Re: debunking snake oil

2007-09-03 Thread Erik Tews
Am Donnerstag, den 30.08.2007, 20:43 -0500 schrieb travis
[EMAIL PROTECTED]:
 If you have a break of some scheme you wish to contribute, please
 do forward me a URL and I'll link to it. 

Sorry, german, but definitely worth reading:

http://www.kryptochef.de/


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: How the Greek cellphone network was tapped.

2007-07-06 Thread Erik Tews
Am Freitag, den 06.07.2007, 02:52 -0400 schrieb silvio:
  http://www.spectrum.ieee.org/print/5280
 
 So what are the options these days (the article even mentions
 end-to-end
 encryption to make such an attack far more difficult)?
 Every crypto-phone offering seems to go stale and disappear after a
 while...perhaps related to the fact of being ridiculously expensive.
 Aren't run-of-the-mill cellphones these days powerful enough to use
 available software like OpenSSL to encrypt voice/datastreams?
 Again...what are the options for end-to-end cell encryption right now?

For example, I owne an Nokia E70 smartphone running symbian. There is an
application called fring, which is basically skype for symbian which
runs on the E70. Fring offers VoIP calls over skype with your mobile
phone. The data is send over the Cellular network (UMTS or so) or
Wireless LAN, which is supported by some phones too.

I don't know how much encryption Fring does (and I don't want to
speculate how secure it is here), but it shows, that you can do VoIP on
usual high end consumers hardware.

So writing an application, which does basically the same as fring and
uses extra cryptography should be possible. I have written some java
code for the E70, and I know that it can do AES, RSA and DH in a
reasonable time, even if all computations are done in Java.

But this is all just about end-to-end encryption, you could still try to
backdoor the phones firmware, or bug the phone itself (in hardware).
Additionally, you need some kind of public key infrastructure, if you
want to call arbitrary people securely.

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to [EMAIL PROTECTED]


Re: AES128-CBC Question

2007-04-19 Thread Erik Tews
Am Mittwoch, den 18.04.2007, 23:29 -0700 schrieb Aram Perez:
 Hi Folks,
 
 Is there any danger in using AES128-CBC with a fixed IV of all zeros? This is 
 being proposed for a standard because that's how SD cards implemented it.

That depends. What would be a valid attack on a SD-card?


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: man in the middle, SSL

2007-02-03 Thread Erik Tews
Am Freitag, den 02.02.2007, 16:15 -0500 schrieb James Muir:
  You can find more and download Odysseus here:
  
  http://www.bindshell.net/tools/odysseus
 
 It is my understanding that SSL is engineered to resist mitm attacks,
 so 
 I am suspicious of these claims.  I wondered if someone more familiar 
 with SSL/TLS could comment.
 
 Isn't in the case that the application doing SSL on the client should 
 detect what this proxy server is doing and display a warning to the
 user? 

A unmodified SSL/TLS client should display a warning message, that the
server certificate is invalid or something similar. So this is not a
valid man in the middle attack agains SSL/TLS.

Perhaps you are going to use this tool for debugging purpose. If so, you
can perhaps generate a certificat with a private key. The certificate is
installed in your SSL/TLS client as a trusted certification authority
and the certificate and the private key is then used by odysseus to make
this warning messages go away.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: OT: SSL certificate chain problems

2007-01-25 Thread Erik Tews
Am Dienstag, den 23.01.2007, 20:47 -0600 schrieb Travis H.:
 Verify return code: 21 (unable to verify the first certificate)
 ---
 DONE
 
 I can't seem to get that certificate chain to have any contents other
 than what you see above, no matter what I do, and hence can't get rid
 of the Verify return code: 21... does anyone have any advice on what
 to do next?  URLs or references to other mailing lists welcome.

Did you try -CAfile, with this command you can give s_client a file with
CAs you trust. If the Thawte Consulting certificate is in this file, you
should have no problems with verifying.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: SSL Server needs access to raw HTTP data (Request for adivce)

2007-01-14 Thread Erik Tews
Am Samstag, den 13.01.2007, 19:03 -0800 schrieb Richard Powell:
 I was hoping someone on this list could provide me with a link to a
 tool
 that would enable me to dump the raw HTTP data from a web request that
 uses SSL/HTTPS.  I have full access to the server, but not to the
 client, and I want to know exactly/precisely what the client is
 transmitting. 

