Thoth • April 29, 2016 10:49 PM

@Anura
I wanted to use BC on many instances and had to default to JCE or write my own crypto somewhere.

Since then I have stopped using BC and looked elsewhere…

Recently I am working on a project and needed to store RSA keypairs (for quick development) and I am baffled by the JCE Keystore, PKCS12, BC Keystore and whatever. I looked around and thought of writing my own simplified keystore but due to the amount of time needed to even write a simple keystore, I decided to store all the development private keys in simple PLAINTEXT file 😀 … solves all the problem.

Talk about a security engineer writing security and being pushed into a corner needing to store private keys in PLAINTEXT.

Of course the actual deployment version would use a HSM to store private keys but for now I am happy with PLAINTEXT KEYS while in development mode !!!

By the way I am not storing them in ASN.1 or any weird format … just plain Modulus and Exponentials in hexcode.

re: PBKDF2 Key Stretching

” I used PBKDF2 for key stretching for use with the passphrase, and the shared secret from ECDH would be hashed along with the PBKDF2 output and/or symmetric keymat, depending on what was provided.”

For those whom have worked on crypto hardware programming, you know the tiny amount of RAM/EEPROM and CPU you have. PBKDF2 to stretch PINs and Passwords are downright luxury. The BCRYPT, SCRYPT and many other open source stretching algorithms are even more luxurious. What you can do is simply HMAC (Algo=SHA256, Key=Password/PIN, Message=[00, 00, 00, 00, 00, 00, 00, 00 …… 00]) or maybe HMAC(SHA256, Key=Password/PIN, Message=[00,00…00], Iterate=10000) or the worse case just SHA-256/SHA-512 (anything above SHA256 is a luxury) and probably iterate it. Some applications requiring such limited resources might include PINPads for cards or tokens that require administrative modes without the power of a proper CPU (Intel, AMD) which the BCRYPT and SCRYPT are designed for.

re: MS CNG + Impossible Cert Extraction

“Microsoft, being Microsoft, decided to make it nigh impossible to extract the private key from a certificate”

Have you tried to read the RAM memory or maybe done a cold boot attack 😀 ?

I have bad memories implementing the Thales HSM with both CAPI and CNG. They are a chore to do and it leaves unpleasant stains in one’s consciousness for the rest of your life.

re: BouncyCrap

That is generally true of most crypto libraries I have encountered. I have not yet tried the NaCL/Sodium libraries but from the review of it and it’s KISS design and simple APIs, it looks promising.

Thoth • April 30, 2016 8:25 PM

@Nick P, Anura

“Just gotta check that compiler doesn’t make that go bye-bye during optimization.”

An even more paranoid attempt is one pass random overwrite and then zero bytes overwrite once and then GC collect. I wonder if the random bytes overwrite would be “optimized” 😀 .

re: NaCL

There is already a few Java bindings (e.g. Kalium) and they use JNR binding to interface into the C codes. This way you call from the JVM to C environment which in the C environment you could do things like memory manipulation to PROPERLY WIPE/ZEROIZE the memory stack when needed instead of … just calling GC and hope for the best … LOL.

Still the NSA’s bombshell regarding ECC being insecure is discomforting to know at least. Maybe DJB et. al. should really push for an investigation into Curve25519 to assure that nothing is wrong with Curve25519 despite NSA’s ECC bombshell and to conclude what NSA might be hinting at with their hasty release of the ECC issue just to help settle those dust NSA stirred up due to their reports.

What could be done to improve the quality and assurance of RSA/PKCS1 implementations would likely be very useful. These may include listing logical boundaries in design circuits, expected behaviours, etc… in a very easy to understand manner for code cutters (something Galois Inc. might be interested) to do high assurance RSA/PKCS1 on the code implementation levels.

Link:
– https://github.com/abstractj/kalium

Thoth • April 30, 2016 11:51 PM

@Nick P
If you remembered last year the NSA cautioned on the development and use of NIST Suite B ECC ?

@Anura
Indeed we should be moving to larger curves but for now Curve25519 would still be the main NaCL preferred curve unless DJB adds the bigger curves into NaCL library and tweetnacl.

Thoth • May 1, 2016 3:44 AM

@Anura
Those techniques are useful on PC systems with good amount of resource. I usually work near constrainted security devices (HSM and smart card with few KB of RAM and EEPROM). For such an occassion I have actually tried writing a PKCS5/7 for smart card by hand abd from there I realize almost every other padding scheme if needed to be done on something constrainted needs three properties: compact padding, operate on byte words and easily defined and quantified into fix length blocks.

I dropped PKCS 5/7 because it adds additionally blocks if a block of data is filled and cannot fit the pads inside and this is a huge no no when your memory capacities are in terms of only KBs.

From there I experimented with other padding scheme which innclude ISO7816 padding scheme for smart cards. They operate in bits not bytes and this is a headache when your device wants you to program in bytes not bits !!!

