Cryptology Annual News Update and Vignette
Bill Ricker
for BLU.org
Sept 20, 2023
Cryptology News Bulletins 2022-09 to 2023-08
“Abundance of Caution” is C-suite lingo for
“Oopsie, oh flying squirrel”
Integer Overflow in extended precision arithmetic
Changes for libgmpxx4ldbl versions: Installed version: None Available
version: 2:6.2.0+dfsg-4ubuntu0.1 Version 2:6.2.0+dfsg-4ubuntu0.1:
- SECURITY UPDATE: Integer overflow
- Debian/patches/CVE-2021-43618.patch: prevent integer overflow in
function mpz_inp_raw in mpz/inp_raw.c on 32-bit platforms.
- CVE-2021-43618
Version 2:6.2.0+dfsg-4:
[ Steve Robbins ] * Add breaks for packages known to be broken by GMP
6.2.0. Closes: #950608.
LastPass break update
[2022.12.26] Last August, LastPass reported a security breach, saying
that no customer information—or passwords—were compromised. Turns out
the full story is worse https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html
possibly exploited to steal Craptocoyns ?!
Did victims have a weak passphrase, or were they actually victims
of a Wallet breach and blaming it on LastPass ?
Backdoor? in TETRA TEA1 encrypted Police radios
80-bit commercial export-semi-restricted TEA1 key has far less than
80 bits entropy, deemed intentional backdoor – one of 5 CVEs resulting
from reverse engineering.
The also found inadequate entropy in IV, using spoof-able network
time, in the protocol, so applies to all TEA{1..4} levels.
Incompetence or backdoor? Unclear.
ChatGPT implements Dunning-Kruger Crypto
Miguel
de Icaza
Tired: don’t implement your own cryptographic stack
Wired: have Chat-GPT write it for you
If you want greater efficiency in writing bugs …
Similarly, reports seen that AutoPilot etc will cough up someone
else’s secret key in suggested source code for a secret-key encryption
module. Because it memorizes whatever it sees, and regurgitates on
command.
Existence of Fernet Encryption implies Existence of Malört
Encryption?
Fernet is Python recipe for symmetric encryption with authentication,
using AES-128 CBC, SHA-256, PKCS#7 - so if
competently implemented and application key
mgt is likewise competent, could be better than Fernet/Malört simile
might imply.
Fernet also supported in Scala, Rust, Perl.
Malware has started using Fernet for their payloads!
Should Fernet-using Malware be called Malörtware ?
<SANS
ISC>
Key management is hard
<2023-08>
Expired Microsoft signing key exfiltrated, use to sign
code then accepted by Azure! Spin-off of Solar Winds network management
vulnerabilities, compounded by not checking for key expiry.
as usual, a bad fail is a chain of bugs and vulnerabilities that
amplify one another.
Micro-Star International Signing Key Stolen
<2023.05.15>
aka MSI—had its UEFI signing key stolen last month.
Github ssh fiasco
- <GitHub
Blog>; <MJG>;
<DF>;
<SANS
ISC>
- Lessons:
- Don’t add/push secrets to public repos.
- Comb private repos for secrets not just licenses+IP before
publishing
and q.v. Prime Trust below
Craptocoyns aren’t crypto and aren’t coins
It’s Ponzi all the way down.
Bitcoin - the most successful bug bounty program ever
… continued …
Craptocoyns: Wallet Key loss = bankruptcy
“Craptocoyn startup loses wallet key”
<2023-09>
The cryptocurrency fintech startup Prime Trust lost the encryption
key to its hardware wallet—and the recovery key—and therefore $38.9
million. It is now in bankruptcy.
ironic name!
I can’t understand why anyone thinks these technologies are a good
idea.
agree totally.
Craptocoyns: “MILKSAD”: Cryptographic Flaw in Libbitcoin Explorer
Cryptocurrency Wallet
More Dunning-Kruger crapto? or intentional backdoor to facilitate
thefts?
Low entropy, non-random seed (clock) renders a secure PRNG insecure;
lib docs supposedly have caveat not to use the bx seed but
general Bitcoin docs recommend using it for wallet generation.
“Never attribute to malice that which is adequately explained by
incompetence.”
But … as a scam it looks pretty smooth.
Crypto News Feature: updating Post Quantum Cryptography
Review: Kinds of Quantum Hardware
Review: We’re discussing PQC before QC?
Yes !
Quantum
Cryptography
- theoretically using entangled quantum states
- to create an encryption
- or an anti-eaves-droppable connection
Review: What’s the problem?
- Unbreakable ciphers aren’t always unbreakable, for always.
