Cryptology Annual News Update and Vignette

Bill Ricker

for BLU.org

Sept 20, 2023

Cryptology News Bulletins 2022-09 to 2023-08

“Abundance of Caution” is C-suite lingo for “Oopsie, oh flying squirrel”

OpenSSL 3 near-critical patch (Oct-Nov 2022)

https://www.phoronix.com/news/OpenSSL-1-November-2022

https://arstechnica.com/information-technology/2022/11/openssl-3-patch-once-critical-but-now-just-high-fixes-buffer-overflow/

CVE-2022-37786 and CVE-2022-3602

Second-ever OpenSSL critical vulnerability teased, 10 years after Heartbleed

downgraded from critical to merely high; but still important.

Passkeys

https://www.passkeys.io/

https://arstechnica.com/information-technology/2022/10/passkeys-microsoft-apple-and-googles-password-killer-are-finally-here/

Jill (NatickFOSS) notes that this makes things harder on Executors. It requires both physiology and BT devices.

How do you change phones securely but prevent *jacking a phone change?

(Bob (NatickFOSS) says Fido alliance can provide a backup dongle for executors that overrides eyeball+phone in range?)

Integer Overflow in extended precision arithmetic

Changes for libgmpxx4ldbl versions: Installed version: None Available version: 2:6.2.0+dfsg-4ubuntu0.1 Version 2:6.2.0+dfsg-4ubuntu0.1:

Version 2:6.2.0+dfsg-4:

[ Steve Robbins ] * Add breaks for packages known to be broken by GMP 6.2.0. Closes: #950608.

LastPass break update

[2022.12.26] Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html

possibly exploited to steal Craptocoyns ?!

Did victims have a weak passphrase, or were they actually victims of a Wallet breach and blaming it on LastPass ?

“ZENBLEED” - “Encryption-breaking, password-leaking bug in many AMD CPUs could take months to fix”

“Zenbleed” bug affects all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.

July: <Ars>; <CVE-2023-20593>; all Zen 2 products in shared use. Fix has up-to 15% performance impact except gaming? (Your gaming system ought not be running others’ work anyway!)
<Cloudflare analysis + remediation>

& August: <HN: Collide+Power, Downfall, Inception>; <Google Security Blog: Downfall + Zenbleed>



Backdoor? in TETRA TEA1 encrypted Police radios

80-bit commercial export-semi-restricted TEA1 key has far less than 80 bits entropy, deemed intentional backdoor – one of 5 CVEs resulting from reverse engineering.

The also found inadequate entropy in IV, using spoof-able network time, in the protocol, so applies to all TEA{1..4} levels. Incompetence or backdoor? Unclear.


They used a cache-timing side-channel attack to extract the firmware algorithm once, from the one compliant manufacturer that included the least reverse-engineering countermeasures; only needed doing once, and exposed the proprietary licensed algorithm used by all more careful manufacturers.

Once again, Kerckhoffs’s principle or Shannon’s Maxim is re-validated; secrecy of the mechanism or algorithm is a false protection. It protects proprietary manufacturers from competition, but it does not protect the users’ (customers’!!) data. (Their paper/Slide-deck has a long list of other failures from ignoring Kerckhoffs’s principle.)

TEA1 was advertised pre-1997 as export-allowed to export-restricted nations, so the “80bit key” should have been understood by those knowledgeable in the art back then to have had a max useful strength of 40 bits anyway. That it was 32 instead of 40 is only mildly shocking - 32 is such a convenient number of bits - and that it was 32 and therefor OK for export was even shared back in the day somewhat. (Without Internet, it didn’t spread far until messages were rediscovered.)

So, that the export-allowed product was WEAK should NOT have surprised any customer! Calling that a Backdoor may be an overstatement; assumption was any encryption allowed for export to hostile regimes was crap by law. (OTOH the missing 8 bits of Internet 1.0 max legal export key are a 232/2^40 = ⎄1/128 complexity factor, the difference between brute-force cracking N keys per day vs N keys per calendar quarter.)

That TEA1 was still sold - or worse, bought! - so weakened after 1997 128-bit limit is the only shocker.

The weak, spoof-able entropy in the IV (Initialization Vector in block cipher modes) OTOH is possibly an intentional back door to make key reuse/collision compromises blindingly obvious to State Actor cognoscenti - which makes message and key recovery trivial in specific cases, and depending upon keying, can break a whole network for a day, week, year after one pair of messages is broken.


ChatGPT implements Dunning-Kruger Crypto

Miguel de Icaza

Tired: don’t implement your own cryptographic stack
Wired: have Chat-GPT write it for you

If you want greater efficiency in writing bugs …

Similarly, reports seen that AutoPilot etc will cough up someone else’s secret key in suggested source code for a secret-key encryption module. Because it memorizes whatever it sees, and regurgitates on command.

