History: the secure line between Kremlin and Elysée

In January 1968, France sold the USSR the equipment used to encrypt the direct line between the Kremlin and the Elysée (the French equivalent of the US White House). The price of the equipment was about 125,000 F. The simplified description of the equipment clearly shows that it was based on a one-time pad: the devices encrypted and decrypted with random tapes (appareils de chiffrement et de déchiffrement par bandes aléatoires).

It was common knowledge that the direct line between the White House and the Kremlin was protected by one-time pads. This was also the case for the line between France and the USSR, but with French equipment.

Are they still using one-time pads, or systems that are less secure in theory but more user-friendly?

For more information, read Quand l'Elysée équipait le Kremlin (in French).

The big gun is back (conclusion of the story?)

I recently reported on the ongoing lawsuit between EchoStar and NDS (see the news). On 19 May, the jury in Santa Ana, California, returned its verdict. It found that NDS had violated federal and state anti-piracy laws, but had not used this to seed piracy of the operator's service. NDS will have to pay EchoStar $1,500 (about 1,000 €) in damages; EchoStar had estimated its loss at around $900M. NagraStar, which had accused NDS of breaking into its network, was awarded no damages.

NDS acknowledged that it had employed a former hacker to improve the security of its conditional access systems. NDS must be relieved. This verdict is a good signal for every industrial and academic security team that acts as a white hat.

Predictable random generator in Debian's OpenSSL

On 13 May, Debian announced that Luciano Bello had discovered a weakness in the random number generator of its OpenSSL package. Two calls to the same function had been commented out "for quality reasons", one in ssleay_rand_bytes and one in ssleay_rand_add:

	/*
	 * Don't add uninitialised data.
	MD_Update(&m,buf,j);
	 */

	/* MD_Update(&m,buf,j); purify complains */

Checking tools such as Purify or Valgrind complained that the variable buf was used uninitialised, so the call was removed. Unfortunately, these calls are what feeds the generator: in ssleay_rand_bytes, buf is an uninitialised buffer that contributed a little entropy, and in ssleay_rand_add, buf is the seed material supplied by the caller (for instance bytes read from /dev/urandom). Without them, the only process-specific input left in the pool was the process ID, which on Linux has at most 32,768 possible values. In other words, the seed space of the random generator was far too small. The generator was predictable, so every key generated by Debian's OpenSSL is predictable, thus weak.

Of course, the mistake was corrected immediately. The first weak version had been published in September 2006. All cryptographic keys generated by these versions of OpenSSL must be treated as compromised material, and new keys must be generated with the fixed version. Other distributions' OpenSSL builds are not affected by the bug itself. Nevertheless, they may have imported Debian-generated keys (SSH authorized_keys, certificates) and are then exposed through those keys; a DSA key used for signing on an affected system is also compromised, whatever system generated it, because the signature needs a fresh random value too.
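To make the size of the problem concrete, here is an added example (not code from Debian or OpenSSL) that models the flaw: once the seeding calls are gone, a key becomes a deterministic function of the 15-bit PID, so an attacker who can see the public fingerprint simply regenerates the key for all 32,768 PIDs. The derivation functions weakKey and properKey are hypothetical stand-ins for OpenSSL's RSA/DSA key generation, and the "fingerprint" plays the role of an SSH host-key fingerprint or a certificate's public key.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Constructed model of the Debian flaw, not OpenSSL's actual code paths: once
// the seeding calls were commented out, the only process-specific input left
// in the pool was the PID. Linux used 15-bit PIDs at the time.
const maxPID = 32768

// weakKey models a key derived from the PID alone (hypothetical derivation
// standing in for the RSA/DSA key OpenSSL would generate from its PRNG).
func weakKey(pid int) []byte {
	h := sha256.Sum256([]byte(fmt.Sprintf("weak-model:%d", pid)))
	return h[:]
}

// properKey models the intended behaviour: the PID is mixed with real seed
// material, the bytes that MD_Update(&m,buf,j) used to add to the pool.
func properKey(pid int, entropy []byte) []byte {
	h := sha256.New()
	fmt.Fprintf(h, "proper-model:%d:", pid)
	h.Write(entropy)
	return h.Sum(nil)
}

// fingerprint is the publicly observable handle on a key.
func fingerprint(key []byte) string {
	h := sha256.Sum256(append([]byte("pub:"), key...))
	return hex.EncodeToString(h[:8])
}

// recoverPID is the attacker's whole job: regenerate the key for each of the
// 32,768 possible PIDs and compare fingerprints. Returns -1 when the observed
// key was not produced by the weak generator.
func recoverPID(observed string) int {
	for pid := 1; pid < maxPID; pid++ {
		if fingerprint(weakKey(pid)) == observed {
			return pid
		}
	}
	return -1
}

func main() {
	victim := 4711 // constructed example PID
	fmt.Println("weak key, recovered pid:", recoverPID(fingerprint(weakKey(victim))))

	entropy := make([]byte, 32)
	if _, err := rand.Read(entropy); err != nil {
		panic(err)
	}
	fmt.Println("proper key, recovered pid:", recoverPID(fingerprint(properKey(victim, entropy))))
}
```

The loop finishes in well under a second; the real attack only differs in that each step is an RSA key generation, which is why the published attack tooling shipped precomputed key sets per architecture and key size rather than regenerating them on the fly.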

Conclusions:

  • Quality-checking tools are useful. Nevertheless, their results have to be applied with judgment. This is especially true in the field of security, where it is sometimes necessary to "violate" quality heuristics. A typical example is code obfuscation, whose goal is to artificially increase the complexity of software (whereas quality guidelines ask for reduced complexity).
  • It took more than 18 months for somebody to detect the impact of this modification.
  • Being paranoid, I would say that this delay is more than enough for a well-organized attacker to maliciously add some reasonably smart trapdoor to an open source package and then exploit it against her target.
  • Open source allowed this weakness to be detected :Happy: Open source also allowed it to be introduced :Sad: Nevertheless, I believe that the pros outweigh the cons. There is probably a critical mass of reviewers that must be reached before one can gain some confidence.
  • Not everybody is able to write (and understand) security code.

Thanks to Gomor for the link.

Designing and implementing malicious hardware

A group of researchers from the University of Illinois (USA), led by Samuel King, disclosed a new breed of stealth attack at the USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET). They implemented two stealth functions in a SPARC CPU. The first allows bypassing the privilege protection of memory accesses. The second, more complex, puts the processor into a shadow mode that executes a small shadow program while remaining invisible to the rest of the hardware. The added complexity was less than 0.1% of the logic gates.

Obviously, these functions break the security assumptions on which most (if not all) systems are built, so writing exploits becomes rather "easy". They demonstrated privilege escalation (through the memory-access bypass) and password theft by hooking the write function (through shadow mode). Interestingly, these attacks operate beneath the OS and the rest of the system, so they are deeper than rootkits and potentially stealthier. If well designed, the modifications of the chip are extremely difficult to detect from outside; the only effective method is reverse engineering, which is costly.

How dangerous is this attack?

  1. This is an extremely complex attack. It requires expertise in IC design and CPU architecture, and is not for script kiddies or even garage hackers.
  2. It requires access to the design of the chip. The researchers used a Field Programmable Gate Array (FPGA) running the open source Leon processor, so the attack is feasible against an FPGA whose initial design is available. For a full custom IC, like an ordinary CPU, it is harder: the attacker needs access to the design tools, the mask-making facilities and the silicon foundry.
  3. It requires physical access to the target device to ensure that it uses the modified IC rather than a genuine one (or control of the supply chain through which the device obtains its chips).
  4. Thus, it is clearly an attack that can only be mounted by organized and well-funded teams such as government agencies or organized crime.

It is also interesting to note the use of an idea disclosed in a recent patent to bootstrap the shadow-mode code. Searching for information and ideas everywhere is the true hacker mindset.

Mininova will reach 5 billion downloads

Many torrent tracker sites compete, so they publish figures such as the number of available torrents, registered users, seeders and leechers. One of the most important sites, mininova, publishes the number of downloaded torrents: 4,918,964,636. At its current pace, mininova will reach the threshold of 5,000,000,000 downloaded torrents within days.

I find this figure more interesting than the others. For instance, the number of available torrents is not really meaningful, since many torrents are not active (hence the health bar on every site). Mininova publishes other data, and the distribution of downloaded content by type is interesting: 39% TV series, 22% movies and 20% music. The most downloaded torrent is episode 17 of the first season of Heroes. This craze for TV series torrents is extremely interesting and should be carefully analyzed by broadcasters.

In any case, BitTorrent is really the protocol of choice. Much progress has been made both in the clients themselves and in the search tools (BitCHe, the TorrentFinder toolbar, …), making them easier to use.

The first 256-bit AES protected hard disk

Fujitsu launched the first hard disk protected by 256-bit AES. The drive's processor encrypts and decrypts all stored data, and it is announced that the 256-bit key never leaves the embedded processor. An interesting feature is the fast secure erase of the whole disk in less than one second. It seems to be performed simply by erasing the secret key: the stored data then become useless (provided, of course, that the key is securely erased).

The use of AES-256 rather than AES-128 is only a marketing argument. Seagate already offers hard disks protected by AES-128, and the cryptographic community currently estimates that AES-128 will remain secure for the next 20 years (until we find an attack :Wink:). Is this solution really more secure than software-based encryption, as the press release claims? I have some doubts. It depends on how the encryption is activated:

  • If decryption is unlocked automatically at boot, without any passphrase or password, it is rather useless: the protection of the data then rests on the computer's login.
  • If decryption is unlocked by presenting a passphrase or password, the security rests on that check. It will be no stronger than the implementation of the check and the strength of the passphrase.
  • If decryption is unlocked after verifying a pairing with the host computer, there is a risk of losing all the data if the host computer fails.
  • If decryption is unlocked by a remote RFID tag, as on the easy nova hard disk, the security is that of the RFID.

Unfortunately, the public information provides no details.
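Since the press release says nothing about the key hierarchy, here is an added example (my own model, not Fujitsu's or Seagate's design) of how the "key never leaves the drive" and "erase in under a second" claims fit together in the passphrase-at-boot activation mode: a random media key encrypts every sector, only a wrapped copy of it is stored, and secure erase destroys that wrapped copy. The drive structure, the iterated-SHA-256 key derivation and the sector layout are assumptions for illustration; a real drive would use a proper password-based KDF and a sector cipher mode such as XTS rather than GCM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed model of a self-encrypting drive's key hierarchy (not Fujitsu's
// design, whose details are not public). A random 256-bit media key (MEK)
// encrypts every sector and never leaves the drive; it is stored only wrapped
// under a key derived from the passphrase, and secure erase destroys that
// wrapped MEK instead of overwriting the sectors.
type Drive struct {
	salt       []byte
	wrappedMEK []byte         // MEK sealed under the passphrase-derived KEK; nil once erased
	sectors    map[int][]byte // LBA -> sealed sector
	mek        []byte         // plaintext MEK while unlocked, nil while locked
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}

// seal encrypts under a fresh random nonce and prepends the nonce to the output.
func seal(key, plaintext, ad []byte) []byte {
	g := newGCM(key)
	nonce := mustRandom(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, ad)
}

func unseal(key, sealed, ad []byte) ([]byte, error) {
	g := newGCM(key)
	n := g.NonceSize()
	if len(sealed) < n {
		return nil, errors.New("sealed blob too short")
	}
	return g.Open(nil, sealed[:n], sealed[n:], ad)
}

// kek derives the key-encryption key from the passphrase. Iterated SHA-256 is a
// stand-in for a real password-based KDF (PBKDF2, scrypt or Argon2).
func kek(passphrase string, salt []byte) []byte {
	k := sha256.Sum256(append(append([]byte{}, salt...), passphrase...))
	for i := 0; i < 100000; i++ {
		k = sha256.Sum256(k[:])
	}
	return k[:]
}

func sectorAD(lba int) []byte { return []byte(fmt.Sprintf("lba:%d", lba)) }

func NewDrive(passphrase string) *Drive {
	d := &Drive{salt: mustRandom(16), sectors: map[int][]byte{}}
	d.wrappedMEK = seal(kek(passphrase, d.salt), mustRandom(32), []byte("mek"))
	return d
}

// Unlock is the "passphrase at boot" mode: the data are exactly as safe as the
// KDF and the passphrase, no more.
func (d *Drive) Unlock(passphrase string) error {
	if d.wrappedMEK == nil {
		return errors.New("drive erased: no media key left")
	}
	mek, err := unseal(kek(passphrase, d.salt), d.wrappedMEK, []byte("mek"))
	if err != nil {
		return errors.New("wrong passphrase")
	}
	d.mek = mek
	return nil
}

func (d *Drive) Write(lba int, data []byte) error {
	if d.mek == nil {
		return errors.New("drive locked")
	}
	d.sectors[lba] = seal(d.mek, data, sectorAD(lba))
	return nil
}

func (d *Drive) Read(lba int) ([]byte, error) {
	if d.mek == nil {
		return nil, errors.New("drive locked")
	}
	sealed, ok := d.sectors[lba]
	if !ok {
		return nil, errors.New("sector never written")
	}
	return unseal(d.mek, sealed, sectorAD(lba))
}

// SecureErase is the sub-second wipe: the ciphertext stays on the platters, but
// with the MEK gone it is indistinguishable from random bytes.
func (d *Drive) SecureErase() {
	for i := range d.wrappedMEK { d.wrappedMEK[i] = 0 }
	for i := range d.mek { d.mek[i] = 0 }
	d.wrappedMEK, d.mek = nil, nil
}
```

The first bullet above is visible in this model: if the drive held the KEK itself (or unwrapped the MEK with a constant) instead of deriving it from a passphrase, Unlock would succeed for anyone who powers the drive on, and the encryption would only protect against reading the platters directly. Likewise, SecureErase is only as good as the zeroisation of wrappedMEK: a copy left in the controller's flash or RAM undoes the whole scheme.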

Hacking the pacemaker

A team from the University of Massachusetts Amherst (USA) studied the security and privacy of a commercial pacemaker and found it weak. Current pacemakers and implantable cardiac defibrillators can communicate wirelessly with an external programmer device. The programmer can collect patient data and adjust the patient's therapy; it can even induce fibrillation in test mode.

The communication is not protected. By eavesdropping, the team was able to reverse engineer the protocol. Then, with simple replay attacks, they were able to obtain patient data, change the patient's therapy and even induce fibrillation. Another attack was a power denial attack, in which continuous communication shortens the lifetime of the implanted battery.

The hack itself is not extremely interesting from a technical point of view: hacking an unprotected wireless link is no big deal. Is it really dangerous? In any case, anyone ready to play with an implanted pacemaker is necessarily murder-minded (and then has other, perhaps more efficient, means at his disposal).

The problem becomes more interesting when looking at how to secure it. The specific characteristics of the target impose some important constraints:
– Power consumption matters: replacing the battery requires surgery! Cryptography costs power, and strong cryptography costs even more. Furthermore, this type of device is very sensitive to power denial attacks.
– Access to the pacemaker must be easy and fast for every practitioner. In an emergency, the practitioner must not have to search through many credentials and secure databases to find the right key.
– It must be reliable.
A trade-off between security and practicality has to be found.
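To show what the cheapest end of that trade-off looks like, here is an added example (my own illustration, not the protocol of any device vendor and not the researchers' proposal): the programmer and the implant share a symmetric key, every command carries a monotonic counter and an HMAC-SHA256 over counter and payload, and the implant remembers the last counter it accepted. The replay attack described above then fails, and the implant's whole cryptographic cost is one HMAC per genuine command. The key provisioning, the command payloads and the frame layout are assumptions for illustration; the emergency-access problem (how a practitioner who does not hold the key gets in) is deliberately left unsolved here.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed illustration of replay-protected commands, not any vendor's
// protocol. Programmer and implant share a symmetric key; each command carries
// a strictly increasing counter and an HMAC-SHA256 over counter||payload.
type Command struct {
	Counter uint32
	Payload []byte // e.g. "set-rate:70" (constructed command syntax)
	Tag     []byte
}

var (
	ErrReplay = errors.New("stale counter: replayed or reordered frame")
	ErrBadTag = errors.New("authentication failed: forged or corrupted frame")
)

func tag(key []byte, counter uint32, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	m.Write(c[:])
	m.Write(payload)
	return m.Sum(nil)
}

// Programmer is the clinician's external device; it holds the counter.
type Programmer struct {
	key  []byte
	next uint32
}

func (p *Programmer) Send(payload []byte) Command {
	p.next++
	return Command{Counter: p.next, Payload: payload, Tag: tag(p.key, p.next, payload)}
}

// Implant is the device side: it only ever verifies, never signs.
type Implant struct {
	key      []byte
	last     uint32
	Accepted [][]byte // payloads acted upon, in order
}

func (d *Implant) Receive(c Command) error {
	// Freshness first: a replayed frame costs the battery one comparison, not a hash.
	if c.Counter <= d.last {
		return ErrReplay
	}
	if !hmac.Equal(c.Tag, tag(d.key, c.Counter, c.Payload)) {
		return ErrBadTag
	}
	d.last = c.Counter
	d.Accepted = append(d.Accepted, c.Payload)
	return nil
}

func main() {
	key := []byte("constructed-demo-key-for-the-page") // assumed provisioned at implantation
	prog := &Programmer{key: key}
	icd := &Implant{key: key}

	captured := prog.Send([]byte("set-rate:70")) // what an eavesdropper records
	fmt.Println("genuine frame:", icd.Receive(captured))
	fmt.Println("replayed frame:", icd.Receive(captured))
	forged := captured
	forged.Counter, forged.Payload = 99, []byte("set-rate:200") // attacker edits the frame
	fmt.Println("forged frame:", icd.Receive(forged))
	fmt.Println("next genuine frame:", icd.Receive(prog.Send([]byte("read-log"))))
}
```

Note what this does not buy: an attacker who cannot forge commands can still transmit garbage and force one HMAC computation per frame, so the power denial attack is only blunted, not removed, and the counter check must never be skipped for "emergency" frames or the replay protection is gone.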

With the advent of the wirelessly interconnected era, this type of challenge will become extremely common. There will be more and more power-constrained devices to protect. Low-power cryptography: a new field of exploration?