Date: Fri Dec 16 00:58:45 2005
From: coderman at gmail.com (coderman)
Subject: [JRSA_0x2fbcd0251e8d606ebbb595dccb685f9446f441a7320f912666fd8b3362f3bffe_15-Dec-2005] Software Based Cipher Implementation Vulnerabilities Security Advisory 15-Dec-2005

Software Based Cipher Implementation Vulnerabilities

Random (tm) Security Advisory 15-Dec-2005
by J. Random Expert, CPA, CISSP, CISM, CISA, CCNA, CCSE, CCSA, GCIA,
 GCIH, GCFW, GIAC, GSNA, GCFA, GCUX, GSEC, GSUX, QUE, GQUE, WTFBBQ.
contact: null@...il.com


I. BACKGROUND

We are experts on information security dedicated to bringing the public
the highest quality imitation products and services to protect against
all those dire security risks and impending integrity breeches that will
bankrupt and publicly humiliate you unless you purchase our services for
a reasonable recurring fee paid up front or net 30.


II. DESCRIPTION

Cryptography is the mysterious and complicated art of making information
look like entropy.  While the theory behind block and public key ciphers
is straightforward, the implementations are often flawed due to various
oversights.  We have empirically verified a class of cache and host
based timing side channel attacks against common processors and operating
systems which allows for 3DES, AES, RSA, DSA, ElGamal and Diffie-Hellman
secret key recovery remotely or via local exploit.  Hyper-threading
capabilities in newer processors can also be used to make local attacks
even more effective.

The basis for these attacks is the use of high resolution timing
information related to processing of specially crafted ciphertexts or
specific memory regions to discern secret key material based on its
representation in processor memory caches during encryption or decryption
operations.

This timing mechanism can be implemented across a low latency network or
using a local unprivileged helper process on the target host.  For the
technical details and theory behind these attacks please refer to the
following published materials:

  http://cr.yp.to/antiforgery/cachetiming-20050414.pdf
  http://www.daemonology.net/hyperthreading-considered-harmful/
  http://eprint.iacr.org/2005/368


III. ANALYSIS

Successful exploitation of the described vulnerabilities allows
unauthenticated remote attackers and authenticated local users to recover
key material used on the host for various private communication channels.
Compromise of these channels can lead to privilege escalation and / or
remote exploitation of vulnerable systems.

To gauge the feasibility of this attack we hired world renowned black
hat 'MacGyver' to demonstrate this exploit on actual systems owned by a
competitor of ours.  We can confirm that key recovery and full remote
exploitation of their IPsec VPN was attained using gcc, duct tape, and a
roll of cinnamon flavored dental floss.  Incriminating email evidence of
their pool dying prank at our annual Christmas party was recovered as
proof of our l33t'ness.  Suck it you losers, we knew it was you.

The Electronic Frontier Foundation has also independently verified this
vulnerability and launched a new 'Software Ciphers Suck!' campaign to
educate the public on the privacy dangers of using leaky cipher
implementations.  Sony BMG in particular was anxious to add this key
recovery exploit to their audio disc DRM rootkit.  Please contact our
sales department with exploit licensing inquiries.


IV. DETECTION

If you are using software cipher implementations on Intel, AMD, IBM or
SPARC processors you are vulnerable to this attack.  Other architectures
may have similar weaknesses but nobody gives a shit about them anyway.
All known operating systems executing on the aforementioned processors
are also assumed to be vulnerable.

NOTE: Those fortunate enough to live in a region where only mint or plain
dental floss is sold may not be vulnerable to the MacGyver remote key
recovery exploit.

Unix, BSD and Linux users can use the psrinfo utility or /proc/cpuinfo
file for more detailed processor identification.  Windows users have
bigger security holes to worry about.  Move along, move along...


V. WORKAROUNDS

Special program modifications that add redundant execution loops and
stack / heap padding can obfuscate timing information related to memory
cache and bus communication latencies.  In particular a general technique
described in the following paper can be used to reduce or eliminate the
potential for this attack:
  http://eprint.iacr.org/2005/368

Remember: five times slower and twice as fat is a feature, not a bug!
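To make the mechanism of sections II and V concrete, here is an added C example; it is not part of the original advisory nor code from any of the cited papers.  It models a first-round AES-style T-table lookup whose secret-dependent address reveals which cache line was touched (and hence the high nibble of plaintext XOR key), the candidate-elimination an attacker runs over those observations, and a data-oblivious lookup that reads the entire table so the same attacker learns nothing.  The per-lookup cache-line bitmask is a model standing in for prime+probe timing measurements; the table contents, the 64-byte line size, the key byte and the sample plaintexts are constructed assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Toy stand-in for an AES first-round T-table: 256 entries of 32 bits
 * (1024 bytes), indexed by plaintext_byte XOR key_byte.  Contents are
 * filler; only the memory access pattern matters for this model. */
#define TABLE_ENTRIES    256
#define CACHE_LINE_BYTES 64                                     /* assumed */
#define ENTRIES_PER_LINE (CACHE_LINE_BYTES / sizeof(uint32_t))  /* 16 */
#define MAX_SAMPLES      64

static uint32_t T[TABLE_ENTRIES];

static void init_table(void) {
    for (int i = 0; i < TABLE_ENTRIES; i++)
        T[i] = (uint32_t)i * 0x9E3779B1u;  /* filler, not a real S-box */
}

/* A lookup reports which of the 16 cache lines of T it touched as a bitmask.
 * This models what a prime+probe attacker measures with a timer: the line the
 * victim touched is the one that is slow for the attacker to re-read. */
typedef uint32_t (*lookup_fn)(uint8_t idx, uint16_t *lines_touched);

/* Textbook lookup: one load at a secret-dependent address, so the touched
 * line is idx / 16 and the high nibble of plaintext XOR key leaks. */
static uint32_t leaky_lookup(uint8_t idx, uint16_t *lines_touched) {
    *lines_touched |= (uint16_t)(1u << (idx / ENTRIES_PER_LINE));
    return T[idx];
}

/* Data-oblivious lookup: read every entry and keep the wanted one with a
 * branch-free mask, so every line is touched on every call.  This is the
 * "touch the whole table" countermeasure, at 256 loads instead of one. */
static uint32_t ct_lookup(uint8_t idx, uint16_t *lines_touched) {
    uint32_t out = 0;
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        uint32_t d = (uint32_t)(i ^ idx);
        /* all ones when d == 0, all zeros otherwise, without a branch */
        uint32_t mask = (uint32_t)(((uint64_t)d - 1u) >> 32);
        *lines_touched |= (uint16_t)(1u << (i / ENTRIES_PER_LINE));
        out |= T[i] & mask;
    }
    return out;
}

/* Victim side: process n chosen plaintext bytes under secret key byte `key`,
 * recording the attacker's observation for each sample. */
static void collect(lookup_fn lookup, uint8_t key, const uint8_t *pts,
                    size_t n, uint16_t *obs) {
    for (size_t j = 0; j < n; j++) {
        obs[j] = 0;
        (void)lookup((uint8_t)(pts[j] ^ key), &obs[j]);
    }
}

/* Attacker side: for candidate high nibble hk, the lookup would have hit
 * line (pts[j] >> 4) ^ hk.  Keep candidates consistent with every sample.
 * Returns the nibble if exactly one survives, -1 if it cannot be singled out. */
static int recover_high_nibble(const uint8_t *pts, const uint16_t *obs, size_t n) {
    int survivors = 0, found = -1;
    for (int hk = 0; hk < 16; hk++) {
        int consistent = 1;
        for (size_t j = 0; j < n && consistent; j++) {
            int line = (pts[j] >> 4) ^ hk;
            consistent = (obs[j] >> line) & 1;
        }
        if (consistent) { survivors++; found = hk; }
    }
    return survivors == 1 ? found : -1;
}

/* End-to-end run of the attack against one lookup implementation. */
static int attack(lookup_fn lookup, uint8_t key, const uint8_t *pts, size_t n) {
    uint16_t obs[MAX_SAMPLES];
    if (n > MAX_SAMPLES) n = MAX_SAMPLES;
    init_table();
    collect(lookup, key, pts, n, obs);
    return recover_high_nibble(pts, obs, n);
}

/* Sanity check: the oblivious lookup returns the same value as the plain one
 * for every index and always touches all 16 lines. */
static int ct_lookup_is_correct(void) {
    init_table();
    for (int i = 0; i < TABLE_ENTRIES; i++) {
        uint16_t a = 0, b = 0;
        if (ct_lookup((uint8_t)i, &a) != leaky_lookup((uint8_t)i, &b)) return 0;
        if (a != 0xffff || b != (1u << (i / ENTRIES_PER_LINE))) return 0;
    }
    return 1;
}

/* Constructed sample plaintext bytes, not from any real capture. */
static const uint8_t SAMPLE_PTS[8] = {0x00, 0x3c, 0x7f, 0x91, 0xa5, 0xc8, 0xe2, 0xff};

int main(void) {
    uint8_t key = 0x6b;  /* assumed secret; the attacker wants its high nibble, 6 */
    printf("table lookup : recovered high nibble %d (expected %d)\n",
           attack(leaky_lookup, key, SAMPLE_PTS, 8), key >> 4);
    printf("oblivious    : recovered high nibble %d (-1 = nothing leaked)\n",
           attack(ct_lookup, key, SAMPLE_PTS, 8));
    return 0;
}
```

Against the leaky lookup a single chosen plaintext already pins down the nibble, which is the per-cache-line leak of the first-round index that the eprint 2005/368 paper exploits; against the oblivious lookup all 16 candidates survive.  Two caveats for anyone porting this beyond the model: a real measurement is noisy and needs many samples and statistics rather than one clean bit per lookup, and a compiler is free to turn the masked selection back into a branch or a single load, so constant-time code has to be checked at the assembly level, not just in source.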

The use of perfect forward secrecy and frequent key rotation may reduce
the potential for successful exploitation.

If at all possible, hardware cipher implementations for offload of
cryptographic processing are highly recommended.  VIA's Padlock Engine
is particularly attractive:
  http://www.via.com.tw/en/initiatives/padlock/hardware.jsp

You losers stuck with Intel/AMD/IBM/Slowlaris procs can always buy a PCI
based crypto accelerator:
  http://www.soekris.com/vpn1401.htm

There are unsubstantiated reports that a properly designed tin foil hat
placed directly above the processor fan may protect L1/L2 cache lines in
the Intel family of processors.  Please see the following for details on
proper foil hat engineering:
  http://people.csail.mit.edu/rahimi/helmet/


VI. VENDOR RESPONSES

The following vendors were contacted and their responses are provided
in whole:

<Intel> We suggest buying the latest Itanium processors for the best
        in cryptographic throughput and innovative computing!

<AMD> We suggest buying the latest 64bit AMD processors for the best
      in cryptographic throughput and innovative computing!

<IBM> We suggest buying the latest Power5 space heaters for the best
      in cryptographic throughput and innovative computing!

<Sun> We suggest using Java to deploy secure software solutions!

<$TLA> How much to shut you up, Random?  Everybody has a price and we've
       got one phat fiscal budget with very little oversight...


VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project publishes the CVE
list (http://cve.mitre.org), which standardizes names for security
problems.  They laughed at us when we reported this serious
vulnerability.  Clearly they have sold out to The Man.


VIII. DISCLOSURE TIMELINE

04/20/1984 Initial vendor notification
06/05/2003 Initial vendor responses
12/15/2005 Full disclosure


IX. CREDITS

This class of vulnerability was discovered by Marian Rejewski, a good
seventy years ago.

Become a paid corporate security whore:
  http://www.iDefense.com/poi/teams/vcp.jsp

Learn to h4x0r like the best kiddies around:
  http://www.sans.org/index.php

Special thanks to n3td3v who will take credit for this advisory despite
no understanding of side channel attacks or even cryptography in general.


X. LEGAL NOTICE

Copyright (C) 2005
 J. Random Expert Information Security Enterprise Consortium, Inc.

Permission is granted for the redistribution of this advisory
electronically or in any other manner you so desire.  It may not be
edited in any way without the express written consent of J. Random
Expert Information Security Enterprise Consortium, Inc. and filed in
triplicate with a registered notary public.

Disclaimer: The information in this advisory is believed to be snarky and
accurate at the time of publishing based on currently available
information.  There are no warranties or expectations of quality with
regard to this information.  Neither the author nor the publisher accepts any
liability for any direct, indirect, or consequential loss or damage
arising from use of, or reliance on, this information.  All trademarks
and registered names are the property of their respective owners.

Amen.