Finally I settled with good old zero pad with a single Lc byte (Length counter in smart card parlance). That means I just need to sacrifice 1 byte for Lc and I can have both predictive fixed length padding thst will not suddenly append some additional bytes and also it is pretty easy to code them into the constrainted device.

Talking about padding, it took me 4 to 5 months of trail and error to settle on this scheme while designing my smart card programs and protocols.

Oh, and not to forget the shear simplicity of the zero pad + Lc means you can easily verify padding with a single glance and done by hand. Anything too complex or mathematical (e.g. calculating PKCS5/7 pads) would only violate the KISS principle when your eyes are staring hard at lines of thick and messy codes you need to squeeze into KBs of memory space in the allocated space of a smart card or HSM.

I sometimes feel that the standard crypto we take for granted (e.g. ASN.1 cert, SSL/TLS, PGP…) were not made for compact and constrainted implementation in mind but due to the standards requiring them, now the compact devices need to attempt to implement standards that were never intended for them and in consequence bubbling up vulnerabilities due to faulty and highly complex designs needing to squeeze into a couple KB of memory space ina HSM/Smartcard/TPM…etc…

Thoth • May 1, 2016 4:42 AM

@Anura
An example is a fixed length block protocol. If you are given a 128 byte space to fill a message including the pads, it must only fit 128 bytes and no more. Imagine you have just enough data to fill a 128 byte data space and you put it through a PKCS5/7 pad, you would end up with another small block.

In the sense of a 128 bit block cipher, you would have to add a small block of 128 bit pad if your data is filled completely. Given that you have a buffer of 128 bytes already filled with data and you have to add another 16 bytes of pad, you would effectively have a buffer overflow if you attempted.

The data could be split across to another message packet but this would mean sending two message packets instead of 1.

In the sense for zero pads with a length counter, you could simply specify the length in a header and the rest padded to zero and encrypted without needing another block.

Of course the main issue would have been planning the message packets in advance before crafting the protocol but in many circumstances, a lot of “standards” would not be suitable for constrainted environments.

Thoth • May 2, 2016 1:51 AM

@Ergo Sum, Nick P
re: Aren’t we heading to WW3 already ?

“Aren’t we already there? By now, all nations have a “cyber division” in one form or another. While the stated intent of these divisions is protecting the country’s critical infrastructure, prevent terrorism, rooting out pedophiles, etc., their main objective is to exploit targeted individuals, organization, businesses, etc.”

We have to consider not all countries have “TRUE” Cyber Commands. Most of the nations in the world only have “Subordinate Commands” or simply the extension of the Will of those who are Powerful. Put it simply, think along the line of Lord of the Ring’s One Ring concept where all the other Rings are slaves to the One Ring. Bring this over to the Defense Industry, there are only very few “Solutions Maker” who can manufacture the entire “Solution” without the inclusion of parts from someone else.

An example is the secure communications encryptors. Thales, Harris and a few powerful names have the capability to create their own crypto chips. If you look at Curtiss Wright and the smaller companies, they have to leverage off someone else chips to include into their “Solutions”. What if …. the Big Boys decide to backdoor their chips and now all the other “Solutions” that rely on the backdoored chips and building blocks are all tainted along the line 🙂 ???

How would you know your Cyber Command is not a (in)voluntary slave of one of the Big Bros (UK, USA, China, Russia …) who have the absolute capability of producing their own building blocks and also have businesses that provides their (possibly tainted) building block into the “Solutions” to be supplied to their friends and others willing to pay ?

What is the likelihood that if one of the Big Bro’s decide to launch an attack, they wouldn’t use you as their proxy by sending a backdoor command of sorts to cause your system to automatically engage their targets on their behalf so that the blame falls on your “Slave” Cyber Command ?

Regarding the use of network based Data Diodes, the designs for the Data Diodes are actually rather simple and an example was done via the TFC project for civilian use (from @Markus Ottela’s design … hope I did not misspell your name yet again). If you look at the design from FoxIT or any other Data Diode, they are going to be supplied to your nation’s Cyber Command (Slaves !!! AHEM) in a Black Box form and you wouldn’t have access to the circuitry. They might even tamper resist the circuitry and I have known cases of nation states trying to pry open foreign supplied defense equipments and failed in their attempts.

How would you know these stuff are not tainted with some subtle backdoor that may look like accidental bugs in designs ? You could try all attempts to test them but most modern defense equipments come with tamper resistant designs specifically to prevent the owner from tampering and also to keep out attempts by attackers to tamper.

Who knows if a country accidentally pisses of one of the Big Bros, their F-16s or MiG 29s wouldn’t be able to lift off their tarmac or wouldn’t engage their weapons ?

Put it simply, the world has always been structured in an imbalance way where there are some more powerful than the rest and we might be heading into deep trouble due to manipulations as a result of using other nations as proxies. The Great Game never ended after WW1 & 2. The powers are simply shifting around.