Existence of Fernet Encryption implies Existence of Malört Encryption?

Fernet is Python recipe for symmetric encryption with authentication, using AES-128 CBC, SHA-256, PKCS#7 - so if competently implemented and application key mgt is likewise competent, could be better than Fernet/Malört simile might imply.

Fernet also supported in Scala, Rust, Perl.

Malware has started using Fernet for their payloads!

Should Fernet-using Malware be called Malörtware ?

<SANS ISC>

Key management is hard

Craptocoyns aren’t crypto and aren’t coins

It’s Ponzi all the way down.

Bitcoin - the most successful bug bounty program ever

… continued …

Craptocoyns: Wallet Key loss = bankruptcy

“Craptocoyn startup loses wallet key”

<2023-09>

The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet—and the recovery key—and therefore $38.9 million. It is now in bankruptcy.

ironic name!

I can’t understand why anyone thinks these technologies are a good idea.

agree totally.

Craptocoyns: “MILKSAD”: Cryptographic Flaw in Libbitcoin Explorer Cryptocurrency Wallet

More Dunning-Kruger crapto? or intentional backdoor to facilitate thefts?

Low entropy, non-random seed (clock) renders a secure PRNG insecure; lib docs supposedly have caveat not to use the bx seed but general Bitcoin docs recommend using it for wallet generation.

“Never attribute to malice that which is adequately explained by incompetence.”

But … as a scam it looks pretty smooth.


The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from “bx seed” entropy output and steal funds.
(Affected users need to move funds to a secure new cryptocurrency wallet.)

NOTE: the vendor’s position is that there was sufficient documentation advising against “bx seed” but others disagree.
NOTE: this was exploited in the wild in June and July 2023.

From https://milksad.info/ :

Popular documentation like “Mastering Bitcoin” suggests the usage of bx seed for wallet generation.

Why the silly “Milk Sad” name? Running bx seed on 3.x versions with a system time of 0.0 always generates the following secret:

milk sad wage cup reward umbrella raven visa give list decorate bulb 
gold raise twenty fly manual stand float super gentle climb fold park

When?
The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023.
A separate but similar vulnerability in another wallet software was detected in November 2022 and actively exploited shortly after, which may be the prequel to this story.


Crypto News Feature: updating Post Quantum Cryptography

Review: What’s Quantum Computing?

See last year’s status

Quantum Superposition when used for computing.


Such bits are in quantum superposition of True and False, which is a bug in classical computing but a feature in QC.

This allows non-deterministic algorithms.


Review: Kinds of Quantum Hardware


In theory, algorithms for these hardware types can use non-deterministic parallelism to evade classical performance limits, and in particular, could allow factoring fast enough to be dangerous, provided big enough quantum circuits can be made to work.


Review: We’re discussing PQC before QC?

Yes !

(Chinese Space Agency claimed to have demonstrated?)

Review: What’s the problem?


Every unbreakable cipher has been broken eventually (at least partially1).

20thC RSA and other PKI not guaranteed proof against either of:

<Schor’s Algorithm> in theory would factor fast on enough quantum circuits but 21 is not a large number yet. (see also Wikipedia. Some say 433 bits on IBM Osprey QC is enough for RSA2048 with Schor’s algo needing 372 Qubits (with pre-processing and post-processing), but will it work? Schneier and Schor doubt it. Shouldn’t someone try it?)

Other probabilistic quantum algorithms (Grover, GEECM, Variational Quantum Factoring (VQF)) can do some much bigger numbers (which may just define new class of unsafe primes??), and with classical pre-processing, can use a much smaller number of qubits than the ^obvious^ log2N.

not clear this will ever be able to generally break RSA4096, but it’s not impossible, so prudent to plan for that day.


Review: Generalization of Forward Secrecy


* VENONA: It worked Once! {[BLU Sept 2018](http://blu.org/meetings/2018/09/)}
* We now have a Vacuum Cleaner of Holding (_Greenpeace photo c/o Wikimedia_)

So yes, it can happen again.

Normal Forward Secrecy requires that if e.g. the Host Key is compromised later, any retained cryptograms sent with nonce keys negotiated with the compromised Host Key aren’t also compromised.

This is nice, but we’d also like to protect against advances of technology, e.g. fast factoring or solutions of discrete logs.

This may not be within your threat model, yet, but in dystopian plausible futures, things you’ve already discussed/downloaded might be retroactively illegal/disloyal and oops.


Review: NIST’s Post-Quantum Cryptography Standards

The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. – NIST


and have it ready for use not only before quantum breakthrough but early enough (roughly now) that anyone who wishes to avoid save-intercepts-now-to-break later; although it may already be too late WRTO NSA archive?


