Background:
Last week in Vegas, there was a new vendor on the expo floor at Black Hat. Not that unusual, but this one in particular stood out. They were offering some sort of next generation cryptography, and after some fairly lengthy discussions with their folks in the booth, I walked away feeling like something wasn’t quite right here.
I went to their launch party on Wednesday night to learn more, and also attended a presentation the next day by their founder, Robert Grant. That presentation culminated with a well-respected cryptography expert, Dan Guido, standing up and shouting at Robert, calling him a fraud, and being ejected from the talk. Many of us left the room at the same time.
Now, I don’t typically condone shouting at presenters, but I do understand Dan’s frustrations. The presentation was more style than substance, imho, and numerous bold claims were made without any convincing evidence or proof. I’ll get into that shortly.
It has also come to my attention that after Dan and the rest of us left, Robert Grant finished his talk by saying something along the lines that when you invent something that challenges the status quo, people are going to attack you, and those are usually not the people who build things. While that may be generally true, and I do understand the instinct to defend oneself after a public outburst, that is kind of a bold statement to make on the floor of Black Hat, especially considering that many of those who are skeptical are the ones who helped build the security industry in the first place.
And yes, I am aware that this was a paid talk, not something that passed the Black Hat review board. But I think that’s all the more reason to reflect and critique what we saw, as a community.
A little context:
Now that I’ve had some time to unwind from Vegas and reflect on all this, I’d like to offer some thoughts. I don’t make a regular practice of publicly critiquing vendors, but this one is a bit of a special case.
I also wouldn’t normally lead with my bio, but lest this gets dismissed by people on the Crown Sterling side who claim I’m poking holes without being someone who builds things, please indulge me for a second while I point out some things that give me a bit of credibility on this topic:
- I started in the IT industry in 1989, and spent the first half of my career building things. I’ve designed, built and shipped real software products.
- In the mid 90s, I worked for a company called Open Market, who built one of the first secure web servers, and invented both the internet shopping cart and http-based session management. This is where I first learned about crypto and got my start in security.
- In the late 90s, I was the tech lead on a team that rolled out a production public key infrastructure for a state health care system, key signing ceremony and all.
- In the early 2000s, I was a Managing Security Architect at @stake, and was one of the very first consultants there. In case you don’t know @stake, we broke things for the Fortune 500 and employed some of the very best of the best in the Information Security industry, many of whom have since risen to the highest levels of both the public and private sectors.
- During that time, I wrote LC4, a version of the award-winning L0phtcrack password cracking software, and I spent a year on the R&D team that eventually became Veracode. I also conducted and led countless penetration tests, and secure architecture, design and code reviews for Fortune 500 companies.
- I have since then started two security companies, I’ve taught information security topics in person to over 25,000 people around the world, and I am the Executive Director of the long-running SOURCE security conference.
All that said, I do know my limitations. I’m far more of a consumer of cryptography products than a creator or breaker of them (though I have in fact written some crypto code before), and I’ll be the first one to admit that I’m not a professional cryptographer or mathematician. So I’ll leave the nitpicking of the math and low level crypto details to my good friends in the field who focus their full-time energy on that.
But I have been an Infosec consultant and trainer for over 20 years, and I do understand how the stuff I’ve used and deployed works. With that in mind, Robert’s presentation left me with lots of questions. To keep this as brief as possible, there are two primary claims that Crown Sterling made that I’d like to comment on here:
- Claim #1: Crown Sterling has broken factor-based encryption (i.e., RSA)
- Claim #2: Crown Sterling claims to have invented something new and better over the Christmas break to replace it.
So let’s dive into each one of these a little bit further.
Claim #1: Crown Sterling has broken factor-based encryption
The first claim is based on Robert Grant’s assertion that he has discovered a novel way to generate infinite prime numbers. Many words were expended in an attempt to convince us of this, and he claims to have approached the problem from a brand new angle. “New math”, “quasi-primes”, a link to musical scales, and the significance of the number 24 were all concepts that were discussed during the talk and by Crown Sterling in their booth.
But what Robert didn’t get into were the details of how they claim to have cracked RSA keys, and the details that were shared did not exactly inspire confidence. According to Robert, all factor-based encryption would fall to his methods, including RSA, Elliptical Curve Cryptography (ECC) and SHA-3 (his words, not mine). Trouble is, ECC is not factor-based at all (that’s kind of the point of it), and SHA-3 isn’t even an encryption algorithm, it’s a cryptographic hash. Robert was very clear in the presentation that this affects factor-based encryption algorithms only, so 2 of the 3 algorithms that were identified by him clearly won’t be broken by these methods. Perhaps an oversight, but basic errors like that aren’t exactly confidence-inspiring.
In addition to that, the one algorithm that does apply here (RSA) hasn’t actually been convincingly demonstrated to have been broken. As proof, the company has claimed that they can factor a 512 bit number, and Robert has issued challenges to several people on twitter in this regard. Robert claims that he’s withholding demonstrations of stronger keys in order to be responsible, so we are essentially being asked to just trust him on this.
But there are some major problems here. One, nobody uses 512 bit keys in the real world, and larger key sizes than that were cracked many years ago. Also, the strength of RSA rises exponentially with increased key size, so even if they have a way to efficiently crack 512 bit keys, it means literally nothing if they can’t demonstrate an ability to scale that up to production-strength keys.
However, no algorithm was presented and no real proof offered to link the claimed prime number generation mechanism from the presentation with a way to actually break factor-based encryption algorithms. That was the leap of faith we were being asked to make, and that was precisely where this presentation fell flat for me. There was hyperbole, and stories of friends choking on sandwiches and needing the Heimlich maneuver performed - twice! - upon hearing of this new breakthrough, but no real details. It made for an entertaining presentation, but no real proof.
For what it’s worth, here are some important questions I would ask of anyone claiming to have broken RSA:
- What is the maximum key size that has been cracked, and how long does it take to crack it? Key size and time to crack is everything here.
- How long does it take to crack production-strength keys (i.e., 2048 and ideally, 4096)?
- Is this something you can reproduce at will with any arbitrary key?
- If you can break production-strength keys, are you going to release a proof of concept to demonstrate and prove such a groundbreaking discovery?
Aside from being willing to challenge people on twitter to see who can factor 512 bit numbers the fastest, these critical questions have so far been left unanswered.
This is a key gap because if RSA has not, in fact, fallen, then there’s little point in replacing it, now is there? Crown Sterling's entire pitch is predicated on this very point.
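To put the 512 bit challenge and the questions above in context, here is an added example (not from the original post or from Crown Sterling) that checks a claimed factorization and estimates how far the factored modulus is from production strength. The cost estimate is the standard heuristic formula for the general number field sieve with its o(1) term ignored, so the bit figures are rough; the function names and the 150 bit sample modulus are constructed for illustration.

```python
import math
import random

def gnfs_work_bits(modulus_bits: int) -> float:
    """log2 of the heuristic GNFS cost L_n[1/3, (64/9)^(1/3)], o(1) ignored."""
    ln_n = modulus_bits * math.log(2)
    c = (64 / 9) ** (1 / 3)
    return c * ln_n ** (1 / 3) * math.log(ln_n) ** (2 / 3) / math.log(2)

def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; a True result is wrong with probability <= 4**-rounds."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # this base is a witness that n is composite
    return True

def assess_claim(n: int, p: int, q: int, production_bits: int = 2048) -> dict:
    """Verify a claimed factorization n = p * q and put its size in context."""
    valid = (1 < p < n and 1 < q < n and p * q == n
             and is_probable_prime(p) and is_probable_prime(q))
    bits = n.bit_length()
    gap = gnfs_work_bits(production_bits) - gnfs_work_bits(bits)
    return {
        "factorization_valid": valid,
        "modulus_bits": bits,
        "production_strength": bits >= production_bits,
        "work_gap_bits": round(gap, 1),  # extra log2 work for a production key
    }

# Constructed sample claim: two known Mersenne primes, giving a 150 bit modulus.
P, Q = 2**61 - 1, 2**89 - 1

if __name__ == "__main__":
    print(assess_claim(P * Q, P, Q))
    for size in (512, 1024, 2048, 4096):
        print(size, "bit modulus: about 2^%.0f operations" % gnfs_work_bits(size))
```

A claim only answers the questions above when the modulus was chosen by the verifier, not the claimant, and when `production_strength` comes back true.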
Claim #2: Crown Sterling has invented a replacement encryption algorithm
The second claim is that Robert invented a replacement algorithm over the Christmas break to replace what they have supposedly broken. Here, we were left with scant details other than bizarre-sounding hyperbole. Claims of merging the past and the future using electrons and positrons, quantum cryptography on non-quantum computers, using musical scales to generate uncrackable keys, and a hint towards some sort of biometric as well. But no real details of how this is actually meant to work as far as I could tell.
So, a few thoughts here:
- Breaking something doesn’t necessarily qualify you to build its replacement. Building good cryptography is actually hard, and probably the thing that makes me most skeptical here is the claim that the replacement was built “over the Christmas break”. While that may be true, it definitely doesn’t inspire confidence, and the presentation would probably have been more convincing without that little detail. The people I know who focus their professional careers on crypto spend years, and usually decades on this stuff. Whipping up a novel new crypto algorithm while on holiday seems pretty unlikely. Possible, yes. Plausible, no.
- There’s a reason for skepticism here. Many of us have seen countless examples of people rolling their own crypto and failing spectacularly. I remember once back when 3DES was still in fashion, a customer of mine tried to convince me that their home-grown algorithm was stronger than DES simply because it had more bits in the key. Spoiler alert: it wasn’t, not even close. 200 bits of entropy quickly became 6 upon closer inspection. That’s just one example of many.
- Peer review is especially valued in cryptography for this reason. Creating good crypto is a hard problem, and it’s very easy to make a mistake. Even if you start with a known good algorithm, it’s easy to make an implementation mistake in your code. For these reasons, one of the biggest red flags for security professionals assessing systems is if folks invented or implemented their own crypto. It’s almost always a fail, and we explicitly advise people not to do so.
- Crown Sterling is, by their own admission, new to the security industry. As far as I can tell, they don’t have anybody on their team with actual Infosec experience, and their Director of Cryptography’s claim to fame, from his own bio, is “decoding secret messages in Shakespeare that unlock secrets to the Great pyramid of Giza”. I’m paraphrasing a bit because they have since removed any reference to him from their web page. Not exactly the kind of cryptography experience I’d expect from someone creating the next generation of crypto, and the fact that they removed him from their website is even more suspect.
- The entire need for this new product is of course based upon the assumption that factor-based encryption has been broken by Crown Sterling, which like I mentioned above, remains unproven. They claim that they don’t plan on monetizing anything around cracking RSA so they don’t need to release a proof of concept. But if they haven’t cracked RSA, then the need for this product evaporates. So they actually are trying to monetize based around fear that they’ve broken a key algorithm that secures the internet. There’s a term for this, and it’s called FUD.
- There are many other issues and questions, such as how they plan on generating and protecting the keys, how does one implement their product, use cases where it's applicable, etc, etc, but I don’t think it’s worth diving into those questions without the most basic questions answered first.
- Robert was questioned on whether he would follow the academic peer review process during the Q&A after his talk, and his response was “I don’t have to.” Well, technically that’s true, free country and all. But it's probably worth pointing out that in 2019, it should generally be considered negligent to deploy unproven cryptography in a production environment, especially when a trusted alternative still exists.
Summary, and a personal note to Robert Grant and Crown Sterling
You showed up at one of the most prestigious security conferences in the world, and you made some extraordinary claims. If you left confused as to the reaction you got, consider that you did the functional equivalent of showing up at an aerospace conference, claiming that you had found unquestionable proof of malevolent aliens, that you couldn’t share the proof for fear of panicking the public, but that you had spent a few weeks over the Christmas break developing an anti-evil alien ray to defend yourself from them that everyone needs to buy.
Extraordinary claims require extraordinary evidence. That’s just how this works. And at top security conferences, if you make extraordinary claims, without proof, people will call you out for it, and as you discovered, some of them aren’t going to be so nice about it.
If you have in fact done what you say, it's amazing and game-changing, and I mean that sincerely. Prove it, and you’ll not only be remembered as a security innovator, but you’ll be remembered throughout history for your mathematical achievement. But you need to do better next time. Less hyperbole, more evidence, more proof. Don’t forget, many of us at this show are the people who the Fortune 500 companies trust to make recommendations on security, including on things like cryptography. If you can’t convince us, you’re going to have a hard time convincing those who rely on us for recommendations.
I know you’re new to this industry, so here’s something else you should probably know about us. Many of us do this not just for the money, but because we are genuinely passionate about keeping the Internet secure and safe. It’s not just financial transactions that are protected by cryptography, but people’s lives. This stuff is no joke, and we tend to be additionally skeptical of things like cryptography when life and liberty may be on the line. And if we think someone is trying to push an unproven, potentially insecure product into the market by trying to fool people with smoke and mirrors, we will dig in further and we won’t easily or quietly go away.
When pressed, you expressed a potential willingness to release things for peer review, which is great, but this is where you needed to start. It’s not too late. Prove your claims that you have broken RSA, and release your crypto algorithms for peer review, and we, as an industry, can have a much more productive conversation about this.
Cryptography is a process as much as it is a product, and RSA will eventually fall, just like all cryptography eventually does. If you want to be among the players who get the opportunity to replace it when it does, you need to follow the same process as everyone else, or the serious crypto people simply won’t take you seriously. I sincerely hope that this has been constructive feedback, and I am eager to see how you proceed.
Comments to those who will ask why spend time on this
Some people have already asked things like “Why waste time on this? Let the market figure it out.” It’s a fair question. Others may have different reasons, but here are some of mine:
- This is a teachable moment. The security industry grows year after year, and as new vendors join, it would be great if those jumping in learned how the industry works first. If you’re a new vendor, please understand the field that you’re entering, and the level of proof that will be expected if you claim to have the replacement product for the thing you just claimed to have broken.
- IF this is a scam, as many have alleged, it could cause harm to unsuspecting people. It’s important that dubious claims not go unchecked at prestigious security conferences. Ignoring it won’t make that better, and it can allow people to leverage the reputation of the conference to further their market goals.
- Those of us who live this stuff are, in many ways, the immune system for the security industry. If vendors make dubious claims, without challenge, it just encourages more to show up and do the same. “See something, say something” definitely applies here. We saw something, we said something.
Now, of course, IF this all turns out to be true, it’s amazing and game-changing, and Crown Sterling will probably become a household name. But findings such as these need to be presented in a way that people will actually trust. If Crown Sterling wants to try again, with more convincing evidence, more details, and a proof of concept of production-strength RSA keys being cracked, I’m open to hearing about it.
But if they simply proceed to the next conference without changing their approach, they should expect at least as much pushback as they got here, and probably more.