I think http://www.rtfm.com/ssldump/ should do the job. But this only
works in some configurations.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: A web site that believes in crypto

2007-01-13 Thread Erik Tews
Am Mittwoch, den 10.01.2007, 18:31 -0500 schrieb Steven M. Bellovin:
 I just stumbled on a web site that strongly believes in crypto --
 *everything* on the site is protected by https.  If you go there via
 http, you receive a Redirect.  The site?  www.cia.gov:

http://www.trustedcomputing.org/ does this for some time now.

A lot of years ago, http://www.ccc.de/ (german hacker club, something
like 2600 in the usa) switched to https only, but switched back to http
later. This happened when netscape 4.x was the most common browser and a
lot of users had problems with https.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: TPM disk crypto

2006-10-08 Thread Erik Tews
Am Freitag, den 06.10.2006, 17:29 -0400 schrieb Thor Lancelot Simon:
 On Thu, Oct 05, 2006 at 11:51:49PM +0200, Erik Tews wrote:
  Am Donnerstag, den 05.10.2006, 16:25 -0500 schrieb Travis H.:
   On 10/2/06, Erik Tews [EMAIL PROTECTED] wrote:
Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
 Anyone have any information on how to develop TPM software?
 http://tpm4java.datenzone.de/
Using this lib, you need less than 10 lines of java-code for doing some
simple tpm operations.
   
   Interesting, but not what I meant.  I want to program the chip to verify
   that the BIOS, boot sector, root partition conform to *my* specification.
   
  You can do that (at least in theory).
  
  First, you need a system with tpm. I assume you are running linux. Then
  you boot your linux-kernel and an initrd using the trusted grub
  bootloader. Your bios will report the checksum of trusted grub to the
  tpm before giving control to your grub bootloader.
 
 And the TPM knows that your BIOS has not lied about the checksum of grub
 how?

The TPM does not know that the BIOS did not lie about the checksum of
grub or any other bios component.

What you do is, you trust your TPM and your BIOS that they never lie to
you, because they are certified by the manufature of the system and the
tpm. (This is why it is called trusted computing)

So if you don't trust your hardware and your manufactor, trusted
computing is absolutely worthless for you. But if you trust a
manufactor, the manufactor trusts the tpms he has build and embedded in
some systems, and you don't trust a user that he did not boot a modified
version of your operating system, you can use these components to find
out if the user is lieing.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: TPM disk crypto

2006-10-06 Thread Erik Tews
Am Donnerstag, den 05.10.2006, 16:25 -0500 schrieb Travis H.:
 On 10/2/06, Erik Tews [EMAIL PROTECTED] wrote:
  Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
   Anyone have any information on how to develop TPM software?
   http://tpm4java.datenzone.de/
  Using this lib, you need less than 10 lines of java-code for doing some
  simple tpm operations.
 
 Interesting, but not what I meant.  I want to program the chip to verify
 that the BIOS, boot sector, root partition conform to *my* specification.
 
 I don't want binary-only hardware-enforced vendor lock-in, that went
 out of fashion
 with the mainframe and proprietary data[base] formats.

You can do that (at least in theory).

First, you need a system with tpm. I assume you are running linux. Then
you boot your linux-kernel and an initrd using the trusted grub
bootloader. Your bios will report the checksum of trusted grub to the
tpm before giving control to your grub bootloader. Your grub bootloader
will then report the checksum of your kernel and your initrd to the tpm
before giving control to them.

After your kernel has bootet and given control to your initrd, you can
checksum your root-partition (or do something similar, like just
checking if there are setuid binarys or checksum just your shadow-file)
and report that to the tpm using a little java-application and tpm4java.

Later, you can remotely query your system and get a report what has been
bootet on your system. You can do this query using a java application
and tpm4java.

All applications like linux, grub, tpm4java are open source (you will
need a java-vm, there are some open source vms, you should be able to
use with tpm4java). The only thing which is not open source is the bios
and the exact hardware design of your tpm chip in your pc.

One thing you should know is, that a tpm can never find out, if a
software meets some specifications, like does not have an buffer
overflow or does not execute code from the network or so. You just can
check is has not been altered.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: TPM disk crypto

2006-10-02 Thread Erik Tews
Am Sonntag, den 01.10.2006, 23:42 -0500 schrieb Travis H.:
 Anyone have any information on how to develop TPM software?

