Security
BruCON: Can we trust cryptography?
On September 18 and 19, the community-made conference BruCON made its first appearance in
Brussels. BruCON is organized by a small group of Belgian people working in
the security industry who wanted to create a security conference with room
for independent research and without a commercial undertone. As one of the
organizers, Benny Ketelslegers, said at the beginning of the conference:
"We have a lot of security researchers in Belgium, but we didn't have
a conference here that suits our needs.
"
Being a Belgian conference, there couldn't be a better speaker for the first lecture than Vincent Rijmen, a Belgian cryptographer and one of the designers of the Advanced Encryption Standard (AES). He is currently working as an associate professor at the University of Leuven. His talk was named Trusted cryptography [PDF] and discussed the growing doubts about the trust we can put in cryptology and its applications. His point being: today we can't trust cryptography.
Rijmen took the audience back to where cryptography started. In the Roman days, we had the Caesar cipher, which is a simple substitution cipher in which each letter in the plain text is replaced by a letter some fixed number of positions down the alphabet. This encryption method is named after Julius Caesar, who used it with a shift of three positions to communicate with his generals. Polyalphabetic substitution ciphers, like Vigenère or the Enigma machine used by Germany in World War II, were also driven by military requirements.
So cryptography in the past was used solely for military purposes,
Rijmen explained, but there is more to it than that: "Encryption was
used between trusted
parties, with secure perimeters. This is much different with our current
use of encryption: think about our bank cards, where crackers can even
measure the power consumption of the smartcard chip to try to crack the
encryption.
"
The shift to the public
This shift began in the 1970s and 1980s, for example with the concept of public-key cryptography introduced by Whitfield Diffie and Martin Hellman, and RSA being invented by Ronald Rivest, Adi Shamir and Leonard Adleman. As a result of these technical breakthroughs, Rijmen maintains that cryptography finally entered the public world:
This is how we have come to the current situation, where modern
communication networks are all based on cryptography. We have the A5/1
stream cipher in the GSM cellular telephone standard, the KeeLoq block
cipher used in the majority of remote car keys, and the Wired Equivalent
Privacy (WEP) algorithm which was the first attempt to secure IEEE 802.11
wireless networks. It is not a coincidence that Rijmen named these
protocols: they are all broken. The A5/1 design was initially kept secret,
but after leaks and reverse engineering several serious weaknesses have
been identified. KeeLoq was cryptanalyzed with much success in recent
years. And WEP, which is using the stream cipher RC4, can be broken in
minutes with off-the-shelf hardware and open source software such as Aircrack-ng. "RC4 is a good
protocol, but it is used incorrectly in WEP. If one of my students came up
with such a design, he should redo my course and come back next
year
", Rijmen told the audience.
Security myths and evil cryptography
All these defective designs, supposedly made by smart people, don't
improve trust in cryptography. Rijmen blames the defective designs to a
couple of "industry myths
" that don't seem to die out:
But there are cases where cryptography evidently works. When there is a business case, companies are suddenly able to do it right. For example, HP implemented authentication between the printer and the ink cartridge, as Rijmen explains:
But it's not only in industry where things go wrong. Rijmen maintains that
there are also some fairly pervasive research myths circulating. Many
security researchers are too academic and think that a good security model
is a model that allows them to prove theorems. In their eyes, security is,
then, what they can prove about some objects in their abstract mathematical
models. This whole abstract notion of security amounts to a degenerate
concept of "good research
" as applying well-known methods to
well-known problems, taking all the creativity and innovations out of the
research.
Added to this, we see that malware writers have discovered
cryptography. They use it to escape detection or to implement recovery
after partial exposure. But there's also a worrying trend where malware
encrypts the hard drive of a victim and then the malware writer extorts the
victim to get his data back. The consequence of these bad cryptography
examples in industry, academia, and the "evil cryptography
"
used by malware writers means that the public loses trust in the
technology. And that's were Rijmen's talk came at a breakpoint. His message
was clear:
It was funny to see how most of the audience's questions were about Rijmen's example of electronic voting, although he hastened to add that e-voting was just an example of the perils of bad cryptography and their consequences for our trust in cryptography in general. It was not, in any way, a remark about the security of particular e-voting implementations. Many persons attending his talk were genuinely worried about the security of e-voting, but don't consider themselves Luddites. One person stated that he doesn't trust e-voting because this centralizes the power of counting the votes into a black-box network of electronic devices from the same producer. In contrast, traditional voting decentralizes the counting by outsourcing it to thousands of people, which makes the votes less susceptible to manipulation.
