The ROCA RSA key generation flaw or ROBOT, the “Return Of Bleichenbacher’s Oracle Threat” attack: which is most deserving of the “Best Cryptographic Attack” Pwnie award at the 2018 Black Hat USA conference? Only one can survive. Let us consider.

Assume for the moment that it’s down to those two: ROBOT and ROCA. But first take a moment to consider the best cases for the “runners-up”. They are all excellent; it was a very good year for crypto research.


The Efail attack broke PGP email. Also: S/MIME. All encrypted email! That is, by itself, a headlining cryptographic vulnerability. The case for Efail as Pwnie winner:

  • The Efail Pwnie might do the most good for the community of all the Pwnie winners. The encrypted email ecosystem is broken, and has been known to be broken for over a decade. The Efail researchers took vulnerabilities we knew about and weaponized them to break actual email clients. In this sense, Efail looks a lot like BEAST, which weaponized work Bard had done years earlier that nobody had paid attention to. The TLS ecosystem needed a kick in the ass to move away from the chained CBC IVs of SSL 3.0 and TLS 1.0, and so too does the messaging community with PGP.

  • Efail is an elegant attack. It’s all exploit work! It’s based on the individual quirks of a whole ecosystem of clients. It’s the cryptographic equivalent of the work clientside RCE people do memorizing all the offsets in Windows 7’s OLE DLLs.

So why won’t Efail win? Because cryptographers didn’t take PGP email seriously to begin with.

Among serious cryptography researchers, Efail was met with a shrug, not because the attack wasn’t important or powerful, but because cryptographers had written off the PGP and S/MIME ecosystems long before — and for all the reasons pointed out in the Efail paper.

Assume, arguendo, that Efail is out of the running.


IOTA de-pantsed a custom cryptosystem built for a crypto-as-in-currency. The case for IOTA:

  • It’s hi-larious. It is serious komedy gold. What are the Pwnies if not a key meant to unlock the safe in which our field keeps its joy?

  • It involves a relatively serious cryptographic undertaking, a real understanding of attacks on cryptographic primitives. We don’t get to break crypto primitives all that often! Even the worst cryptosystems in the world tend to use SHA-2 and AES. Not IOTA! They built their own hash function, Curl-P, optimized (somehow, I assume, from the marketing material) for computation in ternary. If you’re a crypto pentester, you kind of dream of finding a project dumb enough to make up a new hash function.

  • “Optimized for ternary”. See point one.

  • The IOTA community and its response to the work. See point one. If IOTA wins, there will be jubilation.

Why not IOTA? Are the Pwnies a serious thing or not? In a very boring year for cryptographic attacks you could make the case for “both”, but not this year. Take IOTA out of the running.


KRACK breaks WPA2. Everyone uses WPA2. Obviously, KRACK should be a finalist:

  • KRACK leverages a nonce collision, which is practically as fundamental to cryptographic software as memory corruption is to software built in C and C++. A cryptographic researcher at a university might say: “yes, that’s why it shouldn’t win: it’s just another instance of a very well known attack”. Allow me to retort: everybody knows that you can’t copy a 200-byte string into a 100-byte buffer in a C program. We’ve known that since the mid-1990s. Is memory corruption dead? No! Attackers evolved, from noticing “hey, those extra bytes have to go somewhere” to “here is an elaborate sequence of steps involving the sequence of allocations and frees and the way numbers are represented on an x86 processor, that take a program that was coded defensively to avoid a class of attacks and revives that very attack against it”.

  • That’s KRACK. The WPA2 designers knew that you can’t repeat a nonce under the same key, and the protocol never does so on purpose. KRACK figured out a way to trick clients into doing it anyway: replay message 3 of the 4-way handshake, the client reinstalls the session key it is already using and resets its packet number (the nonce) and replay counter to zero, and every nonce it has already burned gets burned again.

  • So I would argue: KRACK is the future of cryptographic vulnerability assessment: the recognition of a fundamental bug class and its application to systems built with that understanding. Every old crypto bug will become new again when someone figures out how to trick a target into reviving it.
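What nonce reuse under one key actually costs an eavesdropper, as an added example that is not code from the original post. It models a client whose packet number (the CCMP nonce) resets when a key is installed, which is what a replayed handshake message 3 causes; the keystream is HMAC-SHA256 run in counter mode as a stand-in for AES-CCMP (an assumption, since the Python standard library has no AES), and the two frames are constructed sample traffic. The failure mode is identical: two frames under the same key and nonce share a keystream, so XORing the ciphertexts cancels it.

```python
# Nonce reuse under one key, the bug class KRACK revives. Added example, not code
# from the original post. Assumption: the Python stdlib has no AES, so the
# keystream below is HMAC-SHA256 run in counter mode as a stand-in for AES-CCMP;
# the failure mode (two frames under the same key and nonce) is the same.
import hashlib
import hmac
import os
from typing import Tuple


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || block counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


class Station:
    """A client whose 48-bit packet number (the CCMP nonce) advances once per frame."""

    def __init__(self, key: bytes) -> None:
        self.install_key(key)

    def install_key(self, key: bytes) -> None:
        # This is the KRACK trigger: (re)installing a key resets the packet number.
        # A replayed handshake message 3 makes the client do this with the key it
        # is already using, so the nonces already spent get spent again.
        self.key = key
        self.pn = 0

    def send(self, plaintext: bytes) -> Tuple[bytes, bytes]:
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, encrypt(self.key, nonce, plaintext)


def recover_with_known_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """Two frames under one key+nonce share a keystream, so c1 XOR c2 = p1 XOR p2.
    Knowing p1 (a predictable request line, say) yields p2 with no key at all."""
    return bytes(a ^ b ^ p for a, b, p in zip(c1, c2, known_p1))


def demo(replay_message3: bool) -> Tuple[bool, bytes]:
    """Returns (nonce was reused, what an eavesdropper recovers of the second frame).
    The two frames are constructed sample traffic."""
    key = os.urandom(16)
    sta = Station(key)
    frame1 = b"GET /login HTTP/1.1\r\n"       # assumed known to the attacker
    frame2 = b"Cookie: sid=secret123"         # what the attacker wants
    n1, c1 = sta.send(frame1)
    if replay_message3:
        sta.install_key(key)                  # attacker replays message 3
    n2, c2 = sta.send(frame2)
    return n1 == n2, recover_with_known_plaintext(c1, frame1, c2)
```

Call `demo(True)` and the second frame comes back in the clear from the first frame alone; `demo(False)` gives the same computation on fresh nonces and returns noise. Nothing about the key or the PRF was broken; the counter reset did all the work, which is why the fix is “never reinstall an already-installed key”, not a new cipher.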

But, as with PGP, cryptography researchers wrote off WPA2 long ago. News flash: they’ve written off WPA3 as well! Good luck with those wireless networks.

Which brings us to the main event: ROCA or ROBOT?

Remember what the Pwnie for “Best Cryptographic Attack” represents. It’s “the most impactful cryptographic attack against real-world systems, protocols, or algorithms.” It’s not meant to be theoretical, but rather “requires actual pwnage”.

In this corner: ROCA

ROCA broke the Yubikey 4 (every RSA key generated on one). Also, Estonia. There will be ROCA-vulnerable RSA keys hidden in mission-critical infrastructure systems for the next 20 years. The real-world impact of ROCA is immense.

The problem with ROCA is that its exploit takes CPU-years to execute. It’s a real vulnerability, but it’s closer to theory than any previous Pwnie nomination.

And in this corner: ROBOT

ROBOT broke Facebook, PayPal, Cisco, a bunch of people running F5 middleboxes, Citrix, Bouncy Castle, Erlang, wolfSSL, and Unisys ClearPath MCP. ClearPath! Someone finally broke it!

The problem with ROBOT is that it’s cryptographically less interesting than ROCA. It exploits one of the better-known vulnerabilities in cryptography engineering: Bleichenbacher’s 1998 padding oracle against RSA PKCS#1 v1.5 decryption.


ROCA is complicated. Complicated is good. The Pwnies are a celebration of elegant, high-degree-of-difficulty exploitation. ROCA is that. A lot of cryptography engineers who read the ROCA paper still don’t have their heads around the exploit.

ROBOT is practical. Practical is good. The Pwnies are about “pwnage”; they’re about things that offensive security people can actually accomplish in the field, against real world systems. ROBOT broke the Unisys ClearPath MCP.

ROCA is “practical” in a cryptographic sense. As a cryptosystem, the Infineon RSA generator it targets is a smoking crater. But put yourself in the shoes of a red team in 2018. Assume you’ve actually identified a vulnerable key to target. How long will it take you to factor that key? For a 2048-bit key the paper’s estimate is on the order of 100 CPU-years (up to about 140 in the worst case). The work parallelizes, so on rented cloud hardware that is weeks of wall clock and tens of thousands of dollars rather than a century, but it is nothing like pointing a scanner at a host and getting a shell.
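The “identify a vulnerable key” step, the cheap half of ROCA, as an added example written for this page rather than the ROCA authors’ tool. It relies on the prime structure the paper describes for Infineon’s generator: each prime is k·M + (65537^a mod M), with M the product of the first few small primes (the first 39, up to 167, for 512-bit keys), so every such prime, and therefore the modulus N = p·q, is a power of 65537 modulo each small prime in M. A random modulus almost never is, which is what makes the fingerprint usable over a large key corpus. The key generators below are constructed for the demo (a ROCA-style 512-bit key beside an ordinary one); the Coppersmith factoring step, the expensive half, is not implemented here.

```python
# ROCA fingerprinting, the detection half of the attack. Added example written
# for this page, not the ROCA authors' tool. It relies on the prime structure the
# paper describes for Infineon's generator: p = k*M + (65537^a mod M), with M the
# product of the first few primes (the first 39, up to 167, for 512-bit keys).
# Every such prime, and so every product of two of them, is a power of 65537
# modulo each small prime in M; a random RSA modulus almost never is.
import random
from typing import Tuple

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61,
                67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127, 131, 137,
                139, 149, 151, 157, 163, 167]
M = 1
for _p in SMALL_PRIMES:
    M *= _p          # the 512-bit-key primorial, about 219 bits


def subgroup(g: int, p: int) -> set:
    """The cyclic subgroup <g> of the multiplicative group mod the prime p."""
    members, x = set(), 1
    while True:
        x = x * g % p
        members.add(x)
        if x == 1:
            return members


# 2 carries no information (every odd modulus is 1 mod 2), so it is skipped.
POWERS_OF_E = {p: subgroup(65537 % p, p) for p in SMALL_PRIMES if p > 2}


def is_roca(n: int) -> bool:
    """True if n has the ROCA fingerprint: n mod p is a power of 65537 for every p in M."""
    return all(n % p in POWERS_OF_E[p] for p in POWERS_OF_E)


def is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin after trial division; good enough for a demo, not for production."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def roca_prime(bits: int, rng: random.Random) -> int:
    """A prime with the Infineon structure k*M + (65537^a mod M), sized to `bits`."""
    lo, hi = (1 << (bits - 1)) // M + 1, (1 << bits) // M - 1
    while True:
        p = rng.randrange(lo, hi) * M + pow(65537, rng.randrange(1, 1 << 62), M)
        if is_probable_prime(p, rng):
            return p


def random_prime(bits: int, rng: random.Random) -> int:
    """An ordinary random prime of the given size, for comparison."""
    while True:
        p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(p, rng):
            return p


def toy_keys(seed: int = 1) -> Tuple[int, int]:
    """Constructed sample: (a 512-bit ROCA-style modulus, a 512-bit ordinary modulus)."""
    rng = random.Random(seed)
    n_roca = roca_prime(256, rng) * roca_prime(256, rng)
    n_ok = random_prime(256, rng) * random_prime(256, rng)
    return n_roca, n_ok
```

`is_roca` needs only the public modulus and a few dozen modular reductions, which is why the survey that found the bug could run across millions of keys; the same structure that makes the fingerprint so cheap is what collapses the prime’s entropy enough for Coppersmith to finish the job, just not quickly.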

But ROCA is so bad that Estonia had to change its name and reissue new identity cards for the new nation of “post-ROCA Estonia”. All the affected Yubikey 4s had to be replaced. That’s impact. Impact is good.

ROCA breaks hardware. Hardware is good. Exploit development against custom hardware is an elite skill. The Pwnies should celebrate elite skill. ROBOT took talent and finesse; the world is not full of Hanno Böcks finding systemic crypto vulnerabilities all across the Internet. But the degree of difficulty on ROCA is higher.

On the other hand: ROCA affects just one vendor’s RSA library, Infineon’s. It ships in a lot of smartcards and TPMs, but it is one codebase. The error Infineon apparently made to wind up with the ROCA vulnerability is itself pretty elaborate. The bug was found during a survey of a large group of hardware and software RSA generators; Infineon was the only vendor with this problem. I could go into more detail here but the details are boring. No future vulnerability researcher is going to pull the ROCA paper out of their stack and find an equivalent vulnerability in a new target.

ROBOT, different story. ROBOT is based on an older vulnerability, but the ROBOT research finally completes the weaponization of that vulnerability — not just in exploiting a single target in a single set of circumstances, but also in detecting it in the first place. In fact, in doing that, they found new ways to tickle the Bleichenbacher vulnerability, uncovering it in systems thought to be secure. The ROBOT methodology probably will get used by smart crypto testers in the future; it contributes to the craft in a broader way than ROCA.
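The detection side of ROBOT, as an added example for this page and not the ROBOT authors’ scanner. The idea is the one the research turned into a method: send a PKCS#1 v1.5 decryptor a handful of differently malformed ciphertexts (good padding, wrong block type, a 0x00 inside the padding, no separator, the wrong payload length) and see whether its behaviour differs between them; any difference is the oracle Bleichenbacher’s attack consumes. Assumptions: a toy RSA key built from two Mersenne primes (far too small to be secure, chosen so everything runs offline), an 8-byte secret standing in for TLS’s 48-byte premaster secret, and servers modelled as functions returning a response label, where the real scanner read TLS alerts, timeouts and connection resets. The hardened server does what TLS 1.2 prescribes: on any failure it substitutes a random secret and proceeds as if nothing happened.

```python
# ROBOT-style probing for a Bleichenbacher oracle. Added example for this page,
# not the ROBOT authors' scanner. Assumptions: a toy RSA key from two Mersenne
# primes (too small to be secure, chosen so everything runs offline), an 8-byte
# secret in place of TLS's 48-byte premaster secret, and a "server" modelled as a
# function returning a response label; in the real attack the signal was TLS
# alerts, timeouts and connection resets rather than strings.
import os
from typing import Dict

P, Q = (1 << 61) - 1, (1 << 89) - 1        # Mersenne primes M61 and M89 (toy key)
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))
K = (N.bit_length() + 7) // 8              # modulus length in bytes: 19
SECRET_LEN = 8                             # length the server expects after the 0x00


def rsa_encrypt(block: bytes) -> bytes:
    return pow(int.from_bytes(block, "big"), E, N).to_bytes(K, "big")


def rsa_decrypt(ct: bytes) -> bytes:
    return pow(int.from_bytes(ct, "big"), D, N).to_bytes(K, "big")


def pkcs1_pad(msg: bytes) -> bytes:
    """RSAES-PKCS1-v1_5 encoding: 0x00 0x02 || nonzero random bytes || 0x00 || msg."""
    ps = b""
    while len(ps) < K - 3 - len(msg):
        b = os.urandom(1)
        if b != b"\x00":
            ps += b
    return b"\x00\x02" + ps + b"\x00" + msg


def find_separator(em: bytes) -> int:
    """Index of the first 0x00 after the two header bytes, or -1."""
    for i in range(2, len(em)):
        if em[i] == 0:
            return i
    return -1


class VulnerableServer:
    """Reports each padding failure differently: exactly the oracle Bleichenbacher needs."""

    def decrypt(self, ct: bytes) -> str:
        em = rsa_decrypt(ct)
        if em[:2] != b"\x00\x02":
            return "bad_block_type"
        sep = find_separator(em)
        if sep < 0:
            return "no_separator"
        if sep < 10:
            return "padding_too_short"
        if len(em) - sep - 1 != SECRET_LEN:
            return "bad_length"
        return "ok"


class HardenedServer:
    """TLS 1.2 style: on any failure, quietly substitute a random secret and carry on,
    so the response is the same whatever the padding looked like."""

    def decrypt(self, ct: bytes) -> str:
        em = rsa_decrypt(ct)
        sep = find_separator(em)
        valid = em[:2] == b"\x00\x02" and sep >= 10 and len(em) - sep - 1 == SECRET_LEN
        self.secret = em[sep + 1:] if valid else os.urandom(SECRET_LEN)
        return "ok"


def robot_probe_messages() -> Dict[str, bytes]:
    """The malformed plaintexts ROBOT-style probing encrypts and sends."""
    good = pkcs1_pad(b"A" * SECRET_LEN)
    return {
        "well_formed": good,
        "wrong_block_type": b"\x00\x01" + good[2:],
        "null_in_padding": b"\x00\x02\x00" + good[3:],
        "missing_separator": good[:2] + good[2:].replace(b"\x00", b"\x01"),
        "wrong_length": pkcs1_pad(b"A" * (SECRET_LEN - 1)),
    }


def classify(server, probes: Dict[str, bytes]) -> Dict[str, str]:
    return {name: server.decrypt(rsa_encrypt(em)) for name, em in probes.items()}


def has_oracle(server) -> bool:
    """More than one distinguishable behaviour across the probes means an oracle."""
    return len(set(classify(server, robot_probe_messages()).values())) > 1
```

`has_oracle(VulnerableServer())` is true after five requests; `has_oracle(HardenedServer())` is false. The caveat a tester should keep in mind: a uniform response is necessary but not sufficient. The hardened class above is constant-response, not constant-time, and several of ROBOT’s real findings came from timing and from differences that only showed up with shortened handshakes or particular cipher suites, which is why the methodology, not just the five messages, is the contribution.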

The crypto nerd in me wants ROCA to win.

But if I put my “the spirit of the Pwnies” hat on, I’d probably have to give it to ROBOT.