In the 1980s we had great fun breaking a number of commercial encryption products. In a recent paper I described the ignorance and incompetence of vendors at that time but concluded that since then, with the growth of cryptology as an academic discipline and the emergence of standard encryption algorithms, “cryptology has grown up”.
This paper on the failures of Microsoft’s XBox security shows how wrong I was.
The XBox is essentially a PC with special-purpose hardware added. It is sold at a loss, with the aim of making back the money from the profits made on selling XBox games. Many people would like to have a cheap PC (never mind the games) and so the Linux community, in particular, had a strong interest in finding a way of breaking through Microsoft’s security measures and running programs other than games on the XBox.
The paper is detailed and in parts it is technical, but from a cryptologic point of view it shows that the old-fashioned errors can still be made, especially when changes are made at the last minute without realising the effect they can have on security. (For example, a late change from the RC5 to the RC4 encryption algorithm completely invalidated most of the protection that had been designed into the XBox). Still more, it shows that hurried corrections of security holes usually cause more trouble than they are worth.
Cardbox uses encryption in two ways. The Professional Edition has an encryption feature that uses the AES encryption standard to encrypt databases. AES (Advanced Encryption Standard) was created as a result of an international competition that attracted contributions from most of the world’s foremost cryptographers, and it is still considered to be secure. Of course, you have to choose an encryption key, and to that extent (a) the encryption costs you some effort and (b) the encryption is only as secure as the key you choose.
In addition, all communications between the Cardbox client and server (across networks or across the Internet) are automatically encrypted using a Diffie-Hellman key exchange protocol, which synthesizes a fresh random key every time a communication link is established. On its own this protects against a passive eavesdropping attack. Moreover, as long as you use a user profile to protect access to your data, it also protects against a “man-in-the-middle” attack in which the attacker intercepts and forwards all communications between client and server. A “man in the middle” has to complete a separate key exchange with each side, so the key he shares with the client is not the key he shares with the server; because the password check is tied to the key that each side has computed, he will not be able to discover any passwords, and his very presence will invalidate any password that the user enters. Because the passwords are rejected as long as the “man in the middle” is present, no sensitive data can be revealed. Best of all, this protection costs nothing: you do not have to think up a secure secret key and you do not have to turn on a special option to protect your communications.
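The behaviour described above, as an added worked example: the code below is written for this page and is not Cardbox’s own protocol or code. It assumes a Diffie-Hellman group, a hash, and a password-proof layout chosen for illustration, and it shows why an interposed relay causes the password to be rejected even though the relay can read both legs of the connection.

```python
"""Diffie-Hellman key agreement with a password proof bound to the session key.

Example code written for this page; it is NOT Cardbox's protocol.  The group,
the hash and the proof construction are assumptions chosen for clarity.
"""
import hashlib
import hmac
import secrets

# Toy group for illustration only: the Mersenne prime 2**521 - 1 with generator 3.
# A real deployment would use a standardised group (e.g. RFC 3526 or RFC 7919).
P = 2 ** 521 - 1
G = 3
P_BYTES = (P.bit_length() + 7) // 8


def dh_keypair():
    """Fresh ephemeral exponent x (2 <= x <= p-2) and the public value g^x mod p."""
    x = secrets.randbelow(P - 3) + 2
    return x, pow(G, x, P)


def session_key(private, peer_public):
    """Derive a 32-byte session key from the shared secret g^xy mod p.

    Public values 0, 1 and p-1 are rejected: they force the shared secret into
    a trivial subgroup regardless of the private exponent.
    """
    if not 2 <= peer_public <= P - 2:
        raise ValueError("peer public value out of range")
    shared = pow(peer_public, private, P)
    return hashlib.sha256(shared.to_bytes(P_BYTES, "big")).digest()


def password_proof(key, password):
    """Prove knowledge of the password for THIS session key only (HMAC keyed by it)."""
    return hmac.new(key, b"client-auth:" + password.encode(), hashlib.sha256).digest()


def run_session(client_password, server_password, relay=None):
    """Simulate one login and return True if the server accepts the password.

    If `relay` (a dict) is given, an attacker sits between client and server,
    completing a separate key exchange with each side and forwarding the
    client's proof unchanged.  The relay's two keys are stored in the dict so
    the caller can see that the relay really does share a key with each side.
    """
    c_priv, c_pub = dh_keypair()
    s_priv, s_pub = dh_keypair()

    if relay is None:
        c_key = session_key(c_priv, s_pub)
        s_key = session_key(s_priv, c_pub)
    else:
        r1_priv, r1_pub = dh_keypair()            # relay's exchange towards the client
        r2_priv, r2_pub = dh_keypair()            # relay's exchange towards the server
        c_key = session_key(c_priv, r1_pub)       # client believes r1_pub came from the server
        s_key = session_key(s_priv, r2_pub)       # server believes r2_pub came from the client
        relay["client_side_key"] = session_key(r1_priv, c_pub)
        relay["server_side_key"] = session_key(r2_priv, s_pub)
        relay["keys_differ"] = relay["client_side_key"] != relay["server_side_key"]

    proof = password_proof(c_key, client_password)      # what the client sends
    expected = password_proof(s_key, server_password)   # what the server recomputes
    return hmac.compare_digest(proof, expected)


if __name__ == "__main__":
    print("direct, right password :", run_session("s3cret", "s3cret"))
    print("direct, wrong password :", run_session("guess", "s3cret"))
    mitm = {}
    print("relay, right password  :", run_session("s3cret", "s3cret", relay=mitm))
    print("relay holds two keys   :", mitm["keys_differ"])
```

Two points worth noticing in this construction. First, the relay ends the run holding valid keys for both legs (it can decrypt everything it forwards), yet the login is refused because the client’s proof was computed under one key and checked under another; the protection comes from binding the password check to the exchanged key, not from the key exchange alone. Second, in this simplified example the proof is still an HMAC over the password under a key the relay knows, so a weak password remains open to offline guessing by the relay; a password-authenticated key exchange (SRP, OPAQUE and similar) closes that gap, and the example makes no claim about which approach Cardbox itself uses.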
This kind of behaviour requires a very delicate balance between the communications protocol and the encryption algorithm, and whenever a new behaviour is added to the Cardbox Server it is carefully audited to ensure that it does not compromise the security of communications.