Backward Insecurity: Network Externalities Strike Back
Or why we will observe downgrade attacks, again.
In an information economy driven by the economics of networks, there is an inescapable tension between reaping positive network externalities and comprehensively fixing the defects and faults of the processes to which we entrust our businesses.
Large networks appeal to users more than small ones. This applies equally to real networks, such as communications and transport networks, and to virtual ones, such as the user base of a given piece of software. Since the value of a network to each member grows with the number of other users, when a design fault is discovered it becomes important to retain backward compatibility with existing customers and systems, and not to deny them access to the network, even once a stronger security mechanism becomes available and the switching costs could be overcome.
Unfortunately, backward compatibility with broken security mechanisms invites downgrade attacks. A downgrade attack forces the target to fall back to a vulnerable security mechanism that remains supported for backward compatibility. The negotiation phase is usually the weak spot: when the messages in which peers advertise and select their capabilities are not themselves authenticated, an attacker in the path can strip the strong options and leave only the weak one, and neither side notices.
Network protocols and systems have experienced these attacks over and over again. To name a few: SSH v2 (Secure SHell) and PPTP (Point-to-Point Tunnelling Protocol) can be forced to use weaker authentication mechanisms during their negotiation phases. IPsec (Internet Protocol SECurity) suffers from a downgrade attack if the client is configured in rollback mode, which falls back to unprotected traffic when no IPsec channel can be established, and the attacker prevents the bootstrap of the channel by blocking the ISAKMP key exchange.

Downgrade attacks also threaten GSM (Global System for Mobile Communications). The most widespread standard for mobile telephony has adopted over the years a number of stream ciphers to protect the confidentiality of communications. They all share the same key derivation algorithm, so the session key is the same whichever cipher is negotiated. This makes a semi-active downgrade attack possible: the attacker records traffic protected by the stronger cipher, later impersonates the network, replays the same authentication challenge and commands the weak cipher, breaks that cipher to recover the session key, and then decrypts the previously recorded traffic. It first happened between A5/1 and A5/2, an algorithm intentionally made weak and now withdrawn, eight years after its first public cryptanalysis in 1999. The same attack can be carried out between A5/3 and A5/1, now that open-source tools exist to intercept and break A5/1 communications - repetita (non) iuvant.

Communication networks are not the only ones affected: Blu-ray players and set-top boxes are liable to downgrade attacks too. As long as any of today's HDCP-enabled (High-bandwidth Digital Content Protection) TVs remain in use, set-top boxes and digital televisions will need to support the HDCP encryption standard to exchange protected content. However, the HDCP master key has been leaked, and confirmed to be genuine by Intel, which opens the way to an uncompressed multimedia capture device able to decrypt HDCP content. As noted by Paul Kocher: "Even if new TVs supported a better protocol, attackers could always trick the set-top box into using the old protocol".
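The GSM case is the one above where the mechanism matters most, so here is an added example, written for this page and not code from the original post or from any GSM implementation: a Python model of the semi-active attack, in which a key derivation shared by all ciphers lets the attacker decrypt recorded strong-cipher traffic after forcing the weak cipher in a later session. Everything in it is an assumption for the illustration: HMAC-SHA256 stands in for the A3/A8 algorithms, a deliberately trivial rotation cipher stands in for A5/2, the "strong" cipher is modelled as an unbreakable PRF, the traffic and frame numbers are constructed, and the `bind_key_to_cipher` switch models the fix of deriving a distinct key per cipher, which GSM itself does not do.

```python
"""Model of the semi-active GSM cipher-downgrade attack (added illustration,
not GSM code).  HMAC-SHA256 stands in for A3/A8, a toy rotation cipher for
A5/2 and an HMAC-based PRF for the strong cipher; names and sizes are
constructed for the example."""
import hashlib
import hmac
import os
from typing import Optional

CIPHER_STRONG = b"A5/strong"   # stands in for A5/1 or A5/3
CIPHER_WEAK = b"A5/weak"       # stands in for A5/2
KC_LEN = 8                     # GSM Kc is 64 bits

# Constructed sample traffic: a 'call' recorded under the strong cipher, and a
# frame whose plaintext the attacker can predict (GSM carries plenty of those).
SECRET = b"the recorded call content"
KNOWN = b"SYSTEM-INFO-BLOCK-13"


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def derive_kc(ki: bytes, rand: bytes, cipher: Optional[bytes]) -> bytes:
    """A8 stand-in.  cipher=None models the GSM design: Kc depends only on Ki
    and RAND, whichever cipher is negotiated.  Passing the cipher name models
    the fix: one key per cipher, so a weak-cipher key is useless elsewhere."""
    label = rand if cipher is None else rand + b"|" + cipher
    return hmac.new(ki, label, hashlib.sha256).digest()[:KC_LEN]


def keystream(cipher: bytes, kc: bytes, frame: int, n: int) -> bytes:
    if cipher == CIPHER_STRONG:
        # Modelled as unbreakable: PRF output the attacker cannot invert.
        out, ctr = b"", 0
        while len(out) < n:
            msg = frame.to_bytes(4, "big") + ctr.to_bytes(2, "big")
            out += hmac.new(kc, msg, hashlib.sha256).digest()
            ctr += 1
        return out[:n]
    # Weak cipher: keystream is Kc rotated by the frame number, so one frame of
    # known plaintext reveals Kc (the point the published A5/2 attacks reach).
    r = frame % KC_LEN
    rotated = kc[r:] + kc[:r]
    return (rotated * (n // KC_LEN + 1))[:n]


def break_weak(frame: int, plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext recovery of Kc from a single weak-cipher frame."""
    assert len(plaintext) >= KC_LEN, "need at least one keystream period"
    rotated = xor(plaintext, ciphertext)[:KC_LEN]
    r = frame % KC_LEN
    return rotated[KC_LEN - r:] + rotated[:KC_LEN - r]


class Phone:
    """Victim handset: answers any RAND and obeys any cipher choice, because
    GSM authenticates the phone to the network but not the reverse."""

    def __init__(self, ki: bytes, bind_key_to_cipher: bool):
        self.ki, self.bind = ki, bind_key_to_cipher
        self.rand = self.kc = self.cipher = None

    def authenticate(self, rand: bytes) -> bytes:
        self.rand = rand
        return hmac.new(self.ki, rand, hashlib.sha256).digest()[:4]  # SRES (A3)

    def cipher_mode_command(self, cipher: bytes) -> None:
        self.cipher = cipher
        self.kc = derive_kc(self.ki, self.rand, cipher if self.bind else None)

    def send(self, frame: int, plaintext: bytes) -> bytes:
        return xor(plaintext, keystream(self.cipher, self.kc, frame, len(plaintext)))


def run_attack(bind_key_to_cipher: bool) -> bytes:
    """Returns what the attacker recovers of SECRET from the recorded traffic."""
    phone = Phone(os.urandom(16), bind_key_to_cipher)

    # Phase 1, passive: the genuine network authenticates the phone and selects
    # the strong cipher.  The attacker records RAND (sent in the clear) and a
    # ciphertext frame it cannot break directly.
    rand = os.urandom(16)
    phone.authenticate(rand)
    phone.cipher_mode_command(CIPHER_STRONG)
    recorded_frame = 1337
    recorded_ct = phone.send(recorded_frame, SECRET)

    # Phase 2, active: a fake base station replays the same RAND, so the phone
    # derives the same Kc, then commands the weak cipher: the downgrade.
    phone.authenticate(rand)
    phone.cipher_mode_command(CIPHER_WEAK)
    weak_frame = 7
    kc = break_weak(weak_frame, KNOWN, phone.send(weak_frame, KNOWN))

    # Retroactive decryption of the strong-cipher recording with that key.
    return xor(recorded_ct, keystream(CIPHER_STRONG, kc, recorded_frame, len(recorded_ct)))


if __name__ == "__main__":
    print("shared Kc :", run_attack(False))            # recovers SECRET
    print("per-cipher:", run_attack(True) == SECRET)   # False: key not reusable
```

The active phase never has to break the strong cipher at all; it only needs the phone to re-use the key under the weak one, which is why withdrawing the weak cipher from handsets, not just from networks, is what closes the hole. The `bind_key_to_cipher=True` path shows the alternative design: once the key depends on the cipher identity, recovering the weak-cipher key tells the attacker nothing about the recording.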
Perhaps a pattern is emerging here: backward compatibility with broken security mechanisms becomes "backward insecurity" for a user base left waiting for the withdrawal of the vulnerable standards.
The list of protocols and products found to suffer downgrade attacks is neither exhaustive nor - more importantly - destined to stop growing. As long as market players entrust their business to processes later found not to provide the required security guarantees, network externalities will strike back.