Difference between revisions of "Cryptography"

From Hackepedia
Jump to navigationJump to search
Line 86: Line 86:
 
* If for example a an encrypted session does not have a Message Authentication Check (MAC) then a [[MITM]] attack changing the ciphertext on a network may cause problems in the protocol when the plaintext is fed to the program.  Pretend SSH did not have a MAC, then someone could modify packets and garble would come out and likely the terminal would print garble and the shell would complain at the unknown command.
 
* If for example a an encrypted session does not have a Message Authentication Check (MAC) then a [[MITM]] attack changing the ciphertext on a network may cause problems in the protocol when the plaintext is fed to the program.  Pretend SSH did not have a MAC, then someone could modify packets and garble would come out and likely the terminal would print garble and the shell would complain at the unknown command.
  
* If an encrypted session did not have a counter wrapped by an MAC then it would be possible to inject packets and the same garble would result as indicated above only it may not be able to be stopped.  A simple counter on each packet sent should prevent injections and replay attacks.
+
* If an encrypted session did not have a counter wrapped by an MAC then it would be possible to inject packets and the same garble would result as indicated above only it may not be able to be stopped.  A simple counter and MAC on each packet sent should prevent injections and replay attacks.
  
 
* The most annoying attack is the hang-up attack.  We have heard of people in foreign countries modifying their TCP stacks to prevent RST's being sent to hang-up a session, however the next step by the MITM is to change the ciphertext which fails the MAC check which I predict would cause a tear-down of the session.  If a protocol is robust enough to not be affected by hang-up it means that a MITM attack can probe several keys in the ciphertext in order to "test the water" and possibly use that to derive a key with computation.
 
* The most annoying attack is the hang-up attack.  We have heard of people in foreign countries modifying their TCP stacks to prevent RST's being sent to hang-up a session, however the next step by the MITM is to change the ciphertext which fails the MAC check which I predict would cause a tear-down of the session.  If a protocol is robust enough to not be affected by hang-up it means that a MITM attack can probe several keys in the ciphertext in order to "test the water" and possibly use that to derive a key with computation.

Revision as of 02:59, 7 August 2013

Cryptography is the method for distorting plain text so that it is unreadable by someone other than the intended recipient. For example, someone that is using a packet sniffer to listen in on network communication. Only if this third party knows the secret key to the ciphertext will they break the encryption and be able to see the plaintext. We highly recommend anyone using plain text protocols these days to use their free, open source, encrypted equivalents.

Cryptography found in UNIX


One way hashing

UNIX programmers implemented a One way hash of DES to "encrypt" passwords as part of the crypt(3) function. It was impossible to decrypt these passwords since they were a modified version of DES, so in order to know if someone had the right password the plain text would be encrypted and the result compared with the hash of the password database. If they matched, a user would be granted access. As computers became faster so did the speed at which DES would be cracked. An amd64 3500+ running OpenBSD using the systems crypt(3) functions can hash 121,000 passwords in 1 second in 2005. So a slower hash algorithm was needed and one that could take more than 8 characters for the passwords. Many Operating Systems have implemented MD5 hashing which does 1880 crypts per second on the aforementioned OpenBSD system, however it can now be broken with a custom made cracker (2012) which does 77 milllion cracks per second against this hashing method. So OpenBSD went even further and designed an interesting hash of blowfish that has a variable setting for rounds that blowfish will encrypt the hash with the string "OrpheanBeholderScryDoubt" 64 times per round. The result is that with 12 rounds, a crypt will do 2 passwords in 1 second.

One way hashing wasn't confined to just passwords. With the md5 and SHA, as well as the rmd160 commands one can make a cryptographic hash sum (or fingerprint) of a file or text in the system. For example, if you want to ensure a file or directory has not been altered, you can print the checksum onto read-only media (i.e. paper/burn onto a cd). Whenever you run the checksum program against the same file or directory, you should get the same results unless something has been altered. If this topic interests you, tripwire is popular software you'll want to read more about.


MAC / HMAC

A MAC (Message Authentication Code), it's called so because you can sign a message (run it through a one way hash) and if the hash does not equal the message then it's not the right message. An HMAC has a hashed MAC with an extra password protection.

Please see RFC 2104 for how HMAC's are computed.

Symmetric cryptography

Aes-spaceplot.jpg


True private key cryptography was also present with the bdes and the openssl commands which could encrypt files with a variety of ciphers. Some well known ciphers are DES (broken not used anymore), AES (the current standard at 256 bits), blowfish, CAST128 and Arcfour. Many ciphers are imported through the openssl library.

Most symmetric crypto ciphers are "block" ciphers in that they do encryption but only for blocks of 8 bytes or 16 bytes depending on the cipher. This is a bit of a pain for programmming with these ciphers because one would have the question of "what do I use as padding". Padding is the remainder of a block if the ciphertext wasn't exactly the blocksize. We don't have any recommendations for that but bad padding could potentially weaken a cryptographic message.

