Chain of trust

Yesterday, I highlighted the focus on the chain of trust. I would like to come back to it.
Chain of trust is based on the concept that an authority is trusted. This authority then delegates its trust by signing a certificate for another authority. This is how Public Key Infrastructures (PKI) work. A Certification Authority holds the root of trust, and all the certificates cascade back to it.

In the case of downloaded/loaded software, it works in a similar way. The software to be downloaded is signed with the private key of an authority. The host, which should load the software, checks the signature using the corresponding certified public key. The certificate may be part of a hierarchical signature scheme. This seems extremely sound. Where is the problem?

From the cryptographic point of view, the trust model rests mainly on two assumptions (in addition to the traditional use of robust, proven algorithms and secure implementation):
1- No private key involved in the signature schemes leaks. In reality, the assumption is mainly that the private root key does not leak. The other leakages can be handled through revocation.
2- The attacker cannot replace or add a new root public key.
The second assumption is often forgotten. Nevertheless, this still seems sound.

Unfortunately, the trust model is more complex. It adds a third assumption.
3- If a piece of software is signed, it means that this software is safe.

In an ideal world, assumption 3 means that the signing authority carefully checked the software and certifies that it is safe. Any developer knows how difficult it is to carefully review a small piece of software to find flaws, let alone the complete software…

In the real world, if the host may receive many applications, for instance in game consoles, or future TPM-based software for computers, we may assume that the signing authority will sign any piece of software presented by a software editor that it trusts. It means that the trust model has a fourth assumption:
4- A piece of software provided by a known software editor can be trusted.

Unfortunately, this assumption is rather weak. Many attacks or errors can invalidate it (malware insertion, security flaws, impersonation of the editor, …). This is why the chain of trust is not as efficient as we could expect in an environment that handles many applications.

The chain of trust may be stronger in more restricted environments such as Set Top Boxes.
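The two-level check described above (a root authority certifies a signer key, the signer signs the software) can be run end to end. This is an added example, not code from the original post. It uses Lamport one-time hash-based signatures from the Python standard library as a stand-in for the certified public-key signatures, and all function names and sample images are hypothetical.

```python
import hashlib
import secrets

def H(b):
    return hashlib.sha256(b).digest()

def keygen():
    # Lamport one-time key pair: 256 pairs of secrets; public key = their hashes.
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return sk, [(H(a), H(b)) for a, b in sk]

def bits(msg):
    d = int.from_bytes(H(msg), "big")
    return [(d >> i) & 1 for i in range(256)]

def sign(sk, msg):
    return [sk[i][b] for i, b in enumerate(bits(msg))]

def verify(pk, msg, sig):
    return len(sig) == 256 and all(
        H(s) == pk[i][b] for (i, b), s in zip(enumerate(bits(msg)), sig))

def encode(pk):
    return b"".join(a + b for a, b in pk)

def make_chain(software):
    # Root authority certifies the signer's public key; the signer signs the software.
    root_sk, root_pk = keygen()
    signer_sk, signer_pk = keygen()
    return root_pk, signer_pk, sign(root_sk, encode(signer_pk)), sign(signer_sk, software)

def verify_chain(trusted_root_pk, signer_pk, cert_sig, software, sw_sig):
    # Host-side check. It proves origin and integrity only, never that the code is safe.
    return (verify(trusted_root_pk, encode(signer_pk), cert_sig)
            and verify(signer_pk, software, sw_sig))

def demo():
    sw = b"firmware v1 (constructed sample)"
    root_pk, signer_pk, cert_sig, sw_sig = make_chain(sw)
    other = b"unreviewed build (constructed sample)"
    o_root, o_signer, o_cert, o_sig = make_chain(other)  # a second, unrelated authority
    return {
        "genuine": verify_chain(root_pk, signer_pk, cert_sig, sw, sw_sig),
        "modified_image": verify_chain(root_pk, signer_pk, cert_sig, sw + b"!", sw_sig),
        # Assumption 2 holds: the host's pinned root rejects the unrelated chain.
        "other_chain_pinned_root": verify_chain(root_pk, o_signer, o_cert, other, o_sig),
        # Assumption 2 broken: with the root key replaced, the same chain verifies.
        "other_chain_replaced_root": verify_chain(o_root, o_signer, o_cert, other, o_sig),
    }
```

The result of `verify_chain` depends entirely on which root public key the host holds, and a `True` result carries no information about what the signed bytes do, which is the gap between assumptions 1-2 and assumptions 3-4.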

No free Linux equal call for hack?

A presentation about XBOX security at the last Chaos Computer Camp (CCC) in December 2007 sheds some interesting light on the hack of game consoles.

During the first five minutes, Michael Steil analyses the latest hacks. According to him, the influence of the Linux community is important. The PS3 is perhaps still not hacked because it allowed the Linux community to run homebrew applications. Thus, the Linux hacker community had no incentive to hack it. According to his figures, where the Linux community was involved, the hack occurred faster. I would like to recall that DVD Jon claimed that he wrote DeCSS, the software breaking the protection of DVD, because DVD playback was not available under Linux.
After this introduction, Felix Domke detailed the hack of the XBOX360. Some interesting statements, unfortunately true:

  • Hackers own the flash memory; in fact, the hacker controls everything
  • The chain of trust does not work

The analysis of the attacks and countermeasures is impressive. It is also a good introduction to secure coding techniques.

Once more, a perfect illustration of Law 1. A lesson is that game console designers should not assume that their console is trusted. The hackers may control it.
Second lesson: enthusiasm is a better incentive for hacking than commercial incentive. This is true for serious hacking: reverse engineering. It is perhaps less true for IT hacking (spam, intrusion, defacing, malware, …).
How long will PS3 resist?

Many thanks to Yves for this link.

KeeLoq hacked

KeeLoq is an RFID system that protects many anti-theft cards and garage openers. Some published cryptanalysis had already highlighted the weaknesses of the cipher, but the attacks were not practical. A group of six German and Iranian researchers designed a set of very practical attacks.

Using Differential Power Attack (DPA), they were able to extract the device key. What is impressive is that they did the attack without knowledge of the chip. They were working with a black box. For instance, they had to guess when the encryption process occurred. They extracted the device key in less than one hour. Of course, DPA requires physical access to the emitting device. They performed a similar attack to extract the manufacturer key from the receiver. It took less than one day.

With this information, by eavesdropping on a receiver, it is possible to impersonate it. They extract the seed, the secret and the current counter value. The counter value has to be “loosely” synchronized with that of the receiver. Of course, by impersonating the emitter, it is easy to desynchronize the receiver from the genuine emitter. The owner of the genuine emitter will have to push his key 2^15 times to open his door. Nice denial of service.

This is the second hack of RFID security in a month. Recently it was NXP Mifare that was hacked. Once more, the security of an RFID system was too weak. It has at least two types of known flaws:

  • A weak LFSR-based cipher
  • No protection against side channel attacks

The secure processor industry has been aware of these types of weaknesses for about one decade and fights them. It is time that the RFID industry also adapts to them. Is it compatible with the price constraints?

A paper at Eurocrypt08 will present this attack. The details of the attacks are available on the Ruhr University site.

Private copy levy or piracy levy?

The French government asked the Conseil d’Etat to review the calculation rules of the levy for private copy. Currently, the government levies a tax on every non-volatile storage unit. This tax is a levy for private copy. It applies to recordable CD, recordable DVD, hard disks, USB flash memory, memory cards, … Its value is defined by the Commission d’Albis. As an example, the tax for the iPhone would be 7€ (i.e. about $10). The tax is redistributed to rights owners.

In January, three consumer associations complained to this authority about this levy. The controversy is that the levy takes into account the estimated level of piracy. A recent survey claimed that 40% of the content stored on recordable media was coming from P2P. If the levy takes piracy into account, then it covers both private copy (of legally acquired content) and illegal copy (of P2P downloaded content). Thus, P2P download should no longer be illegal because it is integrated in the tax. Meanwhile, the representatives of the consumer electronics industry boycotted the Commission d’Albis for mainly the same arguments.

Thus, they demand either that P2P download be made legal or that the levy be reduced. The answer of the wise men will be extremely interesting.

Open source and Kerckhoffs' law

In a recent post at TechRepublic, Chad Perrin argued that open source is definitely a better security solution than a proprietary solution because it complies with Kerckhoffs' law.

Although it is true most of the time, it is not an absolute truth in security (as usual). It depends on the trust model of the security system. I will take an example: OpenSSL. The trust model of SSL is that Alice and Bob trust each other and they want to prevent Eve from spying on them or tampering with their messages. Thus, OpenSSL uses cryptographic algorithms. The OpenSSL cryptographic toolbox is well studied and perfect. But only under the above-mentioned trust model.

Let us now suppose that Alice wants to control Bob's access to information stored on Bob’s computer. She does not trust Bob. Thus, she will encrypt the information with a secret key and give a decryption program to Bob. Nevertheless, for obvious reasons, she wants to keep the secret key secret from Bob. She cannot use the cryptographic toolbox of OpenSSL (although it is good and has no flaws) because Bob, being a good hacker, will easily extract the secret key by knowing where and when it is used in OpenSSL.

This example is a simplified illustration of the problem of DRM. Therefore, it is impossible to design an open source DRM for B2C or B2B applications. The final user is not trusted. It may make sense in a C2C model (Consumer To Consumer).
Open source is perfect if the trust model of the system assumes that the “owner” or “operator” of the corresponding software is trusted. If it is not the case, then open source is not the right answer. Then, we enter the realm of secure coding and tamper-resistant software, which is another story.

Nevertheless, even for proprietary implementations, it is recommended to use well-known and studied algorithms and protocols. Here, security by obscurity is bad. For implementation issues, it is another story (remember the AACS hack).

TorrentSpy: one round for studios

On Friday 28th March, TorrentSpy, one of the main torrent tracker sites, definitively closed. According to the site, the legal burden was becoming too heavy. Having the feeling that they could not preserve the interests of their users, they closed their site. Since 2006, MPAA had been suing TorrentSpy for facilitating piracy.

Will it change something? Probably not much. Many tracker sites are available. TorrentSpy will disappear from toolbars and from filters of tools such as BitChe.

An interesting theoretical question: does the closing of a major site help or reduce piracy? On one hand, a wealth of torrent trackers have vanished. On the other hand, more people will connect to the currently available torrents, thus making them more efficient in terms of sharing.

Extension of Copyright in Europe?

EU commissioner McGreevy proposes to extend the copyright lifetime for performers from 50 years to 95 years. Interestingly, the copyright lifetime for composers is 70 years after his/her death. In most of the world, the default length of copyright is the life of the author plus either 50 or 70 years.
The current limit of 50 years means that many songs from performers who are still alive will soon enter the public domain. According to some estimations, this extension represents a gain of 3 to 10% for the European phonographic industry. The Electronic Frontier Foundation (EFF) has launched an online petition against this initiative.

Copyright lifetime expiration is an interesting problem for DRM. What happens to a protected song when it enters the public domain? Normally, it should no longer be protected. Extension of 45 years may delay this technical issue for several years?