Cryptography on System Overlord

Ham Fisted Legislators

david@systemoverlord.com (David Tomaschik) — Sun, 10 Apr 2016 00:00:00 +0000

There’s fortunately been a lot of media coverage of a typically ham-fisted attempt to legislate technology:

The Senate’s Draft Encryption Bill Is ‘Ludicrous, Dangerous, Technically Illiterate’ | WIRED
Leak of Senate Encryption Bill Prompts Swift Backlash - Fortune
Leak of Senate encryption bill prompts swift backlash | Reuters
Senate’s Attempt at Encryption Bill Would Destroy the Very Idea of Cybersecurity - Hit & Run : Reason.com
www.usatoday.com/story/news/politics/2016/04/08/proposed-senate-bill-would-require-tech-companies-break-encryption/82798862/

For once, it’s not just been technology blogs: Fortune, Reuters, and USA Today are among those covering the legislative failure.

Parameter Injection in jCryption

david@systemoverlord.com (David Tomaschik) — Wed, 18 Jun 2014 01:00:00 +0000

jCryption is an open-source plugin for jQuery that is used for performing encryption on the client side that can be decrypted server side. It works by retrieving an RSA key from the server, then encrypting an AES key under the RSA key, and sending both the encrypted AES key and the RSA key to the server. This is not dissimilar to how OpenPGP encrypts data for transmission. (Though, of course, implementation details are vastly different.)

On the TrueCrypt Saga

david@systemoverlord.com (David Tomaschik) — Fri, 30 May 2014 00:52:47 +0000

If you’re anywhere near the security community, you’ve probably already heard about the (supposed) end of TrueCrypt that inspired a massive hunt for an explanation on Reddit. I’m going to drop my thoughts here, but these are all just speculation, so take them for what they’re worth (which is not much).

The Facts as We Know Them

TrueCrypt 7.2 dropped support for creating volumes. The code was massively changed, stripping out all volume creation options.
The website was updated with terrible instructions. The directions for alternatives generally point to proprietary options (BitLocker, File Vault, or, to paraphrase, “whatever you can find on Linux.”)
The new version is signed with the same key as previous versions. This implies whoever did the update is in possession of the key used for signing previous releases.
Sourceforge doesn’t think the account was compromised as posted here.

Popular Theories

The author was forced to backdoor TC and chose this instead. This seems to be the most popular theory, and given the Snowden revelations, it’s easy to see why. Assuming the adversary in question is the US Government, this seems awfully heavy-handed, and I’m not sure under which legal authority they would attempt to compel this participation. NSLs compel the production of business records, but don’t seem to allow them to force a backdooring. CALEA is for communications tools, TrueCrypt is used for storage at rest. Even those who refer to LavaBit are referring to warrants. First LavaBit was ordered to turn over messages, then encryption keys, but I’m not aware they were ever ordered to backdoor their software. It also seems odd that government agencies would choose to go after disk encryption, seems like communications encryption would be the bigger source of intelligence. There are those who have claimed “the government can force you to do anything”, which I suppose is true, but if we’re at the stage of “backdoor your code or we treat you as a terrorist” then the game’s already over, we’re off in Stasi territory, and I’m not sure that’s a world I could live in. I hope this is not the story.
The author tired of developing it and just gave up. This is a kind of odd approach, one would think they’d look for someone to hand the project to. I’m also not sure why someone who’d devoted years to developing secure encryption software would suddenly offer up terrible alternatives or otherwise deviate so strangely.
A developer was compromised. While this might give access to the PGP key, I’d have thought by now we’d have some sort of communication somewhere to claim this has happened. Unless the developer is completely out of the loop as well. Why would someone use the compromise to offer up terrible alternatives as opposed to releasing backdoored binaries quietly?
Off their meds. A couple of people have suggested that some sort of psychiatric problem is involved here. Actually seems a little reasonable, given the erratically written directions for alternatives, the sudden change in course, everything. Of course, there’s no evidence to support this, so it’s really just speculation.

I’ve turned off commenting as I think Reddit or Hacker News is a better place for such discussion, I just had a lot of thoughts I wanted to get out.

DEF CON 22 CTF Quals: Hackertool

david@systemoverlord.com (David Tomaschik) — Mon, 19 May 2014 03:32:11 +0000

Hackertool was one of the Baby’s First challenges in DEF CON CTF Quals this year, and provided you with a .torrent file, and asked you to download the file and MD5 it. Seems easy enough, so I knew there must be more to it. The torrent file itself was a whopping 4 MB in size, very large for a torrent file. Looking at it, we see it contains just one file, named every_ip_address.txt, and the file is ~61GB in size. Hrrm, there must be an easier way than torrenting 61GB, especially at <1k/s.

