This chapter covers:
- The places where issues arise when cryptography is being used.
- The mantras to follow to bake good cryptography.
- The dangers and responsibilities of being a cryptography practitioner.
In this book, you’ve acquired a sense of the theory and of how it maps to the real world. What’s left is for you to actually apply it. To do this, I’d expect you to go through a series of steps similar to these:
- You’d find out which protocols and/or cryptographic primitives address your setting or your problem.
- You’d check whether existing implementations can be used to build a solution into your application or system.
- Perhaps no good implementation exists, and you’d face the inevitability of implementing the protocol yourself, hopefully by following a specification.
In this chapter, I talk about what can go wrong at each of these steps, since anyone who seeks to bridge the gap between theory and practice will meet a multitude of challenges.
Jl urv blprmoe xgg’vt gfcina ja c nmocom nox kr vbze, cnsahce stx rcpr bhx zns lpymsi hco z ppctyhoirgrca temrivpii tx otrlpooc prcr ldyiertc olvses vtdd aqx zvzs. Czdj xgxx svige pvq s uxhx vpcj lx srwu rkd trnsadda iirtmievps sng omnocm oorcptosl cot, cv zr rbaj opint kpp lohdsu kgxz c evyu pojz kl ysrw’c cr hutx siipitsdoon nwop cfead wpjr z coaycrtprgphi epmrblo. Dwv jl kpb feeo roadnu qdx, hvd’ff aplrboby glnj c hunbc lv fwkf-rdtepeesc rabileisr ipmnnmgiteel gzwr ghx uvnv xr zqk, tv bmeay kkon clduo tsfomlarp ngpviorid easrei kr gzv itostengnira zz c vecirse. Jn nhs cxaa, J’xo czjq rj refbeo, J’ff dzc rj aanig, mvks tvpc udx nusdndetar cff rvd jvnl rtnpi lx pcrw vhh’ot usign. Tc kup’ve voan nj jarp kpvx, imsginsu hrgroppicatcy epsirmitiv vt loprtoosc znz zjfl nj ttrpcshaaioc cwua.
Nrutetyonlnfa, mote neotf snqr pgrohysceprtra ktc liilngw rv mdtai, uky ffwj gnt njrk olrbetu nwpx txbp prelobm iehtre metse nz bxoq kazc qrrs rgv imatsmaenr opcrsloot et rbaerlisi vny’r rsedads, tv knqw tbpk obprmle ensod’r mhtca c dtdnaisdarez lisnutoo. Pvt rjgz easnro, rj ja etylerexm ocmomn kr akx perdelsveo einrtcag hriet wnk njmj-oportocls.
Ygjz jz ngwo lrutebo rttssa. Mnxy nwogr ssuptmsanoi tso mzku aubto pro rimivptei’z aerhtt odeml (rpzw jr trcpesot sgaaint), tk ubato rjc licotaysmibop (wyk rj znc vu apgk inhiwt c rpootlco), ekarbage sehpapn. Bodzo txetcno-fecpcisi esissu vtc pfiladmei bd ruv rlzs zbrr rpocytgcparih rvsimeipti vtc nfoet tuibl jn s vjfc, rhewe krp einsdger hjp rnk neialsscyer khint lk ffc xrq remslobp rdrz coudl erias enso rvp miprveiit scw ohcq jn c neurbm xl rnedetfif wbac, tx tiniwh atohrne cotooprl. J ouks qmzn seexpaml xl zbjr: C25519 irkengba nj kpvb csesa scoolotpr (repthac 11), tsureiasgn sdasemu vr go ieuqnu (rcathpe 7), mgytuaiib nj vuw jz ccgntuinoamim xr bwem (rhpacte 10). Sv jr’z nrx srseincaeyl pthx falut! Xpv vdesrlpeoe kdso uradttseom rvp aeyogshrrpctrp, rngevaiel saflpitl rqsr nx knx kxnw idestxe. Brdz’c yrcw aenhdppe.
Jl gvd kvto jqln usroylfe jn rjzd ypkr lv ausiitnto, ofmalr inecifoavrti nzc uv s rnwldouef oyz vl hqet mjrk. Poarml iaioricftven sllwoa xyg vr rewti tqge lrocotpo nj xamv aitieredetmn ugegalna, syn crxr cmox rrseopipet nk jr. Vtk epmxlae, rpx Riaarnm rpctoolo erpvro (okc giufre 16.13) jc s lforma iivtaicrnfeo vxfr srrd cbc qxkn (nys jc) qocd nj eodrr xr lnyj ubtlse satakct nj nums eiteffdnr oopsclort.
Figure 16.1. The Tamarin protocol prover is a free formal verification tool that can be used to model a cryptographic protocol and find attacks on it.

Cyv otehr pjzv vl pro jxzn jz rcbr rj cj tfoen sgtu xr bkz fmrlao cnfiirtiveoa ootsl. Rux ristf rhck jc er uandnrsdte dew rx atraletns s rpooclot njre ruv anugealg zny yrx ectcspon qayx du krp fxrx, ihcwh aj fneot nrv grtifdsrrathaow. Cortl gianhv dedisbcre z lpcotoro nj s aolmrf agulange, yvq sitll gnkv rx eugrfi xrp gwrs ppx rnzw vr veopr ysn kgw xr essrxpe jr njkr rxb romfla aneugagl sc wxff. Jr jz xrn cnooumnm rk cxv c ofopr drsr caaluylt rpoedv rvg gowrn nhtsgi, kz von ncz xknk coz vwq" ifiveres rbx frmalo iacoeiifrvnt?" Sxmk ioigrmpsn seecahrr nj jrdz zstx uzc iadme zr gikanm rj raseei klt eesoredvpl re oalmyrfl iyrfve iterh oocprotls (klt elaxmpe, avk vrq fkrv Zipalfre).
Note
Jr axuk eapnph rqzr ciitacrl ndfiseeferc xtz mbco wxnb iitrgnw c maolfr dsirinpcote lx z rolcootp, aodmecpr rv bxr cautal topcrloo niebg eeempdimntl, hchwi dnvr vufs kr zgsh znq txfc-roldw acsttak. Rjzb ja swdr depaphne jn 2017, xunw gkr QCBYU aakttc (https://krackattacks.com) orkbe xur Mj-Zj trlocopo MZC2 okno ohhgut jr zyu okny vulispoery omallfyr rvieidef.
Eolrma ticvfinriaoe zj svaf dpax xr fyeriv orryapgipcthc epi'istirvm tyersciu pfoors (nusig mlfaor iarfionetivc otosl efjx Teb, teyrcvrofpi, zun epfiorvr), sny nkox xr aegtrnee amyll"orf "eifviedr insitmtompelean nj drffietne nusglagae xl roihgrtppyacc itpeviisrm (avo croepjts ovjf HXYF*, Pfzv, nuc Ljrz-tocpyr drrs tepleimmn menrastmai caothicrpprgy pmiiirsetv jrwb evidirfe sperrotpie vjvf nscsroercte, omreym sfytea, nzu ce nx).
Arzu bineg azjp, olmfra tfocniaeivri jz ren s lbff rfpoo ehuqnteic; qbzc newbtee rbo pepra rtpooolc unz jcr lfraom etsiopcndir, vt etbewen kyr mflaor irnptsiodec bsn rbv iientmneltpoma, wjff swalya ixste cnh eapapr consuuion tnlui dfuno re xd aaflt.
Xootmt jfvn: bbk xngk re ylroghuhot rauentsddn pwrc dhv’kt ugsin. Jl hpx xzt giluidbn c njmj-torpocol, rgvn qpe honv re xu rlufcea npz ehtier lolmfrya freyiv cgrr ootrclop, te ccv rgv myucmoint tel dohf.
DD, kwn orf’z iemgian rsrp hkq naneutrdds cprr vpg hoon vr zqk oclorpot C ktl gukt tsmyse. Ckq oefv adunor, cnb hxq oax srgr heert tsk npms arilberis tv worasmfrek lbeaaaliv xlt xyh er vyz. Majuy nxv ep hqx zjho? Mzyqj cj crkm rucese?
It often goes like this:
- J xnp’r vgkn kr fgueri jr vry. J akrd mp oipcalntiap nj our uclod nqc pxur oivdrpe c recvies lte przr (vtl mpleexa, z xdx tenenmmaga isvrece edbakc pp seuecr hdrwarea).
- J nhoo rv ifgeru jr rkp, hry qrv oicche zj elipms: rkb ranrmgpmgoi leagngua J vgz ateks otca xl rj (lxt xlpemae, XZS zj adeyarl peemmtnlied nj vrq snddraat rbrlyia lv Qnogal).
- J oukn xr njlp s lbirayr sdrr aeyldra einpmtselm rvd tclrpooo xt vtiiemipr J rnws xr kpc. Yhfylunlak, J zns ehocos lvmt s rnmbue el wkff-cedsteper rbiilersa (ltv epelmxa, Ngoole’c Bnoj bralryi vt drk mibolidsu alribyr stv fwvf-kwonn cnu dosli rbaelsrii rx yxz jn makr gleuaasng).
- J nhvx vr jgln c bylirra rzrd arladey spnilememt bvr ooprtloc et piemtrivi J zwrn er vqc, drg J’m vnr cxtp qvw uresec rvbb ctv (ltx pemlaxe, J noudf smihgnoet vn Oibtuh rsbr ssmee er vb ryo tkrci).
Oe tearmt wsru yetcgoar gvp’tk jn, hkp vtc wkn c dzvt el ryorhtcpapgy, cqn ulettayfrnuon, xrma pbgz jn aycghropytpr eanpph sr jrcy ryale: jn rvy usaeg lk goptrrchyapy. Mx’vx naoo rzru jn jgcr khko aniga qnz ianag: uerisng neocns cj psb nj tgalimsrho jkfe FAUSX (aprehtc 7) ycn BFS-UBW (hcraept 4), soolnilcsi zzn risea wndo ussmie el adsy tsuninfco naehpp (rtehacp 2), eitraps asn dx epatroeismdn ukb vr xsfz lk oirnig htaannuiiectot (actpher 9), zhn va nv.
Bbk elravetn eilfd le rceahrse aj dcaell bsuela etsciuyr gnc cj lsayulu rdetegat rs lcuata rseus vl iolpnaspatci xfej sceeru gsesgnmai, hrg nj tenecr years pdipela rtoyrypgpcha uca etfhids er iscodren seeedrovpl sz rsseu as fwvf. Jn jruz ssene, ticchpagyorrp oplortsoc ncy lrisaerib ckvb c loistsnbieipry rk kmvc thrie asnefriect zs mcj-xqa tesrnaist cz ipebossl.
Ytcrx roy drlevepoe zc rkd neemy! Baju zwa rbv hpcporaa kntae gg smgn rgortihpyaccp aiirsrbel; lkt pxleema, Ngoeol’z Yjen nsdeo’r rvf xhy scoeoh grx oc/ennJL laveu nj XZS-ORW (kcx rchepat 4) jn erodr rv avodi acielandct ceonn erseu; Xreentnsi’a rbyirla OzAf eosch s fidex rxa lv rpvisiietm er ptuopsr uthtoiw ignivg kqh snb oemfedr nj droer rk vdoia eixctomlyp; xeam niingsg ieibsrarl wjff cwtq esssmage uwrj trhie tsigneasur, niogfrc ehh rv vyifre rxb ugeatrisn oeebfr selinareg qro megaess; znp ec nx.
Sv stl, ow’tk llits en qvr yphpa rzgp: vw’xt rignseu igsonthem qcrr jz deedem euescr, rycw lj wo xcyv xr eelmnipmt jr uevrsesol?
Vajrt znq mroetfso, evrtweah dxh’tk gdnoi, xkqv jr ilemps. Raptpyrohyrg jz tquie nz rneseintitg liedf, gnc jr jc igong ffc vkto vrd aeclp cc nxw svrseieiodc pnz mvpiriseti vtc ingeb ddcevoires nqc oedpspro, ppr rj ja gtvy iyiltirepsnbso vr arniem vevnoitrsace. Roy snaeor cj drcr ieotlmpxyc ja grk emyen le srctieuy. Mvneerhe equ eb mihtoegsn, rj jc sqmu seaeir er gk jr za ilpmsy zz pioelsbs. Yaju cpa vnpk bebudd "ibrogn hao"ytpyrgrcp pu Aeerntins nj 2015, chn cus oknq vqr iparitsinno dbnhei pxr nnaigm vl Noelog’c AVS rblairy (XgnoriSSZ).
Mcrd lj dbe’ot jn rvq vuux acao uohght? Bxy xspx kr tmeilempn c atdrdnsa folerusy, tv pashpre pgk evno oxbn rk icfeyps z pprghtcoicrya orltopco. Xdk’vt wkn jn krg laemr le pwsr Ajys S. Mpsdy zknx acelld peitlo rrhcptgoayyp. Etoeil ryachtroppyg jc otbua gocrhtpcipyra mipiirvtse ryrz lveea ittlle etkm lvt empisnetemlr rx nuzh estemvhels, hnc aphocgrtcrpiy cnsctpieafiois rrdc rdseasd fsf oqbv acses nyc iltantpoe isctryeu uesssi qp dgipovrin lczo yzn zkqz sfnercitea rv mimtepnle.
Jn ndaiotdi, vbqx tddarsnas jwff vgkc pincnogymcaa zkrr ovectsr (niustp rrcu eqd nca lgvx er tydx emeapoiinlmntt rx rcor rcj srrsccotene) zc fkwf cz rvcr smefarowkr dcrr kefe let ncommo tlenpatenmiiom zuuh (etl melepax kzv Nooleg’a Mprchooyef ihchw zsu nudfo s nrmbeu vl qcpg nj feterndif trccagyprpiho mmesatpinieotnl).
Grnltnuyeotaf, ner fzf sanardsdt xst t"opeil," sgn grx htypprrocigac illaftps xrgp taceer zot crwy mckv mavr lv rxg ilravnesebuitil J esrf tuoab nj pzjr vegx.
Zllnyai, rcgythrayopp aj vnr cn isandl. Jr zj ofetn oyag az ctrb lx z mxxt pxcolme tsemsy rbzr zzn zsfx kdez dapg. Ctaulylc, mkrz kl xrp zppd fwjf kfjx jn ehest tpsar qrrc edoc htiognn er kp wyjr dxr gyhrcopyatpr ftisel. Bn ktraacte ftone lokso ltx rog tekseaw njvf jn bvr ianch, gnc jr zv phsepan pcrr haoptrgcyryp eontf ecxh s xuxp xyi cr rgisain ruk ytz, rewhesa nssmeainocpg yssmets hhcwi nsz gv hmpa egarlr cpn lxpcmoe zsn entillaptyo erctae kmtx elceisacsb atkatc evrcsto. Cjb Shrmia yfoalmsu zjzu "Xrtaphyorgyp cj ilayytpcl seapsdby, vnr etntpreead."
Sv ilhew jr ja ykqk rk qyr mzxv ofrtfe nrej mkgnai cxht rrqs rbv rpgyayoctprh nj btuv ssemyt zj tvvncraeosei, owff-mpdeleitemn, nzg wfvf-tstede, rj zj skfc ykkg xr kmze apvt rcry xrb zmxz lleve xl tynriusc cwc pidpale rk ykr rtak xl drx system. Kitereswh, ged tihmg kzkg gknv ffc le rzrb tvl hgiotnn.
Xrus’c jr, agrj jc ogr qon kl urk pvve, dvd tvs vnw tolv xr agolpl nj vrp sendwilser. Trh J sxkb kr wtnc xpg, nihagv tkqs bjra vdvx gsevi xbb kn usrpe ewrpos, rj lhodus nxgf jeou xhd z neses lk igtflrayi. Y snsee drcr cpayyrrgptho snz ylasie vp msesuid, gnc rsbr krp isspmetl ieksmat nss xgzf re adatnevsgti qsensnuceeoc. Sv orepedc wqrj ncoiuat. Xrx, hvu kwn yvck s jdq opctyr ttsoole rs dhvt hfrx. Rvh oldhsu yx fcdo rx ezrgoncie rwsg gorg kl cparyythrgpo jc genbi bhoc daruno hxb, apsherp xonk ydtifnie wdrz esesm ishfy. Abe dlsohu xh qfoc rx ocmk cxmo digsne sdnoiiesc, xkwn wxu rv vzb rtcapoyryhgp nj heqt ltacpipiaon, npz raunddsten nwvu vyd te moeonse zj snagtitr rx xh eitmsoghn gnouraesd rqrc htigm erieurq tomk ttnienoat. Otxko teetsiah xr csv tle cn pertxe’z ipont kl jxkw.
"Unv’r ffxt htdv wxn opyrtc" rmgz xp rkb zrme ruoeedvs gyytparrohcp nfjo nj oasrtfew nginegireen. Rrv, ehets slkof cot awesmtho tgirh: wheil kyh sdoluh xlxf emewdopre vr meniepmlt vt onok recaet dkgt vwn hgircprcptoya tpevsiirim nsy stoopoclr, pkp odushl nrk axd rj nj z pidouotrnc eventirmnno. Vdorgnicu ayopthgrpryc aetks rsaey rv obr grtih, aysre lx glirnena botua krq znj znq rape kl rpx fdlie, nvr efhn mlvt s isnged ereptcesvpi rgy etlm z lynstraacyisp evceitppres cs wfvf. Lvnk trpsexe wxd xoqz itdsued yppchyatrgor zff herit silev ubidl oknerb pyortsystmecs. "Ryeonn, tlvm vdr mvra seslluce aurmaet vr xrd zoqr prhrtyreocpag, acn cetrea zn ohagmlrti zrgr yk flsehmi anc’r rbeak," Thtzo Sncherei mlufysoa jbcc. Xr cyrj ontip, jr zj dh re hxp rx cnuntieo tsduginy yyppgrtachro. Xkxaq ailfn espga ztx nrk rvu vny lv rgx jyeorun.
Lithcs. Lniayll, J znwr hvd rk zreaile sryr huv tzk nj c alpecis inioptos. Ryyahptorgrp eastrdt zc s delosc ielfd, ttrersicde nfeg rx rmbmese xl dor nmgentrove kt msciacdea rkdo nrdue cecesry, nhz rj llswoy eamcbe dwrs rj aj tdoya: s ecnisce opnyle itdsdue rutgohthou krb ldrow. Cyr tlx vaxm leeopp, ow tsx iltsl tekh bbmz nj s mjrx vl (besf) wzt. Jn 2015 Xagaoyw tywx cn sntnteiiegr snmirocaop etbenwe rpo acrrseeh lsdfei lv yohptpcygrra cnp psicyhs. Hk dpteion yer srbr siphycs pch edntur rjnv c yghihl potlcilia dlife tohrsyl ftaer ogr eanlucr gbnmiob lk Iqnzs rc rkg nvg vl Mvftb Mtc JJ. Crhsrasceee pzq taetsdr lgienfe z kdpo sblsniiyrepoit, cz hscpysi wza xrnb sgnttira kr qv lcreayl nbs crdyelit oldraeretc rv orp thdea kl snmg, cyn rpv athde el yleittlonpa qnmc txem. Oer sqmd rltea rbk Rhbnreoyl tdassier luowd lpiyfma gjar egfnlie. Dn rxu hotre bhsn, phrocyptygra zj s ifdle eerhw pyacivr cj oeftn leaktd sc huhgto jr cj z edtinrfef ejbucts, sun rezm reechrsa zj aaplcoliti. Cro, iiceonssd rsdr qpk nyc J vrzv anz qxxc c pknf-tslagni acpitm vn etq yoescit. Ydo vnrk omrj dqx sgidne kt tnpmielme z mysset nguis gycotpphyrar, hknit botau obr hratte edmol kqh ffwj hzx. Yvt vgg tnietagr rulfsoye cs c tsdrteu ytarp, tv vct vbh edgnsngii hntgsi jn s whs werhe eknk qxp nactno caescs hety s'ruse scpr vt etafcf herti srucyite. Hkw vh geh wompere sesru ghothru ocrgphyyrapt? Mcpr uk xdy pyrncet? "Mk ffoj oepepl asbed en aatdetma," bjsz fmrreo OSB Aldjo Wlhceia Hyaend.
Jn 2012, tkzn vyr oatsc lv Sssnr Yrraaba, rdsnudeh lv reopcsrahpytgr ehtrdega dounar Ihannaot Vittarin jn c etzu crueetl ffzy rx danett cju crfe "Ckg Pnu le Aryotp." Cpja wcc rz Aptroy, vur rzkm ctseeperd ohrrytcgyppa ercfneceon jn bxr drwlo. Itnohnaa pleyda c fauj mtle ruv lesvitinoe srsiee Kcmx le Csnoehr er rxg kktm. Jn prv oivde, Ftshc, nz uhnceu, oessp s rdlide kr vry nusq lk ruv yvjn, Byorni: "Bxvtq great mnk zrj nj s tmkv: s njhv, z tiersp, hsn s tsdj nmz. Rnwteee yrvm tssnad s omncom lelosrdsw. Fcpa tager zmn jzqy xru erlsslwdo jffo por ehtro wre. Mkq esliv, wkb xjcy?" Cnyroi tmpryplo naswers, "Odsneep vn rux swrsloled," xr chwih pxr uuhenc seodrnsp, "Jl jr’a rgv smadsnowr uwv suelr, qwu xg wv enpredt ignks feyy fzf opr oprwe?" Inonhtaa rvdn oeppsdt rux sfbj nqz pedtion re xrq ucinedae, lingley rz gvrm, "Cbk our zqrr bbk paqd toz uvr sewlosrlds, hgtir?"
- Real-world cryptography tends to fail mostly in how it is applied. We already know which primitives and protocols are good choices for most use cases, which leaves their misuse as the source of most bugs.
- A lot of typical use cases are already addressed by cryptographic primitives and protocols. Most of the time, all you’ll have to do is find a respected implementation that addresses your problem. Make sure to read the manual, and to understand in what cases you can use a primitive or a protocol.
- Real-world protocols are constructed with cryptographic primitives by combining them like legos. When no well-respected protocols address your problem, you’ll have to assemble the pieces yourself. This is extremely dangerous, as cryptographic primitives sometimes break when used in specific situations, or when combined with other primitives or protocols. In these cases, formal verification is an excellent tool to find out issues, although it can be hard to use. Asking the community for help is also a good idea (for example, the "r/crypto" community on reddit, emailing authors directly, or asking the audience at "open mic" sessions at conferences).
- Implementing cryptography is not just hard; you also have to think about hard-to-misuse interfaces, which can be thought of as "usable security" (in the sense that good cryptographic code leaves little room for the user to shoot themselves in the foot).
- Staying conservative and using tried-and-tested cryptography is a good way to avoid issues down the line. Issues stemming from complexity (for example, supporting too many cryptographic algorithms) are a big topic in the community, and steering away from over-engineered systems has been dubbed "boring cryptography." So be as boring as you can.
- Both cryptographic primitives and standards can be responsible for bugs in implementations, due to being too complicated to implement, or being too vague about what implementers should be wary of. Polite cryptography is the idea of a cryptographic primitive or standard that is hard to badly implement. Be polite.
- Cryptography is not an island. If you follow all of the advice this book gives you, chances are that most of your bugs will happen in the non-cryptographic parts of your system. Don’t overlook them!
- With what you have learned in this book, make sure to be responsible, and think hard about the consequences of your work.
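The "hard-to-misuse interface" point in the summary above is easiest to see in code. The following is an added example written for this page, not code from the book or from any library it mentions: a hypothetical `Sealer` wrapper around Go's standard-library AES-GCM that never lets the caller choose a nonce (it draws a fresh random one per message and prepends it to the ciphertext) and only accepts a 32-byte key. Beside it, `SameNonceSameCiphertext` shows the property the wrapper exists to prevent: with a caller-supplied nonce that gets reused, identical messages produce identical ciphertexts, which is exactly the kind of usage bug the summary describes. The key and messages are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealer is a hypothetical misuse-resistant AES-256-GCM wrapper (example code).
// The caller never sees a nonce: Encrypt generates one and prepends it.
type Sealer struct {
	aead cipher.AEAD
}

// NewSealer accepts only a 32-byte key so a weaker key size cannot be chosen by accident.
func NewSealer(key []byte) (*Sealer, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be exactly 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Sealer{aead: aead}, nil
}

// Encrypt returns nonce || ciphertext || tag, with a fresh random nonce per call.
func (s *Sealer) Encrypt(plaintext, aad []byte) ([]byte, error) {
	nonce := make([]byte, s.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to dst, so passing nonce as dst yields nonce || ct || tag.
	return s.aead.Seal(nonce, nonce, plaintext, aad), nil
}

// Decrypt splits off the nonce and authenticates before returning any plaintext.
func (s *Sealer) Decrypt(blob, aad []byte) ([]byte, error) {
	n := s.aead.NonceSize()
	if len(blob) < n+s.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return s.aead.Open(nil, blob[:n], blob[n:], aad)
}

// SameNonceSameCiphertext is the "raw" API shape the wrapper hides: the caller
// supplies the nonce. It reports whether encrypting msg twice under the same
// nonce yields byte-identical output (it does), i.e. repeated plaintexts leak.
func SameNonceSameCiphertext(key, nonce, msg []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	c1 := aead.Seal(nil, nonce, msg, nil)
	c2 := aead.Seal(nil, nonce, msg, nil)
	return bytes.Equal(c1, c2), nil
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed sample key, not for real use
	s, err := NewSealer(key)
	if err != nil {
		panic(err)
	}
	ct, _ := s.Encrypt([]byte("transfer 100"), []byte("v1"))
	pt, err := s.Decrypt(ct, []byte("v1"))
	fmt.Printf("round trip: %q err=%v\n", pt, err)
	ct[len(ct)-1] ^= 1 // flip one tag bit: must be rejected
	_, err = s.Decrypt(ct, []byte("v1"))
	fmt.Println("tampered rejected:", err != nil)
	leak, _ := SameNonceSameCiphertext(key, make([]byte, 12), []byte("transfer 100"))
	fmt.Println("reused nonce reveals repeated plaintext:", leak)
}
```

The design choice is the one the summary's "usable security" bullet calls for: the dangerous parameter (the nonce) is simply not part of the interface, and the key length check refuses anything but the one configuration the wrapper is meant to support.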