Thoth • May 3, 2016 12:33 AM

@all

A Self-Destructing Pattern-based Biometric Authentication Scheme

In the light of powerful organisations and agencies engaging in actions of harassment against individuals to coerce secret information to unlock detained devices (iPhone with TouchID in this case), the necessity to equip biometric capable devices equipped with security co-processors with secure wipe functionalities and self-destruct capability is paramount for the security of the individual and any accompanying secrets held within the device.

There are known cases of politicians communicating national secrets or sensitive information over COTS hardware bought off-the-streets/off-the-shelf from civilian vendors which makes it paramount for implementors to consider some levels of security in the event these off-the-streets devices are used for communication of sensitive secrets (i.e. Hillary Clinton’s case of using her own COTS email server).

For the scheme to work, the device requires at least a Secure Execution Environment supported by hardware with fingerprint pattern biometric capabilities (e.g. Secure Enclave, ARM TrustZone, Smart Card with Bio-Template enabled …etc…). A tamper resistant environment would provide higher security benefits as well.

A user would be required to enroll a particular finger for unlocking the device and also one or two more secondary fingers to act as a “Self-Destruct Indicator”. In order to trigger a self-destruct under duress, the user would simply have to attempt the unlock with a registered finger that has been set aside as a “Self-Destruct Indicator”. The software logic in the biometric template matching algorithm would always randomly decide whether to check for self-destruct before normal unlock or vice versa first in an attempt to prevent power line glitching attacks on the chip using the chip’s HW-CSPRNG.

To prevent accidental self-destruct from occuring on the device, the user may setup an option to use multiple sets of fingerprints being scanned according to a fixed pattern or randomly scanned (as long as all or majority of the fingerprints used are registered as “Self-Destruct Indicators”) in an attempt to prevent random fingerprint touches from triggering an actual self-destruct on the device.

Most fingerprint protected devices also come with a backup password/PIN/swipe pattern that could be used in case of failure to unlock a device with the correct fingerprint. There should also be considerations to include Self-Destruct features on password/PIN/swipe patterns in the event those who coerce knows of the existence of self-destructing fingeprint setups and decides to use password/PIN/swipe pattern which under these circumstances, all avenues for authentication must be protected with self-destruct features.

The down side is you have to remember extra passwords/PINs/swipe patterns in the event attackers decide to bypass the self-destructing fingerprint implementation which in this case, you can assign a significantly weaker password/PIN/swipe pattern as an alternate self-destruct trigger.

Link: http://arstechnica.com/tech-policy/2016/05/should-the-govt-be-able-to-force-you-to-open-your-phone-with-just-your-fingerprint/

Thoth • May 3, 2016 6:09 AM

@Clive Robinson
Maybe the better idea for shorter passwords would be short 6 to 8 digit PIN but those would be easily bruteforced. To prevent bruteforce, a combination with a hardware secure element (PKI token) that allows short PINs and limited pin tries would be useful.

A modified login module that accepts a contact/contactless token/smart card with an external or embedded contact/contactless reader would be sufficient and the user simply presents a token and validates the token by entering the token’s short PIN code (6 to 8 digits).

This would make PIN codes easily remembered and PIN codes can be reused (not advisable). The PIN tries would typically be hardware counters stored inside the token which bruteforce would be ineffective (causing the token to be disabled until a strong 48 bytes PUK code is used).

The applet software for the token can be inspected if open source applets are used and tokens in the form of “Open Platform” cards that allow users to install any applets and take control over the cards by setting their own Issuer Security Domain keys by themselves.

One example is the open source IsoApplet and the open source GIDSApplet (both are open source PKI applets for smart cards) can be downloaded and installed into your preferred “Open Platform” smart card and afterwards you select your own keys to lock the card from modification.

The thing left to do is create an open source login module that accepts smart card login from either or both open source applets and then users can use short PINs and PKI as much as they like. The trouble is always whipping out a card to unlock your phone unless you have a phone cover that have card pouches built in it.

Links:
– https://github.com/philipWendland/IsoApplet/
– https://github.com/vletoux/GidsApplet

Thoth • May 3, 2016 7:59 AM

@Dirk Praet
My scheme has a multiple finger and multiple scan scheme in case you prevent to scan different fingers randomly or via a sort of secret sequence to activate the self-destruct. It is sort of like a secret door tapping method. It should be viewed as a low security scheme (as with other biometrics that are used alone).

It really boils down to the level of security you want. Anything sensitive would require more than just self-destructing fingerprints and biometrics to protect. Ideally for something sensitive, you want to use a smart card (CAC, PIV, GIDS, PKI cards) with PIN/Password to authenticate the card to use a PKI key for challenge response unlocking features.

If you want to quickly unlock (with minimal security levels) and have “nothing to hide”, then a fingerprint and probably a self-destructive sequence of fingerprint(s) would suffice.

Thoth • May 5, 2016 6:37 PM

@all
GCHQ’s attempt to sway the public from frequently changing their passwords … in an attempt to spy on users ? When can we ever trust Govt advises when all they give are really obviously bad ones ?

Link: http://www.theregister.co.uk/2016/05/05/stop_resetting_your_password_says_uk_spy_network/