Misuses of Cryptography (Mobile PenTesting Issue 03_2014)

On the subject of the upcoming issue, we would like to put the following tools up for discussion on the blog we are proudly launching at this time.

We are trying to upgrade the quality of our materials and engage more experts to raise society's awareness of how important the subject is today.

One of our new authors has reviewed and explained some cryptography tools and how we should pair them off, as all of us may have different intentions for the effective usage of them :)

Let's get acquainted with the review and the author's thoughts on the matter. Suggest other tools that you know of. Anything to add to the ones reviewed?

The Mobile Pentesting Issue is to be published shortly, so we encourage you to get acquainted with part of its content below in this post.

Introduction

Cryptography is a well-established field. It has been developed for ages and is in a constant state of evolution. From the ancient days of transformation algorithms with basic security concepts to ECC and RSA, cryptography has proven itself as a main (if not the only) means of privacy and security. Certainly, we all use its techniques nowadays.

Although we have algorithms that are very close to unbreakable, we also hear that companies (even big ones) are being hacked all the time and their data is stolen. We hear that SSL decryption and signatures are compromised, along with standard protocols that utilize AES, which got broken too. How, then, can this occur?

In the following article we will try to cover the basic and common mistakes in the implementation of different cryptography methods in different services and products. We will also learn how the basic misunderstanding of information security concepts and cryptography has impacted all of us, and how its influence will probably just increase with time. Hopefully, readers of this article are already informed about the issues at hand, or will gain a better understanding of others' mistakes, which will help them succeed in implementing cryptography in different systems.

Issues of the Day

In today's world we have shifted an important concept in our minds without really thinking about it: when we use 'free services' such as Gmail, Facebook, LinkedIn, Twitter and many others, we are not really getting a free service. We are bartering. These companies have a very clean and coherent business model. They provide a good service, which individuals will certainly use, and take our information to sell. This is well stated in any EULA (End User License Agreement), and you may find privacy-related sections in the Privacy Agreements, which none of us actually read. This is not to say that they are evil or that they provide their services without any common moral principles.

Some of these companies have even shown very high morality when faced with requirements to hand over too much information (as in the case of LavaBit, which we will refer to later on). This serves to remind us of a 'new' privacy concern, which a lot of us have forgotten.

The paragraph above is not meant to deal with issues of privacy or to call for abandoning these services. You can use all of them (for example, I have Gmail, Facebook and LinkedIn accounts).

However, you should be aware of the information you upload to these companies' servers.

Cryptography Concepts

We have a couple of key cryptography concepts, which are available in our arsenal today.

Let’s separate them off into two main categories and then into the detailed technical information:

Secrecy & Integrity

Under this title we are talking about solutions that allow us to keep the information readable only to the intended recipients and to make sure that the information has not been modified.

When it comes to secrecy and integrity, life is relatively easy.

We have many technologies available at our disposal and we will mention them later on.

Trust

Trust is a more difficult thing to achieve. When talking about trust, we usually avoid the digital world, since it is very hard to establish strong trust over the internet. How do I know that the certificate I see really belongs to the domain it claims to? How do I know that the domain belongs to the company it indicates? Most of you have experienced a domain purchase, so you know that there are many other domain names very similar to your own. A famous phishing attack is known for purchasing the domain name paypaI.com (which is 'paypa' and a capital i).

It is important to note that these two categories are not really separate. Most of the algorithms we will talk about provide solutions for secrecy, integrity and trust, or for any two of these, but the sorting is intended to give the reader a better understanding of these two different problems.

The Tools We Have

Over the years we have created and developed various good technologies to secure our data. I will try to cover them and find out what they can be used for, as well as their advantages and disadvantages.

Hashing

Hashing algorithms are one-way functions, which produce an output of a known size and require no key. Hashes are used to store sensitive information (including passwords) and as checksums for information. It is important to remember that they do not provide any trust: hashing algorithms are open, so anyone can generate a hash for a known plain text. The two prime examples (and probably the most commonly known) are the MD5 cipher and the SHA2 family. MD5, which generates a 128-bit output, has been widely used but is now considered insecure due to known collision attacks. SHA2 is a family that encompasses the two most commonly used algorithms: SHA256 and SHA512. The names indicate the output size. As of the day this article is written (2014), there is no mathematical attack available against the SHA2 family of algorithms.

Since these algorithms are built on block ciphers (discussed later in the article), each little modification to the plain text will result in a major change to the output. This makes them great for integrity checking. The line “I'm just sitting here reading a magazine...” gives the following output using SHA256:

6e7ac84298c8fac86f3ca5c02b6d9f7a7472856ac92fa0d2a8ae97fcfb38c98a

If you input the line “Im just sitting here reading a magazine...” you will get the following output:

b1abf53eef4b67cedb52c717ed40b601f0a93820e805e2776aa3fcccfae0dc47

Notice how a small modification has resulted in a huge, easily noticeable difference.

Symmetric Encryption

A cipher is categorized as symmetric encryption when the same key that is used to encrypt the plain text is required to decrypt the cipher text back to plain text. Within this category we distinguish stream ciphers and block ciphers. Stream ciphers operate on one bit at a time, and one of the ground rules is never to encrypt information with the same key twice. A prime example of a strong stream cipher algorithm is RC4.

A block cipher is still a symmetric cipher, but it runs on blocks of plain text and it runs in iterations. These algorithms are more 'expensive' (resource-wise) but are deemed stronger. Two prime examples of strong block ciphers are the AES family and the Twofish algorithm.

Asymmetric Encryption

Asymmetric encryption is a process that uses a key pair (public and private), where one key is used for the encryption process and the other is used for the decryption process. In this article we will not go into asymmetric encryption, but I want to mention two key concepts. The first is that all big asymmetric algorithms rely on a factorial of two prime numbers. Prime numbers are the fundamental building blocks of all numbers. Since there is no real way to compute prime numbers or check for prime numbers, they are harder to come by. The last sentence is generally, but not entirely, true. We do have algorithms like Rabin-Miller[1], a better method of checking whether a number is a prime or a composite, and we do have the Prime Number Theorem[2] to estimate the amount of primes within a group, but not to determine which particular numbers are the primes. We also have Euler's function ( f(n) = n^2 + n + 41 ) and other prime-generating functions like it. They generate only a certain type of primes, or not always primes. In the end, they turn out not to be valid for anything relating to cryptography. The end concept you should know about asymmetric encryption before we go on is this: To learn more about prime numbers, I would recommend the book “Rainbow of Primes” by Joao da Silva[3].

Real Uses of Cryptography

Blackberry’s Messenger

Blackberry has an instant messaging protocol and program named BBM (Blackberry Messenger). BBM was first available only on Blackberry devices, but on the 25th of October 2013 BBM was released for Android and iOS as well. Many users believe BBM is an encrypted and secure way to transfer messages. Blackberry pointed out:

“BlackBerry Messenger and PIN to PIN messages are NOT encrypted. They are scrambled using a global cryptographic key which EVERY BlackBerry in the world uses.”

BBM uses an asymmetric key, employed on all devices. It later uses a PIN-to-PIN “encryption”, but the PIN is never encrypted. This is important to understand, since those are not encrypted messages but scrambled ones.

WEP

WEP stands for Wired Equivalent Privacy. It is an amendment to the protocol introduced by the IEEE 802.11 WiFi protocol. WEP covers more than just the encryption: it also covers the authentication process, the integrity and more. WEP applies the RC4 stream cipher for confidentiality. RC4 is esteemed to be a good stream cipher.

Even though RC4 is still being used in many protocols, WEP is considered to be very insecure due to the design of the protocol, not the encryption standard it implements. Since RC4 is a stream cipher, using the same key more than once is a big no-no. If the same key is used more than once, it may allow an attacker to deduce the entire key and, eventually, the rest of the messages accordingly. In order to avoid this, the designers of WEP added an IV to the key.

The IV (initialization vector) is added to the key, thereby changing the actual key going into the RC4 cipher each time, to ensure the same key is not repeated. The IV is added to the packet and sent in the clear to prevent other clients from using the same IV again. So far, the concept is good; the implementation, however, is a completely different thing. The IV is 24 bits long. Within 5,000 packets there is a 50% chance of the same IV being used twice. Since it is sent in the clear, an attacker can easily spot two packets encrypted with the same IV.

A standard network will generate more than 5,000 packets per 10 seconds. Assume that you watch a 12-second-long YouTube video in HD; in the meantime you will generate approximately 43,000 packets. If you would like to check that, load your favorite packet sniffer and prove it to yourself. This means that an attacker does not even have to be active in order to crack the key: he can just sniff traffic (the bus is actually the air!) and then attempt to crack the key locally, without generating any traffic or interacting with the network or any of its clients.

By comparison, the WPA1 standard, which still utilizes RC4 for encryption, uses TKIP to exchange keys, and WPA2 uses AES for the encryption process and can use TKIP and/or CCMP. WEP takes a good symmetric cipher, which is used in many other encryption standards such as WPA1, SSL and others, and incorporates it into a protocol that misses the biggest issue with the cipher itself. It is important to note that authentication uses the RC4 algorithm as well, in a challenge-response manner. Note that the main vulnerable point in WPA1 and WPA2 is the handshake itself.
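
The IV problem described above can be reproduced in a few lines. The following Python example is added here and is not part of the original article: it builds the per-packet RC4 key the way WEP does (24-bit IV prepended to the shared key), shows that two packets with the same IV leak their contents without the key ever being touched, and computes the birthday bound behind the "5,000 packets" figure. The key, IVs and packet contents are constructed, the CRC-32 integrity value is left out, and the probability assumes IVs are picked at random.

```python
import math


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4: key scheduling (KSA), then keystream generation (PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def wep_encrypt(iv: bytes, shared_key: bytes, plaintext: bytes) -> bytes:
    """WEP-style per-packet key: the 24-bit IV is prepended to the shared key.
    Simplified: the CRC-32 integrity value that WEP appends is left out."""
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return xor(plaintext, rc4_keystream(iv + shared_key, len(plaintext)))


def iv_collision_probability(packets: int, iv_bits: int = 24) -> float:
    """Birthday bound: chance that at least two of `packets` random IVs match."""
    space = 2 ** iv_bits
    log_all_unique = sum(math.log1p(-k / space) for k in range(packets))
    return 1.0 - math.exp(log_all_unique)


def packets_until(target: float, iv_bits: int = 24) -> int:
    """Smallest packet count whose IV collision probability reaches `target`."""
    space = 2 ** iv_bits
    log_all_unique, n = 0.0, 0
    while 1.0 - math.exp(log_all_unique) < target:
        log_all_unique += math.log1p(-n / space)
        n += 1
    return n


def demo() -> dict:
    shared_key = bytes.fromhex("0102030405")  # constructed 40-bit shared key
    iv = bytes.fromhex("a1b2c3")              # constructed IV, seen on two packets
    p1 = b"GET /index.html HTTP/1.1"          # constructed; content known to an observer
    p2 = b"password=hunter2&user=a1"          # constructed; content not known
    c1 = wep_encrypt(iv, shared_key, p1)
    c2 = wep_encrypt(iv, shared_key, p2)
    # Same IV + same shared key => same keystream, which cancels in c1 XOR c2.
    # Knowing p1 is then enough to read p2; the key itself is never needed.
    same_iv_leak = xor(xor(c1, c2), p1)
    # With a different IV the keystreams differ and nothing cancels.
    c3 = wep_encrypt(bytes.fromhex("a1b2c4"), shared_key, p2)
    fresh_iv_leak = xor(xor(c1, c3), p1)
    return {
        "same_iv_reveals_p2": same_iv_leak == p2,
        "fresh_iv_reveals_p2": fresh_iv_leak == p2,
        "p_collision_5000": iv_collision_probability(5000),
        "packets_for_50_percent": packets_until(0.5),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The cipher is untouched throughout; the weakness comes entirely from how small the IV space is, which is the article's point about protocol design.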

PRISM - NSA

The PRISM program was revealed in 2013 through the Edward Snowden case. It has rattled the industry and the world. Plenty of articles have been written about it and this is not going to be another one of them. Instead, we are going to focus on the aftermath of this epic event.

The PRISM program has proven to us that a third party cannot be trusted, whether we are referring to a service provider or a product manufacturer (programs, certifications and more). It has been shown that closed systems (software or encryption) are not something we can rely on. We need to understand how the particular schemes work and let a sufficiently big group of experts comment on a system, so that we can vouch for its security.

Big service providers have been proven to supply information to the PRISM program (willingly and unwillingly), and some have even tried to fight the program. LavaBit is a prime example. When Lavabit was asked to hand over the SSL keys to its services, it tried to fight the act, eventually handing the keys over. The event caused the shutdown of the company, since it could not guarantee users' safety and privacy. This has woken up the information security community, which has started modifying the way we look at security. Services like Threema, which we will talk about later, rose and started finding ways to provide security through transparency rather than obscurity.

The lesson we learn from this is that there are entities with the interest and the resources to pursue troubling methods of breaching information. If we are keen to keep our information secure, we need to rely on a comprehensive mechanism. IPv6, for instance, requires the IPSec technology for encryption. IPSec has been around for a while, with only one issue: the protocol is so mind-bogglingly complex that not a single cryptographer has been able to understand it or even vouch for its security level. Simple algorithms like RSA, AES, Twofish and PGP have all been proven secure by the test of time. They are relatively easy to understand and implement; therefore, analysis and attacks can be carried out, and the necessary parts patched, to make them secure.

Perfect Forward Secrecy is another concept that we have learned to use. Instead of using just TLSv1 or SSL (even v3), we have a concept for encryption that cannot be decrypted backwards. In the standard TLS protocol we 'just' need the secret key, and then we can decrypt all the data that was ever sent using that public key for encryption. With PFS we use the same TLS, but within that strong tunnel we exchange a secret key (symmetric encryption) for that session only. This key is quite long and strong. It is used to encrypt the traffic of that session and is not stored for any further processing. This means that after the session has ended, the information still cannot be restored.

CryptoLocker

CryptoLocker is a relatively new ransomware. The unique thing about this ransomware is the way it implements cryptography (in hindsight, perfectly).

CryptoLocker spreads itself using regular phishing emails and needs to be run as an executable after downloading. It infects only Windows machines. After being executed, CryptoLocker copies itself under a random name to your 'Documents and Settings' folder. It then searches for all *.doc, ppt, pptx, xls, bmp, jpeg etc. files and lists them. In the next stage, it turns to a bunch of DNS names, one of which is the real C&C server. The C&C server creates a new UID for the infected machine and creates a new public and private key pair. The public key is sent to the victim's copy of CryptoLocker, which then encrypts all of the files it listed with RSA 2048 bit. Later on, it zero-fills all the original files and deletes them from the drive.

The user is then shown a message requesting 300 USD for the key, to be transferred via BitCoin. If the user does not transfer the required BitCoins within 72 hours, the private key will be deleted and the information is lost. This is a prime example of a bad use of cryptography, but perfectly accomplished (cryptography-wise). Only the public key is transferred, and the private key remains on an unknown server. RSA 2048-bit encryption is a very powerful algorithm, very close to uncrackable with the computing power we have today. Since the secret key was never stored locally, it is impossible to reach it from the endpoint (victim) machine.

Microsoft’s Membership Providers

This is a technology unveiled by Microsoft in ASP.NET. I recently came upon this technology thanks to a student who, after a cryptography lesson, wondered whether the implementation was good. The answer is: close, but no. The Membership Providers are the interface between Microsoft ASP.NET's membership service and membership data sources.

Their purpose covers additional functionality such as managing users (read and write), verifying logins, and more.

Regular hashed passwords are relatively easy to crack. Therefore, the best practice today is salting. In this practice, we concatenate more data to the data that is already going into the hashing algorithm, practically making the password stronger. For example, if we have a password of '123', its SHA1 sum will be as follows:

SHA1(123) = 40bd001563085fc35165329ea1ff5c5ecbdbbeef

'Cracking' it is a matter of looking for the hash in Google. We can use a salting method of adding the string 'ahggf4%4d' at the beginning and the string '12gf&' at the end, making the password larger and removing the collisions when someone matches the hash (we'll see that in a minute).

pass = 123; SHA1(ahggf4%4d & pass & 12gf&) = 323dd0a9312cd53581003d884fb307ca7c811087

This also protects us from collision attacks. Suppose someone got to our tables and found that the 323dd0a9312cd53581003d884fb307ca7c811087 sum is generated by the plain text value '123456' as well. When they try to log in, the salting will still occur, meaning that:

pass = 123456; // remember that SHA1(123456) == SHA1(ahggf4%4d & pass & 12gf&) for pass = 123
SHA1(ahggf4%4d & pass & 12gf&) // SHA1(ahggf4%4d12345612gf&)

The reason we just went into that is the implementation of the cryptographic mechanism in Microsoft's Membership Providers. If you go to Microsoft's documentation page you will find the following table:

Table 1. Membership Providers Reference Table

| Column Name | Column Type | Description |
|---|---|---|
| ApplicationId | uniqueidentifier | Application ID |
| UserId | uniqueidentifier | User ID |
| Password | nvarchar(128) | Password (plaintext, hashed, or encrypted; base64-encoded if hashed or encrypted) |
| PasswordFormat | int | Password format (0=Plaintext, 1=Hashed, 2=Encrypted) |
| PasswordSalt | nvarchar(128) | Randomly generated 128-bit value used to salt password hashes; stored in base64-encoded form |
| MobilePIN | nvarchar(16) | User's mobile PIN (currently not used) |
| Email | nvarchar(256) | User's email address |
| LoweredEmail | nvarchar(256) | User's email address (lowercase) |
| PasswordQuestion | nvarchar(256) | Password question |
| PasswordAnswer | nvarchar(128) | Answer to password question |
| IsApproved | bit | 1=Approved, 0=Not approved |
| IsLockedOut | bit | 1=Locked out, 0=Not locked out |
| CreateDate | datetime | Date and time this account was created |

I trimmed it a bit to show only the fields we are interested in. If you look at the 'Password' field, it has 3 options: plaintext, which we do not want, hashed or encrypted. Now, the encrypted option always has its issues, since the data can be decrypted with the right key, but we'll let that go for now and consider the hashed option.

This service uses SHA1 as the hash function, which is already a bit problematic, but the most problematic thing is the salting, which is very important but is implemented in an almost useless way. The salt and the password are saved in the same table. They are both BASE64 encoded (NOT encrypted! Just another representation of the actual data). Therefore, when an attacker gets read permission on the table, let's say via SQL injection, that data is all he needs to recover the passwords.

Troy Hunt wrote a nice piece about this and if you write in ASP.NET or have an understanding of the language then you will enjoy exploring it.
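
To make the storage issue concrete, the following Python example (added here, not code from the original article or from Microsoft) puts a simplified PasswordFormat=1 row next to one common hardening. The legacy layout is an assumption modelled on Table 1 (SHA1 over salt plus password, both base64-encoded in the row), not Microsoft's exact algorithm; the hardened variant uses PBKDF2 plus a secret "pepper" kept outside the database, a choice made for this example. The accounts and the audit list are constructed.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumption for this example; tune to your hardware


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def legacy_store(password: str) -> dict:
    """Simplified PasswordFormat=1 row: SHA1(salt + password), both base64 in the table."""
    salt = os.urandom(16)  # 128-bit salt, as in Table 1
    digest = hashlib.sha1(salt + password.encode("utf-8")).digest()
    return {"PasswordFormat": 1, "Password": b64(digest), "PasswordSalt": b64(salt)}


def legacy_check(row: dict, candidate: str) -> bool:
    """Everything needed to test a guess is in the row, and SHA1 is fast."""
    salt = base64.b64decode(row["PasswordSalt"])
    digest = hashlib.sha1(salt + candidate.encode("utf-8")).digest()
    return hmac.compare_digest(b64(digest), row["Password"])


def hardened_store(password: str, pepper: bytes) -> dict:
    """Slow KDF with a per-user salt, then a MAC keyed with a secret the table never holds."""
    salt = os.urandom(16)
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    tag = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return {"Password": b64(tag), "PasswordSalt": b64(salt), "Iterations": ITERATIONS}


def hardened_check(row: dict, candidate: str, pepper: bytes) -> bool:
    salt = base64.b64decode(row["PasswordSalt"])
    stretched = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), salt, row["Iterations"]
    )
    tag = hmac.new(pepper, stretched, hashlib.sha256).digest()
    return hmac.compare_digest(b64(tag), row["Password"])


def audit_weak_rows(rows: dict, common_passwords: list, check) -> list:
    """Defender's audit: which stored rows match a short list of known-weak passwords?"""
    return [user for user, row in rows.items()
            if any(check(row, pw) for pw in common_passwords)]


def demo() -> dict:
    common = ["123456", "123", "password"]                       # constructed audit list
    users = {"alice": "123", "bob": "tr4ctor-Lamp-91-violet"}    # constructed accounts
    pepper = os.urandom(32)      # held in application config or an HSM, not in the table
    no_pepper = b"\x00" * 32     # stands in for "only the table contents are available"
    legacy = {u: legacy_store(p) for u, p in users.items()}
    hardened = {u: hardened_store(p, pepper) for u, p in users.items()}
    return {
        "legacy_table_only": audit_weak_rows(legacy, common, legacy_check),
        "hardened_table_only": audit_weak_rows(
            hardened, common, lambda r, c: hardened_check(r, c, no_pepper)),
        "hardened_with_pepper": audit_weak_rows(
            hardened, common, lambda r, c: hardened_check(r, c, pepper)),
    }


if __name__ == "__main__":
    for name, flagged in demo().items():
        print(name, flagged)
```

With the legacy row, the weak account is flagged from table contents alone; with the hardened row, the same audit only works for whoever also holds the pepper.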

Threema

Threema is a recent application available for mobile devices. It is an instant messaging solution using PGP. The cryptographic implementation of Threema is a very good example of how to use cryptography. When you create a user on Threema, your device also generates a public-private key pair. Whenever you add a contact you must have their private key. You can set levels of trust for a contact. A contact gets a rating of 1 if it is someone you do not know who has just texted you. A contact gets a rating of 2 if the person you are communicating with is already in your address book and has been matched via a phone number or an email address. A rating of 3 stars is something you set manually or get when you scan a QR code with the secret key from your friend's phone.

For a usable system, the infrastructure cannot be purely peer-to-peer, since this would require both parties to be online for communication. In Threema you must go through Threema's servers, so you can leave a message for a user while he is offline. In order to implement a privacy protection mechanism for your contact list, Threema's client does not upload it to the server and does not search in plain text. Instead, it hashes the details of the user you are looking for and then searches for the hash on the server, so the server does not learn who you are communicating with, but it is able to match a specific user with a specific key.

The implementation of the public key infrastructure in Threema allows you to encrypt the information and to vouch for the authenticity of the author. The only key thing missing here for me is the exchange of a temporary session key.

BitCoin

BitCoin is a new distributed monetary system based on a peer-to-peer topology. The better term I like for this is 'cryptocurrency'. The bitcoin system is divided into three main components:

The Wallet

The wallet is basically a public and private key pair. To perform an outgoing transaction, you need to have the private key of that particular wallet. The public key is shared with the entire network, which allows you to receive bitcoins from other wallets.

The Block Chain

The block chain is the history of all the transactions, registered and verified in the bitcoin network. The block chain is what makes BitCoin so strong. Since the currency flows as digital bits and bytes, it is an important factor in making sure that no user can double spend the currency in a particular wallet.

Mining

Mining for bitcoin is the process used to reward users with bitcoins. The process is actually intended to add computing power to the system by allowing users to gain currency. Mining allows users to recompute the block chain and verify that all completed bitcoin transactions are confirmed with a matching balance.

Though people will comment that bitcoin is still not a successful currency, as of March 2013 bitcoin's network had more computing power than the top 500 supercomputers in the world.

The original paper by Satoshi Nakamoto which suggested the BitCoin system can be found here

SQRL

Secure QR code Login is another technology that emerged in the wake of PRISM. Steve Gibson wrote a shocking white paper about an alternative method for web authentication and privacy issues. This protocol utilizes asymmetric concepts and algorithms to allow seamless and strong authentication.

The initial stage is the creation of a large seed, which will be the secret of that particular user. For each login at a website, a new public-private key pair will be generated. The public key will be uploaded to the server and associated with that user's account. From that point on, whenever the user wants to authenticate to that site, he will face a challenge. He will need to take that challenge and sign it with the secret key matching the public key stored on the server. This allows the site to know that the user who replied to the challenge also has the private key matching the public key stored on the server.

This protocol is only at an early stage of development for now, but it is a very interesting concept with the ambitious goal of replacing (or going along with) the way we currently conduct authentication over the web.

Read more about SQRL from the author himself here:

https://www.grc.com/sqrl/sqrl.htm

Wrapping It All Up

The end point of this article is that you should continue using encryption. Before implementing or judging a system, one has to possess a strong understanding of the methods. You do not need to be a mathematician. You do not need to understand the bits and the bytes at this point. All you need is to gain practical knowledge of encryption standards and algorithms. The dos and don'ts of cryptography are what you need to keep in mind when reviewing a new system. Along with the general concepts, you can then see the points of failure in many protocols, which is the basis of hacking.

About the Author

Yuval tisf Nativ is the Offensive Division manager at SeeSecurity Technologies. His work encompasses consulting, security research and at night time teaching developers on how to become hackers.

The above is the partial content of the first article in the titled issue. We and the author are keen to know your opinion and suggestions on the topic.

Enjoy your time on PenTest Magazine Blog and find out more about the issue on our website!

Respectfully,

Karina Radzikowska and PenTest Magazine Team

© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013