Or, I should say, a big week in cryptography.
Adobe announced the remediation of a big exploit, NIST finally announced the winner of a nearly five-year competition, and Microsoft pushed out some sweeping restrictions.
Some threat, as yet undescribed openly, broke into a system at Adobe. Once they had a foothold inside Adobe, they moved laterally to illicitly use a machine used within Adobe for software builds. On July 10th, they submitted two pieces of malicious software for signing on Adobe’s software certificate signing system — the Windows password hash dumper pwdump7 and the malicious ISAPI filter myGeeksmail.dll. The software signing infrastructure trusted the compromised build server submitting the request, and generated valid Adobe certificates that would lead systems and their human administrators to trust the malware as valid Adobe software.
On September 27, Adobe announced the breach, explaining that the signing server and signing keys themself seem to be uncompromised, and announcing that all certificates signed since July 10th would be revoked on October 4th.
On October 2nd, NIST announced that Keccak (pronounced “catch-ack”) was the winner from the original 63 submissions in the Secure Hash Algorithm or SHA-3 competition. Keccak was created by Guido Bertoni, Joan Daemen, and Gillems Van Assche of STMicroelectronics and Michaël Peeters of NXP Semiconductors. Yes, the same John Daemen who was the co-inventor of the Rijndael algorithm chosen as the Advanced Encryption Standard cipher.
Back in July, Microsoft had announced that all RSA and DSA keys less than 1024 bits in length would no longer be trusted starting October 9th. After that date, Windows operating systems and applications would block:
An exception is made for that last case, as applications signed before January 1, 2010 would still be accepted.
This was more fall-out from the Flame malware, which relied on forged Microsoft certificates using digital signatures based on MD5. Microsoft had internally disallowed MD5 back in 2009, but failed to follow their own requirement in their Terminal Server Licensing Service.
Meanwhile NIST is recommending that 1024-bit RSA and DSA keys be replaced with significantly longer ones by December 31, 2013.
More on this next week, especially Keccak and where we go next!