Entries Tagged "encryption"

Page 39 of 56

Detecting Words and Phrases in Encrypted VoIP Calls

Interesting:

Abstract: Although Voice over IP (VoIP) is rapidly being adopted, its security implications are not yet fully understood. Since VoIP calls may traverse untrusted networks, packets should be encrypted to ensure confidentiality. However, we show that it is possible to identify the phrases spoken within encrypted VoIP calls when the audio is encoded using variable bit rate codecs. To do so, we train a hidden Markov model using only knowledge of the phonetic pronunciations of words, such as those provided by a dictionary, and search packet sequences for instances of specified phrases. Our approach does not require examples of the speaker’s voice, or even example recordings of the words that make up the target phrase. We evaluate our techniques on a standard speech recognition corpus containing over 2,000 phonetically rich phrases spoken by 630 distinct speakers from across the continental United States. Our results indicate that we can identify phrases within encrypted calls with an average accuracy of 50%, and with accuracy greater than 90% for some phrases. Clearly, such an attack calls into question the efficacy of current VoIP encryption standards. In addition, we examine the impact of various features of the underlying audio on our performance and discuss methods for mitigation.

EDITED TO ADD (4/13): Full paper. I wrote about this in 2008.

Posted on March 24, 2011 at 12:46 PMView Comments

Eavesdropping on GSM Calls

It’s easy and cheap:

Speaking at the Chaos Computer Club (CCC) Congress in Berlin on Tuesday, a pair of researchers demonstrated a start-to-finish means of eavesdropping on encrypted GSM cellphone calls and text messages, using only four sub-$15 telephones as network “sniffers,” a laptop computer, and a variety of open source software.

The encryption is lousy:

Several of the individual pieces of this GSM hack have been displayed before. The ability to decrypt GSM’s 64-bit A5/1 encryption was demonstrated last year at this same event, for instance. However, network operators then responded that the difficulty of finding a specific phone, and of picking the correct encrypted radio signal out of the air, made the theoretical decryption danger minimal at best.

But:

As part of this background communication, GSM networks send out strings of identifying information, as well as essentially empty “Are you there?” messages. Empty space in these messages is filled with buffer bytes. Although a new GSM standard was put in place several years ago to turn these buffers into random bytes, they in fact remain largely identical today, under a much older standard.

This allows the researchers to predict with a high degree of probability the plain-text content of these encrypted system messages. This, combined with a two-terabyte table of precomputed encryption keys (a so-called rainbow table), allows a cracking program to discover the secret key to the session’s encryption in about 20 seconds.

Did you notice that? A two-terabyte rainbow table. A few years ago, that kind of storage was largely theoretical. Now it’s both cheap and portable.

Posted on January 5, 2011 at 6:20 AMView Comments

Proprietary Encryption in Car Immobilizers Cracked

This shouldn’t be a surprise:

Karsten Nohl’s assessment of dozens of car makes and models found weaknesses in the way immobilisers are integrated with the rest of the car’s electronics.

The immobiliser unit should be connected securely to the vehicle’s electronic engine control unit, using the car’s internal data network. But these networks often use weaker encryption than the immobiliser itself, making them easier to crack.

What’s more, one manufacturer was even found to use the vehicle ID number as the supposedly secret key for this internal network. The VIN, a unique serial number used to identify individual vehicles, is usually printed on the car. “It doesn’t get any weaker than that,” Nohl says.

Posted on December 23, 2010 at 2:02 PMView Comments

New Attack Against ASP.NET

It’s serious:

The problem lies in the way that ASP.NET, Microsoft’s popular Web framework, implements the AES encryption algorithm to protect the integrity of the cookies these applications generate to store information during user sessions. A common mistake is to assume that encryption protects the cookies from tampering so that if any data in the cookie is modified, the cookie will not decrypt correctly. However, there are a lot of ways to make mistakes in crypto implementations, and when crypto breaks, it usually breaks badly.

“We knew ASP.NET was vulnerable to our attack several months ago, but we didn’t know how serious it is until a couple of weeks ago. It turns out that the vulnerability in ASP.NET is the most critical amongst other frameworks. In short, it totally destroys ASP.NET security,” said Thai Duong, who along with Juliano Rizzo, developed the attack against ASP.NET.

Here’s a demo of the attack, and the Microsoft Security Advisory. More articles. The theory behind this attack is here.

EDITED TO ADD (9/27): Three blog posts from Scott Guthrie.

EDITED TO ADD (9/28): There’s a patch.

EDITED TO ADD (10/13): Two more articles.