A new kind of cryptography development
To regain trust in cryptography, Rijmen has two proposals: collaborative standards development and best practices. As an example case, Rijmen points to the development of his own AES. In January 1997, the National Institute of Standards and Technology (NIST) announced the initiative to develop a successor to the aging Data Encryption Standard (DES). NIST asked for input from interested parties, and in September 1997 there was a call for new algorithms. In the next three years, fifteen different designs were submitted, analyzed, narrowed down, and, in October 2000, NIST announced the winner: Rijndael, designed by Vincent Rijmen and Joan Daemen. Rijmen stressed some remarkable facts about the AES process:
According to Rijmen, the AES process should be taken as an example for collaborative standards development, not only for algorithms like AES, but also for protocols and even applications. The organizers of such a competition should invite the relevant people to contribute, get both the industry and academia on board, and envision future requirements. Moreover, they should advertise the development process, motivate submitters and reviewers, and evaluate the evaluations. Last but not least, they should push the result after all this work.
Rijmen's second proposal is to limit the number of standards and standard solutions, an approach that he calls green cryptography. It's all about recycling: reuse ideas that have proven their merits, and keep the implementations simple. This makes sense, because complexity is the culprit behind a lot of instances of cryptography failing:
From the developer's perspective, this means that they have a
marketplace of algorithms to pick from, and developers should be
discouraged of making their own home-brew algorithms: "Unless you can
absolutely not, use a standard.
" Rijmen gave an example of how it
shouldn't be done. Since 2000, there is a trend to combine encryption and
authentication into one operation, because encryption without
authentication leads to weaknesses in almost all applications. There are a
couple of standards and RFCs for authenticated encryption, but what did
Microsoft do with its BitLocker Drive Encryption in Windows Vista and 7? It
uses AES (which is good), in CBC mode (which Rijmen calls "the
standard mode in the 1980s, not in 2000
"), and without
authentication, against all security trends. Microsoft's explanation was
that "There is no space to store authentication tags on the hard
disk
", although each hard disk reserves space for bad
blocks. Rijmen's take-home message is that we don't need better
cryptography, but better implementations, sticking to the standards:
"Cryptography is not do-it-yourself stuff.
"
Security should be open
Regarding the open source aspect,
Rijmen concluded that openness has been the pulse of cryptographic design
in the last few decades, and that we should expect the same from its
implementations: "Openness works in cryptography because
cryptographers have access to the design and the analysis.
" But he
adds that we should not focus on opening the source for cryptographic
implementations: opening the source alone is not sufficient to attract
cryptographers and let them research the code, we should open the whole
standards development process.
The BruCON organizers showed the same openness as their first speaker. Different from other security events that are more commercially focused, BruCON gathered hackers (in the good sense), security researchers, security vendors, and governments, and they succeeded with a diverse mix of presentation topics and speakers, from Rijmen's metatalk, talks about social engineering and the information leakages in social networks to highly technical talks about the risks of IPv6, SQL injection, and the future techniques of malware. Moreover, anyone who has missed the conference can find the slides and even video recordings of almost all of the presentations online. Although the BruCON organizers wanted to make it a real "Belgian" conference, they didn't make the mistake of being too chauvinist. They were able to attract a lot of top-class international speakers, and the audience came from all over Europe and from the US. Your author hopes they return next year with a second event.
