The last day of briefings at Black Hat 2013 was full of new attacks that every enterprise needs to be aware of. The attacks on the trust that’s established by keys, certificates, and underlying cryptography displayed at Black Hat is both a recognition of the cybercriminal focus and their importance to everyday life.
While salacious and headline grabbing, one of most important sessions this year was Cryptopocalypse. The presenters from iSEC Partners detailed how academic advancement in mathematics have accelerated and new breakthroughs could happen any day that lead to the ability to factor RSA keys at key lengths thought adequate today. As an example, the panel presented how the Flame attack accelerated MD5 collisions orders of magnitude to fabricate seemingly valid Windows update certificates.
The presenters used humor to make an important point, saying:
“We should give Ron Rivest a break. One man, in one decade, developed what commerce around the world depends on.”
It’s been 40 years since many of the asymmetric cryptographic innovations we depend on everyday were made and guidance to move on is almost a decade old itself. When the NSA released Suite B cryptographic recommendations, they decided not to include the RSA algorithms, indicating the US government should make preparations to move away from RSA. It’s likely a good time for enterprises to review the recommendations.
While the compromise of any particular cryptographic method did not occur, the presenters did encourage enterprises to be prepared. Organization should understand where and how they use certificates.
The NIST guidance on CA Compromise provides a good set of detailed recommendations to prepare organization for dealing with compromised certificates –whether due to an attack on a CA or when particular cryptographic methods can no longer be trusted.