Yes, thats easy. We created a java library for the tpm chip. You can get
it at 

 http://tpm4java.datenzone.de/

Using this lib, you need less than 10 lines of java-code for doing some
simple tpm operations.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: Exponent 3 damage spreads...

2006-09-28 Thread Erik Tews
Am Montag, den 25.09.2006, 01:28 +0200 schrieb Philipp G├╝hring:
 Hi,
 
 We have been researching, which vendors were generating Exponent 3 keys, and 
 we found the following until now:
 
 * Cisco 3000 VPN Concentrator
 * CSP11
 * AN.ON / JAP (they told me they would change it on the next day)
 (perhaps more to come)
 
 My current estimate is that 0.26% of the certificates in the wild have 
 Exponents =17

I did a little survey one month ago for my bsc. thesis.

I found out, that round about 1.19% of all https-server-certs use an
exponent = 17. I did choose round about 32,000 random webservers for
this survey.

What is intresting is what happens when it comes to imap-ssl. Here, only
0.1% of all servers use a server-cert with exponent = 17. Imap-ssl
users seem to be the better ssl-users, tls 1.0 is more widespread there,
small rsa-modulus-sizes are more seldom, and ssl 2.0 is not so common
there too.

I will publish some more details later.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


RE: Real World Exploit for Bleichenbachers Attack on SSL fromCrypto'06 working

2006-09-15 Thread Erik Tews
Am Donnerstag, den 14.09.2006, 22:23 -0700 schrieb Tolga Acar:
 You need to have one zero octet after bunch of FFs and before DER encoded
 has blob in order to have a proper PKCS#1v1.5 signature encoding.
 
 Based on what you say below, I used this cert and my key to sign an
 end-entity certificate which I used to set up an webserver, it appears that
 implementations you used don't check for this one zero octet, either.

Yes, I have, I counted this to the ASN1DataWithHash part. I did not
theck if it works without.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Re: Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working

2006-09-15 Thread Erik Tews
Am Freitag, den 15.09.2006, 00:40 +0200 schrieb Erik Tews:
 I have to check some legal aspects before publishing the names of the
 browser which accepted this certificate and the name of the
 ca-certificates with exponent 3 I used in some hours, if nobody tells me
 not to do that. Depending on the advice I get, I will release the
 sourcecode of the exploit too.

OK, so here are the names of the browsers I tried:

  * Mozilla Firefox Version 1.5.0.6 and all previous versions
including all old versions like netscape 4 seem to be affected.
They don't display any kind of warning message at all, nor has
the user the possibility to see something if he looks at the ssl
connection properties. Firefox 1.5.0.7 was released yesterday
and contains a fix. Netscape is not longer supported and
netscape phoned me and suggested switching to another browser
like seamonkey.
  * Opera 9.01 is affected. Opera is going to release 9.02 very very
soon which will contain a bugfix. Opera users are automatically
notified once a week when a new version is available.
  * Konqueror from the kde project uses openssl for ssl-connections.
They are affected, but after having patched openssl, konqueror
is fixed too.

The following certs could be used in the attack:

Starfieldtech has issued the following certificate:

Issuer: L=ValiCert Validation Network, O=ValiCert, Inc., OU=ValiCert Cla ss 2 
Policy Validation Authority, CN=http://www.valicert.com//emailAddress=info@ 
valicert.com
Subject: C=US, ST=Arizona, L=Scottsdale, O=Starfield Technologies, Inc.,  
OU=http://www.starfieldtech.com/repository, CN=Starfield Secure Certification A 
uthority/[EMAIL PROTECTED]
X509v3 Basic Constraints: CA:TRUE
Serial Number: 260 (0x104)
RSA Public Key: (1024 bit)
Exponent: 3 (0x3)

This can be used to create an CA certificate which seems to be signed by 
Starfieldtech

There is another certificate by default in a lot of browsers:

Issuer: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits 
liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server 
Certification Authority
Subject: C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref. (limits 
liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net Secure Server 
Certification Authority
RSA Public Key: (1024 bit)
Exponent: 3 (0x3)
X509v3 Basic Constraints: CA:TRUE
Serial Number: 927650371 (0x374ad243)

This one can be used too.