- QC could theoretically break most PKI
- Schor’s Algorithm / Grover’s / VQF
- discrete log as well as prime factoring, even elliptic curves
Review: Generalization of Forward Secrecy
Review: NIST’s Post-Quantum Cryptography Standards
The goal of post-quantum cryptography (also called quantum-resistant
cryptography) is to develop cryptographic systems that are secure
against both quantum and classical computers, and can interoperate with
existing communications protocols and networks. –
NIST
Review: NIST PQC Competition
National Institute of Standards & Technology started a
multi-round competition, similar to with AES and SHA3 competitions
Quantum Cracking / PQC Update
[2023.02.28] CRYSTALS-Kyber is one of the public-key algorithms
currently recommended by NIST as part of its post-quantum cryptography
standardization process. Researchers have just published a side-channel
attack—using power consumption—against an implementation of the
algorithm that was supposed to be resistant against that sort of attack.
The algorithm is not “broken” or “cracked”—despite headlines to the
contrary—this is just a side-channel attack. What makes this work really
interesting is that the researchers used a machine-learning model to
train the system to exploit the side channel.
OTOH as seen in TETRA:BURST, a side-channel attack can be used to
extract key or algorithm from a piece of equipment that falls into
opponent lab.
REVIEW: Known weaknesses
- breaks have eliminated 62 of 69 entrants in Rounds 1 to 4
- including the two front-runners, Rainbow and SIKE
- 7 remain, will they survive?
- FALCON would be compromised by a lack-of-randomness in salt, or
failure to salt, as repeating same key and hash again gives too much
information.
No. It’s happened.
- Numerous implementations have failed to salt encryption of small
data despite warnings.
- DEBIAN broke system
random which compromised many
SSH keys.
- our historical vignette in prior years has discussed danger of key
reuse in WW2 and Cold War. Lack of Salt = Key Reuse.
History Vignette - Philips PX-1000Cr - NSA and the consumer
Text Lite “pocket telex” / pocket teletype
- 1980-1982 “Pocket Telex” PX-1000 text communicator for POTS network
- developed by NL “Text Lite BV” corp
- an OEM alphanumeric keyboard with one-line display, with onboard DES
encryption and acoustic coupler.
- 1983 Philips became the major seller of
- 1983(late) NSA/GCHQ objected to even 56-bit DES being available to
civilians.
- (At the time, Export Netscape was limited to 40-bit for naughty
countries. DES was fairly strong vs slow computers.)
- 1984 Crypto-free edition with calculator function released to
temporize
- crypto-free version had blue button instead of red key/text/code
button
- 1985 PX-1000Cr NSA-approved LSFR edition were developed in 1984 and
sold in 1985 and later
- and all unsold DES units and ROMs were “sold” to NSA at a
nice wholesale profit.
- 1985 C-Mail capable versions of both Calc and Crypto units
- followed by compatible improvements PX-1200
and PX-2000 (manufactured by Seiko/Epson for Text Lite), sold as Philips
and TEXT TELL brands.
Analysis Timeline
- In 2014, Ben Brücker’s Bachelor Thesis “Government intervention on
consumer crypto hardware: A look at the PX-1000 before and after the
NSA’s involvement” (working with Crypto Museum example).
- Disassembled & reverse-engineered and validated original DES
block cipher implementation
- Disassembled & partially analyzed the NSA LSFR code - determined
it was a stream cipher
- Raised question if this meant NSA compromised Nelson Mandela’s
support-team’s comms!
- 2019 NL Crypto Museum reports on the above research publicly.
- In 2021, Stefan “Stef” Marsiske completed analysis of the NSA LSFR
algorithm in the PX-1000Cr
- determined key-space was actually 32 bits
- and developed a full break: 17 chars of ciphertext yield the message
key
- which might or might not have been tractable back then
- and observed another weakness that might be 1980s backdoor.
- LSFRs are maximal length so not obviously suspect, but
- Leaks keystream bits, so detecting key reuse (plain-plain
compromise) is trivial
My talks
The YouTube of this presentation will be linked on
<BLU.org> along with these slides
and extended notes etc as <2023-sep> as per
usual.
Prior talks in
this series - most talks have slides &/or YouTube
attached, sometimes extras.
Alas the YouTube audio pre-pandemic wasn’t great, BLU will need a
donation of a wireless clip-on mike if we ever return to
Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset
while presenting in person?
News + Focus
News and Focus sections have
embedded links.
Good security news streams to either research history or to follow
year round are https://www.schneier.com/crypto-gram/ and https://isc.sans.edu/, the
latter being less cryptologic and more operational in focus – but both
cover the wide span of vulnerabilities, tools, remediations, etc, not
just the cryptologic that I’m cherry-picking here.
Highly recommended.
Start your day with the 5 minute SANS Internet Storm Center
StormCast pod-cast; the Red Team is, so, so should you.
Historical Vignette - Bibliography specific for this year
Cryptologic History - general references
