Sept 20, 2023
“Abundance of Caution” is C-suite lingo for “Oopsie, oh flying squirrel”
https://www.phoronix.com/news/OpenSSL-1-November-2022
CVE-2022-37786 and CVE-2022-3602
Second-ever OpenSSL critical vulnerability teased, 10 years after Heartbleed
downgraded from critical to merely high; but still important.
Jill (NatickFOSS) notes that this makes things harder on Executors. It requires both physiology and BT devices.
How do you change phones securely but prevent *jacking a phone change?
(Bob (NatickFOSS) says Fido alliance can provide a backup dongle for executors that overrides eyeball+phone in range?)
Changes for libgmpxx4ldbl versions: Installed version: None Available version: 2:6.2.0+dfsg-4ubuntu0.1 Version 2:6.2.0+dfsg-4ubuntu0.1:
Version 2:6.2.0+dfsg-4:
[ Steve Robbins ] * Add breaks for packages known to be broken by GMP 6.2.0. Closes: #950608.
[2022.12.26] Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse https://www.schneier.com/blog/archives/2022/12/lastpass-breach.html
possibly exploited to steal Craptocoyns ?!
Did victims have a weak passphrase, or were they actually victims of a Wallet breach and blaming it on LastPass ?
“Zenbleed” bug affects all Zen 2-based Ryzen, Threadripper, and EPYC CPUs.
July: <Ars>;
<CVE-2023-20593>;
all Zen 2 products in shared use. Fix has up-to 15% performance impact
except gaming? (Your gaming system ought not be running others’ work
anyway!)
<Cloudflare
analysis + remediation>
& August: <HN: Collide+Power, Downfall, Inception>; <Google Security Blog: Downfall + Zenbleed>
80-bit commercial export-semi-restricted TEA1 key has far less than 80 bits entropy, deemed intentional backdoor – one of 5 CVEs resulting from reverse engineering.
The also found inadequate entropy in IV, using spoof-able network
time, in the protocol, so applies to all TEA{1..4} levels.
Incompetence or backdoor? Unclear.
They used a cache-timing side-channel attack to extract the firmware algorithm once, from the one compliant manufacturer that included the least reverse-engineering countermeasures; only needed doing once, and exposed the proprietary licensed algorithm used by all more careful manufacturers.
Once again, Kerckhoffs’s principle or Shannon’s Maxim is re-validated; secrecy of the mechanism or algorithm is a false protection. It protects proprietary manufacturers from competition, but it does not protect the users’ (customers’!!) data. (Their paper/Slide-deck has a long list of other failures from ignoring Kerckhoffs’s principle.)
TEA1 was advertised pre-1997 as export-allowed to export-restricted nations, so the “80bit key” should have been understood by those knowledgeable in the art back then to have had a max useful strength of 40 bits anyway. That it was 32 instead of 40 is only mildly shocking - 32 is such a convenient number of bits - and that it was 32 and therefor OK for export was even shared back in the day somewhat. (Without Internet, it didn’t spread far until messages were rediscovered.)
So, that the export-allowed product was WEAK should NOT have surprised any customer! Calling that a Backdoor may be an overstatement; assumption was any encryption allowed for export to hostile regimes was crap by law. (OTOH the missing 8 bits of Internet 1.0 max legal export key are a 232/2^40 = ⎄1/128 complexity factor, the difference between brute-force cracking N keys per day vs N keys per calendar quarter.)
That TEA1 was still sold - or worse, bought! - so weakened after 1997 128-bit limit is the only shocker.
The weak, spoof-able entropy in the IV (Initialization Vector in block cipher modes) OTOH is possibly an intentional back door to make key reuse/collision compromises blindingly obvious to State Actor cognoscenti - which makes message and key recovery trivial in specific cases, and depending upon keying, can break a whole network for a day, week, year after one pair of messages is broken.
Tired: don’t implement your own cryptographic stack
Wired: have Chat-GPT write it for you
If you want greater efficiency in writing bugs …
Similarly, reports seen that AutoPilot etc will cough up someone else’s secret key in suggested source code for a secret-key encryption module. Because it memorizes whatever it sees, and regurgitates on command.
Fernet is Python recipe for symmetric encryption with authentication, using AES-128 CBC, SHA-256, PKCS#7 - so if competently implemented and application key mgt is likewise competent, could be better than Fernet/Malört simile might imply.
Fernet also supported in Scala, Rust, Perl.
Malware has started using Fernet for their payloads!
Should Fernet-using Malware be called Malörtware ?
<SANS ISC>
<2023-08>
Expired Microsoft signing key exfiltrated, use to sign
code then accepted by Azure! Spin-off of Solar Winds network management
vulnerabilities, compounded by not checking for key expiry.
as usual, a bad fail is a chain of bugs and vulnerabilities that
amplify one another.
Micro-Star International Signing Key Stolen <2023.05.15> aka MSI—had its UEFI signing key stolen last month.
Github ssh fiasco
and q.v. Prime Trust below
It’s Ponzi all the way down.
Bitcoin - the most successful bug bounty program ever
… continued …
“Craptocoyn startup loses wallet key”
<2023-09>
The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet—and the recovery key—and therefore $38.9 million. It is now in bankruptcy.
ironic name!
I can’t understand why anyone thinks these technologies are a good idea.
agree totally.
More Dunning-Kruger crapto? or intentional backdoor to facilitate thefts?
Low entropy, non-random seed (clock) renders a secure PRNG insecure;
lib docs supposedly have caveat not to use the bx seed but
general Bitcoin docs recommend using it for wallet generation.
“Never attribute to malice that which is adequately explained by incompetence.”
But … as a scam it looks pretty smooth.
The cryptocurrency wallet entropy seeding mechanism used in Libbitcoin Explorer 3.0.0 through 3.6.0 is weak, aka the Milk Sad issue. The use of an mt19937 Mersenne Twister PRNG restricts the internal entropy to 32 bits regardless of settings. This allows remote attackers to recover any wallet private keys generated from “bx seed” entropy output and steal funds.
(Affected users need to move funds to a secure new cryptocurrency wallet.)
NOTE: the vendor’s position is that there was sufficient documentation advising against “bx seed” but others disagree.
NOTE: this was exploited in the wild in June and July 2023.
From https://milksad.info/ :
Popular documentation like “Mastering Bitcoin” suggests the usage of
bx seedfor wallet generation.
Why the silly “Milk Sad” name? Running bx seed on 3.x versions with a system time of 0.0 always generates the following secret:
milk sad wage cup reward umbrella raven visa give list decorate bulb
gold raise twenty fly manual stand float super gentle climb fold parkWhen?
The main theft occurred around 12 July 2023, although initial exploitation likely began at a smaller scale in May 2023.
A separate but similar vulnerability in another wallet software was detected in November 2022 and actively exploited shortly after, which may be the prequel to this story.
See last year’s status
Quantum Superposition when used for computing.
Such bits are in quantum superposition of True and False, which is a bug in classical computing but a feature in QC.
This allows non-deterministic algorithms.
Quantum Annealing - big qubit counts, great for optimization problems
but not cryptology. (?yet?) Not general purpose.
Quantum Circuit/Logic - small numbers of qubits so far.
In theory, algorithms for these hardware types can use non-deterministic parallelism to evade classical performance limits, and in particular, could allow factoring fast enough to be dangerous, provided big enough quantum circuits can be made to work.
Yes !
(Chinese Space Agency claimed to have demonstrated?)
Quantum Cryptanalysis
Every unbreakable cipher has been broken eventually (at least partially1).
20thC RSA and other PKI not guaranteed proof against either of:
<Schor’s Algorithm> in theory would factor fast on enough quantum circuits but 21 is not a large number yet. (see also Wikipedia. Some say 433 bits on IBM Osprey QC is enough for RSA2048 with Schor’s algo needing 372 Qubits (with pre-processing and post-processing), but will it work? Schneier and Schor doubt it. Shouldn’t someone try it?)
Other probabilistic quantum algorithms (Grover, GEECM, Variational Quantum Factoring (VQF)) can do some much bigger numbers (which may just define new class of unsafe primes??), and with classical pre-processing, can use a much smaller number of qubits than the ^obvious^ log2N.
not clear this will ever be able to generally break RSA4096, but it’s not impossible, so prudent to plan for that day.
Classical “Forward Secrecy” - old messages not broken by later loss of host key
Generalized: old saved messages not broken by breakthroughs either.
Realistic threat? 
* VENONA: It worked Once! {[BLU Sept 2018](http://blu.org/meetings/2018/09/)}
* We now have a Vacuum Cleaner of Holding (_Greenpeace photo c/o Wikimedia_)So yes, it can happen again.
Normal Forward Secrecy requires that if e.g. the Host Key is compromised later, any retained cryptograms sent with nonce keys negotiated with the compromised Host Key aren’t also compromised.
This is nice, but we’d also like to protect against advances of technology, e.g. fast factoring or solutions of discrete logs.
This may not be within your threat model, yet, but in dystopian plausible futures, things you’ve already discussed/downloaded might be retroactively illegal/disloyal and oops.
The goal of post-quantum cryptography (also called quantum-resistant cryptography) is to develop cryptographic systems that are secure against both quantum and classical computers, and can interoperate with existing communications protocols and networks. – NIST
… and have it ready for use not only before quantum breakthrough but early enough (roughly now) that anyone who wishes to avoid save-intercepts-now-to-break later; although it may already be too late WRTO NSA archive?
National Institute of Standards & Technology started a multi-round competition, similar to with AES and SHA3 competitions
NIST, the Bureaucracy formerly known as NBS.
This competition was “more brutal” than prior; of 69 candidates, peer cryptanalysis has broken 62. So far.
RSA2048 in play or not? - Chinese academic paper claiming 2k bit RSA within range of current gen NON-fault-tolerant QC, no great surprise given Qubits available and theoretical algorithm size. Schor and Schneier unconvinced - does it actually converge w/o FT? <Schneier 2023-01>
[2023.02.28] CRYSTALS-Kyber is one of the public-key algorithms currently recommended by NIST as part of its post-quantum cryptography standardization process. Researchers have just published a side-channel attack—using power consumption—against an implementation of the algorithm that was supposed to be resistant against that sort of attack. The algorithm is not “broken” or “cracked”—despite headlines to the contrary—this is just a side-channel attack. What makes this work really interesting is that the researchers used a machine-learning model to train the system to exploit the side channel.
OTOH as seen in TETRA:BURST, a side-channel attack can be used to extract key or algorithm from a piece of equipment that falls into opponent lab.
FIPS Allowed.FIPS Approved.https://www.nist.gov/programs-projects/post-quantum-cryptography
No. It’s happened.
random2
which compromised many SSH keys.Lack of randomness failure isn’t just hypothetical, lots of SSH keys got invalidated in 2008 because they were well-known-primes.
(WTF? Yep. Debian packagers applying normal best practices where they shouldn’t even touch had removed the entropy-harvesting because Valgrind and Purify gave “accessing uninitialized memory” warnings. Well yeah, that’s how we harvest entropy! Another problem (mostly solved?) is host key generation at VM start - the VM’s entropy is rather deterministic at that point. Similarly, optimizing compilers removing zeroing memory prior to releasing it can allow keys to leak into the memory pool. Cryptographic software is an ongoing a battle against computer ^science^ that ^knows better^.)
And failure to salt wouldn’t surprise me when non-specialists (applications developers, database programmers, protocol developers) who should stick to packaged PKI use-case libraries (e.g. NaCl) try to use cryptographic primitive routines directly to avoid dependencies.)
And 2023 has a few more low-entropy initialization examples added to the list!
As far as I understand it, Marsiske converted the encryption scheme into a Boolean function, which he was able to solve using a SAT solver. – Klaus Schmeh
(SAT solver=“theorem prover” ie. analogous to Prolog and related resolution theorem provers, but specifically optimized for the “Boolean satisfiability problem”; NP-complete in general but tractable in normal cases. 50 seconds on a single modern thread might have been too slow for easy NSA cracking in 1985-1995, but likely still cheaper on NSA’s CRAY-1, CRAY-MP, & CRAY-2, than DES key search. Effectively solving multiple equations but over binary variables instead of natural numbers or wild floats.)
DES by Brute Force: Estimated cost of a specialized
hardware dedicated DES cracker dropped from $20M(1977) to $1M(1993), but
that was theory as far as the open literature knows. One might
presume NSA and GCHQ could afford at least custom unit between them
since they apparently could and did afford multiple CRAY-1 at $8M@, and
so likely should be presumed to have had at least one and
eventually several. But use of a singular or scarce resource would have
had to have been prioritized, so unless a message was believed important
it might never have been cracked. Practical custom hardware didn’t
appear publicly until 1998 (EFF $250k). First open literature crack was
1997, using Internet screensaver cycles. As of 2012, and still on offer
in 2023, a commercial custom server ($100K build) offered multiple
levels of service and SLA (95% chance free if your NTLM challenge uses
their known plaintext 1122334455667788 for which
they boast “world’s largest rainbow table” (amortized cost of $20 if it
fails 5% of time is $1@), and from $20 up-to $1000 for full keyspace
search for other network tokens. Same or similar server presumably could
attack full blocks at potentially higher prices, but that’s not turnkey
there⎄. https://crack.sh/get-cracking/ https://crack.sh/#faq
The YouTube of this presentation will be linked on <BLU.org> along with these slides and extended notes etc as <2023-sep> as per usual.
Prior talks in
this series - most talks have slides &/or YouTube
attached, sometimes extras.
Alas the YouTube audio pre-pandemic wasn’t great, BLU will need a
donation of a wireless clip-on mike if we ever return to
Hybrid/In-Person meetings. Or we all need to wear a wired or BT headset
while presenting in person?
News and Focus sections have embedded links.
Good security news streams to either research history or to follow
year round are https://www.schneier.com/crypto-gram/ and https://isc.sans.edu/, the
latter being less cryptologic and more operational in focus – but both
cover the wide span of vulnerabilities, tools, remediations, etc, not
just the cryptologic that I’m cherry-picking here.
Highly recommended.
Start your day with the 5 minute SANS Internet Storm Center
StormCast pod-cast; the Red Team is, so, so should you.
See our prior discussions of GEE, VENONA for breaks of One Time Pad↩︎
DSA-1571-1 openssl predictable random
number generator <CVE-2008-0166>
<Schneier>
↩︎