
ROCA vs. ROBOT: An Eternal Golden Braid - wolf550e
https://latacora.singles/2018/08/08/roca-vs-robot.html
======
baby
My personal top: all of these were good research, but my favorite one is
ROCA.

1\. ROCA: A very clever attack on a too-clever RSA key generation reversed
from a hardware module. The whole thing is super interesting and the
consequences are devastating.

2\. Efail: A complete ownage of PGP. Nothing surprising for many people, but
nice ways to achieve exploitation.

3\. KRACK: how to break a protocol 101 with an interesting exploitation on
some implementations.

4\. ROBOT: A twist on the old Bleichenbacher attack with a lot of consequences
in the wild.

5\. IOTA: nothing surprising, but a hilarious response from the main
developers; deserves its own category.

PS: About the practicality of ROCA. It sounds like there are ways to implement
extremely practical attacks.

~~~
tptacek
I agree, I personally think Efail is very underrated, but it falls sort of in
the middle between "degree of difficulty" and "impact". My original gut
feeling was that Efail should win in a walk, but the Slack talked me down from
it.

I think KRACK deserves a lot more love too.

A really good year for applied crypto research.

~~~
baby
Or a pretty bad year for applied crypto:

1\. RSA keygen is broken

2\. PGP is broken

3\. WIFI is broken

4\. SSL/TLS is broken

5\. Cryptocurrencies are broken

~~~
tialaramex
RSA: The more shortcuts you take in your RSA keygen, the more likely it is
that an adversary can just guess your keys without (impossibly) trying all the
possibilities. This necessarily follows from how such shortcuts work, and
should be guarded against in an implementation.

In that sense ROCA is the same as the Debian Weak Keys. And so the Web PKI did
the same thing about both: the CA examines the public key, it makes the same
determination an attacker would make, but rather than attacking you it rejects
your certificate request. You can actually read the code in Boulder (the Let's
Encrypt software) to see this in action‡.

If you actually pick random numbers that are roughly the right size, reject
composites, and use your random primes to make an RSA key, this method works.
But it's slow. And it's obvious that you needn't pick the whole number at
random, the bottom bit must be '1' because it's prime. And once you start
optimizing you soon have a very complicated key generation which opens lots of
opportunities for things to go wrong...

‡
[https://github.com/letsencrypt/boulder/pull/3189](https://github.com/letsencrypt/boulder/pull/3189)

Edited to add:

The work that eventually led to ROCA is really fascinating. The researchers
spent lots of time characterising RSA key generators. Their first paper is
basically "If you show me fifty keys you made, I can guess how you made them"
and that's already pretty interesting in some applications. In that work they
found that a particular type of key generator was doing something _very
strange_ but deadlines are deadlines and so their paper stops at remarking how
strange it is. ROCA is basically what they found when they kept investigating.
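
An added example of the CA-side check described above (my own code, not from the thread and not Boulder's implementation): affected moduli satisfy N ≡ 65537^a (mod M) with M a product of small primes, so N mod p always lies in the subgroup of Z_p^* generated by 65537, and a CA can test that per prime before issuing. The prime set (odd primes up to 167) follows the published fingerprint test; the two moduli at the bottom are constructed for illustration, not real keys.

```python
# Added example: the ROCA fingerprint a CA can apply to an RSA modulus before
# issuing a certificate. Since Z_p^* is cyclic, the subgroup generated by 65537
# mod p is exactly the set of x with x^d ≡ 1 (mod p), where d is the
# multiplicative order of 65537 mod p. That gives a cheap per-prime test.

GENERATOR = 65537
# Odd primes up to 167, the prime set used by the published fingerprint test.
PRIMES = [p for p in range(3, 168) if all(p % q for q in range(2, int(p ** 0.5) + 1))]


def multiplicative_order(g: int, p: int) -> int:
    """Smallest d > 0 with g^d ≡ 1 (mod p); terminates because gcd(g, p) = 1."""
    x, d = g % p, 1
    while x != 1:
        x, d = x * g % p, d + 1
    return d


# Subgroup order of 65537 modulo each prime, computed once.
ORDERS = {p: multiplicative_order(GENERATOR, p) for p in PRIMES}


def primes_not_in_subgroup(n: int) -> list:
    """Primes p where n mod p is NOT a power of 65537 mod p (an affected key has none)."""
    return [p for p in PRIMES if pow(n % p, ORDERS[p], p) != 1]


def has_roca_fingerprint(n: int) -> bool:
    """True when n matches the fingerprint at every prime; a CA would then reject the CSR."""
    return not primes_not_in_subgroup(n)


# --- constructed sample inputs (not real keys) ---
M = 1
for p in PRIMES:
    M *= p
# Mimics the affected structure N ≡ 65537^a (mod M); the multiple of M is arbitrary.
SUSPECT_MODULUS = pow(GENERATOR, 123457, M) + 7 * M
# Arbitrary odd number without that structure: N mod 11 = 5, but 65537 ≡ -1 (mod 11),
# whose powers are only 1 and 10, so the check already fails at p = 11.
ORDINARY_MODULUS = 11 * (1 << 2000) + 5

if __name__ == "__main__":
    print("suspect :", has_roca_fingerprint(SUSPECT_MODULUS))   # True
    print("ordinary:", has_roca_fingerprint(ORDINARY_MODULUS))  # False
```

A random modulus passes all 38 per-prime tests only with negligible probability, which is why a CA can reject a match outright instead of attempting a factorisation.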

------
tptacek
ROBOT won.

------
mkesper
Efail did not break PGP. It did show problems of interaction between email
agents and gnupg. Efail was the most overblown report with absolutely crazy
"fixes".

