[SystemSafety] Another KRACK at it.

[Peter Bernard Ladkin]

Matthew Green's blog on the KRACK vulnerability makes two points which have come up in this
community frequently.

https://blog.cryptographyengineering.com, article entitled "Falling through the KRACKs".

I make a few more at https://abnormaldistribution.org/index.php/2017/10/20/yet-another-krack/

One is that the IEEE standards business model makes it difficult for researchers to access
standards. We have had this discussion many times with regards to the cost of IEC 61508. I reference
John Knight's 2014 SSS Keynote - and note that ironically it is not accessible! (Wake up, Tim!)

Green notes that, had the protocol been more freely available, it is plausible that the flaw would
have been discovered much earlier.

The second is that the protocol had been "proven correct" by the Mitchell group in 2005. How come it
is flawed? Hint: the IEEE standard defines the protocol apparently by means of pseudocode, and there
is no specification of the state machine. So it is likely to be ambiguous, and assumptions you need
to disambiguate may not always hold in implementations. In this case, they apparently didn't even
hold at the level of the state machine!

Green seems to uphold the AdaCore/Altran UK business model as the necessary wave of the future.

PBL

Prof. Peter Bernard Ladkin, Bielefeld, Germany
MoreInCommon
Je suis Charlie
Tel+msg +49 (0)521 880 7319  www.rvs-bi.de





-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.techfak.uni-bielefeld.de/mailman/private/systemsafety/attachments/20171020/26e304f7/attachment.sig>