Depending on the browser you use, there are some other certificates.
Here is a list of all Subject DN of all CA certs we have found so far,
which seems to be affected:

  * C=US, O=Digital Signature Trust Co., OU=DSTCA E1
  * C=US, O=Digital Signature Trust Co., OU=DSTCA E2
  * C=US, O=Entrust.net, OU=www.entrust.net/Client_CA_Info/CPS
incorp. by ref. limits liab., OU=(c) 1999 Entrust.net Limited,
CN=Entrust.net Client Certification Authority
  * C=US, O=Entrust.net, OU=www.entrust.net/CPS incorp. by ref.
(limits liab.), OU=(c) 1999 Entrust.net Limited, CN=Entrust.net
Secure Server Certification Authority
  * C=EU, O=AC Camerfirma SA CIF A82743287,
OU=http://www.chambersign.org, CN=Chambers of Commerce Root
  * C=EU, O=AC Camerfirma SA CIF A82743287,
OU=http://www.chambersign.org, CN=Global Chambersign Root
  * C=US, O=The Go Daddy Group, Inc., OU=Go Daddy Class 2
Certification Authority
  * C=US, O=Starfield Technologies, Inc., OU=Starfield Class 2
Certification Authority

I decided to keep the actual implementation of the exploit secret for the 
moment.

We put up a little webpage summarizing some postings related to the
attack. This is written primary for end users who want to secure their
browsers, but contains links to some intresting mailing list posts too.

http://www.cdc.informatik.tu-darmstadt.de/securebrowser/


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil


Real World Exploit for Bleichenbachers Attack on SSL from Crypto'06 working

2006-09-14 Thread Erik Tews
Hi

I had an idea very similar to the one Peter Gutmann had this morning. I
managed to write a real world exploit which takes as input:

  * an CA-Certificate using 1024 Bit RSA and Exponent 3 (ca-in)
  * a Public Key, using an algorithm and size of your choice
(key-in)

and generats an CA-Certificate signed by ca-in, using public key key-in.

At least 3 major webbrowsers on the marked are shipped by default with
CA certificates, which have signed other intermediate CAs which use
rsa1024 with exponent 3, in their current version. With this exploit,
you can now sign arbitary server certificates for any website of your
choice, which are accepted by all 3 webbrowsers without any kind of
ssl-warning-message.

I used the following method:

I first generated a certificate, with BasicConstraints set to True,
Public Key set to one of my keys, and Issuer to the DN of a CA using
1024 Bit RSA with Exponent 3. I used usual values for all the other
fields. When I signed a Certificate I shiftet all my data to the left. I
had 46 bytes of fixed valued (this can perhaps be reduced to 45 bytes, I
have not checked yet, but even with 46, this attack works). They had the
form 00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash. This gives me 82
bytes I can fill with arbitary values (at least, if the implementations
skipps some part of the asn1-data, I can choose some bytes there too).

If you now set all the bytes right of your ASN1DataWithHash to 00, and
interpret that as a number n, and compute:

   y = (ceil(cubeRoot(n)))^3

   Where ceil means rounding to the next bigger natural number and cubeRoot
 computes the third Root in R.

y will be a perfect cube and have the form:

00 01 FF FF FF FF FF FF FF FF ASN1DataWithHash' Garbage

and ASN1DataWithHash' looks quite similar to your original
ASN1DataWithHash, with perhaps 2-3 rightmost bytes changed. These bytes
are part of the certificate hash value.

This signature is useless, because every certificate has a fixed hash
value. But you don't need to sign a fixed certificate. So i started
adding some seconds to the notAfter value of the certificate and
computed the hash again. I brute forced until I had a certificate where
the computation of y did not alter any bytes of the ASN1DataWithHash.

I had to try 275992 different values which took 2-3 minutes on my 1.7
GHz Pentium using an unoptimized java-implementation.

I used this cert and my key to sign an end-entity certificate which I
used to set up an webserver.

I have to check some legal aspects before publishing the names of the
browser which accepted this certificate and the name of the
ca-certificates with exponent 3 I used in some hours, if nobody tells me
not to do that. Depending on the advice I get, I will release the
sourcecode of the exploit too.

Thanks go to Alexander May and Ralf-Philipp Weinmann who helped me.


signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil