I’m teaching Computer and Network Security this semester, and I usually start out by covering crypto at a high level. My goal is not really to have the students understand the crypto itself (that’s what my semester-long Cryptography course is about) but primarily to have them understand how to properly use crypto.
The past few times I have taught a security course, I followed up my lectures on crypto with 2-3 lectures about how crypto gets broken in the real world. One obvious way is when it gets implemented wrong (e.g., the WEP attacks). But there are other, less obvious and more clever, ways as well. Several examples come to mind (and are covered in my class), but let’s name two: bad random-number generation, and what I’ll call a mismatch between the security provided by a cryptographic primitive and the requirements of the application.
With this in mind, it’s fortuitous to hear today about two such attacks:
- The flaw in the random-number generation that was apparently used for several real-world implementations of RSA-based cryptosystems (paper here). (Interesting side note: some news articles I’ve seen say that the paper will be presented at a conference in Santa Barbara in August. The Crypto deadline is 3 days away. Has the paper been accepted to Crypto before the review process has even started??)
- The attack on Google Maps over SSL. Summary: the researchers exploited the fact that even the best encryption leaks the length of the plaintext. This observation has been applied several times before in different contexts. While it may be “obvious” that encryption (practically speaking) can’t hide the plaintext length, I wish cryptographers, when teaching the definition of secure encryption, would point out that leaking the plaintext length is often a real problem.
More examples for me to cover in class!
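The plaintext-length leak from the second item above, as an added example that is not from the original post or from the research it mentions: it counts how many candidate objects an observer can tell apart from ciphertext length alone, with and without bucket padding. The SHAKE-256 stream cipher is a stand-in for a real record cipher, and the tile names, tile sizes and bucket size are constructed.

```python
import hashlib, os, struct
from collections import Counter

def encrypt(key: bytes, nonce: bytes, pt: bytes) -> bytes:
    # Stand-in stream cipher (SHAKE-256 keystream XOR), standard library only.
    # Like any stream or CTR-style mode, output length equals input length.
    ks = hashlib.shake_256(key + nonce).digest(len(pt))
    return bytes(a ^ b for a, b in zip(pt, ks))

def pad(pt: bytes, bucket: int) -> bytes:
    # 4-byte length prefix, then zero-fill up to the next multiple of `bucket`.
    framed = struct.pack(">I", len(pt)) + pt
    return framed + b"\x00" * (-len(framed) % bucket)

def unpad(padded: bytes) -> bytes:
    (n,) = struct.unpack(">I", padded[:4])
    return padded[4:4 + n]

def identifiable(sizes: dict, bucket: int = 0) -> list:
    """Names of objects whose ciphertext length is unique among the candidates."""
    key = os.urandom(32)
    lengths = {}
    for name, size in sizes.items():
        pt = os.urandom(size)  # content is irrelevant here, only its size matters
        if bucket:
            pt = pad(pt, bucket)
        lengths[name] = len(encrypt(key, os.urandom(16), pt))
    counts = Counter(lengths.values())
    return sorted(name for name, ln in lengths.items() if counts[ln] == 1)

# Constructed sizes (bytes) for five hypothetical map tiles.
TILES = {"tile_a": 1834, "tile_b": 1902, "tile_c": 2011,
         "tile_d": 2417, "tile_e": 5120}

if __name__ == "__main__":
    print("no padding   :", identifiable(TILES))
    print("2 KiB buckets:", identifiable(TILES, 2048))
```

With 2 KiB buckets three of the five tiles become indistinguishable by length, while the two larger ones still land in buckets of their own, so padding narrows the leak without closing it.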
On a separate note, two announcements:
- Steven Galbraith referred me to a wiki listing invited speakers at cryptography conferences. (The scope is to be interpreted as broadly as possible — if a conference is not listed, it just means he didn’t get around to it yet.) One purpose is to assist conference program chairs in the selection of invited speakers. Help is welcome from anyone who can fill in the gaps.
- Videos of the talks from the (infamous?) “Is Cryptographic Theory Practically Relevant?” workshop are now online. I’m glad to see that my blog got mentioned at the beginning of Vaudenay’s talk — see here (and especially the comments) for the history.