Reading List for 5/9/2014

david@systemoverlord.com (David Tomaschik) — Fri, 09 May 2014 07:00:00 +0000

###On XTS Mode for Disk Encryption Thomas Ptacek writes You Don’t Want XTS, and suggests that though XTS works well enough in practice, it is far from ideal for Full Disk Encryption, and should not be used at all for other encryption operations (i.e., anything that doesn’t resemble FDE). XTS is useful only in that it makes “random access” encryption more secure, as you need for a disk. For encryption of whole blocks of data at rest, you probably want CBC mode, and for anything on the wire, AES-GCM is the new hotness.

PlaidCTF 2014: mtpox

david@systemoverlord.com (David Tomaschik) — Mon, 14 Apr 2014 05:13:12 +0000

150 Point Web Challenge

The Plague has traveled back in time to create a cryptocurrency before Satoshi does in an attempt to quickly gain the resources required for his empire. As you step out of your time machine, you learn his exchange has stopped trades, due to some sort of bug. However, if you could break into the database and show a different story of where the coins went, we might be able to stop The Plague.

Weekly Reading List for 2/1/14

david@systemoverlord.com (David Tomaschik) — Sat, 01 Feb 2014 08:00:00 +0000

Previews for BSides SF 2014

A couple of new articles have been posted with previews of this year’s BSides San Francisco. Akamai has a preview of several talks and Tripwire previews a day in the life of an information security researcher.

Application Whitelist Bypass

@infosecsmith2 guest posts over at Room362 about using IEexec.exe to bypass application whitelisting.

Custom Wordlists

Chief Monkey over at IT Security Toolbox reports on a tool called SmeegeScrape that allows you to build a wordlist from the contents of a system. He reports on it in the context of a forensics task, but it seems like it would be a great option for penetration testing as well.

Ghost in the Shellcode 2014: Radioactive

david@systemoverlord.com (David Tomaschik) — Sun, 19 Jan 2014 20:21:46 +0000

Radioactive was a crypto challenge that executed arbitrary python code, if you could apply a correct cryptographic tag. Source was provided, and the handler is below:

#!python
class RadioactiveHandler(SocketServer.BaseRequestHandler):
 def handle(self):
 key = open("secret", "rb").read()
 cipher = AES.new(key, AES.MODE_ECB)

 self.request.send("Waiting for command:\n")
 tag, command = self.request.recv(1024).strip().split(':')
 command = binascii.a2b_base64(command)
 pad = "\x00" * (16 - (len(command) % 16))
 command += pad

 blocks = [command[x:x+16] for x in xrange(0, len(command), 16)]
 cts = [str_to_bytes(cipher.encrypt(block)) for block in blocks]
 for block in cts:
 print ''.join(chr(x) for x in block).encode('hex')

 command = command[:-len(pad)]

 t = reduce(lambda x, y: [xx^yy for xx, yy in zip(x, y)], cts)
 t = ''.join([chr(x) for x in t]).encode('hex')

 match = True
 print tag, t
 for i, j in zip(tag, t):
 if i != j:
 match = False

 del key
 del cipher

 if not match:
 self.request.send("Checks failed!\n")
 eval(compile(command, "script", "exec"))

 return

So, it looks for a tag:command pair, where the tag is hex-encoded and the command is base64 encode. The command must be valid python, passed through compile and eval, so you’ll need to send a response back to yourself via self.request.send.

PlaidCTF Compression

david@systemoverlord.com (David Tomaschik) — Tue, 30 Apr 2013 05:26:20 +0000

PlaidCTF 2013 had a level called "Compression". Here's the provided code for this level:

#!/usr/bin/python
import os
import struct
import SocketServer
import zlib
from Crypto.Cipher import AES
from Crypto.Util import Counter
 
# Not the real keys!
ENCRYPT_KEY = '0000000000000000000000000000000000000000000000000000000000000000'.decode('hex')
# Determine this key.
# Character set: lowercase letters and underscore
PROBLEM_KEY = 'XXXXXXXXXXXXXXXXXXXX'
 
def encrypt(data, ctr):
    aes = AES.new(ENCRYPT_KEY, AES.MODE_CTR, counter=ctr)
    return aes.encrypt(zlib.compress(data))
 
class ProblemHandler(SocketServer.StreamRequestHandler):
    def handle(self):
        nonce = os.urandom(8)
        self.wfile.write(nonce)
        ctr = Counter.new(64, prefix=nonce)
        while True:
            data = self.rfile.read(4)
            if not data:
                break
 
            try:
                length = struct.unpack('I', data)[0]
                if length > (1<<20):
                    break
                data = self.rfile.read(length)
                data += PROBLEM_KEY
                ciphertext = encrypt(data, ctr)
                self.wfile.write(struct.pack('I', len(ciphertext)))
                self.wfile.write(ciphertext)
            except:
                break
 
class ReusableTCPServer(SocketServer.ForkingMixIn, SocketServer.TCPServer):
    allow_reuse_address = True
 
if __name__ == '__main__':
    HOST = '0.0.0.0'
    PORT = 4433
    SocketServer.TCPServer.allow_reuse_address = True
    server = ReusableTCPServer((HOST, PORT), ProblemHandler)
    server.serve_forever()

So there's a few interesting things of note here: