Jefferson's Wheel

Forbes has an excellent interview with Karsten Nohl: Codebreaker Karsten Nohl: Why Your Phone Is Insecure By Design, Andy Greenberg, Forbes, 12 August 2011.

Nohl’s findings aren’t only meant to demonstrate that Nohl is an uber-skilled codebreaker. He argues that his work shows, more importantly, that phone encryption is made to be broken. Whether intentionally or unintentionally, he says, GPRS included flaws that its designers must have known about.

[Added 21 August] The Economist’s Babbage Blog also has an interesting article summarizing Karsten’s work on mobile phone security over the past few years: Living on the EDGE, 18 August 2011.

Dr Nohl stresses that the 11 minutes was just a first pass at writing the cracking software, and that his group used only modest equipment with no financial motive. Criminals, by contrast, could benefit mightily from accelerating the crack, he says, one reason his group has refrained from expounding the technique in detail. It has, however, pointed to some specific holes which ought to be plugged. The group found some networks disabled all security features, relying on the highly misguided notion that traffic could not be easily intercepted except by mobile operators. Having no security from the phone to a base station on a mast makes it easier to filter and monitor traffic.

In 2009 Dr Nohl and colleagues pointed out significant weaknesses to the base GSM standard. Their new attack focuses on General Packet Radio Service, better known as GPRS—a modest improvement to GSM—introduced commercially in 2000. GPRS allows rates of tens of kilobits per second (Kbps), while a subsequent tweak known as EDGE allows downstream rates of 200 to 400 Kbps. GPRS and EDGE are commonly referred to as 2.5G, sitting in between 2G and 3G network speeds.

Yan Huang’s talk on Faster Secure Two-Party Computation Using Garbled Circuits at USENIX Security 2011 is now available: [PPTX] [PDF].

You can also download our framework and try our Android demo application.

The New York Times is covering Karsten Nohl’s work on vulnerabilities in cellular data networks: Hacker to Demonstrate ‘Weak’ Mobile Internet Security, New York Times, 9 August 2011.

Karsten Nohl, who published the algorithms used by mobile operators to encrypt voice conversations on digital phone networks in 2009, said during an interview he planned to demonstrate how he had intercepted and read the data during a presentation Wednesday.

Mr. Nohl said he and a colleague, Luca Melette, intercepted and decrypted wireless data using an inexpensive, modified, 7-year-old Motorola cellphone and several free software applications. The two intercepted and decrypted data traffic in a five-kilometer, or 3.1-mile, radius, Mr. Nohl said.

The interceptor phone was used to test networks in Germany, Italy and other European countries that Mr. Nohl declined to identify. In Germany, Mr. Nohl said he was able to decrypt and read data transmissions on all four mobile networks — T-Mobile, O2 Germany, Vodafone and E-Plus. He described the level of encryption provided by operators as “weak.”

In Italy, Mr. Nohl said his interceptions revealed that two operators, TIM, the mobile unit of the market leader, Telecom Italia, and Wind did not encrypt their mobile data transmissions at all. A third, Vodafone Italia, provided weak encryption, he said.

Technology Review also has an article: Researchers Hack Mobile Data Communications, Technology Review, 10 August 2011.

Phones might be the most familiar devices affected by the research, says Karsten Nohl, founder of Security Research Labs, a Berlin-based research consultancy that conducted the work. But the standard is also used in some cars, automated industrial systems, and electronic tollbooths. “It carries a lot of sensitive data,” Nohl says.

Security researchers haven’t looked at the GPRS standard much in the past, Nohl says, but since more and more devices are using GPRS, he believes the risk posed by poor security is growing.

Nohl’s group found a number of problems with GPRS. First, he says, lax authentication rules could allow an attacker to set up a fake cellular base station and eavesdrop on information transmitted by users passing by. In some countries, they found that GPRS communications weren’t encrypted at all. When they were encrypted, Nohl adds, the ciphers were often weak and could be either broken or decoded with relatively short keys that were easy to guess.

The group generated an optimized set of codes that an attacker could quickly use to find the key protecting a given communication. The attack the researchers designed against GPRS costs about 10 euros for radio equipment, Nohl says.

The Register also has this story: Hackers crack crypto for GPRS mobile networks, The Register, 10 August 2011.

The details will be presented at Chaos Communications Camp today (August 10).

Peter Chapman presented our paper on Privacy-Preserving Applications on Smartphones at the 6th USENIX Workshop on Hot Topics in Security today. Here are the talk slides [PDF].

The CommonContacts demonstration app is now available in the Android Market.

Project Website

Jonathan Burket presented GuardRails at USENIX WebApps 2011. Here are his slides: [PPTX] [PDF]

See http://guardrails.cs.virginia.edu for more information and to download GuardRails.

Today, we are releasing our secure computation framework. Our Java-based framework and library enable programmers to build efficient and scalable privacy-preserving applications using Yao’s garbled circuit techniques.

This paper describes the framework in more detail:

Yan Huang, David Evans, Jonathan Katz, and Lior Malka. Faster Secure Two-Party Computation Using Garbled Circuits, 20th USENIX Security Symposium, San Francisco, CA. 8-12 August 2011. [PDF, 16 pages]

Abstract. Secure two-party computation enables two parties to evaluate a function cooperatively without revealing to either party anything beyond the function’s output. The garbled-circuit technique, a generic approach to secure two-party computation for semi-honest participants, was developed by Yao in the 1980s, but has been viewed as being of limited practical significance due to its inefficiency. We demonstrate several techniques for improving the running time and memory requirements of the garbled-circuit technique, resulting in an implementation of generic secure two-party computation that is significantly faster than any previously reported while also scaling to arbitrarily large circuits. We validate our approach by demonstrating secure computation of circuits with over 10⁹ gates at a rate of roughly 10 microseconds per garbled gate, and showing order-of-magnitude improvements over the best previous privacy-preserving protocols for computing Hamming distance, Levenshtein distance, Smith-Waterman genome alignment, and AES.

The framework and applications are available under the MIT open source license: Download Fast Garbled Circuits Framework.

Yan Huang will present the paper at USENIX Security Symposium in San Francisco this August.

The Special Issue of IEEE Security and Privacy Magazine that I co-edited with Sal Stolfo on The Science of Security is now available.

It includes:

• David Evans and Sal Stolfo. Guest Editor’s Introduction: The Sciecne of Security [PDF].
• Sal Stolfo, Steven Bellovin, and David Evans. Measuring Security [PDF]

as well as three selected special issue articles: Security Modeling and Analysis (by Jason Bau and John Mitchell), On Adversary Models and Compositional Security (by Anupam Datta, Jason Franklin, Deepak Garg, Limin Jia, and Dilsun Kaynar), and Provable Security in the Real World (by Jean Paul Degabriele, Kenneth G. Paterson, and Gaven J. Watson).

I also gave a presentation about A Research Agenda for Scientific Foundations of Security at the NITRD Federal Cyber-Security Research event organized at Oakland 2011. 25 May 2011, Berkeley CA. [PPTX, PDF]

The first release of the GuardRails source code is now available at https://github.com/guardrails/guardrails. GuardRails was developed by Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri.

GuardRails is a web application framework that extends Ruby on Rails to provide automatic support for data-centric security policies. Developers add annotations to their data models to describe their security policies, and GuardRails performs a source-to-source transformation to enforce those policies throughout the application. There will be a paper at USENIX WebApps 2011, GuardRails: A Data-Centric Web Application Security Framework, available soon, that provides more details.

I’ve posted the slides from my recent talk at CMU:

Secure Computation in the Real(ish) World. CyLab Seminar, Carnegie Mellon University, Pittsburgh, PA. 20 April 2011. [Abstract, PPTX, PDF]

Here’s the abstract:

Alice and Bob meet in a campus bar in 2016. Being typical CMU students, they both have their genomes stored on their mobile devices and, before expending any unnecessary effort in courtship rituals, they want to perform a genetic analysis to ensure that their potential offspring would have strong immune systems and not be at risk for any recessive diseases. But Alice doesn’t want Bob to learn about her risk for Alzheimer’s disease, and Bob is worried a future employer might misuse his propensity to alcoholism. Two-party secure computation provides a way to solve this problem. It allows two parties to compute a function that depends on inputs from both parties, but reveals nothing except the output of the function.

A general solution to this problem have been known since Yao’s pioneering work on garbled circuits in the 1980s, but only recently has it become conceivable to use this approach in real systems. Our group has developed a framework for building efficient and scalable secure computations that achieves orders of magnitude performance improvements over the best previous systems. In this talk, I’ll describe the techniques we use to design scalable and efficient secure computation applications, and report on some example applications including genomic analysis, private set intersection, and biometric matching.

Jonathan Burket, Patrick Mutchler, Michael Weaver, and Muzzammil Zaveri will present GuardRails: A (Nearly) Painless Solution to Insecure Web Applications at the RubyNation conference in Reston (near Washington, DC), on April 2.

With web applications continuing to grow in popularity and frameworks becoming simpler to use, creating a web application is easier than ever. While building an application may be straightforward, ensuring that it is secure requires both a deep understanding of subtle security vulnerabilities as well as tedious and careful insertion of security checks. We propose GuardRails, an open source source-to-source tool for Ruby on Rails applications that adds extra layers of security to web applications with only minimal effort from the developer. GuardRails works by attaching security policies to the data itself. These policies are automatically enforced throughout the application, without the need for the developer to write large amounts of code. Our system helps prevent against a variety of security vulnerabilities from CrossSite Scripting to faulty access controls without requiring the developer to have a sophisticated knowledge of web security.