Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-19 Thread Marcus Meissner
On Sat, Aug 18, 2012 at 04:00:20PM -0700, coderman wrote:
 Dan just released DakaRand
   http://dankaminsky.com/2012/08/15/dakarand/
 
 src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz
 
 while admitting that "Matt Blaze has essentially disowned this
 approach, and seems to be honestly horrified that I’m revisiting it"
 and "Let me be the first to say, I don’t know that this works." this
 mode would greatly reduce, maybe eliminate the incidence of key
 duplication in large sample sets (e.g. visibly poor entropy for key
 generation)
 
 the weak keys[0] authors clearly posit that they have detected merely
 the most obvious and readily accessible poor keys, and that further
 attacks against generator state could yield even more vulnerable
 pairs... you have been warned :P
 
 the solution is adding hw entropy[1][2] to the mix. anything less is
 doing it wrong!
 
 if you don't have hw entropy, adding dakarand is better than not.

Lots of people are using haveged already, it operates on a similar principle.

http://www.issihosts.com/haveged/

Ciao, Marcus

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-19 Thread Robert Kim App and Facebook Marketing
 DakaRand seems to work inside of VM's too

Dan, if you get any new revelations on it, please do make sure you post
using a different subject line. This one's getting really congested.

Thanks!

-- 
Robert Q Kim,
Trade Show Marketing Strategies VP
Sparkah Destination Event Management
http://www.youtube.com/watch?v=RrXcLCVkFds
2611 S Coast Highway
San Diego, CA 92007
310 598 1606

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-19 Thread Thor (Hammer of God)
Indeed.  When I first saw it, I thought someone was coming out of the closet!

t


On Aug 19, 2012, at 4:40 AM, Robert Kim App and Facebook Marketing 
evdo.hs...@gmail.com wrote:

  DakaRand seems to work inside of VM's too
 
 Dan, if you get any new revelations on it, please do make sure you post using 
 a different subject line. This one's getting really congested.
 
 Thanks!
 
 -- 
 Robert Q Kim,
 Trade Show Marketing Strategies VP
 Sparkah Destination Event Management
 http://www.youtube.com/watch?v=RrXcLCVkFds
 2611 S Coast Highway
 San Diego, CA 92007
 310 598 1606


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-18 Thread coderman
Dan just released DakaRand
  http://dankaminsky.com/2012/08/15/dakarand/

src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz

while admitting that "Matt Blaze has essentially disowned this
approach, and seems to be honestly horrified that I’m revisiting it"
and "Let me be the first to say, I don’t know that this works." this
mode would greatly reduce, maybe eliminate the incidence of key
duplication in large sample sets (e.g. visibly poor entropy for key
generation)

the weak keys[0] authors clearly posit that they have detected merely
the most obvious and readily accessible poor keys, and that further
attacks against generator state could yield even more vulnerable
pairs... you have been warned :P

the solution is adding hw entropy[1][2] to the mix. anything less is
doing it wrong!

if you don't have hw entropy, adding dakarand is better than not.

0. Mining Your Ps and Qs: Detection of Widespread Weak Keys in
Network Devices - Extended
  https://factorable.net/weakkeys12.extended.pdf

1. Intel RNG
  http://lists.randombit.net/pipermail/cryptography/2012-June/002995.html
 see also by thread:
http://lists.randombit.net/pipermail/cryptography/2012-June/thread.html#2995

2. xstore
 
http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/rng_prog_guide.pdf

X. LD 50 radiation exposure of the common pigeon. entropy via carrier
pigeon (DRAFT)
 ;P

P.P.S: if you're not passing valid hw entropy into VM guests, you're
also doing it wrong. even enough passed at boot is sufficient,
provided key generation is secure. always a million caveats... and
adding dakarand to guests is better than not.


On Wed, Jul 18, 2012 at 12:35 PM, coderman coder...@gmail.com wrote:
 On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
 ...
 Don't we have hardware RNG in most motherboard chipsets nowadays?

 clearly not enough of them!

 'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
 https://factorable.net/weakkeys12.extended.pdf



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-08-18 Thread Dan Kaminsky
Yeah, turns out RNG's *aren't* on most motherboards.  Thus, DakaRand.

The biggest surprise of this entire adventure is that DakaRand seems to
work inside of VM's too.  Didn't expect that at all.  But then, I think
it's going to take some time to analyze what's going on here.

On Sat, Aug 18, 2012 at 4:00 PM, coderman coder...@gmail.com wrote:

 Dan just released DakaRand
   http://dankaminsky.com/2012/08/15/dakarand/

 src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz

 while admitting that "Matt Blaze has essentially disowned this
 approach, and seems to be honestly horrified that I’m revisiting it"
 and "Let me be the first to say, I don’t know that this works." this
 mode would greatly reduce, maybe eliminate the incidence of key
 duplication in large sample sets (e.g. visibly poor entropy for key
 generation)

 the weak keys[0] authors clearly posit that they have detected merely
 the most obvious and readily accessible poor keys, and that further
 attacks against generator state could yield even more vulnerable
 pairs... you have been warned :P

 the solution is adding hw entropy[1][2] to the mix. anything less is
 doing it wrong!

 if you don't have hw entropy, adding dakarand is better than not.

 0. Mining Your Ps and Qs: Detection of Widespread Weak Keys in
 Network Devices - Extended
   https://factorable.net/weakkeys12.extended.pdf

 1. Intel RNG
   http://lists.randombit.net/pipermail/cryptography/2012-June/002995.html
  see also by thread:

 http://lists.randombit.net/pipermail/cryptography/2012-June/thread.html#2995

 2. xstore

 http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/rng_prog_guide.pdf

 X. LD 50 radiation exposure of the common pigeon. entropy via carrier
 pigeon (DRAFT)
  ;P

 P.P.S: if you're not passing valid hw entropy into VM guests, you're
 also doing it wrong. even enough passed at boot is sufficient,
 provided key generation is secure. always a million caveats... and
 adding dakarand to guests is better than not.


 On Wed, Jul 18, 2012 at 12:35 PM, coderman coder...@gmail.com wrote:
  On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
  ...
  Don't we have hardware RNG in most motherboard chipsets nowadays?
 
  clearly not enough of them!
 
  'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network
 Devices'
  https://factorable.net/weakkeys12.extended.pdf


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2012-07-18 Thread coderman
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
 ...
 Don't we have hardware RNG in most motherboard chipsets nowadays?

clearly not enough of them!

'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices'
https://factorable.net/weakkeys12.extended.pdf


RSA and DSA can fail catastrophically when used with malfunctioning
random number generators, but the extent to which these problems arise
in practice has never been comprehensively studied at Internet scale.
We perform the largest ever network survey of TLS and SSH servers and
present evidence that vulnerable keys are surprisingly widespread.

We find that 0.75% of TLS certificates share keys due to insufficient
entropy during key generation, and we suspect that another 1.70% come
from the same faulty implementations and may be susceptible to
compromise.

Even more alarmingly, we are able to obtain RSA private keys for 0.50%
of TLS hosts and 0.03% of SSH hosts, because their public keys shared
nontrivial common factors due to entropy problems, and DSA private
keys for 1.03% of SSH hosts, because of insufficient signature
randomness. We cluster and investigate the vulnerable hosts, finding
that the vast majority appear to be headless or embedded devices.


infosec comedy gold :P


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-27 Thread decoder
On 12/25/2010 08:10 AM, BMF wrote:
 On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
 Don't we have hardware RNG in most motherboard chipsets nowadays?
 Do we? By what mechanism do they operate? 
There are several external (USB/PCI) devices which operate either on
analog effects (using for example a PLL) or even digital effects such
as circuit jitter. I've implemented this on an FPGA before using
repeated open/close of a short circuit that contains several inverters.
The result is based on the underlying logic blocks which contain jitter
due to the production process. There are several papers available on
that topic (search for "true hardware RNG FPGA" for example).

As for internal (on-board) RNGs, there is for example the TPM. If you
have a TPM on your mainboard, then you can use it as an RNG. The TPM
specification recommends using clock jitter and thermal noise in the
chip to seed a state machine that will perform the actual random number
generation through hashing/mixing (so it's not a direct source of
hardware randomness but rather a seeded PRNG).

To find out about the quality of such an RNG, one can collect a
sufficiently large sample and then run RNG tests on it, such as NIST's
tests (http://csrc.nist.gov/groups/ST/toolkit/rng/index.html) or
external tools like dieharder
(http://www.phy.duke.edu/~rgb/General/dieharder.php).


Best,


Chris







Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-26 Thread Marsh Ray
On 12/25/2010 04:47 PM, coderman wrote:

 a torrent of raw output is preferable to a smaller stream of whitened,
 more random bits. there are a million kitschy ways to collect
 entropy like lava lamp cams and Bernoulli effects across your spinning
 disks.

Yes, and this is why professional cryptographers always leave the room 
as soon as the topic of entropy collection comes up: it inevitably ends 
up with a lot of amateurs arguing about the relative merits of diode 
junctions vs hamster cams.

(oh yeah, I went there) http://www.youtube.com/watch?v=a1Y73sPHKxw

There have been some high-profile breaks because of insufficient 
entropy, for example Netscape Navigator (Wagner 1996) and Debian OpenSSL 
(CVE-2008-0166). But those were total boneheaded screwups, I'm not aware 
of any cases where the implementers did a halfway competent job of 
estimating entropy input, seeding with at least 128 bits of it before 
key generation, and the resulting system was broken. Somebody come up 
with some examples.

So I'm not convinced that entropy collection is hard.

I think it's probably more accurate to say:
* Accurate estimation of collected entropy is hard
* Gathering entropy quickly after power-on in WRT-54G hardware is hard
* Communicating the assumptions of sufficient entropy made by other 
parts of the system is hard.

This is important to get right because when people hear entropy 
collection is hard they become willing to throw common sense to the 
wind and adopt cures which are worse than the disease. E.g. OpenBSD 
substituting RC4 keyed by 64Kbit LFSRs for an established design.

- Marsh



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread cpolish
BMF wrote:
 Dan Kaminsky d...@doxpara.com wrote:
  Don't we have hardware RNG in most motherboard chipsets nowadays?
 
 Do we? By what mechanism do they operate? Thermal noise seems the
 easiest way to go although I have always preferred the idea of
 sampling random radioactive decay simply for the purity of the
 immediate result. What is the quality of the entropy of the devices
 you speak of? How fast do they generate entropy? I have heard nothing
 about this. How could I tell if my machine had hw rng built in?
 
 Some i810 series chipsets have hw rng. There is also the Intel 80802
 Firmware Hub chip that nobody seems to use anymore. I have heard of
 people pointing webcams at lava lamps and such to get random numbers.
 
Check out Markus Jakobsson et al, "A Practical Secure Physical Random
Bit Generator", 1998, using the turbulence of airflow inside the drive
as the source of randomness. Can't do much better than that.
-- 
Charles Polisher



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread BMF
On Sat, Dec 25, 2010 at 2:12 PM,  cpol...@surewest.net wrote:
 Check out Markus Jakobsson et al, "A Practical Secure Physical Random
 Bit Generator", 1998, using the turbulence of airflow inside the drive
 as the source of randomness. Can't do much better than that.

I read that when it came out. I am quite familiar with turbulent
boundary layers. Nobody sells hardware (hard drives, in this case)
which actually implements the technique. All of my original queries
still stand.

BMF



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread coderman
 On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
 Don't we have hardware RNG in most motherboard chipsets nowadays?

On Fri, Dec 24, 2010 at 11:10 PM, BMF badmotherfs...@gmail.com wrote:
 Do we? By what mechanism do they operate? Thermal noise seems the
 easiest way to go

a plethora of options abound.

a torrent of raw output is preferable to a smaller stream of whitened,
more random bits. there are a million kitschy ways to collect
entropy like lava lamp cams and Bernoulli effects across your spinning
disks.

the key idea being that an entropy daemon (reduced priv. in userspace)
will validate the incoming raw stream to satisfaction, guarding
against physical errors (hw producing stream of 0 bits) or degradation
(abrupt / unacceptable level of bias; sanity checks failing raw stream
- see FIPS long runs, monobit, other basic "it's not clearly broken"
checks). [0]

incidentally marsh ray, this is why no hw to kernel random feed is a
feature, not a bug, regarding your earlier post. as long as an entropy
daemon has a mechanism to feed into the kernel pool you are golden -
this is the proper way to incorporate a hw source into overall host /
application entropy needs. (can be as easy as writing to /dev/random
and handling writable state events on fd to replenish kernel pool for
all uses.)

and as always, you can never prove something is random or guarantee an
entropy density. at best you're making an educated guess and weeding
out what is clearly not random. (this fact makes for fun
complications)



 ... although I have always preferred the idea of
 sampling random radioactive decay simply for the purity of the
 immediate result.

so elegant. just harder to get on die  *grin*



 What is the quality of the entropy of the devices
 you speak of? How fast do they generate entropy?

my favorite is the XSTORE instruction in padlock engine. it is good
quality with published design and independently validated
implementation capable of 120Mbps+ on newer processors - more than
you'll ever need. n2rng on SPARC T2 also great.

there are many decent hw sources in various platforms from AMD, Intel,
SPARC, and hardware security modules / crypto accelerators from
numerous others. all depends on your application and kit...  also many
that suck. do your homework :)



 How could I tell if my machine had hw rng built in?

cat /proc/cpuinfo for flags,
lspci | lsusb for accelerator / bus devices,
and/or start host entropy service (rngd, mtrngd, cryptoki, etc.)

sadly, these physical sources are not nearly as plentiful as they
should be, and even if present rarely does the host operating system
and applications make use of it.



 ... I have heard of
 people pointing webcams at lava lamps and such to get random numbers.

there should be an award for creative entropy; this is one of the
saner sources people have built ;)



0. Sanity checks on hw sources to include, but not limited to:
- volume of at least 80 megabits under consideration and 1500 Byte to
4kB validation before mixing with host pool.
- FIPS 140-1 suite
- run length variance
- column, overall, block means
- random walk test
- spectral analysis w/ high, med, low, smoothing and correlation adjustment
- 8,16 bit Maurer tests
- 4,8,16 bit monkey tests
- Kolmogorov-Smirnov trend test
- anything else useful?

this still leaves the difficult task of determining the acceptable
limits and tunable parameters for your specific hardware sources,
entropy daemon settings, and profile of entropy consumption in
applications, network stacks, and kernel.

did i mention good entropy is hard?

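The "it's not clearly broken" checks coderman describes above (FIPS long runs, monobit, and the FIPS 140-1 suite listed in footnote 0), implemented the way an entropy daemon would run them over a 20,000-bit raw sample before mixing it into the host pool. This is an added example, not code from the thread or from any tool named in it. The three input streams are constructed (an all-zero "dead" source, a 0101 oscillating source, and a SHA-256 counter stream standing in for a healthy source); the acceptance intervals are those of FIPS 140-1 section 4.11.1.

```python
"""FIPS 140-1 power-up statistical tests (monobit, poker, runs, long run)
applied to a 20,000-bit sample, as an entropy daemon might do before mixing
raw hardware bits into the host pool.  Added example; the sample streams
below are constructed, not captured from real hardware."""
import hashlib
from collections import Counter

SAMPLE_BITS = 20000            # FIPS 140-1 tests are defined on exactly 20,000 bits
SAMPLE_BYTES = SAMPLE_BITS // 8

# Acceptance intervals from FIPS 140-1 section 4.11.1
MONOBIT_BOUNDS = (9654, 10346)           # strict: 9654 < ones < 10346
POKER_BOUNDS = (1.03, 57.4)              # strict: 1.03 < X < 57.4
RUN_BOUNDS = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}  # key 6 means "6 or longer"
LONG_RUN_LIMIT = 34                      # any run of 34+ identical bits fails


def to_bits(data):
    """Expand bytes into a list of 0/1 ints, most significant bit first."""
    return [(byte >> (7 - i)) & 1 for byte in data for i in range(8)]


def run_lengths(bits):
    """Return ({0: Counter, 1: Counter} of run lengths capped at 6, longest run)."""
    runs = {0: Counter(), 1: Counter()}
    longest = 0
    current, length = bits[0], 1
    for b in bits[1:]:
        if b == current:
            length += 1
        else:
            runs[current][min(length, 6)] += 1
            longest = max(longest, length)
            current, length = b, 1
    runs[current][min(length, 6)] += 1
    return runs, max(longest, length)


def fips_140_1(data):
    """Run the four FIPS 140-1 tests on the first 2,500 bytes of data.
    Returns {test_name: passed}."""
    if len(data) < SAMPLE_BYTES:
        raise ValueError("need at least %d bytes" % SAMPLE_BYTES)
    bits = to_bits(data[:SAMPLE_BYTES])

    # Monobit: the number of ones must sit in a narrow band around 10,000
    ones = sum(bits)
    monobit_ok = MONOBIT_BOUNDS[0] < ones < MONOBIT_BOUNDS[1]

    # Poker: the 5,000 non-overlapping 4-bit nibbles should be roughly evenly spread
    nibbles = Counter((bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
                      for i in range(0, SAMPLE_BITS, 4))
    x = (16.0 / 5000) * sum(c * c for c in nibbles.values()) - 5000
    poker_ok = POKER_BOUNDS[0] < x < POKER_BOUNDS[1]

    # Runs: for each bit value, the counts of runs of length 1..5 and 6+ must be in range
    runs, longest = run_lengths(bits)
    runs_ok = all(RUN_BOUNDS[n][0] <= runs[v][n] <= RUN_BOUNDS[n][1]
                  for v in (0, 1) for n in RUN_BOUNDS)

    # Long run: a stuck or degraded source shows up as a run of 34+ identical bits
    long_run_ok = longest < LONG_RUN_LIMIT

    return {"monobit": monobit_ok, "poker": poker_ok,
            "runs": runs_ok, "long_run": long_run_ok}


def failed_tests(data):
    """Sorted names of the FIPS 140-1 tests the sample fails (empty list = accept)."""
    return sorted(name for name, ok in fips_140_1(data).items() if not ok)


# Constructed samples standing in for raw hardware output:
DEAD_SOURCE = bytes(SAMPLE_BYTES)                # hw stuck producing all-zero bits
OSCILLATING_SOURCE = b"\x55" * SAMPLE_BYTES      # 0101...: perfectly balanced, zero randomness
GOOD_SOURCE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest()
                       for i in range(SAMPLE_BYTES // 32 + 1))[:SAMPLE_BYTES]  # healthy stand-in

if __name__ == "__main__":
    for label, sample in (("dead", DEAD_SOURCE), ("oscillating", OSCILLATING_SOURCE),
                          ("good", GOOD_SOURCE)):
        failed = failed_tests(sample)
        print("%-12s %s" % (label, "ACCEPT" if not failed else "REJECT: " + ", ".join(failed)))
```

The oscillating stream is the instructive case: it passes the monobit test (exactly half ones) and the long-run check, and is caught only by the poker and runs tests, which is why a daemon should run the whole suite rather than a single bias count before trusting a source.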


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread coderman
On Sat, Dec 25, 2010 at 2:12 PM,  cpol...@surewest.net wrote:
 ...
 Check out Markus Jakobsson et al, "A Practical Secure Physical Random
 Bit Generator", 1998, using the turbulence of airflow inside the drive
 as the source of randomness. Can't do much better than that.

how much turbulence does my SLC FDE make?

the reason i prefer on die is that pre-boot operations and/or host
init can make use of these sources via built-in facilities without
need for additional drivers to external devices that may in turn
require bus initialization and interrupt allocation, and so on, etc.

likewise, if bootstrapping a secure network requires strong random
numbers a network based entropy distribution setup to hosts without
their own physical sources is not so useful for that task.

there are many other considerations weighing toward on-die
implementations, like clock and sample rates, but proper hardware
entropy engineering is a verbose tangent way too long for this already
meandering discussion... [0]

:)



0. if you're really curious, check out Cryptographic Hardware and
Embedded Systems proceedings, any hw design texts by authors of these
proceedings, and then you'll know what your known unknowns are and can
brazenly blaze forward into the esoteric or halt early satisfyingly
convincing yourself that you could give two shits about what it takes
to build proper kit.



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread Dan Kaminsky


Sent from my iPhone

On Dec 25, 2010, at 2:38 PM, BMF badmotherfs...@gmail.com wrote:

 On Sat, Dec 25, 2010 at 2:12 PM,  cpol...@surewest.net wrote:
 Check out Markus Jakobsson et al, "A Practical Secure Physical Random
 Bit Generator", 1998, using the turbulence of airflow inside the drive
 as the source of randomness. Can't do much better than that.
 
 I read that when it came out. I am quite familiar with turbulent
 boundary layers. Nobody sells hardware (hard drives, in this case)
 which actually implements the technique. All of my original queries
 still stand.

Making noisy diodes isn't all that hard, AFAIK. You eliminate bias by only 
returning difference bits -- 01 is a 0, 10 is a 0. Whether the underlying 
silicon is in fact doing that...well, that's a question for the chip reversers. 

 
 BMF
 



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread coderman
i should have just linked to dieharder:
  http://www.phy.duke.edu/~rgb/General/dieharder.php


On Sat, Dec 25, 2010 at 2:47 PM, coderman coder...@gmail.com wrote:

 0. Sanity checks on hw sources to include
 ...
 - anything else useful?



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-25 Thread coderman
On Sat, Dec 25, 2010 at 2:43 PM, Dan Kaminsky d...@doxpara.com wrote:
 ...
 Making noisy diodes isn't all that hard, AFAIK. You eliminate bias by only 
 returning difference bits -- 01 is a 0, 10 is a 0. Whether the underlying 
 silicon is in fact doing that...well, that's a question for the chip 
 reversers.

noisy diodes, free spinning oscillators, ring oscillators, sub
samplings of above in complex structures, lots of options without lava
lamp or spinning platter craziness. [0]

as for eliminating bias, the von Neumann whitener as you describe
works well, but has unpredictable throughput. (that is, one
word/buffer may take longer to fill than the next depending on
generated bits, and at best you've got a significant reduction in
throughput.)

this is one reason it is preferable to read raw biased entropy at
maximum rate from the hardware source into an entropy daemon which
then validates hardware output before whitening, compressing, and/or
digesting read bits.

best regards, happy holidays, done beating this dead horse for now...

;)


0. there's a nice survey/list in chapter 4 of Cryptographic Engineering.
  http://books.google.com/books?isbn=0387718168

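The von Neumann whitener Dan Kaminsky sketches (a differing pair becomes one output bit, equal pairs are discarded) and the throughput problem coderman raises with it, as an added example that is not part of either post. It simulates a raw source with P(1) = 0.8 (constructed, not hardware output), de-biases it, and records how many raw bits each 32-bit output word cost. It also shows the extractor's independence assumption failing on a correlated 0101 source, which is the case behind coderman's advice to validate raw output before whitening.

```python
"""Von Neumann de-biasing of a raw hardware bit stream, showing why its
throughput is both reduced and unpredictable.  Added example; the biased
source below is simulated, not real hardware output."""
import random


def von_neumann(bits):
    """Map non-overlapping pairs 01 -> 0 and 10 -> 1; discard 00 and 11.
    For independent bits with P(1) = p, P(01) = P(10) = p(1-p), so the
    output is unbiased whatever p is.  Correlated input breaks this."""
    return [a for a, b in zip(bits[0::2], bits[1::2]) if a != b]


def input_cost_per_word(bits, word_bits=32):
    """Raw input bits consumed by each completed word of word_bits output bits.
    The spread of these costs is what makes buffer fill time unpredictable."""
    costs, consumed, produced = [], 0, 0
    for a, b in zip(bits[0::2], bits[1::2]):
        consumed += 2
        if a != b:
            produced += 1
            if produced == word_bits:
                costs.append(consumed)
                consumed, produced = 0, 0
    return costs


def biased_source(n, p_one, seed=1):
    """Simulated raw source of independent bits with P(1) = p_one (constructed)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]


def fraction_ones(bits):
    return sum(bits) / len(bits) if bits else 0.0


def summarize(n=200000, p_one=0.8):
    """Bias before/after whitening, yield, and the cheapest/most expensive 32-bit word."""
    raw = biased_source(n, p_one)
    out = von_neumann(raw)
    costs = input_cost_per_word(raw)
    return {
        "raw_bias": fraction_ones(raw),
        "out_bias": fraction_ones(out),
        "yield": len(out) / len(raw),   # expected p(1-p) = 0.16 output bits per input bit
        "min_cost": min(costs),         # raw bits consumed by the cheapest 32-bit word
        "max_cost": max(costs),         # ... and by the most expensive one
    }


if __name__ == "__main__":
    s = summarize()
    print("raw P(1)=%.3f  whitened P(1)=%.3f  yield=%.3f bits/bit"
          % (s["raw_bias"], s["out_bias"], s["yield"]))
    print("raw bits per 32-bit output word: min %d, max %d" % (s["min_cost"], s["max_cost"]))
    # A source stuck oscillating 0101... is not random, yet the whitener
    # happily turns it into a full-rate stream of zeros: validate first.
    print("oscillating source -> %r" % von_neumann([0, 1] * 8))
```

With p = 0.8 the output is balanced but only about 16% of the input rate survives, and the number of raw bits behind any given 32-bit word varies widely from word to word. The oscillating case is the sharper warning: the extractor emits a full-rate stream of zeros from a source with no entropy at all, so de-biasing is not a substitute for the raw-stream sanity checks discussed earlier in the thread.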


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Marsh Ray
 I agree that there's a good paper in this, I would love to see the
 entropy added by the multi-consumer model quantified, or even an upper
 bound placed on it.  In the past when I've given my talk on randomness
 in the OpenBSD network stack, I've discussed this and I always ask for
 someone to come forward with such a paper.

So there are these many hundreds of lines of entropy management code in 
OpenBSD implementing what is claimed to be a novel architecture for 
random number generation and yet this guy, who is going around giving 
talks on it, is expecting someone else to quantify it and come forward 
with a paper?

This is the kind of stuff that just doesn't make a bit of sense.

 Unfortunately I don't get the impression that the amateur cryptographers
 questioning the OpenBSD PRNG are qualified to produce such a paper (if
 they were, they wouldn't be mailing here, they'd be submitting it to
 real cryptographers for peer review)

The burden of proof lies with the amateur cryptographers making the 
security claims about it, not those questioning them.

- Marsh



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Григорий Братислава
Hello full disclosure!!!

I'd like to warn you about many things but not bucketing. However is
you must read and not be troll for you is to understand this for your
own. musntlive cannot be all everyone's guide to common sense.

A Provably Secure And Efficient Countermeasure Against Timing Attacks
http://eprint.iacr.org/2009/089.pdf

Vulnerability Bounds and Leakage Resilience of Blinded Cryptography
under Timing Attacks
http://users.cis.fiu.edu/~smithg/papers/csf10.pdf

In is musntlive's interpretation is everyone miss OpenBSD big picturuski:

a1) Hiding in plain sight
a2) Developer Deception

Is musntlive establish (proven: this is not theory) that developers
lied all along. So while is many cry troll, musntlive laugh and think
of Cassandra.

b1) Is OpenBSD not audit anything otherwise this not happen
b2) For those trolls (Schmehl) who state: `Someone would have caught
it` - they is forget that crypto is highly specialized and is all a
part of the corruption machine, there is none to catch [is see Juvenal
quote who watching watchers]
b3) We is now privy to see how Theo via foreign financial accounts is
tied into this - he can disprove this is he like but he is likely stay
shut
b4) Theo is come clean not to show public `I come clean I not know`
but more is to say `is I come clean before is beans spilled, everyone
is believe me`

[Response a1] Is because crypto implementation very hard is difficult
for to someone to audit is code. In normal programming a simple
operator can is change the entire game. Is difference between  and is
say  is all one need. For this we is now take into account 'salami
attacks' (do not is say musntlive not warn you)

[Response a2] Is everyone forget KGII (key goal is indicators) of
everything. Money is talk (see b3) and when is everyone is on the same
ledger[payroll] and is give geek dream job of one being superspyman,
egos run stupid. Geeks is like Jason is stupid for to government say:
Give is stupid nerd some Mountain Dew, mousepad, new laptop, he
ours! versus old school he is wants Ferrari, cash and ladies (see
Mafiosi requirements for cash).

When money is motivator is one be surprised at what someone is capable
of is... is. Is everyone too stupid to remember this or do everyone is
believe no one is above corruption particularisly FOSS developers.
(I is pity you is you think this)

[Response b1] Is who will come clean when all is dirty on the
developer team. 3 people on code all on the same covert team and is
one head honchoruski (Theo see b3) is getting kickbacks in covert
accounts

[Response b2] For Paul Schmehl and other trolls I is like to introduce
you to is Cassandra Complex
http://en.wikipedia.org/wiki/Cassandra_(metaphor)

[Response b3] http://www.youtube.com/watch?v=bjZRAvsZf1g

[Response b4] Theo is not to be believed on this whole matter see
Cassandra Complex


Happy Merry Jolly and is Merry Happy New Year.



Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread McGhee, Eddie
I is Love musntlive. 

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk 
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of  
Григорий Братислава
Sent: 24 December 2010 13:05
To: coderman
Cc: full-disclosure@lists.grok.org.uk; mic...@lucifer.net
Subject: Re: [Full-disclosure] how i stopped worrying and loved the backdoor

Hello full disclosure!!!

I'd like to warn you about many things but not bucketing. However is you must 
read and not be troll for you is to understand this for your own. musntlive 
cannot be all everyone's guide to common sense.

A Provably Secure And Efficient Countermeasure Against Timing Attacks
http://eprint.iacr.org/2009/089.pdf

Vulnerability Bounds and Leakage Resilience of Blinded Cryptography under 
Timing Attacks
http://users.cis.fiu.edu/~smithg/papers/csf10.pdf

In is musntlive's interpretation is everyone miss OpenBSD big picturuski:

a1) Hiding in plain sight
a2) Developer Deception

Is musntlive establish (proven: this is not theory) that developers lied all 
along. So while is many cry troll, musntlive laugh and think of Cassandra.

b1) Is OpenBSD not audit anything otherwise this not happen
b2) For those trolls (Schmehl) who state: `Someone would have caught it` - they 
is forget that crypto is highly specialized and is all a part of the corruption 
machine, there is none to catch [is see Juvenal quote who watching watchers]
b3) We is now privy to see how Theo via foreign financial accounts is tied into 
this - he can disprove this is he like but he is likely stay shut
b4) Theo is come clean not to show public `I come clean I not know` but more is 
to say `is I come clean before is beans spilled, everyone is believe me`

[Response a1] Is because crypto implementation very hard is difficult for to 
someone to audit is code. In normal programming a simple operator can is change 
the entire game. Is difference between  and is say  is all one need. For this 
we is now take into account 'salami attacks' (do not is say musntlive not warn 
you)

[Response a2] Is everyone forget KGII (key goal is indicators) of everything. 
Money is talk (see b3) and when is everyone is on the same ledger[payroll] and 
is give geek dream job of one being superspyman, egos run stupid. Geeks is like 
Jason is stupid for to government say:
Give is stupid nerd some Mountain Dew, mousepad, new laptop, he ours! versus 
old school he is wants Ferrari, cash and ladies (see Mafiosi requirements for 
cash).

When money is motivator is one be surprised at what someone is capable of is... 
is. Is everyone too stupid to remember this or do everyone is believe no one is 
above corruption particularisly FOSS developers.
(I is pity you is you think this)

[Response b1] Is who will come clean when all is dirty on the developer team. 3 
people on code all on the same covert team and is one head honchoruski (Theo 
see b3) is getting kickbacks in covert accounts

[Response b2] For Paul Schmehl and other trolls I is like to introduce you to 
is Cassandra Complex
http://en.wikipedia.org/wiki/Cassandra_(metaphor)

[Response b3] http://www.youtube.com/watch?v=bjZRAvsZf1g

[Response b4] Theo is not to be believed on this whole matter see Cassandra 
Complex


Happy Merry Jolly and is Merry Happy New Year.




Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Gary Baribault
Well that makes one of you!!! ;-)

Gary B


On 12/24/2010 09:18 AM, McGhee, Eddie wrote:
 I is Love musntlive.

 -Original Message-
 From: full-disclosure-boun...@lists.grok.org.uk
[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of 
Григорий Братислава
 Sent: 24 December 2010 13:05
 To: coderman
 Cc: full-disclosure@lists.grok.org.uk; mic...@lucifer.net
 Subject: Re: [Full-disclosure] how i stopped worrying and loved the
backdoor

 Hello full disclosure!!!

 I'd like to warn you about many things but not bucketing. However is
you must read and not be troll for you is to understand this for your
own. musntlive cannot be all everyone's guide to common sense.

 A Provably Secure And Efficient Countermeasure Against Timing Attacks
 http://eprint.iacr.org/2009/089.pdf

 Vulnerability Bounds and Leakage Resilience of Blinded Cryptography
under Timing Attacks
 http://users.cis.fiu.edu/~smithg/papers/csf10.pdf

 In is musntlive's interpretation is everyone miss OpenBSD big picturuski:

 a1) Hiding in plain sight
 a2) Developer Deception

 Is musntlive establish (proven: this is not theory) that developers
lied all along. So while is many cry troll, musntlive laugh and think of
Cassandra.

 b1) Is OpenBSD not audit anything otherwise this not happen
 b2) For those trolls (Schmehl) who state: `Someone would have caught
it` - they is forget that crypto is highly specialized and is all a part
of the corruption machine, there is none to catch [is see Juvenal quote
who watching watchers]
 b3) We is now privy to see how Theo via foreign financial accounts is
tied into this - he can disprove this is he like but he is likely stay shut
 b4) Theo is come clean not to show public `I come clean I not know` but
more is to say `is I come clean before is beans spilled, everyone is
believe me`

 [Response a1] Is because crypto implementation very hard is difficult
for to someone to audit is code. In normal programming a simple operator
can is change the entire game. Is difference between  and is say  is
all one need. For this we is now take into account 'salami attacks' (do
not is say musntlive not warn you)

 [Response a2] Is everyone forget KGII (key goal is indicators) of
everything. Money is talk (see b3) and when is everyone is on the same
ledger[payroll] and is give geek dream job of one being superspyman,
egos run stupid. Geeks is like Jason is stupid for to government say:
 Give is stupid nerd some Mountain Dew, mousepad, new laptop, he ours!
versus old school he is wants Ferrari, cash and ladies (see Mafiosi
requirements for cash).

 When money is motivator is one be surprised at what someone is capable
of is... is. Is everyone too stupid to remember this or do everyone is
believe no one is above corruption particularly FOSS developers.
 (I is pity you is you think this)

 [Response b1] Is who will come clean when all is dirty on the developer
team. 3 people on code all on the same covert team and is one head
honchoruski (Theo see b3) is getting kickbacks in covert accounts

 [Response b2] For Paul Schmehl and other trolls I is like to introduce
you to is Cassandra Complex
 http://en.wikipedia.org/wiki/Cassandra_(metaphor)

 [Response b3] http://www.youtube.com/watch?v=bjZRAvsZf1g

 [Response b4] Theo is not to be believed on this whole matter see
Cassandra Complex


 Happy Merry Jolly and is Merry Happy New Year.


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread coderman
On Fri, Dec 24, 2010 at 1:53 AM, Marsh Ray ma...@extendedsubset.com wrote:
 ...
 So there are these many hundreds of lines of entropy management code in
 OpenBSD implementing what is claimed to be a novel architecture for random
 number generation and yet this guy, who is going around giving talks on it,
 is expecting someone else to quantify it and come forward with a paper?

given the OpenBSD architecture and entropy consumption the performance
and characteristics of random number generation and use is very
context and architecture specific. while i agree this guy should have
access to either his own or remotely accessible compatibility test
cluster, he clearly is lacking applied test and measurement with
sufficient detail for a paper.

in any case, did i mention good entropy is hard? :)



 The burden of proof lies with the amateur cryptographers making the
 security claims about it, not those questioning them.

sure. perhaps the most frequent misconception is the model around
entropy consumption in OpenBSD vs. most other unix and windows
variants. OpenBSD in particular assumes significant and sustained use
of random numbers across kernel and userspace domains.

this is a distinction conveniently negligible if you've got fast true
random hardware entropy sources available.

speaking of Cassandra complex, coming up on a decade of hw entropy
advocacy [0] and still about the same level of progress as IPv6 core
deployment...  how many of you have a competent userspace entropy
daemon funneling hardware sources into host pool?

  *grin*


0. VIA Padlock C5XL, C5P XSTORE
   http://www.mail-archive.com/openssl-dev@openssl.org/msg18264.html


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread BMF
On Fri, Dec 24, 2010 at 4:27 PM, coderman coder...@gmail.com wrote:
  how many of you have a competent userspace entropy
 daemon funneling hardware sources into host pool?

It would be nice if there were inexpensive hardware sources available
and a means to distribute the entropy among hosts in one's own trusted
infrastructure. I have a mail server, a name server, an ntp server
(usually several), among various other sorts of pieces of
infrastructure which serve hundreds or even thousands of servers. Why
not an entropy server? It would be nice if I could setup an entropy
generating black box somewhere and attach it via USB to my entropy
server host then install a package with a config file on all of my
machines pointing to the entropy host. But so far I know of no such
thing. Do you?

BMF


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Dan Kaminsky
On Fri, Dec 24, 2010 at 4:37 PM, BMF badmotherfs...@gmail.com wrote:

 On Fri, Dec 24, 2010 at 4:27 PM, coderman coder...@gmail.com wrote:
   how many of you have a competent userspace entropy
  daemon funneling hardware sources into host pool?

 It would be nice if there were inexpensive hardware sources available
 and a means to distribute the entropy among hosts in one's own trusted
 infrastructure. I have a mail server, a name server, an ntp server
 (usually several), among various other sorts of pieces of
 infrastructure which serve hundreds or even thousands of servers. Why
 not an entropy server? It would be nice if I could setup an entropy
 generating black box somewhere and attach it via USB to my entropy
 server host then install a package with a config file on all of my
 machines pointing to the entropy host. But so far I know of no such
 thing. Do you?


Don't we have hardware RNG in most motherboard chipsets nowadays?

(Not that you should exclusively trust it, but the nature of RNG's is that
it's easy to mix in sources.)
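
Added example, not code from the thread or from OpenBSD: the entropy-server arrangement BMF asks for, built on the mixing Dan describes. A host folds bytes pulled from a remote entropy host together with whatever local sources it has, and the hash-based mixer guarantees the result is unpredictable as long as any one contributor was. The contrast with naive XOR mixing shows why a hash is used: a bad source that gets to see the good one can cancel it under XOR but not under a hash. The remote bytes and local sources are constructed stand-ins, and the names `mix_sources`, `PoolClient` and the labels are choices made here, not any project's API.

```python
"""Hash-based mixing of an entropy server's output with local sources.

Illustrative code (not OpenBSD, not rngd). The inputs are constructed
byte strings; nothing is fetched from a network or a device.
"""
import hashlib
import hmac
import struct
from typing import Sequence


def mix_sources(sources: Sequence[bytes], label: bytes = b"entropy-mix") -> bytes:
    """Fold any number of byte strings into one 32-byte seed with SHA-256.

    Every field is length-prefixed so source boundaries are unambiguous:
    mixing (b"ab", b"c") must not equal mixing (b"a", b"bc"), otherwise a
    party controlling one source could shift bytes across the boundary.
    """
    h = hashlib.sha256()
    h.update(struct.pack(">I", len(label)) + label)
    h.update(struct.pack(">I", len(sources)))
    for s in sources:
        h.update(struct.pack(">I", len(s)) + s)
    return h.digest()


def mix_xor(sources: Sequence[bytes]) -> bytes:
    """Naive XOR mixing, shown for contrast. It is only sound when no
    source can depend on another: a party that sees source A before
    choosing source B can pick B = A ^ target and force the output."""
    n = len(sources[0])
    out = bytearray(n)
    for s in sources:
        if len(s) != n:
            raise ValueError("xor mixing needs equal-length inputs")
        for i, b in enumerate(s):
            out[i] ^= b
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cancellation_demo():
    """An adaptive bad source defeats XOR mixing but not hash mixing."""
    good = bytes(range(32))          # constructed stand-in for an honest source
    target = b"\x00" * 32            # value the attacker wants the pool to hold
    evil = xor_bytes(good, target)   # chosen after seeing `good`
    return mix_xor([good, evil]), mix_sources([good, evil])


class PoolClient:
    """Host-side pool fed by an entropy server plus local sources.

    reseed() hashes the previous state together with every source, so the
    state is unpredictable if any one input was; get_bytes() expands the
    state with HMAC-SHA256 in counter mode and then ratchets it forward so
    a later state compromise does not expose earlier output. This shows
    the mixing principle; it is not a vetted DRBG.
    """

    def __init__(self) -> None:
        self.state = b""

    def reseed(self, remote: bytes, local: Sequence[bytes], min_sources: int = 2) -> bytes:
        sources = [remote, *local]
        if len(sources) < min_sources:
            raise ValueError("refusing to seed from fewer than %d sources" % min_sources)
        self.state = mix_sources([self.state, *sources], label=b"pool-reseed")
        return self.state

    def get_bytes(self, n: int) -> bytes:
        if not self.state:
            raise RuntimeError("pool not seeded")
        out = b""
        for counter in range((n + 31) // 32):
            out += hmac.new(self.state, struct.pack(">I", counter), hashlib.sha256).digest()
        self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return out[:n]


# Constructed sample inputs standing in for the three feeds a host would
# have: bytes pulled from the entropy server, a local HWRNG, and local
# event timings. None of these are real entropy.
REMOTE = bytes(range(32))
LOCAL_HWRNG = b"\x5a" * 32
LOCAL_TIMINGS = b"\x00" * 31 + b"\x01"


def demo_client() -> bytes:
    c = PoolClient()
    c.reseed(REMOTE, [LOCAL_HWRNG, LOCAL_TIMINGS])
    return c.get_bytes(48)
```

The point of the length prefixes and the `min_sources` check is operational: an entropy host on the network is one more thing an attacker can own, so the client must never let it be the only input, and must never let its bytes be confused with bytes from another source.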

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Marsh Ray
On 12/24/2010 07:08 PM, Dan Kaminsky wrote:

 Don't we have hardware RNG in most motherboard chipsets nowadays?

 (Not that you should exclusively trust it, but the nature of RNG's is
 that it's easy to mix in sources.)

Haha, you're going to love this:

 http://code.bsd64.org/cvsweb/openbsd/src/sys/dev/rnd.c?rev=1.106;content-type=text%2Fplain

       switch(minor(dev)) {
               case RND_RND:
                       ret = EIO;      /* no chip -- error */
                       break;
               case RND_SRND:
               case RND_URND:
               case RND_ARND_OLD:
               case RND_ARND:
                       arc4random_buf(buf, n);
                       break;
               default:
                       ret = ENXIO;
               }

- Marsh


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread Marcio B. Jr.
Such a gay thread subject, ain't it?


On Fri, Dec 24, 2010 at 11:24 PM, Marsh Ray ma...@extendedsubset.com wrote:
 On 12/24/2010 07:08 PM, Dan Kaminsky wrote:

 Don't we have hardware RNG in most motherboard chipsets nowadays?

 (Not that you should exclusively trust it, but the nature of RNG's is
 that it's easy to mix in sources.)

 Haha, you're going to love this:

 http://code.bsd64.org/cvsweb/openbsd/src/sys/dev/rnd.c?rev=1.106;content-type=text%2Fplain

       switch(minor(dev)) {
               case RND_RND:
                       ret = EIO;      /* no chip -- error */
                       break;
               case RND_SRND:
               case RND_URND:
               case RND_ARND_OLD:
               case RND_ARND:
                       arc4random_buf(buf, n);
                       break;
               default:
                       ret = ENXIO;
               }

 - Marsh

Marcio Barbado, Jr.


Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-24 Thread BMF
On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky d...@doxpara.com wrote:
 Don't we have hardware RNG in most motherboard chipsets nowadays?

Do we? By what mechanism do they operate? Thermal noise seems the
easiest way to go although I have always preferred the idea of
sampling random radioactive decay simply for the purity of the
immediate result. What is the quality of the entropy of the devices
you speak of? How fast do they generate entropy? I have heard nothing
about this. How could I tell if my machine had hw rng built in?

Some i810 series chipsets have hw rng. There is also the Intel 80802
Firmware Hub chip that nobody seems to use anymore. I have heard of
people pointing webcams at lava lamps and such to get random numbers.

BMF

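
Added example, not from the thread: one answer to "how could I tell if my machine had hw rng built in", for a Linux host. The kernel's hw_random framework exposes the back-ends it has bound in /sys/class/misc/hw_random/rng_available and the one currently feeding /dev/hwrng in rng_current (the i8xx Firmware Hub RNG BMF mentions is the intel-rng back-end, VIA PadLock is via-rng); newer CPUs additionally show rdrand/rdseed in the flags line of /proc/cpuinfo. The sysfs directory and cpuinfo text are parameters so the logic can be exercised on constructed input; the defaults are the real paths, and the helper names are chosen here.

```python
"""Check a Linux host for a kernel-recognised hardware RNG.

Illustrative code, not part of any project. Reads the Linux hw_random
sysfs files and /proc/cpuinfo; both locations are parameters so the
checks also run against constructed data.
"""
import os
import tempfile

HWRNG_SYSFS = "/sys/class/misc/hw_random"   # Linux hw_random framework
CPUINFO = "/proc/cpuinfo"


def _read(path: str) -> str:
    try:
        with open(path) as f:
            return f.read().strip()
    except OSError:
        return ""


def hwrng_status(sysdir: str = HWRNG_SYSFS):
    """Return (available, current, present) for the kernel hw_random layer.

    rng_available lists back-ends the kernel has bound, e.g. intel-rng
    (i8xx Firmware Hub), via-rng (PadLock XSTORE), tpm-rng, or virtio_rng
    inside a guest; rng_current is the one behind /dev/hwrng, or "none".
    A present device still has to be fed into the pool (rngd from
    rng-tools does that); the kernel does not use /dev/hwrng by itself.
    """
    available = _read(os.path.join(sysdir, "rng_available")).split()
    current = _read(os.path.join(sysdir, "rng_current"))
    present = bool(available) and current not in ("", "none")
    return available, current, present


def cpu_rng_instructions(cpuinfo_text: str):
    """Report rdrand/rdseed support from the first 'flags' line of cpuinfo."""
    for line in cpuinfo_text.splitlines():
        if line.startswith("flags"):
            flags = set(line.split(":", 1)[1].split())
            return {"rdrand": "rdrand" in flags, "rdseed": "rdseed" in flags}
    return {"rdrand": False, "rdseed": False}


def local_report():
    """Run both checks against this host using the real paths."""
    return hwrng_status(), cpu_rng_instructions(_read(CPUINFO))


def demo_on_constructed_sysfs(available: str, current: str):
    """Exercise hwrng_status() on a constructed sysfs directory."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "rng_available"), "w") as f:
            f.write(available + "\n")
        with open(os.path.join(d, "rng_current"), "w") as f:
            f.write(current + "\n")
        return hwrng_status(d)


# Constructed cpuinfo excerpt (not captured from a real machine).
CONSTRUCTED_CPUINFO = """processor\t: 0
vendor_id\t: GenuineIntel
flags\t\t: fpu vme de pse tsc msr pae mce cx8 apic sep rdrand
"""

if __name__ == "__main__":
    print(local_report())
```

A device showing up here says nothing about its quality or rate; that still has to be measured, and as Dan says it should be mixed into the pool rather than trusted on its own.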

[Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-23 Thread Григорий Братислава
http://mickey.lucifier.net/b4ckd00r.html

how i stopped worrying and loved the backdoor

first of all i have to mention that netsec involvement was indirectly
one of the first financial successes of theo de raadt (later mr.t for
short) as the sale of 2500 cds through the EOUSA project (one for each
us-ins office in the country) brought openbsd to profitable state and
allowed mr.t to finance his living by means of the openbsd project.

but let us get back to our sheep (so to speak). as the disclosure
from herr gregory perry mentioned the parts involved were ipsec(4)
and crypto(4) framework and the gigabit ethernet stack. but see?
there is no such thing as gigabit ethernet stack. moreover back then
all the gigabit ethernet drivers came from freebsd. they were written
almost exclusively by bill paul who worked at columbia.edu. he himself
does not always disclose where he gets the docs or other tech info for
the driver development. drivers were ported to openbsd by jason@
(later mr.j). angelos@ (later mr.a) (who was contracted by netsec to
work on the crypto framework in openbsd) was a post-grad student at
upenn.edu at the time had contacts at columbia such as his friend and
fellow countryman ji@ who worked there. ji@ wrote the ipsec stack
initially (for bsd/os 2.0) in 1995. mr.a was porting it to openbsd. if
memory serves me right it was during the summer of 2002 that a
micro-hacking-session was held at columbia.edu. for less than one week
participating all the well known to us already mr.t and mr.j and mr.a
with an addition of drahn@ and yours truly. primary goal was to hack
on the OCF (crypto framework in openbsd). this does not affect crypto
algorithms you'd say right? but why try to plant subtle and enormously
complicated to develop side channels into math (encryption and
hashing) when it's way easier to just make the surrounding framework
misbehave and leak bits elsewhere? why not just semioccasionally send
an ipsec(4) packet with a plain text key appended to it? the receiver
will drop it as broken (check your ipsec stats!) and the sniffer in
the middle has the key! how would one do it? a little mbuf(9)
underflow combined with a little integer overflow. not that easy to
spot if more than just one line of code is involved. but this is just
a really crude example. leaking by just tiny bits over longer time
period would be even more subtle.

here are just some observations i had made during ipsec hacking years
later... some parts of ipsec code were to say at least strange
looking. in some places tiny loops were used where normally one would
use a function (such as memcpy(3)) or a bulk random data fetch instead
of fetching byte by byte. one has to know that to generate 16 bytes of
randomness by the random(4) driver (not the arc4 bit) it would take an
md5 algorithm run over 4096 bytes of the entropy pool. of course to
generate only one byte 15 bytes would have to be wasted. and thus
fetching N bytes one-by-one instead of filling a chunk would introduce
a measurable time delay. ain't these look like pieces of timing
weaknesses introduced in ipsec processing in order to make encrypted
data analysis easier? some code pieces created buffer underflows
leaving uninitialised data or in other words leaking information as
well. a common technique to hide changes was (and still is sometimes)
to shuffle the code around the file or between different files and
directories making actual code review a nightmare. but to be just lots
of those things had been since fixed (even by meself).

as the great ones teach us an essential part of any cryptographical
system is the random numbers generator. your humble servant was
involved in it too and right there in yer olde brooklyn. one breezy
spring night i wrote the openbsd random(4) driver that was based on
the linux driver written by theodore tso. and of course the output has
never been statistically analysed since the day i wrote it. no doubt i
ran some basic tests with help of mamasita (she's keen on math and
blintzi). later the arc4 part was added by david mazières (dm@) who was
also a friend of mr.a at the time and an openbsd developer. since then
a number of vulnerabilities were discovered in the arc4 algorithm and
subsequently the driver. most notably this potential key leak.

meanwhile in calgary... wasting no time netsec was secretly funnelling
security fixes through mr.t that he was committing stealth into
openbsd tree. (this i only knew years later when i was telling mr.t
over a beer about the funny people i met on a west-coast trip (see
later)). stealth means that purpose of the diffs was not disclosed
in the commit messages or the private openbsd development forums
except with a few trusted developers. it was a custom to hide
important development in the openbsd project at that time due to a
large netbsd-hate attitude (which also existed from the other side in
form of openbsd-hate attitude; just check out this netbsd diff and an
openbsd fix later; or a more recent 

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-23 Thread Marsh Ray
On 12/23/2010 10:01 PM, Григорий Братислава wrote:
 http://mickey.lucifier.net/b4ckd00r.html

 how i stopped worrying and loved the backdoor

Note that much of that is backed up by CVS history. I'd seen some of 
those strange loops and bulk reformatting while reviewing the code 
commits last week.

For example, as he mentions in P2 the entropy pool extraction functions 
are implemented in such a way as to require 156 times more invocations 
of the MD5 block compression function than are necessary. This remains 
in the code today.

I even pointed some of this out the other day on this thread:
 http://marc.info/?l=openbsd-techm=129298665720095w=2
Perhaps the reaction speaks louder than words.

I'd had mickey's name on my short list --
and had written 'not netsec' beside it. :-)

This is either something really interesting going on or the most 
spectacular trolling in net history.

- Marsh

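
Added example, not code from the thread or from OpenBSD's rnd.c: a toy model of the extraction cost mickey describes (each extraction hashes the whole 4096-byte pool with MD5 and yields 16 bytes, so a 1-byte fetch wastes 15) and of why fetching N bytes one at a time, as the ipsec code he describes did, leaves a measurable timing signal. The pool contents are constructed, the `EntropyPool` class is a model rather than the kernel code, and the numbers it produces follow from mickey's description; they are not Marsh's 156x figure, which comes from the real extraction functions.

```python
"""Model of hash-based pool extraction: bulk fetch vs byte-by-byte.

Illustrative code, not the OpenBSD random(4) driver. Counts MD5 block
compressions and discarded output for each fetching pattern.
"""
import hashlib
import time

POOL_BYTES = 4096      # size of the entropy pool mickey describes
MD5_BLOCK = 64         # bytes per MD5 compression-function call
MD5_OUT = 16           # bytes one MD5 run yields


class EntropyPool:
    """Toy extraction pool: each extraction hashes the whole 4096-byte
    pool (64 compressions) and yields at most 16 bytes; whatever the
    caller did not ask for is thrown away."""

    def __init__(self, contents: bytes = b"constructed pool contents, not entropy") -> None:
        reps = POOL_BYTES // len(contents) + 1
        self.pool = bytearray((contents * reps)[:POOL_BYTES])
        self.compressions = 0
        self.wasted = 0

    def _extract_block(self) -> bytes:
        digest = hashlib.md5(bytes(self.pool)).digest()
        self.compressions += POOL_BYTES // MD5_BLOCK
        for i, b in enumerate(digest):      # stir so successive runs differ
            self.pool[i] ^= b
        return digest

    def get(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            block = self._extract_block()
            take = min(n - len(out), MD5_OUT)
            self.wasted += MD5_OUT - take
            out += block[:take]
        return out


def cost_of(fetch_sizes):
    """(compressions, wasted bytes) for a sequence of fetch sizes."""
    p = EntropyPool()
    for n in fetch_sizes:
        p.get(n)
    return p.compressions, p.wasted


def bulk_vs_bytewise(total: int = 16):
    """Cost of one bulk fetch of `total` bytes vs `total` single-byte fetches."""
    return cost_of([total]), cost_of([1] * total)


def timing_ratio(total: int = 16, rounds: int = 200) -> float:
    """Wall-clock ratio of byte-wise to bulk fetching. The extra delay is
    the observable that makes the pattern a timing side channel in packet
    processing. Not deterministic; shown for measurement only."""
    def measure(sizes):
        p = EntropyPool()
        t0 = time.perf_counter()
        for _ in range(rounds):
            for n in sizes:
                p.get(n)
        return time.perf_counter() - t0
    return measure([1] * total) / measure([total])


if __name__ == "__main__":
    print("bulk, bytewise:", bulk_vs_bytewise())
    print("timing ratio:", round(timing_ratio(), 1))
```

With these parameters a single 16-byte bulk fetch costs 64 compressions and wastes nothing, while sixteen 1-byte fetches cost 1024 compressions and discard 240 bytes of hash output; the ratio is what shows up as a delay on the wire.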

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-23 Thread coderman
On Thu, Dec 23, 2010 at 10:00 PM, Marsh Ray ma...@extendedsubset.com wrote:
 ...
 how i stopped worrying and loved the backdoor

 Note that much of that is backed up by CVS history.
 ...
 For example, as he mentions in P2 the entropy pool extraction functions

intelligently constraining key space and / or leaking key bits is the
Right Way (tm) to do a backdoor.  it requires knowledge of the
particulars to execute and provides more robustness than a class break
/ full key leak.  i hear they've got clusters of key crackers for
searching reasonable spaces ;)

also, this may not be limited to entropy pool. it would make much
sense to combine elements of hardware accelerated crypto drivers with
entropy reduction or key leakage to target specific installations or
further obfuscate effects, as mentioned in the thread so linked.

(and you could be pretty precise with such key space degradation, if desired!)


 I even pointed some of this out the other day on this thread:
     http://marc.info/?l=openbsd-techm=129298665720095w=2
 Perhaps the reaction speaks louder than words.

good entropy is hard, is the theme of that thread.

how do you measure entropy?  a few bytes and i've turned terabytes of
entropy into simple order.

the debian openssl weak key debacle underscores just how difficult and
obscure such technicalities are in the face of random human failures.
a well funded adversary with specific targets and significant skill
would enjoy plentiful opportunity and success.

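
Added example, not from the thread: coderman's point that entropy cannot be measured from output, and that "a few bytes" of state turn apparently random terabytes into simple order. A SHA-256 counter-mode stream keyed by a single constructed byte scores a full 8 bits per byte on a Shannon estimate and does not compress, yet the whole stream is recovered from 32 bytes of output by trying 256 seeds. The Debian OpenSSL failure he cites had the same shape, with the process ID as the only remaining seed. The helper names and the seed are choices made here.

```python
"""Why statistical tests cannot measure entropy.

Illustrative code, not from any project. Builds a stream that looks
random to byte-frequency and compression tests but has one byte of
actual entropy, then recovers that byte by brute force.
"""
import hashlib
import math
import zlib
from collections import Counter


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte distribution (max 8.0)."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def compression_ratio(data: bytes) -> float:
    """Compressed/original size; about 1.0 means zlib sees no structure."""
    return len(zlib.compress(data, 9)) / len(data)


def hash_chain_stream(seed: bytes, length: int) -> bytes:
    """SHA-256 in counter mode keyed by `seed`: statistically flat output
    whose entire future is fixed by the seed."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def recover_seed(stream_prefix: bytes, seed_len: int = 1):
    """Brute-force the seed from 32 bytes of output. With seed_len = 1
    the search space is 256; a 15-bit PID, as in the Debian OpenSSL
    case, gives 32768. Either is trivial."""
    for s in range(256 ** seed_len):
        cand = s.to_bytes(seed_len, "big")
        if hash_chain_stream(cand, 32) == stream_prefix[:32]:
            return cand
    return None


SEED = b"\x2a"   # constructed one-byte seed: the stream's only real entropy


def demo():
    """Return (shannon estimate, compression ratio, recovered seed)."""
    stream = hash_chain_stream(SEED, 65536)
    return shannon_bits_per_byte(stream), compression_ratio(stream), recover_seed(stream)


if __name__ == "__main__":
    print(demo())
```

The estimate measures the distribution of the output, not the uncertainty an attacker has about the state that produced it; only an argument about the sources and the mixing can bound the latter, which is the paper coderman says the thread lacks.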

Re: [Full-disclosure] how i stopped worrying and loved the backdoor

2010-12-23 Thread coderman
On Thu, Dec 23, 2010 at 10:57 PM, coderman coder...@gmail.com wrote:
 ...
 good entropy is hard, is the theme of that thread.

http://marc.info/?l=openbsd-techm=129304878126089w=2

I agree that there's a good paper in this, I would love to see the
entropy added by the multi-consumer model quantified, or even an upper
bound placed on it.  In the past when I've given my talk on randomness
in the OpenBSD network stack, I've discussed this and I always ask for
someone to come forward with such a paper.

Unfortunately I don't get the impression that the amateur cryptographers
questioning the OpenBSD PRNG are qualified to produce such a paper (if
they were, they wouldn't be mailing here, they'd be submitting it to
real cryptographers for peer review)


perhaps musnt live will respond with a formal proof of entropy bound in obsd...
