A Diagram for Sabotaging Cryptosystems

In my line of work, I enjoy finding and exploiting subtle defects in systems that could be used to compromise the assets those systems are entrusted to protect. It’s extremely rewarding (and challenging) to dive deep into a system built for an unfamiliar problem domain so that I can understand it just enough to undermine its assumptions and gain unauthorized access.

Inspired by the Underhanded C Contest, I like to think about how innocent-looking code can behave maliciously. Learning about how cryptosystems can be weakened is occasionally a part of that. Simply put, a cryptosystem is a set of algorithms used to implement encryption and decryption in order to protect the confidentiality of sensitive data. Examples range from the trivial Caesar cipher to modern systems, such as RSA and AES.

Sabotaged cryptosystems make it easier to crack and tamper the ciphertexts produced. Some weaknesses like the predictable PRNG in Debian OpenSSL appear seemingly unintentional but are easily remediated. On the other hand, some like DUAL EC DRBG appear suspiciously intentional but can remain effective.

Whether you want to undermine or secure a cryptosystem, reading the IACR paper by Schneier, Kohno, Ristenpart, and Fredrikson (2015) is a good start to understanding a taxonomy for which cryptographic systems can be secretly weakened. If you already know what it’s about, you can skip to the chart I created based on the paper.

In the paper, “Surreptitiously Weakening Cryptographic Systems”, the authors detailed a taxonomy of cryptographic weaknesses to compare different approaches to sabotage. A cryptosystem saboteur can introduce vulnerabilities into the system, either accidentally or intentionally. Attackers can use the weaknesses to exploit the system. Sometimes, the attackers are also the saboteurs exploiting weakness they introduced. Weaknesses make it easier to undermine a cryptosystem and the assets the system attempts to protect.

In order to efficiently sabotage a system and in turn make a system more resistant to sabotage, you have to assess a cryptosystem’s risk for attack. To do that, you should categorize each weaknesses potential to cause damage. In the paper, the authors categorized the potential for damage of different weaknesses based on three factors:

  1. Secrecy: Level of difficulty to discover the weakness.
  2. Utility: Conditions and amount of work required to exploit the weakness.
  3. Scope: Number of users impacted by the weakness.

They created a taxonomy that “characterizes weaknesses by their ‘features,’ at least according to the point of view of a saboteur.” As you analyze a system for weaknesses, you can also indirectly understand the motivation of a saboteur through the weakness characteristics that manifest in the system.

After reading the paper, I created an interactive diagram to provide another way of conveying how the weakness categories rate against the dimensions of the taxonomy laid out in the paper. It’s a visual way to understand how a saboteur’s motivations could map to the options they would consider to weaken a system. Whether you are part of a red team, blue team, or a saboteur, you can use this chart to model threats for your cryptosystem and determine which weaknesses are most likely to manifest.

To use this diagram:

  1. Identify the characteristics that apply to you as a saboteur.
  2. Hover over the weaknesses to see which conditions they can satisfy.
  3. Read the paper for more information about each weakness.
Your browser does not support SVG. It's 2016 already.

If you have feedback or suggestions to improve it, feel free to contact me.