Bagong Botante X-Post: A sample RAQ

crossposted from Bagong Botante:

You’re familiar with F.A.Q.s (Frequently Asked Questions), but rarely do you encounter R.A.Q.s (Rarely Asked Questions); you can find an example of these in Paul Graham’s RAQ. I was browsing COMELEC Spokesperson James Jimenez’s blog post about the alleged vulnerability of AES, to quote:

“…More than a mere briefing, the Commission would appreciate a copy of your “19-page, 3-month policy study on the Automated Election System of the COMELEC,” together with the full documentation as per your claim of having the “first comprehensive study.” This should properly support your findings on the alleged “disturbing vulnerabilities in the AES…”


Here’s a rarely asked question:

What papers were available circa 2009 that document a legitimate attack on AES*?


Well, that’s a simple Google Search, and here would be the top 10 (click the links for PDF/Google cache links):

Alex Biryukov and Dmitry Khovratovich’s conclusions on their AES-192/256 attack are telling:

“We presented related-key boomerang attacks on the full AES-192 and the full AES-256. The differential trails for the attacks are based on the idea of finding local collisions in the block cipher. We showed that optimal key-schedule trails should be based on low-weight codewords in the key schedule. We also exploit various boomerang-switching techniques, which help us to gain free rounds in the middle of the cipher. However, both our attacks are still mainly of theoretical interest and do not present a threat to practical applications using AES.”


For those unfamiliar with who Alex Biryukov is, he wrote the paper, together with Adi Shamir (yes! of RSA fame) and David Wagner, on how to PRACTICALLY decrypt the A5/1 algorithm, the same encryption used on GSM phones, on a mere PC. In fact, as their paper, Real Time Cryptanalysis of A5/1 on a PC, says in its abstract:

“The first attack requires the output of the A5/1 algorithm during the first two minutes of the conversation, and computes the key in about one second. The second attack requires the output of the A5/1 algorithm during about two seconds of the conversation, and computes the key in several minutes. The two attacks are related, but use different types of time-memory tradeoff. The attacks were verified with actual implementations, except for the preprocessing stage which was extensively sampled rather than completely executed.”



Okay. So how does that make you feel warm, fuzzy and comfortable about Smartmatic’s automated elections? First, it assumes that you can perform a man-in-the-middle attack at exactly the same time that the PCOS is transmitting; you would only have around 2 minutes to actually capture the transmission, decrypt it, re-encrypt it and then transmit it. And that’s for EVERY INDIVIDUAL PCOS, since every PCOS has a different cipher. You’d be better off getting the memory card off the PCOS at 7AM, decrypting the information on the card, figuring out what the tables are, re-encrypting it and trying to re-insert it JUST BEFORE the poll closes at . That’s assuming you can figure out a way to go around normal CRC checks and the like. Is there a way around a CRC check? Now, that’s another rarely asked question.
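To make that closing question concrete, here is an added example (not from the original post, and not COMELEC’s or Smartmatic’s code) on a constructed tally record: a CRC is an unkeyed error-detection code, so whoever can rewrite a record can also recompute its CRC, whereas a keyed MAC such as HMAC-SHA256 cannot be recomputed without the shared key. The record format, the key and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import zlib

# Constructed sample tally record; not a real PCOS data format.
RECORD = b"precinct=0001;candA=120;candB=98;candC=45"


def crc32_tag(data: bytes) -> bytes:
    """Unkeyed check: detects accidental corruption, nothing more."""
    return zlib.crc32(data).to_bytes(4, "big")


def hmac_tag(key: bytes, data: bytes) -> bytes:
    """Keyed check: recomputing it requires the shared secret."""
    return hmac.new(key, data, hashlib.sha256).digest()


def crc_check(data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(crc32_tag(data), tag)


def hmac_check(key: bytes, data: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(hmac_tag(key, data), tag)


def altered_record(record: bytes) -> bytes:
    """Constructed edit of the record: two candidates' counts swapped."""
    return record.replace(b"candA=120;candB=98", b"candA=98;candB=120")


def compare_checks(key: bytes) -> dict:
    """Show which integrity check still holds up once the record is rewritten."""
    crc, mac = crc32_tag(RECORD), hmac_tag(key, RECORD)
    edited = altered_record(RECORD)
    return {
        # A stale CRC does flag the edit, like any corruption...
        "crc_flags_edit": not crc_check(edited, crc),
        # ...but whoever rewrote the record can attach a fresh CRC, so the
        # verifier sees a consistent record and learns nothing.
        "crc_passes_after_recompute": crc_check(edited, crc32_tag(edited)),
        # HMAC also flags the edit...
        "hmac_flags_edit": not hmac_check(key, edited, mac),
        # ...and a tag computed without the real key does not verify.
        "hmac_passes_with_wrong_key": hmac_check(key, edited, hmac_tag(b"guess", edited)),
    }
```

The practical upshot is that a CRC on a memory card tells you about bit rot, not about whether anyone rewrote the data; only a keyed MAC (or authenticated encryption) does that.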



*AES here refers to the Advanced Encryption System and NOT to Automated Election Systems; that’s why this is a RAQ and not a FAQ. Hat-tip to Jay Fajardo for pointing it out!


Posted by Paul Pajo

