize, but because they were interesting or widely used. Analysis of 15 candidates for AES will take several years ( remember, this is 1998 / approx. Lane / ). There is no such prize all over the world, because of which the best cryptanalysts will drop all their business and run to research the products of Meganet Corporation or RPK Security Inc. (two companies that recently announced hacking contests). It is much more interesting to find vulnerabilities in Java, Windows NT or cellular network protection.
The above three reasons are a general rule. Of course, there are exceptions, but they are few and few.
RSA competitions (both the factorization task and their symmetric brute force task) are good and fair competitions. They are good not because money stimulates to put numbers on factors or build machines for brute-force, but because researchers are already interested in factorization and brute-force. Competition only provides an excellent opportunity to express themselves.
The AES competition, although it is more a competition than a classic crypto competition, is also honest
Our own contest for cryptanalysis Twofish offers $ 10,000 for the best negative comments about the algorithm, not written by the authors. There are no arbitrary rules that are considered victorious. No ciphertext for hacking or keys for disclosure. We just want to encourage the most essential research, no matter how it is and how successful (or unsuccessful) it is. Once again, the competition is fair, because 1) the algorithm is completely known, 2) there are no voluntaristic rules, and 3) the algorithm in the public domain ( 4) it has another goal - NOT to prove the reliability of the algorithm / approx. lane / )
Contests, if properly organized, can provide much useful information and reward a specific area of study. But they can not be a measure of security. I could offer $ 10,000 to the first to break into my house and steal a book from the shelf. If no one does this until the end of the competition, I can hardly be calm for the safety of my home. It may turn out that decent robbers simply did not hear about my contest. Or maybe they are busy with other things. Or they could not break into the house, but figured out how to fake the right of ownership and issue it to themselves. Or they climbed into the house, but after looking around, they decided to wait and return when something better than $ 10,000 was at stake. The competition has not proved anything.
Source: https://habr.com/ru/post/206738/
All Articles