rsa

12 Articles

This Week In Security: SSH, FTP, And Reptar

November 17, 2023 by 3 Comments

It’s time to strap on our propeller beanies, because we’re going to talk crypto. The short version is that some SSH handshakes can expose enough information for a third party to obtain the host’s private signing key. That key is the one that confirms you are connecting to the SSH server you think you are, and if the key validation fails, you get a big warning:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!

The math that makes this warning work is public-private key cryptography. The problem we’re talking about today only shows up in RSA authentication. Specifically those that use the Chinese Remainder Theorem (CRT) to quickly calculate the modulos needed to generate the cryptographic signature. If something goes wrong during that calculation, you end up with a signature that is mathematically related to the secret key in a different way than intended. The important point is that knowing this extra value *significantly* weakens the security of the secret key.

This attack has been known for quite some time, but the research has been aimed at causing the calculation fault through power vaults or even memory attacks like Rowhammer. There has also been progress on using a lattice attack against captured handshakes, to make the attack practical with less known information. The real novel element of this week’s approach (pdf) is that it has been tested against SSH.

The paper’s authors performed weekly scans of the entire IPv4 public network space, capturing the handshake from any listening SSH server, and also had 5 years of historic data to draw from. And the results are mixed. There is a Cisco SSH server string that is extremely common in the dataset, and only once did one of these machines send a miscalculated handshake. Possibly a random ram bit flip to blame. And on the other hand, the string “SSH-2.0-Zyxel SSH server” had so many bad signatures, it suggests a device that *always* sends a miscalculated signature. Continue reading “This Week In Security: SSH, FTP, And Reptar”

Screenshot of the RSA calculator, showing the fields that you can fill into and the results as they propagate through the calculation

Lift The Veil On RSA With This RSA Calculator

July 8, 2022 by 2 Comments

Encryption algorithms can be intimidating to approach, what’s with all the math involved. However, once you start digging into them, you can break the math apart into smaller steps, and get a feel of what goes into encryption being the modern-day magic we take for granted. Today, [Henry Schmale] writes to us about his small contribution to making cryptography easier to understand – lifting the veil on the RSA asymmetric encryption technique through an RSA calculator.

With [Henry]’s calculator, you can only encrypt and decrypt a single integer, but you’re able to view each individual step of an RSA calculation as you do so. If you want to understand what makes RSA and other similar algorithms tick, this site is an excellent starting point. Now, this is not something you should use when roll your crypto implementations – as cryptographers say in unison, writing your own crypto from scratch is extremely inadvisable. [Henry] does say that this calculator could be useful for CTF players, for instance, but it’s also undeniably an accessible learning tool for any hacker out there wishing to understand what goes on under the wraps of the libraries we use.

In modern day, cryptography is instrumental to protecting our freedoms, and it’s a joy to see people work towards explaining the algorithms used. The cryptography tools we use day-to-day are also highly valuable targets for governments and intelligence agencies, willing to go to great lengths to subvert our communication security – so it’s even more important that we get acquianted with the tools that protect us. After all, it only takes a piece of paper to encrypt your communications with someone.

Understanding Elliptic Curve Cryptography And Embedded Security

July 4, 2019 by 26 Comments

We all know the usual jokes about the ‘S’ in ‘IoT’ standing for ‘Security’. It’s hardly a secret that security in embedded, networked devices (‘IoT devices’) is all too often a last-minute task that gets left to whichever intern was unfortunate enough to walk first into the office that day. Inspired by this situation, All About Circuits is publishing a series of articles on embedded security, with a strong focus on network security.

In addition to the primer article, so far they have covered the Diffie-Hellman exchange (using prime numbers, exponentiation and modular arithmetic) and the evolution of this exchange using elliptic curve cryptography (ECC) which prevents anyone from brute-forcing the key. Barring any quantum computers, naturally. All three articles should be understandable by anyone, with a simple, step-by-step format.

The upcoming articles will cover implementing security on microcontrollers specifically.  For those who cannot wait to learn more, Wikipedia has a number of articles on the topic of Elliptic Curve Cryptography (comparing it to the more older and still very common RSA encryption) specifically, as well as the Elliptic-Curve Diffie-Hellman key agreement protocol as discussed in the All About Circuits article.

A detail of note here is that the hardest problem in secure communications isn’t to keep the communications going, but to securely exchange the keys in the first place. That’s why a much much computationally expensive key exchange scheme using an asymmetric (or public-key) cryptography scheme  is generally used to set up the second part of the communications, which would use a much faster symmetric-key cryptography scheme, where both parties have the means to decode and encode messages using the same private key.

All the math aside, one does have to wonder about how one might denote ‘secure’ IoT. Somehow ‘SIoT’ doesn’t feel very catchy.

RSA Encryption Cracked Easily (Sometimes)

January 16, 2019 by 32 Comments

A large chunk of the global economy now rests on public key cryptography. We generally agree that with long enough keys, it is infeasible to crack things encoded that way. Until such time as it isn’t, that is. Researchers published a paper a few years ago where they cracked a large number of keys in a very short amount of time. It doesn’t work on any key, as you’ll see in a bit, but here’s the interesting part: they used an undescribed algorithm to crack the codes in a very short amount of time on a single-core computer. This piqued [William Kuszmaul’s] interest and he found some follow up papers that revealed the algorithms in question. You can read his analysis, and decide for yourself how badly this compromises common algorithms.