New vulnerabilities
asterisk: multiple vulnerabilities
| Package(s): | asterisk | CVE #(s): | CVE-2009-2726 CVE-2009-0871 CVE-2009-2346 | ||||||||||||
| Created: | September 28, 2009 | Updated: | June 4, 2010 | ||||||||||||
| Description: | From the Red Hat bugzilla (1, 2, 3): CVE-2009-0871: The SIP channel driver in Asterisk Open Source 1.4.22, 1.4.23, and 1.4.23.1; 1.6.0 before 1.6.0.6; 1.6.1 before 1.6.1.0-rc2; and Asterisk Business Edition C.2.3, with the pedantic option enabled, allows remote authenticated users to cause a denial of service (crash) via a SIP INVITE request without any headers, which triggers a NULL pointer dereference in the (1) sip_uri_headers_cmp and (2) sip_uri_params_cmp functions. CVE-2009-2346: The IAX2 protocol implementation in Asterisk Open Source 1.2.x before 1.2.35, 1.4.x before 1.4.26.2, 1.6.0.x before 1.6.0.15, and 1.6.1.x before 1.6.1.6; Business Edition B.x.x before B.2.5.10, C.2.x before C.2.4.3, and C.3.x before C.3.1.1; and s800i 1.3.x before 1.3.0.3 allows remote attackers to cause a denial of service (call-number exhaustion) by initiating many IAX2 message exchanges, a related issue to CVE-2008-3263. CVE-2009-2726: On certain implementations of libc, the scanf family of functions uses an unbounded amount of stack memory to repeatedly allocate string buffers prior to conversion to the target type. Coupled with Asterisk's allocation of thread stack sizes that are smaller than the default, an attacker may exhaust stack memory in the SIP stack network thread by presenting excessively long numeric strings in various fields. Note that while this potential vulnerability has existed in Asterisk for a very long time, it is only potentially exploitable in 1.6.1 and above, since those versions are the first that have allowed SIP packets to exceed 1500 bytes total, which does not permit strings that are large enough to crash Asterisk. (The number strings presented to us by the security researcher were approximately 32,000 bytes long.) Additionally note that while this can crash Asterisk, execution of arbitrary code is not possible with this vector. | ||||||||||||||
| Alerts: |
| ||||||||||||||
asterisk: remote denial of service
| Package(s): | asterisk | CVE #(s): | CVE-2009-2651 | ||||
| Created: | September 28, 2009 | Updated: | September 30, 2009 | ||||
| Description: | From the Red Hat bugzilla entry: main/rtp.c in Asterisk Open Source 1.6.1 before 1.6.1.2 allows remote attackers to cause a denial of service (crash) via an RTP text frame without a certain delimiter, which triggers a NULL pointer dereference and the subsequent calculation of an invalid pointer. | ||||||
| Alerts: |
| ||||||
backintime: incorrect file permissions when removing backup
| Package(s): | backintime | CVE #(s): | |||||||||
| Created: | September 28, 2009 | Updated: | September 30, 2009 | ||||||||
| Description: | From the Red Hat bugzilla entry: A Debian bug reportindicates that backintime chmods files to mode 0777 prior to removing them via removing a snapshot. What makes this worse is that if those files exist in subsequent snapshots, the permissions on those files is also mode 0777 which allows anyone to manipulate/delete the files in the backup. | ||||||||||
| Alerts: |
| ||||||||||
dovecot: arbitrary file modification
| Package(s): | dovecot | CVE #(s): | CVE-2008-5301 | ||||
| Created: | September 28, 2009 | Updated: | September 30, 2009 | ||||
| Description: | From the Ubuntu advisory: It was discovered that the ManageSieve service in Dovecot incorrectly handled ".." in script names. A remote attacker could exploit this to read and modify arbitrary sieve files on the server. This only affected Ubuntu 8.10. (CVE-2008-5301) | ||||||
| Alerts: |
| ||||||
glib2.0: privilege escalation
| Package(s): | glib2.0 | CVE #(s): | CVE-2009-3289 | ||||||||||||
| Created: | September 24, 2009 | Updated: | April 27, 2010 | ||||||||||||
| Description: | From the Mandriva alert: The g_file_copy function in glib 2.0 sets the permissions of a target file to the permissions of a symbolic link (777), which allows user-assisted local users to modify files of other users, as demonstrated by using Nautilus to modify the permissions of the user home directory. | ||||||||||||||
| Alerts: |
| ||||||||||||||
horde3: arbitrary code execution
| Package(s): | horde3 | CVE #(s): | CVE-2009-3236 | ||||||||||||||||||||
| Created: | September 28, 2009 | Updated: | April 1, 2010 | ||||||||||||||||||||
| Description: | From the Debian advisory: Stefan Esser discovered that Horde, a web application framework providing classes for dealing with preferences, compression, browser detection, connection tracking, MIME, and more, is insufficiently validating and escaping user provided input. The Horde_Form_Type_image form element allows to reuse a temporary filename on reuploads which are stored in a hidden HTML field and then trusted without prior validation. An attacker can use this to overwrite arbitrary files on the system or to upload PHP code and thus execute arbitrary code with the rights of the webserver. | ||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||