Posted on September 27, 2010 at 6:51 AMView Comments

Master HDCP Key Cracked

The master key for the High-Bandwidth Digital Content Protection standard—that’s what encrypts digital television between set-top boxes and digital televisions—has been cracked and published. (Intel confirmed that the key is real.) The ramifications are unclear:

But even if the code is real, it might not immediately foster piracy as the cracking of CSS on DVDs did more than a decade ago. Unlike CSS, which could be implemented in software, HDCP requires custom hardware. The threat model for Hollywood, then, isn’t that a hacker could use the master key to generate a DeCSS-like program for HD, but that shady hardware makers, perhaps in China, might eventually create and sell black-market HDCP cards that would allow the free copying of protected high-def content.

Posted on September 17, 2010 at 1:57 PMView Comments

More Skein News

Skein is my new hash function. Well, “my” is an overstatement; I’m one of the eight designers. It was submitted to NIST for their SHA-3 competition, and one of the 14 algorithms selected to advance to the second round. Here’s the Skein paper; source code is here. The Skein website is here.

Last week was the Second SHA-3 Candidate Conference. Lots of people presented papers on the candidates: cryptanalysis papers, implementation papers, performance comparisons, etc. There were two cryptanalysis papers on Skein. The first was by Kerry McKay and Poorvi L. Vora (presentation and paper). They tried to extend linear cryptanalysis to groups of bits to attack Threefish (the block cipher inside Skein). It was a nice analysis, but it didn’t get very far at all.

The second was a fantastic piece of cryptanalysis by Dmitry Khovratovich, Ivica Nikolié, and Christian Rechberger. They used a rotational rebound attack (presentation and paper) to mount a “known-key distinguisher attack” on 57 out of 72 Threefish rounds faster than brute force. It’s a new type of attack—some go so far as to call it an “observation”—and the community is still trying to figure out what it means. It only works if the attacker can manipulate both the plaintexts and the keys in a structured way. Against 57-round Threefish, it requires 2503 work—barely better than brute force. And it only distinguishes reduced-round Threefish from a random permutation; it doesn’t actually recover any key bits.

Even with the attack, Threefish has a good security margin. Also, the attack doesn’t affect Skein. But changing one constant in the algorithm’s key schedule makes the attack impossible. NIST has said they’re allowing second-round tweaks, so we’re going to make the change. It won’t affect any performance numbers or obviate any other cryptanalytic results—but the best attack would be 33 out of 72 rounds.

Our update on Skein, which we presented at the conference, is here. All the other papers and presentations are here. (My 2008 essay on SHA-3 is here, and my 2009 update is here.) The second-round algorithms are: BLAKE, Blue Midnight Wish, CubeHash, ECHO, Fugue, Grøstl, Hamsi, JH, Keccak, Luffa, Shabal, SHAvite-3, SIMD, and Skein. You can find details on all of them, as well as the current state of their cryptanalysis, here. NIST will select approximately five algorithms to go on to the third round by the end of the year.

In other news, we’re once again making Skein polo shirts available to the public. Those of you who attended either of the two SHA-3 conferences might have noticed the stylish black Skein polo shirts worn by the Skein team. Anyone who wants one is welcome to buy it, at cost. Details (with photos) are here. All orders must be received before October 1, and we’ll have all the shirts made in one batch.

Posted on September 1, 2010 at 6:01 AMView Comments

WikiLeaks Insurance File

Now this is an interesting development:

In the wake of strong U.S. government statements condemning WikiLeaks’ recent publishing of 77,000 Afghan War documents, the secret-spilling site has posted a mysterious encrypted file labeled “insurance.”

The huge file, posted on the Afghan War page at the WikiLeaks site, is 1.4 GB and is encrypted with AES256. The file’s size dwarfs the size of all the other files on the page combined. The file has also been posted on a torrent download site.

It’s either 1.4 Gig of embarrassing secret documents, or 1.4 Gig of random data bluffing. There’s no way to know.

If WikiLeaks wanted to prove that their “insurance” was the real thing, they should have done this:

  1. Encrypt each document with a separate AES key.
  2. Ask someone to publicly tell them to choose a random document.
  3. Publish the decryption key for that document only.

That would be convincing.

In any case, some of the details might be wrong. The file might not be encrypted with AES256. It might be Blowfish. It might be OpenSSL. It might be something else. Some more info here.

EDITED TO ADD (8/9): Weird Iranian paranoia:

An Iranian IT expert warned here on Wednesday that a mysterious download file posted by the WikiLeaks website, labeled as ‘Insurance’, is likely a spy software used for identifying the information centers of the United States’ foes.

“The mysterious file of the WikiLeaks might be a trap for intelligence gathering,” Hossein Mohammadi told FNA on Wednesday.

The expert added that the file will attract US opponents and Washington experts can identify their enemy centers by monitoring individuals’ or organizations’ tendency and enthusiasm for the file.

Posted on August 4, 2010 at 7:52 AMView Comments

1 37 38 39 40 41 56

Sidebar photo of Bruce Schneier by Joe MacInnis.