The opposite of a block cipher is called a "stream" cipher. You can feed it a byte with the algorithm and an encrypted byte will come out.


Symmetric Cipher Modes

A cipher has several modes. The plain mode for a cipher is called ECB which stands for electronic code book. This is a weak mode and can reveal many things. It's not recommended. Another mode is called CBC and stands for Cipher Block Chaining method. Here the cipher blocks are XOR'ed with the previous text block resulting in an even stronger crypto. A CBC mode requires an IV (an initial vector) so that the first block has something to XOR and isn't in ECB mode which could potentially weaken the stream. Some say that an IV doesn't have to be secret, but it can't hurt if it's exchanged like key in an assymetric exchange (DH/RSA). Another mode is CTR (counter mode). This mode is often used in sparse files because it allows random access into the ciphertext (unlike CBC which has to be streamed from the beginning). CTR requires a nonce (a one time value) which is XOR'ed against the block of ciphertext. The nonce is usually derived from an offset of the ciphertext.

There is many more modes.. these are just some basic ones.

Public Key cryptography

Also called assymetric cryptography. It uses 2 or more keys, usually one that's private and one that's public which is publically known. Ciphers include Diffie Hellman (DH), and RSA. GPG a program to encrypt mail on the application OSI layer uses this.

A new report in 2013 came out that RSA/DH may be broken within 5 years. slashdot story. This would potentially bring everything to a standstill in terms of online commerce. Alternatives are Elliptic Curve Cryptography.

Elliptic Curve Cryptography

This is new to us who write in this wiki, please see the Wikipedia entry.

Symmetric / Assymmetric Hybrids

This method is used in OSI session layer communication. A public-key exchange takes place to agree on a session key which is random and also a Symmetric encryption and all data following will be encrypted. This is used extensively in ssh and most SSL enabled software.


Cheap cryptography

Rotational Ciphers based on the alphabet are CHEAP. Often used by Usenet trolls who think that the people they troll don't have a clue what they are talking about.

$ echo OrpheanBeholderScryDoubt | /usr/games/rot13
BecurnaOrubyqreFpelQbhog

rot13 is probably good to keep data safe from your 7 year old sister.


Xor-spaceplot.jpg


Another type of cryptography is the XOR method. XOR used as a One time pad is potentially secure. Here is an example of a typical XOR encryption the xortext.c program is also available:

$ cat /etc/passwd | ./xortext blah | hexdump -C | head
00000000  10 03 0e 1c 58 46 5b 58  58 5c 5b 2b 0a 0d 13 04  |....XF[XX\[+....|
00000010  0b 09 41 4e 4e 40 4d 52  4d 1e 0e 07 16 56 4e 0a  |[email protected].|
00000020  0b 02 4e 1b 0a 66 05 09  07 01 0e 06 58 46 5b 59  |..N..f......XF[Y|
00000030  58 5d 5b 3c 0a 09 41 0c  07 1a 08 04 42 04 08 05  |X][<..A.....B...|
00000040  11 09 0d 0e 58 43 13 07  0d 18 5b 47 11 0e 08 06  |....XC....[G....|
00000050  4d 02 0e 04 0d 0b 08 06  68 03 11 0d 10 0d 15 07  |M.......h.......|
00000060  10 56 4b 52 50 56 54 52  31 15 12 1c 07 01 41 4e  |.VKRPVTR1.....AN|
00000070  58 43 0e 18 07 1e 00 1c  0d 1e 5b 47 11 0e 08 06  |XC........[G....|
00000080  4d 02 0e 04 0d 0b 08 06  68 0e 08 06 58 46 5b 5b  |M.......h...XF[[|
00000090  58 5b 5b 2a 0b 02 00 1a  0b 09 12 48 21 03 0c 05  |X[[*.......H!...|

Surprisingly some companies employ XOR cryptography in their products as a secruity mechanism.


Attacks on cryptography

  • If for example a an encrypted session does not have a Message Authentication Check (MAC) then a MITM attack changing the ciphertext on a network may cause problems in the protocol when the plaintext is fed to the program. Pretend SSH did not have a MAC, then someone could modify packets and garble would come out and likely the terminal would print garble and the shell would complain at the unknown command.
  • If an encrypted session did not have a counter wrapped by an MAC then it would be possible to inject packets and the same garble would result as indicated above only it may not be able to be stopped. A simple counter and MAC on each packet sent should prevent injections and replay attacks.
  • The most annoying attack is the hang-up attack. We have heard of people in foreign countries modifying their TCP stacks to prevent RST's being sent to hang-up a session, however the next step by the MITM is to change the ciphertext which fails the MAC check which I predict would cause a tear-down of the session. If a protocol is robust enough to not be affected by hang-up it means that a MITM attack can probe several keys in the ciphertext in order to "test the water" and possibly use that to derive a key with computation.