Implementation Attacks
An implementation attack exploits a mistake (vulnerability) made while implementing an application, service, or system. Bruce Schneier describes implementation attacks as follows: “Many systems fail because of mistakes in implementation. Some systems don’t ensure that plaintext is destroyed after it’s encrypted. Other systems use temporary files to protect against data loss during a system crash, or virtual memory to increase the available memory; these features can accidentally leave plaintext lying around on the hard drive. In extreme cases, the operating system can leave the keys on the hard drive. One product we’ve seen used a special window for password input. The password remained in the window’s memory even after it was closed. It didn’t matter how good that product’s cryptography was; it was broken by the user interface” [41].
Side-Channel Attacks
Side-channel attacks use physical data, such as the CPU cycles or power consumed while encrypting or decrypting, to break a cryptosystem. Some purists may claim this is breaking some type of rule, but as Bruce Schneier said, “Some researchers have claimed that this is cheating. True, but in real-world systems, attackers cheat. Their job is to recover the key, not to follow some rules of conduct. Prudent engineers of secure systems anticipate this and adapt to it” [42].
Timing Attacks
Timing attacks are a type of side-channel attack that uses time to break a system or divulge sensitive data. Imagine a login form that returns these errors for an invalid login:
- Invalid user/invalid password: “No such user”
- Valid user/invalid password: “Password incorrect”
In that case a remote attacker could launch a username harvesting attack, trying a range of usernames (asmith, bsmith, csmith, dsmith, etc.), and note when the error “Password incorrect” is returned (signifying a valid username). The site designers use this logic to thwart username harvesting:
- Invalid username: return “Login incorrect”
- Valid username:
  - Hash the provided password, and compare with the user’s password hash
  - Valid password: authenticate user
  - Invalid password: return “Login incorrect”
That appears to make username harvesting impossible: both invalid user/invalid password and valid user/invalid password return “Login incorrect.” But the latter case takes longer: the server must compute and check the hash, a step it skips for an invalid user. This means fast response = invalid account and slow response = valid account. This timing difference would be difficult to measure using a fast hash algorithm such as SHA-3 but is much easier to detect when using a slow hash algorithm such as bcrypt (discussed previously).
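The login logic above, next to a variant that does the same hashing work whether or not the username exists, as an added example that is not from the original text and goes one step beyond it by showing a fix. Assumptions: PBKDF2 from the Python standard library stands in for bcrypt, the account and passwords are constructed, and slow-hash calls are counted as a repeatable proxy for response time.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor; PBKDF2 stands in for bcrypt
hash_calls = 0       # slow-hash invocations: a deterministic proxy for response time

def slow_hash(password: str, salt: bytes) -> bytes:
    global hash_calls
    hash_calls += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)

def make_record(password: str) -> tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, slow_hash(password, salt)

# Constructed sample account (username taken from the text's example list).
USERS = {"asmith": make_record("correct horse")}
# Throwaway record hashed when the username is unknown, so both paths cost the same.
DUMMY = make_record(os.urandom(16).hex())

def login_leaky(username: str, password: str) -> str:
    """The logic described above: unknown users return before any hashing."""
    record = USERS.get(username)
    if record is None:
        return "Login incorrect"  # fast path, no hash computed
    salt, stored = record
    if hmac.compare_digest(slow_hash(password, salt), stored):
        return "Authenticated"
    return "Login incorrect"

def login_uniform(username: str, password: str) -> str:
    """Same responses, but every request pays for exactly one slow hash."""
    record = USERS.get(username)
    salt, stored = record if record is not None else DUMMY
    matches = hmac.compare_digest(slow_hash(password, salt), stored)
    if record is not None and matches:
        return "Authenticated"
    return "Login incorrect"

def hashes_used(login, username: str, password: str) -> tuple[str, int]:
    """Return the response and how many slow hashes the request triggered."""
    before = hash_calls
    return login(username, password), hash_calls - before

if __name__ == "__main__":
    for fn in (login_leaky, login_uniform):
        for user in ("asmith", "zsmith"):
            print(fn.__name__, user, hashes_used(fn, user, "wrong guess"))
```

In the leaky version the hash count differs between a known and an unknown username even though the message is identical; in the uniform version it does not.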
Fault Injection Attacks
Side-channel attacks (discussed in the previous section) are passive: they monitor (read) a system. Fault injection attacks are physical attacks that are active: they change a system, typically by injecting energy such as electricity, light, or electromagnetic interference (EMI). Fault injection attacks (FIAs) perturb the device’s physical conditions beyond those for which it was intended, for example by using intense electromagnetic (EM) pulses, high ambient temperatures, and under- and over-volting of the device’s supply voltage. These attacks can induce errors in internal electronic components, which can be used to recover cryptographic keys and other secret data [43].