The basis for public key cryptography is that you multiply two large prime numbers to form a product and post it publicly. Because it is computationally difficult to find prime factors of large numbers, this is reasonably secure because it is difficult to find those prime numbers that are selected randomly.

However, the random selection leads to an unusual attack. Public keys, by their very nature, are available all over the Internet. Most of them were generated with the same algorithm and random number generation isn’t actually totally random. That means some keys share prime factors and finding a common factor between two numbers isn’t nearly as difficult.

Continue reading “RSA Encryption Cracked Easily (Sometimes)”

Bad RSA Library Leaves Millions Of Keys Vulnerable

October 17, 2017 by 20 Comments

So, erm… good news everyone! A vulnerability has been found in a software library responsible for generating RSA key pairs used in hardware chips manufactured by Infineon Technologies AG. The vulnerability, dubbed ROCA, allows for an attacker, via a Coppersmith’s attack, to compute the private key starting with nothing more than the public key, which pretty much defeats the purpose of asymmetric encryption altogether.

Affected hardware includes cryptographic smart cards, security tokens, and other secure hardware chips produced by Infineon Technologies AG. The library with the vulnerability is also integrated in authentication, signature, and encryption tokens of other vendors and chips used for Trusted Boot of operating systems. Major vendors including Microsoft, Google, HP, Lenovo, and Fujitsu already released software updates and guidelines for mitigation.

The researchers found and analysed vulnerable keys in various domains including electronic citizen documents (750,000 Estonian identity cards), authentication tokens, trusted boot devices, software package signing, TLS/HTTPS keys and PGP. The currently confirmed number of vulnerable keys found is about 760,000 but could be up to two to three orders of magnitude higher.

Devices dating back to at least 2012 are affected, despite being NIST FIPS 140-2 and CC EAL 5+ certified.. The vulnerable chips were not necessarily sold directly by Infineon Technologies AG, as the chips can be embedded inside devices of other manufacturers.

Continue reading “Bad RSA Library Leaves Millions Of Keys Vulnerable”

Fake Certificate

Lenovo Shipped PC’s With Spyware That Breaks HTTPS

February 19, 2015 by 91 Comments

If you’ve ever purchased a new computer then you are probably familiar with the barrage of bloatware that comes pre-installed. Usually there are system tools, antivirus software trials, and a whole bunch of other things that most of us never wanted in the first place. Well now we can add Superfish spyware to the list.

You may wonder what makes this case so special. A lot of PC’s come with software pre-installed that collect usage statistics for the manufacturer. Superfish is a somewhat extreme case of this. The software actually installs a self-signed root HTTPS certificate. Then, the software uses its own certificates for every single HTTPS session the user opens. If you visit your online banking portal for example, you won’t actually get the certificate from your bank. Instead, you’ll receive a certificate signed by Superfish. Your PC will trust it, because it already has the root certificate installed. This is essentially a man in the middle attack performed by software installed by Lenovo. Superfish uses this ability to do things to your encrypted connection including collecting data, and injecting ads.

As if that wasn’t bad enough, their certificate is actually using a deprecated SHA-1 certificate that uses 1024-bit RSA encryption. This level of encryption is weak and susceptible to attack. In fact, it was reported that [Rob Graham], CEO of Errata Security has already cracked the certificate and revealed the private key. With the private key known to the public, an attacker can easily spoof any HTTPS certificate and systems that are infected with Superfish will just trust it. The user will have no idea that they are visiting a fake phishing website.

Since this discovery was made, Lenovo has released a statement saying that Superfish was installed on some systems that shipped between September and December of 2014. They claim that server-side interactions have been disabled since January, which disables Superfish. They have no plans to pre-load Superfish on any new systems.

Ambient Computer Noise Leaks Your Encryption Keys

December 20, 2013 by 65 Comments

[Daniel, Adi, and Eran], students researchers at Tel Aviv University and the Weizmann Institute of Science have successfully extracted 4096-bit RSA encryption keys using only the sound produced by the target computer. It may sound a bit like magic, but this is a real attack – although it’s practicality may be questionable. The group first described this attack vector at Eurocrypt 2004. The sound used to decode the encryption keys is produced not by the processor itself, but by the processor’s power supply, mainly the capacitors and coils. The target machine in this case runs a copy of GNU Privacy Guard (GnuPG).

During most of their testing, the team used some very high-end audio equipment, including Brüel & Kjær laboratory grade microphones and a parabolic reflector. By directing the microphone at the processor air vents, they were able to extract enough sound to proceed with their attack. [Daniel, Adi, and Eran] started from the source of GnuPG. They worked from there all the way down to the individual opcodes running on the x86 processor in the target PC. As each opcode is run, a sound signature is produced. The signature changes slightly depending on the data the processor is operating on. By using this information, and some very detailed spectral analysis, the team was able to extract encryption keys. The complete technical details of the attack vector are available in their final paper (pdf link).

Once  they had the basic methods down, [Daniel, Adi, and Eran] explored other attack vectors. They were able to extract data using ground fluctuations on the computers chassis. They even were able to use a cell phone to perform the audio attack. Due to the cell phone’s lower quality microphone, a much longer (on the order of several hours) time is needed to extract the necessary data.

Thankfully [Daniel, Adi, and Eran] are white hat hackers, and sent their data to the GnuPG team. Several countermeasures to this attack are already included in the current version of GnuPG.