Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

NWEN ESIF 2006

April 29, 2006

I attended the Northwest Entrepreneur Network’s Early Stage Investment Forum 2006 this week and saw some pitches from many Pacific Northwest companies who are doing some amazing things.  One noticeable factor that struck me was the variety of industries represented by these companies.  Of course the PacNW has a major computer technology presence, but the influence of coffee, aerospace, and transportation was clear as well.

  1. I sampled a short cup brewed by The Coffee Equipment Company via what I presume was a Clover brewer.  The brew was very strong - like French press on steroids.  I highly recommend that you try coffee brewed that way at least once, especially if you’re one of those people who might enjoy knowing what good coffee actually tastes like (hint: not like a Starbucks latte).  Keep an eye out for this company and their brewing equipment, and don’t be surprised if you start to see it at high-end cafes and in gourmet home kitchens.  (Full disclosure: the coffee was so damn strong that I couldn’t finish it, but that’s probably because I usually drink decaf and I’d already had too much that day, anyway.)
  2. Okay, so my aerospace example is wrong, since ADI Thermal Power Corp isn’t actually in that biz.  But their President did work at Boeing for 20 years (and the prerequisite intellectual critical mass for significant innovation in mechanical engineering, such as the following, must have come from somewhere :)).  I’m not able to find a website directly affiliated with ADI, but here’s a reasonable description of their product, which is a high-efficiency Stirling engine.  My mental model of the product is this:  consider the diesel engines that power the refrigerators of many convenience stores.  Now suppose you can replace those diesels with an engine that’s quiet, cleaner from an emissions standpoint, and 10 - 15% more fuel efficient.  And, as I understand it, much of the efficiency and affordability gain is due to patented technology owned by ADI.  What really struck me about their pitch was the assertion that, given the forecast size of the so-called "Distributed Power" electricity generation market, this is a billion-dollar opportunity.
  3. Finally, check out Charter Bus America.  They’re taking the historically manual, paper-driven, and slow process of generating quotes for bus rentals and automating it online.  I keep thinking back to some of the employee morale events organized by my previous employer, for which the group administrators would have to charter a small fleet of those huge travel coaches.  Apparently, the process of even getting current pricing information from some individual bus companies took days.  This is an example of one of those problems just screaming for a web-based solution, and when you hear about it, all you can say is, Duh!  Anyway, CBA’s pitch was really solid, and they’re well-positioned to capitalize on a heck of an opportunity.
Permalink | Comments (0)

An article entitled Transit Safety in the April 2006 Information Security magazine made me realize that I didn’t really know the difference between SSL and TLS (note these are widely-used internet security protocols; see the little lock icon on your browser when you buy something on Amazon.com).  Unfortunately, it appears that free online access to that article is not readily available.  But, my comments are based on other available references.

The primary difference between SSL and TLS is that the SSL protocol, originally defined in 1994, is the intellectual property of Netscape.  TLS, which is based on SSL 3.0, is a much newer open standard defined by the IETF.  So much for the original question …

One interesting crypto-related tidbit came out of my research, though.

The TLS 1.1 proposal is currently in draft phase.  Interestingly, a primary reason for its existence is to replace the use of PKCS #1 v1.5, used by TLS 1.0, with PKCS #1 v2.1 (PKCS #1 is a data-padding standard for the RSA cryptosystem).  This is due to a cryptographic threat known as the Bleichenbacher attack.  Suppose an eavesdropper has captured the encrypted session key which the client (e.g. a web browser) sends to the server (e.g. a web server) during the TLS protocol setup phase.  The goal of the attack is to compromise that session key, at which point the data exchanged during the session (e.g. your credit card number) can be recovered by the attacker.  Note that the session key is encrypted such that, in theory, only the server’s RSA private key can decrypt it.

To accomplish the attack, a series of carefully chosen permutations of the RSA-encrypted session key are transmitted to the server.  The server’s response to each transmitted permutation is a single bit of information:  Valid or Invalid.  The Valid response indicates something remarkable – that the permuted, encrypted key, when decrypted via the server’s private key, resulted in a valid, correctly-padded message. 

Observe that in the client’s original plaintext/padded message, some byte values are fixed (e.g. the session key bytes, as well as a few of the padding bytes) and some byte values can vary (i.e. the remainder of the padding bytes).  Refer to PKCS #1 v1.5 for more info.

Consider the behavior of the padding in another way.  Suppose that by changing a specific bit in the ciphertext, I can affect a specific byte in the plaintext (I don’t claim that to be possible, at least not exactly).  There are three cases: 

  1. Variance in the session key bytes will still result in a valid padded message, but the server would end up with the wrong session key
  2. Variance in the fixed padding bytes would result in a message that fails to decrypt (more accurately, fails the padding check immediately after decryption). 
  3. Variance in the variable padding bytes would result in successful decryption and the correct session key. 

So, based on that, we can say that that PKCS#1 v1.5 is insufficiently plaintext aware.  In other words, it’s possible for the attacker, via trial and error, to discover a number of valid ciphertexts that correlate with a desired plaintext (that is, specifically the session key bytes of the plaintext). 

In summary, Bleichenbacher is an adaptive-chosen-ciphertext attack.  Bottom line:  if the server is using a 1024-bit RSA key, an estimated one million chosen ciphertexts can compromise a session.  Such an attack is well within the grasp of even a poorly funded hacker.

The PKCS #1 v2.1 RSA padding standard (see the PSS scheme, currently section 9.1), and hence TLS v1.1 which will adopt it, addresses this problem by being much more plaintext aware.  Per the v2.1 standard, a PSS padded message has only nine fixed bits.  Based on my analysis, all remaining bits of the padded message are in various ways derived from the base message (e.g. a session key).  In other words, and in contrast to v1.5, there are no variable padding bytes.  So case (1) above doesn’t apply and case (3) is exceedingly unlikely.  Hence, no Bleichenbacher!

Permalink | Comments (0)

Posts from my previous life can be found at my old blog.

Permalink | Comments (0)