kvm: privilege escalation
| Package(s): | kvm | CVE #(s): | CVE-2009-3290 | ||||||||||||||||||||||||||||||||
| Created: | September 29, 2009 | Updated: | November 6, 2009 | ||||||||||||||||||||||||||||||||
| Description: | From the Red Hat advisory: The kvm_emulate_hypercall() implementation was missing a check for the Current Privilege Level (CPL). A local, unprivileged user in a virtual machine could use this flaw to cause a local denial of service or escalate their privileges within that virtual machine. | ||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||
newt: buffer overflow
| Package(s): | newt | CVE #(s): | CVE-2009-2905 | ||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 24, 2009 | Updated: | June 3, 2010 | ||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Debian alert: Miroslav Lichvar discovered that newt, a windowing toolkit, is prone to a buffer overflow in the content processing code, which can lead to the execution of arbitrary code. | ||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||
opensaml: multiple vulnerabilities
| Package(s): | opensaml | CVE #(s): | |||||
| Created: | September 28, 2009 | Updated: | September 30, 2009 | ||||
| Description: | From the Debian advisory: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignored key usage constraints. | ||||||
| Alerts: |
| ||||||
openssh: privilege escalation
| Package(s): | openssh | CVE #(s): | CVE-2009-2904 | ||||||||||||
| Created: | September 30, 2009 | Updated: | March 30, 2010 | ||||||||||||
| Description: | From the Red Hat alert: A Red Hat specific patch used in the openssh packages as shipped in Red Hat Enterprise Linux 5.4 (RHSA-2009:1287) loosened certain ownership requirements for directories used as arguments for the ChrootDirectory configuration options. A malicious user that also has or previously had non-chroot shell access to a system could possibly use this flaw to escalate their privileges and run commands as any system user. (CVE-2009-2904) | ||||||||||||||
| Alerts: |
| ||||||||||||||
php: multiple vulnerabilities
| Package(s): | php | CVE #(s): | CVE-2008-7068 CVE-2009-3291 CVE-2009-3292 CVE-2009-3293 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Created: | September 28, 2009 | Updated: | January 15, 2010 | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Description: | From the Mandriva advisory: The dba_replace function in PHP 5.2.6 and 4.x allows context-dependent attackers to cause a denial of service (file truncation) via a key with the NULL byte. NOTE: this might only be a vulnerability in limited circumstances in which the attacker can modify or add database entries but does not have permissions to truncate the file (CVE-2008-7068). The php_openssl_apply_verification_policy function in PHP before 5.2.11 does not properly perform certificate validation, which has unknown impact and attack vectors, probably related to an ability to spoof certificates (CVE-2009-3291). Unspecified vulnerability in PHP before 5.2.11 has unknown impact and attack vectors related to missing sanity checks around exif processing. (CVE-2009-3292) Unspecified vulnerability in the imagecolortransparent function in PHP before 5.2.11 has unknown impact and attack vectors related to an incorrect sanity check for the color index. (CVE-2009-3293) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| Alerts: |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
xmp: buffer overflows
| Package(s): | xmp | CVE #(s): | CVE-2007-6731 CVE-2007-6732 | ||||||||
| Created: | September 24, 2009 | Updated: | September 30, 2009 | ||||||||
| Description: | From the National Vulnerability Database entrys:
CVE-2007-6731:
"
CVE-2007-6732:
" | ||||||||||
| Alerts: |
| ||||||||||
xmltooling: several vulnerabilities
| Package(s): | xmltooling | CVE #(s): | |||||
| Created: | September 25, 2009 | Updated: | September 30, 2009 | ||||
| Description: | From the Debian advisory:
Several vulnerabilities have been discovered in the xmltooling packages, as used by Shibboleth: Chris Ries discovered that decoding a crafted URL leads to a crash (and potentially, arbitrary code execution). Ian Young discovered that embedded NUL characters in certificate names were not correctly handled, exposing configurations using PKIX trust validation to impersonation attacks. Incorrect processing of SAML metadata ignores key usage constraints. This minor issue also needs a correction in the opensaml2 packages, which will be provided in an upcoming stable point release (and, before that, via stable-proposed-updates). | ||||||
| Alerts: |
| ||||||
Page editor: Jake Edge
Next page:
Kernel development>>