Schneier on Security
A blog covering security and security technology.
January 6, 2011
Sony PS3 Security Broken
Sony used an ECDSA signature scheme to protect the PS3. Trouble is, they didn't pay sufficient attention to their random number generator.
EDITED TO ADD (1/13): More info.
Posted on January 6, 2011 at 5:52 AM
• 85 Comments
Sony was hoist by their own petard. The security (or lack thereof) of their console was only tested by the community once they decided to close the platform to homebrew Linux users. In trying to stop an avenue for piracy the door was blown wide open. It's a shame that these sorts of closed platforms aren't simply banned outright. It reeks of anti-competitive bundling.
The fact that manufacturers continue to think they can keep people out of the devices they've purchased is ridiculous.
Sony worked for a year once to create copyright protection on CDs, and a week after it debuted, the hack was a 79 cent black marker over the outermost tracks on the spinner.
I just love stories of low tech trumping high tech
It seems that having officially-supported linux at launch time was the best security feature in the PS3.
They piss off the hardcore geeks by removing linux, and suddenly we get a huge cracking effort.
There's a lesson to be learned here...
Console piracy is a business reality and Sony would have to be stupid to think they could stop it completely. All they wanted to do was to put it off for a while, which they did for 4 years, although with a little more attention to detail perhaps they could have lasted a little longer.
The funniest bit was they tried to take down sites that disseminated this information under the DMCA.
Could their key have been compromised as easily if they had been using RSA? The need to have quality random numbers on a per-message basis seems like an undesirable property of ECDSA.
I believe they didn't even use a random number generator. They used a fixed constant for the nonce (_n_umber used _once_) used in (EC)DSA signature generation. One of the first things you learn NOT to do when studying (EC)DSA.
Sony (and others!) seem to want to re-write the BetaMax vs VHS outcome figuring that, if they're a monopoly, they will have all of a huge market, not all of a tiny market.
I suspect that a more open-- Android based?-- console might be the VHS to Sony's BetaMax3.
It is bad enough that these organizations cannot handle security that doesn't depend upon obscurity.
Sony's PS4 will likely include many of the Palladium features since the buyer shouldn't actually *own* what they paid for.
This is what happens when you use code from XKCD 221 (aka RFC 1149.5) to generate random numbers. Coincidence that both Randal and the Sony Engineers chose 4?
@Nick: With a little more respect, they might have put the cracking off longer. The April 1, 2010 patch that removed the OtherOS option seems to have spurred the cracking efforts.
The people most likely to have bought the PS/3 for its advertised abilities to play games and run Linux are the ones most able to crack the security. Sony then presented them with a choice: accept the patch and lose the ability to run Linux, or refuse it and lose the ability to play online and play new games. Sony offered no sympathy or compensation for this change. This caused a great deal of outrage around this small community.
This also removed most ethical restrictions: these people had to crack Sony security in order to get what they'd paid for and originally had, and they were reacting to what they saw as unethical behavior on Sony's part. The cracking was still illegal, but that community doesn't generally much value obeying the law when that results in what is seen as an unjust outcome.
There are two lessons to take away here. First, there's a lot of security-cracking talent out there that isn't really organized. Second, many of those talented people aren't motivated by potential illegal profits as much as they are restrained by ethical considerations. Business ethics are becoming more of a consideration in security.
This also ties in with the Anonymous reactions to what many saw as unfair decisions regarding Wikileaks: DOS attacks that in some cases were pretty effective. We are, as Herb Sutter suggested (see http://herbsutter.com/2010/12/31/... starting to live in a cyberpunk world.
Cracking the PS3's security wasn't illegal. Releasing tools to enable piracy (PSJailbreak) became illegal after Sony convinced judges to place injunctions on them, but it's pretty clear cut about hacking to get Linux back: it's perfectly legal, as long as you don't release copyrighted Sony files.
I don't think that because one buys a game console that they "own" the right to modify its contents. I may spur some backlash about that, but I think to keep their business model afloat, console makers have to keep people from being able to play pirated games and using the console in ways that were not intended. I'm not saying big business is right in this case, just fueling the discussion.
In regards to the Anonymous reactions to Wikileaks - they were weak and uncoordinated, perpetrated by those too cowardly to show their identity because they're denying rights to the rest of us by hacking public credit card sites. Here's an article: https://www.infosecisland.com/blogview/10617-Anonymous-Movement-is-Fueled-by-Cowardice.html
The best part is when he compares the Anon movement with MLK's civil rights efforts and how the Anon "movement" is nothing without an identity. Those willing to break the law must be willing to accept its consequences in order to effect change.
"I don't think that because one buys a game console that they "own" the right to modify its contents."
If you aren't allowed to modify an item that you own, then you don't really own it. I own a car; I can replace parts in it with any part that will fit (and remain street legal). There is a name for people that are only allowed to replace with approved parts and not make changes:
If that were true, Sony wouldn't be selling the consoles - they'd loan the consoles, or otherwise give access to them without selling them.
The only entity responsible for a corporation's business model is that corporation. If it isn't working, they need to change their business model. As it is, I doubt this is much of a threat. This hack allows running of unauthorized software on somewhat old hardware.
No, you cannot. Lights on your car are certified, tires are certified, etc. E.g. your brake lights must be red; you cannot install yellow ones. You cannot replace brake fluid with orange juice and stay "street legal". Etc. etc.
If it was explicitly rented at €/$50 a year then people would not have the right to modify it. But once "one buys a game console", you own it, it is your physical property. The issue with renting a console is that very few people would actually do that; consumers like to own things.
Sony (and Microsoft) are selling the consoles below cost, recouping the difference on game licensing. The US Air Force and a few universities got cheap super clusters subsidised by Sony. This practice was only going to increase, hence Sony disabled OtherOS on the Slim models.
Selling slims without OtherOS kickstarted the hacking to a new level, disabling OtherOS on previously sold PS3's unleashed a tsunami of hacking.
Well, Sony did not disable OtherOS really, just gave consumers no real choice. You can stick on firmware 3.15 and have Linux/FreeBSD, play all standalone games released prior to the 1st of April 2009 and lose access to network gaming. Or upgrade to later firmware revisions and lose OtherOS, but regain access to network play and access to play games released after the 1st of April 2009.
You can see issues from Sony's point of view and from Linux/FreeBSD consumers point of view as well.
That's right, Peter, and your hard drive is free to colonize with LSOs because you don't have any rights over who uses it when they want to. You do not own that hard drive and anyone is free to spy there and put spyware on it.
@owner of things.
Sure you can change those things to a car. As long as you don't drive it on a public street.
And that is exactly what Sony will do. If you connect to the PSN network you will need the latest firmware, and in future it will need some software that will check if it is a console without "homebrew".
"No, you cannot. Lights on your car are certified, tires are certified, etc. E.g. your brake lights must be red; you cannot install yellow ones. You cannot replace brake fluid with orange juice and stay "street legal". Etc. etc."
Actually, you can legally do ALL of that, and MORE. There are absolutely no restrictions whatsoever on doing any of the things you mention. The restrictions apply to whether you can drive it on public roads. Take, for instance, all of the show cars out there that are designed and built to be showy and flashy, but are more than likely not street legal.
I suspect that a more open-- Android based?-- console might be the VHS to Sony's BetaMax3.
So, basically a PC computer?
Sorry brainfart typo I meant 1st of April 2010, not 2009.
With homebrew, why would anyone want to connect to PSN?
Hell, many are looking for PSN's IP range so they can effectively block it. (Ditto with Xbox Live and battle.net; some networks don't want any such traffic.)
And how is Sony going to push software to the PlayStations out there to do this homebrew checking? Same way they push out their firmware? Oops, they can't, as one who has the signing keys can modify their GameOS to dump that software and help decrypting and analysing it.
", perpetrated by those too cowardly to show their identity"
Of course, fbm. Thanks for that comment fbm.
"because they're denying rights to the rest of us by hacking public credit card sites."
No credit card services were blocked. Only their web sites. This was a deliberate ethical choice on the part of Anonymous.
It's like buying a costume and the manufacturer stating that the buyer is not allowed to modify it. In this case to make for a better fit or to customize the overall look and function.
It's called "alterations". It's a fundamental part of the fashion industry. Besides, how will the manufacturer know that the user ISN'T modifying it short of following the wearer around, much less finding ANY clandestine tailor for that matter? And in the end, then what? Frivolous lawsuits for the sake of punishment by bankrupting the user?
Industry in general really has no control over any product once it leaves their facility. Computing technology that "phones home" serves as eavesdropping to make sure that the end user behaves like a good little slave, but then even that can be circumvented.
Modifications are what I consider "inalienable rights" since no one can stop anyone from doing so. It's just like the freedom of worship: No one can stop anyone from praying. In fact anyone can do so wordlessly in their own head and no one would be the wiser even under the heavy duress that torture causes.
If it wasn't for that inalienable right then the Nintoaster wouldn't exist.
And hey! I have scissors, adhesives, screwdrivers and various hardware tools, graphic and HTML editors (among other thangs)! I *DARE* ya to stop me! Bring it on! ;-)
@fbm: If you own something, you have the right to modify it. I don't see why you would say what you did.
You may not have the right to drive a modified car on a public street, or a modified console on a private network, but that's not the real issue here, as seen by the people we're talking about.
The real issue is that Sony forced the removal of at least one chunk of functionality from the older PS/3s, without compensation. The geek community considered this a very bad thing to do, and the reason really doesn't matter. Both legally and morally, there are lots of legitimate goals I can have, and lots of things I can't do to further those goals.
The geek community is not all that large, and for the most part is ignored in business considerations, but this may well turn out to have been a business mistake on Sony's part. It seems pretty clear that this led to the crack; how significant this is for Sony's bottom line remains to be seen. Whenever the PS/4 comes out, it's likely to face serious cracking attempts, and how successful these will be, and how much they'll affect Sony's profits, cannot be predicted.
Similarly, Anonymous had some real effects in the Wikileaks protest. They couldn't do everything they wanted (Amazon, for example, seems to have been unaffected), and you're certainly free to criticize what they did, but they did cause some effect. It's possible that this will encourage people who sympathized with Anonymous, but thought it pointless to join in.
Anonymous has nothing to do with civil disobedience, even philosophically. The idea behind civil disobedience was to appeal to people's consciences, while the idea behind Anonymous was to damage their corporate targets. A closer comparison would be to lynch mobs, although those operated against individual people rather than larger organizations.
What we have seen over the past couple of centuries is the increasing power available to individuals. It's a slow process, and partly nullified by increased surveillance and defensive power on the part of governments and corporations, but it exists. It would have been much more difficult for Timothy McVeigh or the Unabomber to carry out their terrorist acts in the 1800s.
We're seeing the ability of small groups of people to form anonymously, and have some impact on corporate operations without the possibility of effective retribution. This is significant.
@Peter - Owner_of_things specified staying street legal. Street legal is defined by the state, not by the car manufacturer.
@fbm: I disagree with you. Someone bought a machine that did two things; Sony tried to take away one of those things after the sale was finalized. That's a no-no under contract law.
@Owner_of_things: you got that right. That's why software and e-book "sales" are called licenses. And damn the person who started that trend.
“Don't think that because one buys a game console that they "own" the right to modify its contents. I may spur some backlash about that, but I think to keep their business model afloat, console makers have to keep people from being able to play pirated games and using the console in ways that were not intended. I'm not saying big business is right in this case, just fueling the discussion”
It is not the responsibility of the customer to in any way support or enable a company's business model, and it bothers me when people believe that it is. Say what you will about the morality or legality of piracy, but your statement against "using the console in ways that were not intended" disturbs me. For example, it is perfectly legal to purchase a PS3 and never buy nor pirate any games or content for it. Since Sony sells the hardware at a loss, in this situation you are undermining their business model; should this be illegal? By this logic it would be perfectly OK for a car manufacturer to sell you a car (as in you own it) but require you to take it for maintenance at their dealership only, purchase your insurance through them, buy gas through them, to enable their business model. Would you support that? In the car dealership example, what if someone figured out they could purchase oil for $20 and change it themselves instead of paying the dealership $80 to do it; should that be illegal or even morally wrong? If Sony really wanted to enforce the business model they are using, they would require all customers to sign a contract that they will buy X games per year from them. But they would never do that because it is unacceptable to their customers, as it should be, so instead they remember that 99% of customers are going to buy games anyway and take the chance that they will get their PS3 subsidy back plus profits. They are taking a calculated risk that people will buy games. If all their customers purchased PS3s to devote to Linux clusters then the worst case scenario happened and they will lose money, but as the customer that is not my problem. Also, since when is a company able to make up any crazy business model they like and expect customers to comply with it?
Now I'm not saying Sony's model is crazy, as it has been successful in the past and still is successful (I personally believe piracy results in a negligible loss of sales percentage-wise, but that's another issue), simply that if you put it on the customers to support a business model then a company can make up any crazy business model they like. What determines if a business model can stay afloat is if customers accept it and continue to act as planned (i.e. buying content). If customers cannot be convinced to accept the business model then the business model should fail (and by extension the company, or at least lose profits) and the business model should no longer be offered. The company needs to then either come up with a new business model that will work or get out of the business altogether; that is how it should work.
@various "we own the device"
We may own the physical device of the PS3 or a DVD disk, but that doesn't mean we own the copyright to the software, content or other IP. In fact Sony likely doesn't 'own' a lot of the software or firmware itself.
The difference between CAN do a thing and MAY do a thing is AUTHORIZATION.
WE CAN modify the console because we have the tools and skill to do so. Rule 3 - if the bad guy has access to your hardware it's not your hardware anymore.
We MAY NOT modify the console because of the license agreements we made with Sony as a condition of purchase.
You can be as big a dick as you want and torture little animals in the privacy of your own home but don't expect to be given any medals for it or not to be arrested if someone notices.
What's the point of owning a non-street-legal car anyway? For 99% of people, 99.99% of the roads they EVER find are public.
@Bekki Doll others "who wants PSN anyway"
Opting out of the delivery channel is all well and good, and Sony likely don't care if hobbyists screw around and screw up their own consoles. What Sony doesn't want (like DTV) is someone to begin selling jailbroken consoles that are
a) selling Sony IP in violation of copyright or license agreements with 3rd parties (they are still on the hook to these 3rd parties for IP Sony licenses);
b) the ability to take the next step and begin theft of service from PSN and its channel partners.
Guys, don't feed the trolls over the comparison of a video game console to a car; they've been hanging onto that one for a long time. I know the temptation is hard to resist, but you must, or else they'll never stop. It's been long established through common law via past court cases and groups like the EFF that it's 100% legal to do whatever you want with your property once you buy it. An End-User License Agreement (that you didn't agree to) does not override consumer rights. Remember the old principle - possession is 9/10ths of the law.
Want a good example of a EULA? Go buy a new PC game or the latest Windows disaster, open it, read the EULA's part about "If you do not agree, return this to the store for a full refund" and try to return it to the store. They won't give you a cent back; once you open it, you're stuck with it.
And yes, I would download a car if I could. And so would you.
@Peter I don't see the point of the analogy.
A product was sold, and bought by consumers, to have features:
1 Play BluRay discs.
2 Play legally purchased Games standalone (released prior to 1st of April 2010)
3 Play legally purchased Games standalone (released post 1st of April 2010)
4 Play Network Games.
5 Install OtherOS.
Sony after sale decided that customers can have a subset of these features (1,2,5) and not others (3,4). Or you could update the firmware and have access to less features than the date of purchase (1,2,3,4). A modern day spin on the classic bait and switch.
Some very smart people were unhappy with this and are currently trying to (re)add features to hardware they own.
5b Install whatever OS on the hardware they own e.g. Linux, FreeBSD, NetBSD, ...
6 The ability to legally run whatever software they like on the hardware they own, software referred to as homebrew, e.g. XBMC, a proper web browser, email client.
Now they are seeking what they bought (1,2,?3?,5b,6).
The people currently involved have no interest in software piracy, it is illegal. But as a consequence of their work it will happen.
When the first link in a security chain is broken, it is going to be near impossible for Sony to repair the chain. One way to make life harder for piracy would be to release a new firmware, with new sub-keys every few days/weeks. But the hardware failure rates for the PS3's flash memory would sky rocket.
"This is a fight Sony can't win" [http://bit.ly/bJNtDN]
In the race to combine tv with the web, I really cannot understand why Sony/Apple/etc don't embrace the HTPC and *nix model. A $100-200 box that lets you buy/watch online/media content and browse the web on your tv is a killer device. Amazon has record sales this season with a Kindle -- a hackable $139 Linux box that lets you read books and browse the web. Only 3lee+ users will ever hack the box, and Amazon/iTunes/Netflix show that it's possible to make amazing sales on conveniently available content at the right price point, even if all that content can be had for free via torrent. That Amazon can succeed at this for books and Apple for music but Sony can't figure this out for teevee (!) suggests incompetence.
I recently put together a Mac Mini HTPC; a PS3 solution would have been a strong contender if only for its performance/price, but the fact that Sony is hating on Linux removed it from consideration. Looks like the PS3 is again a good HTPC option, no thanks to Sony.
@BF Skinner: I never bought a PS/3 myself, so I'm curious about this license agreement as a condition of purchase. Did you have to sign it at the cash register? Was there a click-through EULA? (FWIW, I never encountered one on any of my Nintendo gaming consoles.) If not, I'm at a loss to where any such agreement could have come from.
Please do not assume that any random text Sony may have printed and included in the package constitutes an agreement. Unless there's some sign of assent, it isn't.
In the absence of such agreements, the only things that apply are patents and copyrights. The copyrights do not, I believe, prevent me from modifying my copy of something, and in the US they certainly don't prevent reverse engineering. They do prevent me from legally building my own game consoles and copying Sony's software, and that's really what Sony cares about.
The cracking may have violated the DMCA, but that's a law that is generally considered immoral by the geek community, and it's not generally considered immoral to violate an immoral law. Moreover, I'm willing to bet quite a bit that it didn't involve torturing small animals.
Sony security has been and will always be broken, from the CCC group in Berlin to others around the world; for some it's just the challenge, to others it's just what they want. Non-story again, reader bait.
Thanks for covering this, Bruce. At first, I could not understand how getting the public key off the console allowed the private key to be obtained. The BBC now has quite a good explanation:
1) Copyright's irrelevant for personal use.
2) Sony has an individual contract with each purchaser? As far as I can tell, the closest they have is a SYSTEM SOFTWARE LICENSE AGREEMENT accepted on firmware updates, which is quite different. Section 2 just informs you that if you mod or attempt to mod, you void their warranty and they won't repair it. Section 7 suggests that by breaching section 2, they may deny you access to their network. That's about it. (source: http://www.scei.co.jp/ps3-eula/ps3_eula_en.html - go through the Sony site to get your particular version)
Sony could easily tweak their console business model a bit to ensure nobody gets a below-cost console, thusly. All numbers are made up.
Instead of selling the box for $X below cost, sell it at cost with a voucher for $X discounts on game purchases. That way the subsidy is nice and explicit.
Alternative: like cellphones and satellite TV, sell for $X below cost plus an $X payment to be made unless N games are purchased within some time frame.
Good points. It actually has been illegal in America since the 1970s for a car manufacturer to require service at a particular mechanic -- more precisely, it is illegal to void a warranty if you have a certified mechanic do the service.
The hobbyists make a lot of noise but I suspect Sony is not the one most concerned and already engineering countermeasures; it is Apple.
I understood that they didn't use an RNG at all, they just reused the same constant. The k-value is more than a nonce, though. It has to be unpredictable, secret and never reused. If you reuse k, even while keeping it secret, your private key is exposed. Wikipedia even has an entire section on keeping your k value secure in their page on DSA.
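The failure mode these two comments describe (a fixed k reused across (EC)DSA signatures exposing the private key), as an added worked example that is not part of the post or of any comment here. It is a toy ECDSA in Python over the public secp256k1 curve constants; the private key, the two messages and the fixed nonce are constructed for the demonstration. `recover_private_key` solves the two signature equations that share the same r, and the second scenario shows that a fresh, unpredictable k per signature leaves nothing to solve.

```python
"""Toy ECDSA over secp256k1 showing why the per-signature nonce k must never repeat.
Added example, not code from the post or its comments. Curve parameters are the
public secp256k1 constants; key, messages and the reused nonce are constructed."""
import hashlib
import secrets

# secp256k1 domain parameters (public constants): y^2 = x^3 + 7 over F_P.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity


def generator_on_curve() -> bool:
    """Sanity check that the hard-coded base point satisfies the curve equation."""
    x, y = G
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine point addition (and doubling) for a curve with a = 0."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication."""
    result, addend = INF, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def hash_to_int(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(priv: int, msg: bytes, k: int):
    """ECDSA with a caller-supplied nonce k, so the reuse can be demonstrated."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (hash_to_int(msg) + priv * r) % N
    return (r, s)


def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(hash_to_int(msg) * w % N, G),
                   scalar_mult(r * w % N, pub))
    return pt is not INF and pt[0] % N == r


def recover_private_key(msg1, sig1, msg2, sig2):
    """Two signatures made with the same k share r. From
    s_i = k^-1 (h_i + d*r) mod N we get k = (h1 - h2)/(s1 - s2) and then d.
    Returns None when r differs (distinct nonces) or the system is degenerate."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2 or s1 == s2:
        return None
    h1, h2 = hash_to_int(msg1), hash_to_int(msg2)
    k = (h1 - h2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - h1) * pow(r1, -1, N) % N


M1, M2 = b"constructed message one", b"constructed message two"


def reused_nonce_leaks_key() -> bool:
    """Constructed scenario: one key, a fixed nonce used for two messages."""
    priv = secrets.randbelow(N - 1) + 1
    pub = scalar_mult(priv, G)
    k_fixed = 4  # constructed constant; any reused value has the same effect
    sig1, sig2 = sign(priv, M1, k_fixed), sign(priv, M2, k_fixed)
    valid = verify(pub, M1, sig1) and verify(pub, M2, sig2)
    return valid and recover_private_key(M1, sig1, M2, sig2) == priv


def fresh_nonces_do_not_leak() -> bool:
    """Same key and messages with a fresh unpredictable nonce per signature."""
    priv = secrets.randbelow(N - 1) + 1
    pub = scalar_mult(priv, G)
    sig1 = sign(priv, M1, secrets.randbelow(N - 1) + 1)
    sig2 = sign(priv, M2, secrets.randbelow(N - 1) + 1)
    valid = verify(pub, M1, sig1) and verify(pub, M2, sig2)
    return valid and recover_private_key(M1, sig1, M2, sig2) is None


if __name__ == "__main__":
    print("reused nonce leaks key:", reused_nonce_leaks_key())
    print("fresh nonces leak nothing:", fresh_nonces_do_not_leak())
```

The signatures in the first scenario verify perfectly, which is the point the comments make: a constant k breaks nothing that a functional or regression test would catch, only the secrecy of the key. The mitigation is a k that is fresh and unpredictable for every signature, or one derived deterministically from the private key and the message (as RFC 6979 specifies), so that two different messages can never share r.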
Re: "You can be as big a dick as you want and torture little animals in the privacy of your own home..."
Isn't that rich? Equating hardware mods with animal cruelty? And now ALL modders are cruel to animals, too? Isn't that some really stupid reasoning for the sake of emotional appeal in lieu of the facts or what?
Still, that doesn't change the facts that 1) The hardware is in the person's possession, B) They can do what they want with the hardware in their possession no matter what scribbled legalese is on a scrap of paper, iii) Sony has no control over that, and FORE!) The "security" was eventually exploited through a chink in that armor.
Reverse engineering: Another inalienable right. ;-)
But animal cruelty? Oh PLUH-leeeeeeeeze! I don't own a PS3 and could care less what users do with the hardware in their possession much to the chagrin of Sony. At least no animals were harmed here (outside of the fevered egos at Sony and their reactionary apologists abroad).
I watched the video, and as far as I can tell, I think their main mistake was the fact that they didn't use the hypervisor for anything useful. Like one of the fail0verflow guys said: "It just sits there, doing nothing". The fact that they don't distinguish between code and data pages is... weird.
And what's even funnier - with the recovered keys, one can change the hypervisor's config. So if it's able to do more than what it's doing right now, we should be able to make the PS3 MORE SECURE than its retail state.
That is awesome. :D
@ David Thornley
I totally agree that the patch removing the OtherOS option indeed spurred the cracking efforts. Many folks that chose a PS3 over the much cheaper Xbox 360 or Wii for exactly this feature felt totally cheated and outraged when it was taken out. And in a blatant display of corporate arrogance Sony didn't even bother to compensate them in any way.
Irrespective of whether or not we should be allowed to modify or reverse engineer a device we have purchased, it goes to show just how far-reaching the implications can be when product marketing and management alienate themselves from a user community and start making decisions based on spreadsheets only. I'm pretty sure they were even warned by engineering for such a scenario.
I'm quite curious what their next steps are going to be since - if my understanding is correct - it would be very difficult to solve the issue without changing the hardware. It will probably affect PS4 security design and release date. It may contribute to an earlier PS3 EOL. Any which way, they will be losing money over this, especially because initial adoption of PS3 by the public was reasonably slow and they are now stuck with a product that has been compromised after only 4 years of the expected 5-6 years lifetime of an average console. Needless to point out the dangers of trying to take a product to market before it's ready, especially when you have it accompanied by a dancing nuns campaign (remember OS/2).
I guess there are a couple of valuable lessons for Sony and other companies to be learned from this:
1) Never underestimate the skills, ingenuity and resolve of some of your customers when targeting a potential geek audience, intentionally or by accident.
2) Don't tick them off because they care just as little about your business model as you care about them.
@ Bekki Doll
Can I take you to dinner or ice skating some time ?
What I find terribly ironic is that Sony, a multi-billion dollar conglomerate, is really clueless when it comes to security in general (does anyone else remember the XCD rootkit fiasco?). So clueless in fact that they thought they could use the same old nonsense of "security through obscurity". And, in the end after the big reveal by the hackers who cracked the code, they have a hypervisor that doesn't supervise a damn thing in regards to protecting the system from the very code that circumvented it in the first place?
Poetic. Simply poetic.
And lest you think this is Sony bashing: This is bashing weak security from a company with plenty of resources to make sure that it didn't happen in the first place. Besides, I have a Sony amplifier, VCR, DVD player, portable CD player and even a Sony Mavica. But then I got that stuff way back during the '90s and early 200x (the CD player was free from my Creator's company). So, at one time, Sony used to be the brand for very good consumer electronics.
Today I really see no incentive to buy Sony products. Especially if they can cripple one's hardware (XCD) or Sony-brand hardware becoming crippled over time due to Sony's indiscretion. And it took a few humans who dared to exercise their personal freedom to expose the emptiness behind the curtain in their pursuits in learning how things work.
Sony used to be "It" that, at one time, learned from the mistakes of others in the '90s (Nintendo and Sega) when it put forth the CD-based PlayStation. Now the company is "Shit" as it now succumbs to its own hubris.
Besides, emulation is where it's at when it comes to games. Which is why I'll never buy a stationary console again and throw my money towards computers instead (preferably running XP or Linux). I did buy a used GameBoy Advance (the clamshell model with the backlight that is either switchable between full bright and half-as-bright) simply because of homebrew hacking and its backward compatibility with ancient GameBoy games.
Now that the PS3 has been irrevocably PWNED, I wonder how many people will buy it just to mod it beyond Sony's shallow expectations before they're pulled from the market.
Oh pants; someone beat me to flirting with Bekki.
The mistake the Sony software engineers made is an understandable one, when you don't have a domain expert sitting at the design table, and during the review processes.
They basicaly optomised out a critical and difficult to achive part of the DSA protocol and in the process opened up a big fat, wide open, side channel that got exploited. Importantly this optomisation did not break the actual functioning of the software and would have past any regression tests...
The problem with the designed by NSA employee and certified by NIST DSA and it's "k value" has been known by domain experts for a while but not widely otherwise.
You can if you know what to search for even find examples of why it's bad and an explanation of how to exploit it online,
The fact that meeting all the "k value" requirments is difficult especialy in a high bandwidth communication system should ring bells in peoples heads about using it.
NIST with the help of the NSA have a number of protocols / standards that are overly brittle in use one way or another and if not used correctly each and every time will open up a side channel that leaks confidential information.
Another NSA / NIST example is AES and timing side channels and power spectrum side channels due to implementation issues. These were not mentioned / considered during the AES competition and the competition rules encouraged "optimised for speed" implementations that made the side channels implicit in the designs. Thus nearly every practical implementation of AES used the freely available competition code that had significant side channels. Thus nearly all early AES implementations, many of which are still in use, have side channels, and if yours does not the chances are it will work with another implementation that does...
I keep saying it but the three attack areas the likes of the NSA, GCHQ et al are going to be working in for their bread and butter code breaking are,
1, Protocol weaknesses (especially their edge effects in practical implementations).
2, Side channels (of all kinds).
3, Known plaintext (in standard file headers etc).
The fact that the DSA "k value" is so very easy to get wrong in practical implementations must have been well known to the NSA prior to it being made available to NIST. You therefore really have to ask why they did not make it clear...
But then as I've said the NSA have previous in this respect going back at least as far as the C34 field cipher machine.
Also as I've said before protocol issues are the most devastating of attacks not just because they are cross platform but because of the legacy effect of backwards compatibility.
As Sony must now realise they have a real issue in that how do they solve the problem of this break but... Solve it in the PS4/5/6... without breaking backwards compatibility or further alienating PS3 owners...
All of which is part of the reason I keep saying that NIST should stop having algorithm competitions and start producing "frameworks", because a properly designed framework that is a requirement in all systems from the start will allow any broken algorithms to be quickly and easily replaced even in embedded systems.
Historically backwards compatibility in secure systems is a very big NO NO. It was the route used to repeatedly get breaks into the German Enigma System during WWII, as some messages will always get encrypted under both the old and new systems, thus enabling traffic to be known as both plain and cipher texts, which can give cryptanalysts and traffic flow analysts very useful information over and above the actual message contents.
Posted by: David Thornley
"Anonymous has nothing to do with civil disobedience, even philosophically."
You're right - but they're using the comparison for themselves. If you read the article, you'll see that some of the online chats the author had with some Anon movement folks steer in that direction.
Posted by: Mat
"I suspect that a more open-- Android based?-- console might be the VHS to Sony's BetaMax3."
I did not write that.
Consumers DO have an effect on the business model. They don't have to care about it, but it affects the bottom line and affects the business model.
I agree that the crackers were only reacting to a juvenile "lock-out" of OSs by Sony. My point is, I don't agree that users should still have full access to certain items if they *choose* to open their systems and tool around with them. Just like installing aftermarket items on a car sometimes voids warranty.
And buying a product does not entitle you to reverse engineer it.
"Reverse engineering: Another inalienable right. ;-)"
Right, but not if you want to access proprietary software, networks, or games by another or the same company. They're just not going to allow that.
Imagine if you wrote and recorded a song. Someone heard it on the internet and liked the guitar part. Imagine there was a way to strip only the guitar out of the full recording and someone did that to your song and used it in any fashion they saw fit - illegally, technically. Do you think that's legit? It's your music they "reverse-engineered" by your proclaimed inalienable right.
To me, inalienable rights are the right to freedom, right to live in the country - that kind of stuff. The sense of entitlement by some people in this world is absolutely baffling.
Amusing sidenote - the PSP's encryption keys were found in the PS3 dump as well, meaning that the previously-unhackable PSP Go is now effectively broken as well.
@John Campbell - Amusingly enough, Sony is developing an Android-based gaming phone. Anyone want to guess the odds on that staying secure? :D
Skinner: We MAY NOT modify the console because of the license agreements we made with Sony as a condition of purchase.
That's incredibly weak -- surprisingly weak (Has someone taken your handle?). Obviously terms required by an effective cartel (aka, non-negotiable terms by all market players) are not an ethical "agreement" but merely "facts of the matter".
To equate the ethics ("MAY") of openly negotiated terms between equal players in a free market with terms of trade dictated by the collusion of producers eliminating all negotiation is vapid.
@fbm: "And because you buy a product, does not entitle you to reverse engineer it."
Are you kidding? To keep the car analogy :-) once you buy a car are you not entitled to look under the hood? Or to disassemble it into bolts and nuts and examine them? That's all reverse engineering. Give me any statute reference that says you can't do these. Well, you may lose some rights or services the producer has voluntarily given you (such as a warranty) but this is it.
It's perfectly legal and, more important, unavoidable. What you're legally prohibited to do is to use some particular pieces of the knowledge gained in the process to make your own car - or a spaceship or a wheelbarrow or anything. That's where patent law kicks in. In practice, patent law prevents you (to some degree) from selling what you've built this way, as nothing can prevent you from building a vehicle in your garage.
There's a different matter with immaterial things like software as there actually exist some laws prohibiting reverse engineering of software in some jurisdictions. I think it's absurd, as copyright protects the software in a similar way that patents protect physical things (and sometimes patents protect software, too). But again in some jurisdictions there are exceptions to this, for example you are allowed to RE software if you need to interface with it somehow (i.e. read/write compatible data files).
Back to PS3 case: I just wonder if a skilled lawyer could interpret it as a need to interface some random OS with PS3's firmware :-) Or would it be possible to throw out the firmware completely and put up a homebrew one? It is perfectly legal to replace your PC's BIOS with whatever you want, for that matter, even if it makes little sense because of the openness of the architecture.
@fbm: I'd be very wary of using "they" in connection with Anonymous, except for actual concerted acts. A phrase like "some of Anonymous" would be more accurate.
IANAL, but I don't think there's anything in copyright or patent law to prevent reverse engineering. It's often forbidden in licenses and similar documents, but that doesn't appear to apply to the PS3.
There are also laws in the US about how a commercial network provider can restrict users. That's how the AT&T monopoly on telephones and other equipment connecting to telephone lines was broken. It may turn out that Sony cannot legally ban some cracked PS3s from on-line play, if anybody cares to test it in court (which probably won't happen).
You do seem to be confusing reverse engineering with duplication. Reverse engineering would be figuring out how you fingered the guitar, or something like that. It has nothing to do with distributing unauthorized copies of copyrighted material.
The sense of entitlement among many corporations in this world is really puzzling.
David Thornley: The sense of entitlement among many corporations in this world is really puzzling.
It's not precisely that: the sense of entitlement among many with vested interests in corporate profits in this world is really puzzling.
Just look at who is saying what -- particularly the idea upthread that somehow having a business model means that it's ethical to coerce others into respecting that business model. There are folks here who would have arrested Ford for disrupting the buggy-whip manufacturers business model!
I'm sorry, but your claims about DSA are so full of mistaken premises and misinformation that I can hardly believe it. Let's deal with them one at a time, shall we?
"They basicaly optomised out a critical and difficult to achive part of the DSA protocol and in the process opened up a big fat, wide open, side channel that got exploited. Importantly this optomisation did not break the actual functioning of the software and would have past any regression tests..."
Three errors here.
Firstly, using a fresh random value for each signature is not especially difficult, particularly when you consider the context, which is signing code as part of Sony's release process. The console itself has no need to sign this stuff: it's done in-house, internally, beforehand. Optimization is almost completely unnecessary; even so, there are several possibilities for improving performance. (An obvious one is to associate a symmetric key with the signing key, and use it to generate the per-message randomizer, e.g., by computing a pseudorandom function of a counter, the date or the input message. Note also that the randomizers, and the computationally intensive parts of DSA signature computation, can be done in advance, before the message is known, and without knowledge of the private key.)
Secondly, this is not a side-channel. This is a well-known property of signature schemes based on the Fiat--Shamir heuristic applied to a three-pass proof-of-knowledge, and, indeed, is an essential part of the security proof for such schemes: the ability to extract the prover's (signer's) private key if it responds to distinct challenges (messages) when rewound (reusing a randomizer) demonstrates that a prover (signer) who can generate convincing responses (signatures) with significant probability must actually know the private key. Such schemes go back to Taher ElGamal's signature scheme of 1984; DSA shows the influence of Claus Schnorr's scheme of 1989. (DSA doesn't quite fit into this framework, because it doesn't seem to have the necessary zero-knowledge property. This was pointed out in public comments at the time.) In the event that you implement such a signature scheme incorrectly by reusing randomizers, you have a plain old cryptanalytic vulnerability. It's not a side-channel: the private key falls straight out of the front door.
Thirdly, this is exactly the sort of thing that a half-decent regression test ought to catch. Detecting reuse of a randomizer in DSA is very easy, since half of the signature depends only on the randomizer (and the domain parameters) -- and not at all on the message nor on the key (either public or private).
"The fact that meeting all the "k value" requirments is difficult especialy in a high bandwidth communication system should ring bells in peoples heads about using it."
It's not at all difficult, as I described above.
"The fact that the DSA "k value" is so very easy to get wrong in practical implementations, must have been well known to the NSA prior to it being made available to NIST. You therefore realy have to ask why they did not make it clear..."
Mistaken premise. It was indeed made clear: FIPS 186 (1994; the document in which DSA was originally standardized) says, quite clearly, in section 4: `Parameter k must be regenerated for each signature.'
It's true that later NIST standards contain much more implementation guidance than older ones. FIPS 186-3 (2009 -- so after Sony had already made the mistake) has a section (4.5) entitled `DSA Per-Message Secret Number' which explains the security properties required of the randomizer.
"The mistake the Sony software engineers made is an understandable one, when you don't have a domain expert sitting at the design table, and during the review processes."
No. It's very hard to understand this error: it'd be in the You Fail Cryptography Forever page of tvtropes if they had one.
Any self-respecting hardware security module will use a distinct randomizer for each DSA signature since it can't reuse randomizers and simultaneously make any pretence at holding signing keys securely. Standard HSM programming interfaces, e.g., PKCS #11, don't provide any way to pass a randomizer into the signing algorithm from outside the module: it must generate it itself.
In turn, this indicates that Sony aren't holding their signing keys in a hardware security module. Which is worthy of a facepalm all by itself.
This is a simple case of hubris -- `We can implement the crypto ourselves just fine' -- properly punished by Nemesis.
"The problem with the designed by NSA employee and certified by NIST DSA and it's "k value" has been known by domain experts for a while but not widely otherwise."
You'll have to explain to me why a non-domain expert will be writing a DSA implementation in the first place, and even then where he'd find out what it's meant to do without tripping over the requirement that each signature use a distinct randomizer. Bruce's book certainly makes this clear, as does Menezes, van Oorschot and Vanstone's Handbook of Applied Cryptography, available online, not to mention the official standard.
"NIST with the help of the NSA have a number of protocols / standards that are overly brittle in use one way or another and if not used correctly each and every time will open up a side channel that leaks confidential information."
Many (most?) cryptographic schemes impose requirements on higher-level protocols and applications which must be fulfilled for security. This is often described in terms of a `security warranty': using the crypto widget wrongly `voids the warranty'.
Blaming the tendency towards `brittleness' in cryptographic widgets on the NSA is very bizarre. If anything, it comes from the academic trend towards provably secure schemes and protocols. The proof tells you that, if you use the thing properly, and satisfy its conditions, and the explicitly stated intractability assumptions hold, the theorem gives you well-defined and (ideally) well quantified security properties. If one of these hypotheses fails, the theorem obviously doesn't apply any more, and you might get nothing at all. (Consider GCM, where tag reuse leads to a catastrophic authentication failure.)
"I keep saying it but the three attack areas the likes of the NSA, GCHQ et al are going to be working in for their bread and butter code breaking are,
1, Protocol weaknesses (especialy their edge effects in practical implementations).
2, Side channels (of all kinds).
3, Known plaintext (in standard file headers etc)."
Known plaintext is irrelevant in modern cryptography. Any encryption scheme worthy of consideration resists /chosen/ plaintext attacks -- and, in practice, security against chosen /ciphertext/ attack is also necessary. Worrying about known plaintext is infinitely more likely to cause errors due to ambiguous data formats than it is to defend against cryptanalysis.
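The property Mark Wooding describes (half of a DSA signature depends only on k, so a repeated r betrays a repeated k, and two such signatures give up the private key), as an added toy-scale example that is not code from the thread, from Sony or from NIST; the ~20-bit q, the fixed k, the HMAC-derived k and all names are constructed assumptions.

```python
"""Toy DSA: why the per-signature k must never repeat.
Constructed illustration for the discussion above; not Sony's, NIST's or any
library's code.  q is ~20 bits so it runs instantly; real DSA uses a 224- or
256-bit q and a hash truncated to the size of q."""
import hashlib
import hmac

def is_prime(n: int) -> bool:
    # Trial division; adequate for the toy parameter sizes used here.
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True

def toy_dsa_params(q: int = 1_000_003):
    """Deterministically find (p, q, g): q prime, q | p-1, g of order q mod p."""
    assert is_prime(q)
    m = 2
    while not is_prime(m * q + 1):
        m += 1
    p = m * q + 1
    for h in range(2, p):
        g = pow(h, (p - 1) // q, p)
        if g != 1:
            return p, q, g
    raise ValueError("no element of order q found")

def hash_mod_q(msg: bytes, q: int) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % q

def dsa_sign(params, x: int, msg: bytes, k: int):
    """Textbook DSA: r = (g^k mod p) mod q, s = k^-1 (H(m) + x r) mod q."""
    p, q, g = params
    if not 1 <= k < q:
        raise ValueError("k must lie in [1, q-1]")
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_mod_q(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; use a different k")
    return r, s

def dsa_verify(params, y: int, msg: bytes, sig) -> bool:
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1, u2 = hash_mod_q(msg, q) * w % q, r * w % q
    return pow(g, u1, p) * pow(y, u2, p) % p % q == r

def sign_constant_k(params, x: int, msgs, k: int = 0x1234):
    """The mistake discussed in the thread: one fixed k for every signature."""
    return [dsa_sign(params, x, m, k) for m in msgs]

def sign_prf_k(params, x: int, msgs, sym_key: bytes = b"constructed-signer-secret"):
    """Wooding's suggestion: derive k from a secret PRF of the message (plus a
    retry counter), so it is unpredictable to outsiders yet never repeats for
    distinct messages.  A sketch only; RFC 6979 specifies a vetted construction."""
    q = params[1]
    sigs = []
    for m in msgs:
        ctr = 0
        while True:
            tag = hmac.new(sym_key, ctr.to_bytes(4, "big") + m, "sha256").digest()
            k = int.from_bytes(tag, "big") % (q - 1) + 1  # in [1, q-1]
            try:
                sigs.append(dsa_sign(params, x, m, k))
                break
            except ValueError:  # r or s came out 0; derive another k
                ctr += 1
    return sigs

def find_nonce_reuse(sigs):
    """The regression check: r depends only on k and the domain parameters, so
    an r seen twice means k was reused.  Returns (earlier, later) index pairs."""
    first_seen, reused = {}, []
    for i, (r, _s) in enumerate(sigs):
        if r in first_seen:
            reused.append((first_seen[r], i))
        else:
            first_seen[r] = i
    return reused

def recover_key_from_reuse(params, msgs, sigs, i: int, j: int) -> int:
    """Why the check matters: two signatures sharing k leak x outright, via
    k = (h_i - h_j) / (s_i - s_j) and x = (s_i k - h_i) / r (all mod q)."""
    q = params[1]
    (r, s1), (_, s2) = sigs[i], sigs[j]
    h1, h2 = hash_mod_q(msgs[i], q), hash_mod_q(msgs[j], q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return (s1 * k - h1) * pow(r, -1, q) % q
```

Running `find_nonce_reuse` over every release signature before it ships is the regression test Wooding describes; it needs neither the key nor the messages, only the r halves.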
I think Sony deserves it, and in spades. If I root your box, I'm some sort of terrorist, and I go to jail, maybe even have to pay some restitution.
Sony roots zillions of boxes, and the remedy is:
No one goes to jail.
A small (to them) fine is paid and becomes a feather in some AG's hat.
Users get something like one free new CD, no matter the actual damage to them.
Where I live, VA, EULAs have the force of a signed contract (UCITA), and I believe MD fell for that too. Of course, that's where tons of people work for the government and have computers.
No place else fell for it. It truly stinks.
Thus proving we have the best laws money can buy. I think that they're not even the best for the people who buy them -- they are too shortsighted, it's all about the next quarter's results. Most of them are designed more or less to reduce competition from newcomers - not that the big guys don't hate one another, but they gang up on any new guy with a disruptive technology via huge pools of cross-licensed bogus patents -- no matter how bad they are, they cost a few million each to have thrown out, and no little guy can get in the game as a result.
As an example of the big guys, for once, going after one another with ridiculous patents, see "every mobile phone company sues every other one", or Paul Allen's "Interval vs the entire world".
The thing is, limiting the players to just a few big ones, in what amounts to a joint monopoly stifles the very innovation they need to succeed as a group! They don't seem to care about the size of the pie, as long as they split it between them. As I said, shortsighted.
"Are you kidding? To keep the car analogy :-) once you buy a car are you not entitled to look under the hood? Or to disassemble it into bolts and nuts and examine them? That's all reverse engineering. Give me any statute reference that says you can't do these. Well, you may lose some rights or services the producer has voluntarily given you (such as a warranty) but this is it."
I'm not kidding. I was talking about voiding the "car" warranty. That was my whole point. I don't care about anything else except legitimate purposes.
Fact is, I don't care about cracking or reverse engineering software or what those people think about it. My opinion is that they shouldn't be doing it in the first place - and THEN demand they continue to receive business support for the mods they've done illegally.
"You do seem to be confusing reverse engineering with duplication. Reverse engineering would be figuring out how you fingered the guitar, or something like that. It has nothing to do with distributing unauthorized copies of copyrighted material."
I'm not, actually. Because reverse engineering of the demo song I mentioned would be stripping the one section that you wanted from the whole - which is actually not even possible right now with a song.
I'm very well versed in what licensing and selling and reverse engineering mean in relation to intellectual property - I just happen to have a controversial opinion about it.
Reverse engineering software and then demanding the provider continue to provide access to support or further gameplay/upgrades - whatever - is juvenile. Why would they? It affects their bottom line. Fact is, if there are people who care that much about a particular function to play pirated games on their hacked systems when the company blocks it that they continue to crack their systems - well, seems to me they have a LOT of time on their hands that could be more productively used.
"Just look at who is saying what -- particularly the idea upthread that somehow having a business model means that it's ethical to coerce others into respecting that business model. There are folks here who would have arrested Ford for disrupting the buggy-whip manufacturers business model!"
I think you're misunderstanding my statement. Customers affect the business model in how they treat the business through their actions after the purchase - especially with electronics and more so with software and hardware.
In this case, they're not being particularly respectful - albeit, the company may have made a somewhat unethical decision.
Two wrongs don't make a right. Their reaction was juvenile, IMO.
WARNING: Potentially "tl:dr" for simple minds, people with very low attention spans, PS3 apologists in denial and 4chan users in general.
Regarding point-by-points by "fbm":
"Right, but not if you want to access proprietary software, networks, or games by another or the same company."
Objection! Assumes facts not in evidence! ;-)
"If" assumptions are dumb: Who says that I don't have access now via open networks, software and protocols? Do you even know about emulation and much of the reverse engineering behind that which renders such assumptions as wrong? And did you miss the part of me NOT OWNING A PS3?
Scroll up. It's in there.
Besides, "If" you want to know what my interests are then just ask! Otherwise you are going to make more wrong guesses and wrong assumptions again and again.
"Imagine if you wrote and recorded a song. Someone heard it on the internet and liked the guitar part."
Another piece of "If" assumptive nonsense: Reverse engineering is the same as cut/copy & paste music sampling? Do you even KNOW what you're writing about?
Granted, this isn't as bad as equating hardware modifications with animal cruelty. But it's still pretty stupid regarding that stretch of the imagination. So imagine this: Your "logic" can be used to strain pasta.
"To me, inalienable rights are the right to freedom, right to live in the country - that kind of stuff."
You have a very constricted and vague definition there reeking of nonsensical patriotic claptrap.
Inalienable rights are rights that can neither be granted nor taken away (the freedom to worship, for example, which I have already detailed). No one can stop that, much less others communicating with each other. No one can stop someone from using tools in the privacy of their own home or workspace. And no one can stop people with like-minded interests from gathering and sharing information.
The Big One: People can't stop anyone from learning anything. Not even you, for that matter. Sure, we can lock up people left and right, ban this and that or even engage in broad surveillance intruding into one's private life and even engage in filing frivolous lawsuits to bankrupt whomever. But is it worth pissing people off through those violations? People, as in the general populace (especially if they're technologically savvy).
People can get off on vegetating in front of consoles or in front of any idiot box in general. Some people like getting off on learning how a device works from beginning to end. Some people get off by being fully clad in latex and engaging in a fantastic fetish fantasy. Who is anyone to state that one's interests are wrong as long as nonconsenting humans and other lifeforms aren't physically harmed?
Sony, of ALL conglomerates, should be fully aware of that. ESPECIALLY in light of the damage caused by the XCP rootkit they chose to place on their discs (I'm glad I'm not the only one who remembers).
And certainly, if someone claims out of sheer ignorance and/or stupidity that something is "unhackable", there will be those enterprising individuals who will put such a claim to the test. Fortunately, knowledge is the cure for stupidity and awareness is the cure for ignorance.
"The sense of entitlement by some people in this world is absolutely baffling."
No. It's not baffling and it's not entitlement when people are born with those freedoms then eventually realize and choose to exercise them. It just is. You just can't keep people in a bubble forever. Eventually that bubble breaks and Reality intrudes.
Entitlement is when Sony thinks that its console deserves special protection from those "animal-abusing over-sampling modders", much less wanting to take away features that the customer already paid for on that console. In fact no one deserves jack shit, especially when a so-called "unhackable" console gets PWNED big time through security holes big enough to slam a Hughes DickFour through!
Anyone can reverse engineer anything if they wanted to. Anyone can also document and report such findings through reverse engineering. That's freedom despite how repressive regimes and their brainwashed constituencies may wish otherwise. Some may use that knowledge for good or evil, or in this case for homebrew or warez. The knowledge gained is neutral in and of itself. It's all in the context of the actions of the end user of that information.
That's reality and not even the DMCA/IFPI/MPAA/SPA/etc. can protect against that where anyone can publish/distribute anything pseudoanonymously digitally. It's called "freedom of communication". Love it or hate it, that's just the way it is.
I do have to thank those idiots, though: If it wasn't for them there wouldn't be an underground, much less a very profitable black market despite the risks. I consider the black market the invisible finger on the invisible hand of the free market (guess which finger).
One little detail: Freedom isn't free because actions have consequences. The question is if the value of one's exercised freedom is worth the potential benefits or consequences as a result thereof. The PS3 hack revealed much more than regaining revoked functionality. So the actions of the hackers wound up invariably unlocking the whole system. That is known as an unintended consequence.
In short, good for the hackers! And chalk up another blow against "security through obscurity"!
P.S. I could never be a pirate. I'd have to lose a limb, get a parrot, get a friggin' frigate, and start speaking with strategic interjections of "ARR!" I think I'll be the resident compu-wrench wench instead, although I'm sure I can find a crew... ;-)
P.P.S. For flirters please form a nice orderly queue. Avast mateys! LOL!
"not that the big guys don't hate one another, but they gang up on any new guy with a disruptive technology via huge pools of cross-licensed bogus patents -"
I agree completely with this. Sooo many completely bogus patents; just sorting them is the bane of my existence.
What is interesting is that there are several new start-ups that are avoiding having a US presence all together so that they can avoid patent litigation.
If you are not a US entity then about all that a competitor can do is to ban your product (and derivative products) from importation to the US (ITC exclusion order). However in today's world that still means you can happily ship to the rest of the world (something like 70% of the total available market).
The consequence of this is that the large OEM that uses your product for the rest of the world will want to also use it in the US. So they will make sure the bogus patent disappears. This levels the playing field. This strategy is working great for at least two Asian companies that I can think of.
Unfortunately you still have to deal with US patent trolls, they are the real blight on the world of patents.
@ Bekki Doll,
When you say that,
"P.S. I could never be a pirate..."
I suspect you may have left out a reason,
In your P.P.S
"P.P.S. For flirters please form a nice orderly queue. Avast mateys! LOL"
You don't quite have the "lingo" that Hollywood script writers would have us believe, it should read,
'P.P.S For flirters please form a nice orderly queue ARR, Avast behind mateys ARGH, Avast behind, there she blows Capt'n!'
[effect faux rough west cornish accent (with west coast drawl), and an appropriate lurid squint]
'Arghhha, thar bees flirting... and then thar bees real flirting matey! Oh eye then thar bees real flirting!'
All of which reminds me of the very old computing joke,
Q : Why did the parrot say "pieces of seven, pieces of seven"?
A : It was a "parroty error"...
@ RobertT, Doug C,
Re : Patents and Patent Trolls.
In the US the patent system is patently absurd, with the likes of "submarine patents" and other legal tricks, the only clear winners are those that stand up in court to express opinion...
As Bruce has noted in the past, even trying to do the right thing is dangerous, in that an "unknowing breach" is considerably less expensive than a "known breach" with the lawyers saying what the difference is between "unknowing and known".
When you chuck in the new "get our own way" lawyers trick of "electronic discovery" you find that even knowing that patents exist is a slow way to die the death of a thousand cuts.
Speaking of death, "Patent Trolls" make a big assumption that people will always play by their rules. We have an expression in the UK about this which is "It's my bat and my ball and I get to decide what the rules are!"
At some point somebody is going to figure out it would be cheaper if they simply took the bat off of the troll and beat them with it with the help of a friendly official or two.
Or worse that it was time the troll "had an unfortunate accident" due to brake failure or whatever...
It is a method of business that the Russians appear to be adopting and attempting to push out into the global economy.
@ Mark Wooding,
Thanks for the in-depth reply.
Unfortunately Sony are not the only ones to make this series of mistakes. Some of those who really really should have known better, such as those that came up with the WEP standard, have made all of these mistakes, and in that case as in others "known plain text" was the way in.
Sony engineers should have known from Microsoft and its use of TEA in the XBox, and a whole host of other examples, not to roll their own, but for reasons unknown they did.
The simple fact is a phrase such as `Parameter k must be regenerated for each signature' has specific meaning to a domain expert, but is at best opaque to a code cutting software person. Which might account for the change in NIST's documentation you mention. However who really knows what the motivation was; as you say it was becoming a very widely known problem in the field of endeavour.
As for generating true random numbers, this is a very very hard problem to solve and is fraught with subtle issues right down into the silicon. Even more so if you have to ensure no reuse, which is why, despite the fact it is technically a 'no no', deterministic methods such as CTR are used. Even then people still easily get it wrong (Debian), and Richard Clayton over at Cambridge Labs went on an Internet hunt to find there were a very significant number of broken certs etc due to this.
As for if the issue is a side channel or not, it depends on your viewpoint of what a side channel is. I tend to use it in a loose sense as a high level "class" of problem whereby an apparently correctly functioning system conveys, unknown to the system user, information that can be used to an adversary's advantage.
In this particular case not regenerating parameter k did not stop the signing software working as advertised. It was only on multiple uses with the same value that it was possible using statistical methods to determine what the key was. In this respect it is like the big 'no no' of key reuse in an OTP or other stream cipher. The process is agnostic to how it is used; it is the failure of understanding by those implementing it in a system that is at fault.
And it is this failure of understanding which would also get the problem through regression testing on the old principle of "Garbage in Garbage out" or "the fault is leaving here ok". If you are not testing for a fault because you don't know you should be testing for it then the fault will pass through unnoticed.
This is something a domain expert should pick up on and not allow to happen, but a non domain expert would not even see it, except by chance.
The simple fact is when it comes to product engineering on what is effectively an embedded fast moving consumer electronics (FMCE) product in a highly cost sensitive market place, every byte of ROM or RAM counts. As wasting a byte "robs features" that could help sell the product (have a look at legacy boot code and BIOS code in PCs to see this). It is a mentality that affects everything you code until you "break out of it" by changing into a different line of work.
Another endemic mind set in the cost sensitive FMCE market is "security through obscurity"; we see this all the time with things like crypto on embedded micro controllers in "black box" solutions. Often used in payment systems (MiFare chips), car locking systems etc etc. For most of these broken systems the underlying issue was cost.
The chances were good that as Sony were "rolling their own" the code cutters writing it suffered from both mind sets...
Finally as for "Known Plain Text", it has been, still is and will likely remain the bread and butter stuff of jobbing (not academic) cryptanalysts such as the likes of the NSA, GCHQ et al. Simply because it can be used simply to speed up the checking of automatic deciphering.
However it is also seeing renewed life in analysing encrypted random access storage media such as thumb and hard disk drives. These are classic examples of breaking the old 'no no' of never encrypt the same message under different keys.
Part of the issue with encrypted drives is that to avoid licence fees and other IP issues they roll their own crypto. Almost inevitably for speed and performance they will make one or more of a couple of simple mistakes which effectively render the crypto to a stream cipher equivalent.
There are a number of reasons given as to why the NSA was called "The Puzzle Palace", one of which is "as with all puzzles the pieces eventually drop into place", thus time will no doubt tell what they are doing today and how.
"You have a very constricted and vague definition there reeking of nonsensical patriotic claptrap."
And attacking me with this kind of crap doesn't make sense either.
The music analogy wasn't the copy/paste variety. It was using a theoretical "IF" scenario based on something that doesn't exist. You cannot strip individual parts of a song out without technically "reverse engineering" it - the process that doesn't exist. I guess the analogy was lost on you since you think I'm some sort of idiot spouting patriotic nonsense.
> One little detail: Freedom isn't free
Nope. It costs a buck o'five.
@ RobertT, Doug C,
Re: Patents and when cross-licensing agreements fail.
It would appear that Microsoft have been getting upset with Motorola over their use of Android and filed patent infringement as an opening shot prior to filing the real issue that Motorola was charging excessive royalty fees...
Motorola in turn are now suing Microsoft over patent infringement and have sought to have all XBox360 imports stopped by the US ITC.
Both parties have added a whole load of other infringements against each other. There is now a 45 day period for preliminary investigation, then a USITC judge gets involved, then unless challenged within 60 days of starting the case an embargo will be put in place...
Thus Microsoft made noises and started a bullying process. Motorola has retaliated with an appropriate response when being bullied of "kick them where it hurts most".
Thus both parties have in effect lifted the covers on their MAD (as in nuke "footballs") buttons. The question is do they have a "Red phone Hot Line" and are they going to use it or are Motorola doing a 'John F Kennedy' to Microsoft's 'Nikita Khrushchev' and who will blink first...
If no blink then the "phoney war" will be over and this one will make the fur fly in a way SCO didn't quite manage...
A bit more info on it,
If it does go all the way the fall out will definitely settle in some very odd places and have some very curious effects on the whole ICT ecology, as this is where implied and actual cross-licensing of patents is the greatest currently.
Your comment of 2:55 PM was way over the top, and not only the part that you yourself described as personal attacks. You can try that again if you stick to your reasoned arguments and leave out the flaming. A more restrained use of capital letters and exclamation points would be a good start.
Also, please note that the "torture little animals in the privacy of your own home" remark was not made by fbm.
Most importantly: do not ever talk about physically assaulting another commenter, even as a joke. It will mean an immediate ban next time.
"And attacking me with this kind of crap doesn't make sense either."
And you're the one writing very poor "If" hypothetical nonsense and comparing apples to oranges. The irony is that both of us, at least, know they're faulty:
"The music analogy wasn't the copy/paste variety. It was using a theoretical "IF" scenario based on something that doesn't exist."
Thank you for stating WHY your "If" hypotheticals are nonsense and should be dismissed by default. I couldn't have stated it better. And yet even that analogy doesn't take current audio tech into consideration.
Here's why: Audio editors have got better allowing one to filter out specific frequencies. Even full digital samples can be filtered by simply sampling and filtering out the sample (I'm also an audio engineering hobbyist).
So, much to your chagrin, the technology *IS* available and it does work. In fact such technology was available since 2002, at least (I use the Magix Music Editor for pre-mastering and use Audacity for clip-fixing and high-resolution editing and conversion).
And that's not even with ProTools but $20 bargain bin in addition to free open-source software.
How your "If" audio hypothetical equates to...
1) Duping ROMs.
2) Using logic probes, multimeters and other electronic tools to analyze hardware.
3) Disassembling/decompiling code to trace how it functions.
4) Tracing circuits boards and discovering the relationships between the various hardware components.
5) Decapping, photographing, identifying and tracing the internals of ICs.
6) Documenting the findings for future projects (cross-platform emulation, for example).
...among other techniques used in reverse-engineering is even EQUIVALENT to audio sampling I'll leave as an exercise for others to try to figure out. It makes no sense in light of the facts and what both entail. But certainly reverse-engineering would be much easier "If" it did fall into that equation.
For at least one example of real-life reverse engineering in action do check out the MAME project at http://www.mamedev.org which shows this and much more in action for the sake of arcade game preservation. That and it's my way of giving a shoutout towards other oldskool retrogamers.
And, as this discussion moves on, the PS3 still remains PWNED and will get PWNED further as its internals get analyzed and documented further.
P.S. EDIT: I originally used the nuclear option. Content has been edited for "civility" at the moderator's discretion. My apologies to Mr. Schneier.
P.P.S. I'll have to get a few pirate movies (the "ARR!" type and not the "K-RaD K00L" type) and finally sit down to read "Moby Dick". My sole influences have been Adam Savage, SpongeBob SquarePants and Kip Addotta (http://www.kipaddotta.com). And that was back in 2006 when, around that time, I stopped watching television. But I can be disciplined and educated. Especially disciplined. ;-)
In your studies of human behaviour did you look into animal studies?
Most people are aware of "Pavlov's dogs" but what of "B.F. Skinner's Superstitious Pigeons"?
B.F. Skinner discovered during his research that pigeons, just like humans, went in for behavioural rituals due to false correlations, like "it never rains when I carry my lucky umbrella", "so if I take my lucky umbrella on the kiddies' picnic it won't rain".
A more extreme form of this 'superstitious behavior' in humans is that of the "Cargo Cult", where religious rituals are believed to bring the wealth of modern goods in some primitive societies ( http://en.wikipedia.org/wiki/Cargo_cult ).
In his paper (a copy of which can be seen at http://wahiduddin.net/views/... ) presenting this, B.F. Skinner briefly describes part of the experimental procedure,
"A pigeon is brought to a stable state of hunger by reducing it to 75 percent of its weight when well fed. It is put into an experimental cage for a few minutes each day. A food hopper attached to the cage may be swung into place so that the pigeon can eat from it."
Which might well be described as,
"Torturing little animals in the privacy of your own room"
B.F. Skinner was the inventor of the "Skinner Box" where animals are seen to be trained to push buttons in response to various visual stimuli and receive a pellet of food etc as a reward.
As a result of his studies B.F. Skinner actually seriously suggested using pigeons to guide bombs to target enemy ships ( http://en.wikipedia.org/wiki/Project_Pigeon ). And his methods are rumoured to live on in the training of aquatic mammals to find/place mines on ships and the surrounding environs and carry out other acts of war ( http://www.spawar.navy.mil/sandiego/technology/... ).
Therefore B.F. Skinner could claim to be the father to all the subsequent trials to turn other animals into weapons of war, and depending on your view point (ie equivalence of marine mammals' intellect/behavior to human children, exploiting captured/imprisoned children with hunger to turn them into soldiers) some war crimes as well.
It needs to be said at this point that the B.F. Skinner to whom I'm referring was born over 100 years ago,
I'm certain that, regarding patent trolls, we would all like to have a few free swings of the baseball bats. Just think of them as a piñata: just a few good hits and the candy will fall out.
Unfortunately, from my experience we all have a hard time deciding who the trolls actually are...
Motorola is not a company that I would traditionally have included in the trolls group, however their demise as a manufacturing entity has resulted in the emergence of a troll like creature.
Qualcomm on the other hand, seems to be a troll that is morphing into a viable semiconductor supplier. Although financially it's still a borderline failure without the patent royalties.
It seems the only solution, for the emerging technology company, is to simply have no operations in the US. It's sad that it has come down to this, but to use your metaphor, the new participants have simply decided that the game is rigged, so they'd rather take their bat and ball and go home!
"It seems the only solution, for the emerging technology company, is to simply have no operations in the US"
Or many other WASP or EU nations. To be blunt, "first world innovation" appears to come from "second world nations" these days, because it is not just patents that are the issue. Think of all the governmental "red tape" and faux markets they have set up, up to and including "carbon trading", where they use legislation and taxation to favour the incumbent "dinosaurs" in the name of "National Security".
Some years ago, before the Internet got going, there was a suggestion put forward that the patent system be changed such that it became a royalty system like the record industry. That is, that on being granted a patent you actually handed the rights over to a central organisation who would set a uniform royalty rate and ensure anybody could obtain a licence to use the technology.
At the time it had the allure of an apparently working system that removed some serious hurdles (licensing). Now we see a couple of decades later that the likes of the RIAA et al have resorted to lobbying for legislation changes whereby the "artists" have less rights in return for the RIAA becoming legalized racketeers demanding money with significant menaces from anyone they choose to intimidate on the flimsiest of pretexts.
Thus I'm increasingly thinking that lobbying and all the other questionable activities of our politicians and senior civil servants are to blame. Thus it is towards this we need a solution.
Although I have suggested what was once known as "radical root and branch surgery", the major casualty of such adjustments is stability, which would open the doors further to racketeering types, not close it.
Thus I have been thinking along the lines that our political masters have too much time on their hands to make legislation that they don't understand, put forward by various civil service factions with agendas that are not immediately obvious (think about all the gumph stuffed into the US Patriot Act for instance).
Thus I'm thinking that all legislation should have a time point (say every seven years) at which it must be revoted for to stay in effect, and that this rule be enshrined in the constitutional rules of the government.
This would have two effects, the first being it would slow down the creation of new legislation, the second it would enable bad legislation to be removed more easily than the current process allows for.
However I suspect that even a small change such as this would still be open to the largesse of large corporations, who basically don't pay their due of taxation and use a small amount of this money to basically bribe politicians and senior civil servants.
In all we have a century or so of questionable legislation to both regulate and deregulate markets and provide incentives of one form or another to various corporations, all of which distort an honest market into one that, although legal, allows completely dishonest behaviour.
Such are the joys of "Monkey in a Suit" "Representational Democracy"; perhaps the solution lies in getting rid of the representatives and getting back to democracy of the people by the people as seen in some Swiss Cantons. The question then becomes how do you scale it to the size of a nation, with the secondary question of how do you stop vested interests distorting the view of the voting public.
As Winston Churchill once observed, Democracy is the worst form of politics except for all the rest...
Ho hum, 'tis midday in the UK, time to start addressing one of man's base needs by cooking Sunday lunch 8)
"Thank you for stating WHY your "If" hypotheticals are nonsense and should be dismissed by default. I couldn't have stated it better. And yet even that analogy doesn't take current audio tech into consideration.
Here's why: Audio editors have got better allowing one to filter out specific frequencies. Even full digital samples can be filtered by simply sampling and filtering out the sample (I'm also an audio engineering hobbyist).
So, much to your chagrin, the technology *IS* available and it does work. In fact such technology was available since 2002, at least (I use the Magix Music Editor for pre-mastering and use Audacity for clip-fixing and high-resolution editing and conversion).
And that's not even with ProTools but $20 bargain bin in addition to free open-source software."
I'm a professional musician and composer and I haven't come across software (much less Audacity or Magix Music Editor) that can perform these types of functions - most definitely not since 2002. Maybe I'm not looking hard enough, but I'm probably just too busy reading your comments.
Seriously though, your attacking me doesn't make you any more correct - especially in light of this "revelation" that software you describe exists. Even Pro Tools doesn't do that. Plugins might be able to strip vocals from the center channel using frequency cancellation, but I seriously doubt your contention on being able to accurately strip individual instruments from an entire mix. Doesn't happen. Ok, maybe a snare drum or single hit, but not more.
I apologize to the others that my comment is a bit off-topic but I just had to reply to this nonsense.
Dad would be so proud.
The torturing animals remark was made to illustrate the difference between the possible from the permissible.
The interesting application of conditioning was not teaching pigeons to play ping pong but occurred when Olds and his researchers began electrical stimulation of the limbic system. Rats trained to get food pellets were placed in a Skinner box that had an electrified floor segment between them and the food dispenser. Once shocked the rats would starve to death rather than cross that barrier.
Rats who were implanted and conditioned to turn on their electrodes (instead of a food pellet) charged across the electrified floor no matter how painful the shock became.
This would be a much more reliable entry in to the animal corps of British Army's Kamikaze Regiment, the Queen's Own McKamikaze Highlanders.
Though I reckon that arms in general are faster and make a larger boom are most reliable. Maybe use vultures for spy missions.
But back to conditioning...What the Behaviorists found was that all conditioned behavior was subject to extinction unless the behavior was reinforced. People and animals just went back to doing what they were doing before. (btw this is why I have a hard time believing in the cabal that controls all world events.)
The type of behaviors that were least subject to extinction were those that were conditioned with random stimuli.
Apparently when our nervous systems lose a cognizable pattern they freak at a cellular level.
Leary later theorized that a strong enough stimulus, like childbirth, could imprint a change so strong on the nervous system that made conditioning look like a sand castle when the tide was coming in.
@ Clive Robinson
"Even more so if you have to ensure no reuse which is why despite the fact it is technically a 'no no' deterministic methods such as CTR are used. Even then people still easily get it wrong (Debian) and Richard Clayton over at Cambridge Labs went on an Internet hunt to find there were a very significant number of broken certs etc due to this."
The Debian OpenSSL fiasco is a bit different. Debian botched the way that OpenSSL gathers external entropy, to the extent that it only used the process's PID. While that did indeed cause key leakage as a result of reusing signature randomizers (I had to replace my own SSH keys), it's not a result of attempting to use a deterministic method -- quite the contrary, in fact! It's a result of botching the /true/ random number generator.
"The simple fact is a phrase such as`Parameter k must be regenerated for each signature' has specific meaning to a domain expert, but is at best opaque to a code cutting software person."
Really? It seems pretty plain to me (though I probably do count as a domain expert). It says that I must somehow concoct k afresh each time I make a signature. Elsewhere it describes k as `a randomly or pseudorandomly generated integer with 0
I agree that some programmers aren't particularly good at reading plain English, but describing those that can read a straightforward specification as `domain experts' seems like a stretch. Besides, getting the rest of ECDSA to work involves implementing rather complicated things like arbitrary-precision (or at least rather high-precision) integer arithmetic and elliptic curve arithmetic (a somewhat rarefied area of mathematics); the sort of person who can manage this is unlikely to have much trouble with FIPS 186. (Once you have the elliptic curve and finite field arithmetic implemented, ECDSA signatures are more or less trivial.)
"As for if the issue is a side channel or not it depends on your view point of what a side channel is. I tend to use it in a loose sense as a high level "class" of problem whereby an apparently correctly functioning system conveys, unknown to the system user, information that can be used to an adversary's advantage."
I think this is incorrect. A cryptographic widget has certain inputs and outputs which are part of its syntactic structure. For example, an encryption scheme takes as input a key and a message (and maybe a nonce), and outputs a ciphertext; a signature takes as input a private key and a message, and outputs a signature. A side-channel is an additional output of the widget which doesn't exist in an `ideal' black-box instantiation but does in some practical implementation, such as power consumption, timing, cache effects, electromagnetic radiation, and so on. Side-channel attacks are interesting because the usual models used for analysing cryptographic widgets deal only with the `ideal' version of the widgets: a practical instantiation might therefore be given a clean bill of health by this sort of idealized analysis, while leaking vital secrets through side-channels.
Reuse of a DSA randomizer is clearly visible in the signatures themselves. Since the signatures are a signature scheme's `official' output, this is therefore not a side-channel.
"In this particular case not regenerating parameter k did not stop the signing software working as advertised. It was only on multiple uses with the same value that it was possible using statistical methods to determine what the key was."
No `statistical methods' are necessary. Two signatures with the same randomizer are sufficient: you end up with two linear equations with two unknowns (the randomizer and the key), and very simple arithmetic yields the private key in its entirety.
Some more detail. DSA works with a group G of q elements (for some prime q), and the field K = GF(q) with q elements; it makes use of a mapping, which I'll write using square brackets, from G to K. (In plain DSA, G is the q order subgroup of GF(hq + 1)* and [...] is simply reduction modulo q; in ECDSA, G is an elliptic curve over a field of about q elements, and [...] takes the x-coordinate of a point on the curve, converts it to an integer if necessary, and reduces it mod q.) Let P be a generator of G; Alice's private key is a random element of K, which I'll denote a, and her public key is A = a P. One signs a message hash m by choosing a random k, computing R = k P, u = [R], and v = (m + a u)/k; the signature is the pair (u, v). To verify the signature, check that [(m/v) P + (u/v) A] = u.
Now, suppose that m' is a second message hash, and let v' = (m' + a u)/k be the second half of a signature on m' using the same randomizer. Then v/v' = (m + a u)/(m' + a u); rearranging that gives a = (m v' - m' v)/(u (v - v')) and it's all over for Alice.
"The simple fact is when it comes to product engineering on what is effectively an embedded fast moving consumer electronics (FMCE) product in a highly cost sensitive market place, every byte of ROM or RAM counts. As wasting a byte "robs features", that could help sell the product (have a look at legacy boot code and BIOS code in PCs to see this)."
This is irrelevant here. As I mentioned earlier, the console doesn't make these signatures, so nobody ought to be counting bytes or cycles. The part which /verifies/ the signatures needs to be on the console (in the boot loader, indeed), but it seems that (unlike Nintendo!) the verification code is fine. It'll be part of Sony's release process, done on some server somewhere; it ought to have been an HSM, but wasn't.
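The two-equations-two-unknowns argument above is easiest to believe when you can run it. The following is an added example, not code from the blog or from any commenter; it implements plain DSA (the multiplicative-group variant the comment describes, with [R] being reduction mod q) over constructed toy parameters p = 47, q = 23, g = 4, which are far too small to be secure and exist only so the arithmetic is checkable by hand. It signs correctly with a fresh k, signs wrongly with a fixed k, shows that the broken signatures still verify (so regression tests pass), and then applies the recovery formula a = (m v' - m' v)/(u (v - v')) mod q from the comment. The `find_shared_nonce` audit check, which flags any two signatures sharing the u (r) value, is the test a release pipeline or code reviewer can run over a batch of published signatures without knowing any secret.

```python
"""Toy DSA over a prime-order subgroup, demonstrating why k must be fresh.

Constructed illustration parameters (NOT secure): q = 23 is prime,
p = 2q + 1 = 47 is prime, and g = 2^2 = 4 generates the order-q subgroup
of GF(p)*.  Real DSA/ECDSA use 256-bit q; the arithmetic is the same.
Requires Python 3.8+ for pow(x, -1, m).
"""
import secrets

P, Q, G = 47, 23, 4


def keygen(a):
    """Private key a in [1, q-1]; public key A = g^a mod p."""
    return a, pow(G, a, P)


def sign(m, a, k):
    """Sign an already-reduced message hash m using randomizer k.

    u = (g^k mod p) mod q and v = (m + a*u) / k mod q, exactly as in the
    comment above.  Returns None when u or v is zero so the caller retries.
    """
    u = pow(G, k, P) % Q
    v = (m + a * u) * pow(k, -1, Q) % Q
    if u == 0 or v == 0:
        return None
    return u, v


def sign_fresh(m, a):
    """Correct usage: a new secret k for every signature."""
    while True:
        k = secrets.randbelow(Q - 1) + 1
        sig = sign(m, a, k)
        if sig is not None:
            return sig


def verify(m, sig, A):
    """Check [(m/v) g + (u/v) A] == u, written multiplicatively."""
    u, v = sig
    if not (0 < u < Q and 0 < v < Q):
        return False
    w = pow(v, -1, Q)
    r = pow(G, m * w % Q, P) * pow(A, u * w % Q, P) % P
    return r % Q == u


def find_shared_nonce(signatures):
    """Audit check: two signatures with equal u were made with equal k.

    signatures is a list of (m, (u, v)); returns index pairs sharing u.
    """
    seen, pairs = {}, []
    for i, (_, (u, _)) in enumerate(signatures):
        if u in seen:
            pairs.append((seen[u], i))
        else:
            seen[u] = i
    return pairs


def recover_private_key(m1, sig1, m2, sig2):
    """a = (m v' - m' v) / (u (v - v')) mod q; None if not solvable."""
    (u, v), (u2, v2) = sig1, sig2
    if u != u2 or (v - v2) % Q == 0:
        return None  # different k, or identical hashes: no second equation
    num = (m1 * v2 - m2 * v) % Q
    den = u * (v - v2) % Q
    return num * pow(den, -1, Q) % Q


def demo():
    a, A = keygen(7)            # constructed private key
    m1, m2 = 5, 9               # two distinct reduced message hashes
    good = [(m1, sign_fresh(m1, a)), (m2, sign_fresh(m2, a))]
    bad = [(m1, sign(m1, a, 3)), (m2, sign(m2, a, 3))]   # k = 3 reused
    return {
        "good_verify": all(verify(m, s, A) for m, s in good),
        "bad_verify": all(verify(m, s, A) for m, s in bad),
        "bad_shared": find_shared_nonce(bad),
        "recovered": recover_private_key(*bad[0], *bad[1]),
        "private_key": a,
    }


if __name__ == "__main__":
    print(demo())
```

Both the fresh-k and fixed-k signatures verify, which is why neither functional testing nor the verifier on the console catches the defect; only the duplicate-u check does. The standard mitigation in signing code today is to derive k deterministically from the private key and the message hash (RFC 6979), which removes the dependence on the RNG without ever repeating k across different messages.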
Mark thanks for digging into the details of this Sony problem. I'll have to raise my hand and admit that I'm often baffled by the mathematics of modern cryptography. Sometimes the concept of trying to actually understand the requirement is so daunting that the alternative action, just write the code and hope this is what they mean, is the action that wins out in the end.
I can assure you that at a product design review level the design manager would much rather have multiple root canals than spend one minute understanding the crypto-protocol requirements.
So product design reality is that some junior engineer / coder wrote this function and he would claim that he followed DSA guidelines. I seriously doubt that anyone dug into the details of the implementation until now. Unfortunately there is little or no value in finding crypto implementation errors at least not within the corporate culture. It is a completely thankless job.
Awesome. PS3 compute clusters are back in the game. Nice alternative to IBM's Cell Blades that go for $5,000 per Cell processor. I think those are better Cell processors, but PS3's still give a TFLOP peak for $2500 or less. Cracking tools will definitely benefit from this. Secure system designs might as well due to Cell's hardware protection mechanisms. I hope they are more reliable than the other security features. (sighs)
Update: Sony is suing fail0verflow and geohot of copyright infringement and computer fraud.
fail0verflow also notes that there are "YouTube's and Facebook's fail0verflow accounts... they are scammers. We are NOT requesting donations."
geohot also warns against scammers "any legal fund donation things you see are 100% fake as of now, don't get scammed" and has posted the complaint on scribd (link is on his site).
Allegations are of violation of DMCA 17 U.S.C. § 1201 and Computer Fraud and Abuse Act 18 U.S.C. § 1030.
Though honestly I don't see how the Fraud and Abuse Act applies. Sony isn't alleging the PS3 is a US federal government system or processing national security data, is it?
Maybe an argument "protected computer" commerce and communications interference or under financial data.
I find it of some interest at the speed at which fake donation sites for this, rather obscure, disaster were set up.
Are hackers, DMCA challengers and their supporters a known demographic for milking for "defense funds"?
From motion for TRO
"Defendants recently bypassed effective technological protection measures"
effective. How effective is it if it's bypassed with a low effort?
Does all a company have to do is implement any sort of content control to be effective under the DMCA? If so Sony could have deployed a system protected with DES or RC3 and claim protection under the law. Then would there be any motive there for them to deploy stronger (more expensive) crypto?
Yeah here's the CFAA argument from about page 23
(1) intentionally accessed a protected computer used for interstate commerce or communication;
(2) without authorization or by exceeding authorized access to the protected computer; and
(3) thereby obtained information from the protected computer"
Under this interpretation ANY computer with a password and used for internet access classes as a 'protected computer'
quibble or hairsplitting.
"First, the PS3 System consists of a “protected computer” because it is used in interstate commerce (e.g., the Internet.) "
If a purchaser of a PS3 NEVER used it to access a commerce site (PS3 network, netflix, whatever) and ONLY used it to play games locally and browse the web, is it still interstate commerce?
@ BF Skinner
Nice investigative work. I used to be one of Sony's biggest fans. They were innovative and served their customers well. Now, they are becoming increasingly oppressive. I can't wait to see them go belly up and maybe sell their PlayStation I.P. to a better company.
US District Judge Illston denied Sony's request for injunction and seizure of Hotz gear.
Sony argued that because pay pal, you tube and twitter (and Hotz had accounts on them) were located in her District she had jurisdiction. To which her answer was 'But that means I have jurisdiction over EVERYONE on youtube, pay pal and twitter.' Didn't seem right to her.
Given that troll infringement lawsuits are on the increase this becomes an important precedent.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.