Has cryptography reached the development level where social engineering is the only reliable method of attack?

Question

Note that for the purpose of this question, "social engineering" means extracting information from humans, be your methods compliant with Geneva Conventions or not.

Simply put: Do cryptographic methods exist that are so strong and easy to use that attackers - be they individuals or organizations - make no attempts to crack them, and instead immediately focus on comprising the human link as the only possible attack vector?

More colloquially, is there any encryption scheme out there that can be readily used (not super slow to generate) and upon detection will make the NSA throw up its hands and say "well, screw it"?

Answer 1

Strong: yes; easy to use: no.

A cryptographic algorithm provides a precise functionality, and for most functionalities we do know algorithms which, when implemented properly, are strong enough (which means: nobody has a clue about how to break them with non-sci-fi hardware). However:

• It turns out to be quite hard to implement any given cryptographic algorithm "properly".
• Assembly of cryptographic algorithms into protocols is still hard. You do not automatically get a secure transport protocol by slapping together AES, HMAC/SHA-256 and RSA; you still need to take care of an awful lot of tricky details. SSL/TLS, as of version 1.2, is believed "reasonably strong", but it took more than 12 years of breaks and fixes.
• Even when the algorithm is utterly strong, it still has a limited scope. For instance, if you use 2048-bit RSA signatures, nobody knows how to break that; but the signature only binds that which is signed to "the private key corresponding to a given public key"; whereas the system's security would require a binding to "a specific human user". Cryptography does not do the whole job, only a part of it.

Since a given system ultimately contains a human being at some point, it necessarily is somewhat weak. When a three-letter-agency wants to break a code, it costs at most about one million dollars: either to fund some hardware effort which exploits a weakness in the implementation or usage of the cryptographic algorithms, or to bribe the operator. Whichever is cheaper.

Answer 2

Modern ciphers and hashing algorithms are practically impossible to crack in a reasonable amount of time. There are other attack vectors though, like integration of the cipher in a practical system, block modes, random number generator, key management. Then there are non-cryptographically related attack vectors, which are the most commonly used vectors to compromise a system like improper permission checks, XSS, CSRF, clickjacking, SQL injection and many others. If all attempts to gain access to the system/information using this attack vectors fail, then an agency with malicious intent, like NSA, might resort to social engineering and failing that, rubber-hose cryptanalysis.

Answer 3

Modern ciphers, like AES are practically impossible to decipher without the key. I don't have the exact numbers, but trying to crack the key will take too long with the current hardware available.

This does not mean that the same cipher would be secure in the future. Moore's Law comes into play. Hardware will get better, which will reduce the time needed to crack the key. People might also discover weaknesses in the cipher which will allow it to be cracked much easier.

However, the most pressing concern for any crypto scheme is its implementation. Implementation is tricky to get right. Aspects such as key management, the use of cryptographically insecure RNGs are two amongst many many implementation details that might be prone to weaknesses. This is why you should always use a well tested implementation that has withstood attempts to break it instead of cooking up your own. See: Why shouldn't we roll our own?

In short, modern ciphers are safe enough by today's standard - provided the implementation is correct. I won't go as far as to say that the human vector is the only possible attack vector, but with a properly implemented crypto system, the encryption aspect is the least of your worries.

Answer 4

I would say that social engineering is one of the last ways that attackers will try to get at password information, and that technical means are usually tried first. They'll try to exploit vulnerabilities in OSs, Java, and adobe products before attempting to "hack the human" as these methods are more stealthy, faster, and often work. I am including spear phishing in technical attacks because although that does use some social engineering to get you to click on a link to an infected site, it's the infected site that does the actual exploit.

There are some crackers out there who are genuinely talented social engineers who might go for the social engineering option right away, but most crackers are not socially talented in any way and would go to great lengths to avoid that option, and let's face it, there are enough technical methods to gaining that information that they don't have to.

Answer 5

Cryptography is about more than just primitives like hash functions, encryption algorithms, signing methods, and the like. It's also about the schemes that use those base building blocks. It's kind of a gray area where "cryptography" ends and "implementation" begins sometimes, but there will always be specs that piece together cryptographic building blocks for a security purpose, and I think those qualify as "cryptography".

The recent Flame worm used a cryptographic attack to forge a signature and propagate via falsely signed Windows Updates. (In specific, it used an MD5 collision.) That's a cryptographic attack against an actual cryptographic primitive.

The Beast attack made use of a cryptographic flaw in how the encryption worked. (Bad CBC IV choices.) You could chalk it up to an implementation flaw, but I think it makes more sense to think of it as a cryptographic flaw since it was the design itself, not just the code, in an open and widely used spec that was wrong.

The XML padding attack was able to effectively cheat around the encryption and recover plaintext through what is arguably an implementation flaw. It worked regardless of the encryption algorithm.

The cryptography primitives are pretty good right now and have been for a while. Breaks in them are not only uncommon, but rarely a surprise (aka, we know something will be broken before it actually is and we've had sufficient time to move away from them). There aren't very many primitives, we don't replace them frequently, and they are designed by the best people available. We'll probably have a surprise or two about a cryptographic primitive here and there, but it seems unlikely that we'll be caught off guard more than once or twice a decade.

Cryptography schemes/protocols have a less stellar track record, they're more complicated to design, not always done by the right people, and not analyzed for as long before going into live environments. Worse yet, sometimes various security concerns are only added later on. Flaws in schemes and protocols will probably always persist so long as new ones are being developed.

Cryptographic attacks are certainly not a thing of the past. But cryptography is also rarely the weakest link in the chain.

(Also see this related question on crypto.se.)

Answer 6

According to Wired

[...] the NSA made an enormous breakthrough several years ago in its ability to cryptanalyze, or break, unfathomably complex encryption systems employed by not only governments [...]

and they are building USA's biggest data center to take advantage of this breakthrough.

So no, I think nothing short of a one time pad with pen, paper and dice rolls is safe from the NSA.

If we're talking about other government agencies, I would trust Truecrypt as good enough.

Answer 7

Yes it did, however the social engineering is not what you think about. It has to do with social science, but not with social engineering as widely known at all.

Internet today is being analysed and modelled into self-aware systems, which can think on it's own therefore they can predict / show next move or even thought of a single person / organisation or even a country.

Such technology is used extensively by NSA and it's designed by major advanced research companies for last 20 years. Such project for example was Total Information Awareness and the same pattern does apply for many other US government security systems.

Other use for such systems is AI, like iphone Siri, but not only linguistic, these are all self-learning systems, they are adapting to the new information, have awareness of social and business relationships actually can make models, and with all of that information at the samme time connected in database, they can normally run AI on that which process information in various ways.

There have been dr Who episode with a woman who was speaking ahead of the person. This is such a system, who can actually teach itself and predict the behaviour / speech etc or another person. It is SCI-FI, but actually history of information processing as well advancement in science allow to build such systems cheaply and there is huge market already, and the IT Security is one of them.

As with the latest Wired hack, it was exposed that actually chaining your accounts and not storing backup on separate location is plain fatal. Think about as extreme naiveness of technology, same with security, people think that their email or phone account is secure and chaining, while breaking this chain in single place breaks everything. Same with cryptography, people think that if it's encrypted, it's not possible to read it. It is also completely fatal with today technology. It is not possible to obtain identical plaintext, but who needs it, if it can be recovered 99.999% correct ahead of time it was written? This makes cryptography across all the layers not a bullet-proof solution if you dont really consider what can be done today, and it's role is not really the ultimate protection, but actually helping the authentication between the layers in the chain. And chaining them with silly self-recovery passwords to physical items is just plain stupid.