Review: NIST PQC Competition

National Institute of Standards & Technology started a multi-round competition, similar to with AES and SHA3 competitions


NIST, the Bureaucracy formerly known as NBS.

This competition was “more brutal” than prior; of 69 candidates, peer cryptanalysis has broken 62. So far.


PQC 2023

Quantum Cracking / PQC Update

[2023.02.28] CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.

OTOH as seen in TETRA:BURST, a side-channel attack can be used to extract key or algorithm from a piece of equipment that falls into opponent lab.

NIST PQC Schedule

https://www.nist.gov/programs-projects/post-quantum-cryptography

REVIEW: Known weaknesses

Isn’t non-random or uniformly-blank Salt an unlikely failure?

No. It’s happened.


Lack of randomness failure isn’t just hypothetical, lots of SSH keys got invalidated in 2008 because they were well-known-primes.

(WTF? Yep. Debian packagers applying normal best practices where they shouldn’t even touch had removed the entropy-harvesting because Valgrind and Purify gave “accessing uninitialized memory” warnings. Well yeah, that’s how we harvest entropy! Another problem (mostly solved?) is host key generation at VM start - the VM’s entropy is rather deterministic at that point. Similarly, optimizing compilers removing zeroing memory prior to releasing it can allow keys to leak into the memory pool. Cryptographic software is an ongoing a battle against computer ^science^ that ^knows better^.)

And failure to salt wouldn’t surprise me when non-specialists (applications developers, database programmers, protocol developers) who should stick to packaged PKI use-case libraries (e.g. NaCl) try to use cryptographic primitive routines directly to avoid dependencies.)

And 2023 has a few more low-entropy initialization examples added to the list!


History Vignette - Philips PX-1000Cr - NSA and the consumer

Text Lite “pocket telex” / pocket teletype

NSA Logo + PS1000 mashup by Klaus Schmeh
red-code-button - Crypto Museum.jpg


Analysis Timeline


PX-1000 internals NL Crypto Museum.jpg

As far as I understand it, Marsiske converted the encryption scheme into a Boolean function, which he was able to solve using a SAT solver. – Klaus Schmeh

Boolean functional equivalent - Stef

(SAT solver=“theorem prover” ie. analogous to Prolog and related resolution theorem provers, but specifically optimized for the “Boolean satisfiability problem”; NP-complete in general but tractable in normal cases. 50 seconds on a single modern thread might have been too slow for easy NSA cracking in 1985-1995, but likely still cheaper on NSA’s CRAY-1, CRAY-MP, & CRAY-2, than DES key search. Effectively solving multiple equations but over binary variables instead of natural numbers or wild floats.)

DES by Brute Force: Estimated cost of a specialized hardware dedicated DES cracker dropped from $20M(1977) to $1M(1993), but that was theory as far as the open literature knows. One might presume NSA and GCHQ could afford at least custom unit between them since they apparently could and did afford multiple CRAY-1 at $8M@, and so likely should be presumed to have had at least one and eventually several. But use of a singular or scarce resource would have had to have been prioritized, so unless a message was believed important it might never have been cracked. Practical custom hardware didn’t appear publicly until 1998 (EFF $250k). First open literature crack was 1997, using Internet screensaver cycles. As of 2012, and still on offer in 2023, a commercial custom server ($100K build) offered multiple levels of service and SLA (95% chance free if your NTLM challenge uses their known plaintext 1122334455667788 for which they boast “world’s largest rainbow table” (amortized cost of $20 if it fails 5% of time is $1@), and from $20 up-to $1000 for full keyspace search for other network tokens. Same or similar server presumably could attack full blocks at potentially higher prices, but that’s not turnkey there⎄. https://crack.sh/get-cracking/ https://crack.sh/#faq


Bibliography & Footnotes

My talks

The YouTube of this presentation will be linked on <BLU.org> along with these slides and extended notes etc as <2023-sep> as per usual.

Prior talks in this series - most talks have slides &/or YouTube attached, sometimes extras.
Alas the YouTube audio pre-pandemic wasn’t great, BLU will need a donation of a wireless clip-on mike if we ever return to Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset while presenting in person?

News + Focus

News and Focus sections have embedded links.

Good security news streams to either research history or to follow year round are https://www.schneier.com/crypto-gram/ and https://isc.sans.edu/, the latter being less cryptologic and more operational in focus – but both cover the wide span of vulnerabilities, tools, remediations, etc, not just the cryptologic that I’m cherry-picking here.
Highly recommended.
Start your day with the 5 minute SANS Internet Storm Center StormCast pod-cast; the Red Team is, so, so should you.

Historical Vignette - Bibliography specific for this year

Cryptologic History - general references


  1. See our prior discussions of GEE, VENONA for breaks of One Time Pad↩︎

  2. DSA-1571-1 openssl predictable random number generator <CVE-2008-0166> <Schneier> ↩︎