itsicherheit_implementierung   11

efail: Outdated Crypto Standards are to blame
I have a lot of thoughts about the recently published efail vulnerability [NB: https://pinboard.in/u:kraven/b:0d0ecac4fe3f], so I thought I'd start to write up some of them. I'd like to skip all the public outrage about the disclosure process for now, as I mainly wanted to get into the technical issues, explain what I think went wrong and how things can become more secure in the future. I read lots of wrong statements that "it's only the mail clients" and the underlying crypto standards are fine, so I'll start by explaining why I believe the OpenPGP and S/MIME standards are broken and why we still see these kinds of bugs in 2018. I plan to do a second writeup that will be titled "efail: HTML mails are to blame".

Not all of the attack scenarios involve crypto, but those that do exploit a property of encryption modes that is called malleability. It means that under certain circumstances you can do controlled changes of the content of an encrypted message. Malleability of encryption is not a new thing. Already back in the nineties people figured out this may be a problem and started to add authentication to encryption. Properly using authenticated encryption modes can prevent a lot of problems.

It's been a known issue in OpenPGP, but until now it wasn't pressing enough to fix it. The good news is that with minor modifications OpenPGP can still be used safely. And having a future OpenPGP standard with proper authenticated encryption is definitely possible. For S/MIME the situation is much more dire and it's probably best to just give up on it. It was never a good idea in the first place to have competing standards for e-mail encryption.

For other crypto protocols there's a lesson to be learned as well: Stop using unauthenticated encryption modes. If anything efail should make that abundantly clear.
hanno böck, 22.05.2018
krypto_algo_modus_aead  krypto_algo_modus_aead_ocb  krypto_algo_modus_aead_eax  krypto_openpgp  software_krypto_gnupg  itsicherheit_exploit_flaw  software_mua_html_mail  krypto_smime  itsicherheit_implementierung  itsicherheit_verdeckterkanal_data_exfil  krypto_openpgp_mdc 
yesterday by kraven
Efail or OpenPGP is safer than S/MIME
Some may have noticed that the EFF has warnings [NB: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now] about the use of PGP out which I consider pretty overblown. The GnuPG team was not contacted by the researchers but I got access to a version of the paper [NB: https://efail.de/] related to KMail. It seems to be the complete paper with just the names of the other MUAs redacted.

Here is a response I wrote on the weekend to a reporter who inquired on this problem:

The topic of that paper is that HTML is used as a back channel to create an oracle for modified encrypted mails. It is long known that HTML mails and in particular external links like <img href="tla.org/TAG"/> are evil if the MUA actually honors them (which many meanwhile seem to do again; see all these newsletters). Due to broken MIME parsers a bunch of MUAs seem to concatenate decrypted HTML mime parts which makes it easy to plant such HTML snippets.

There are two ways to mitigate this attack:
- Don't use HTML mails. Or if you really need to read them use a proper MIME parser and disallow any access to external links,
- Use authenticated encryption.

The latter is actually easy for OpenPGP because we started to use authenticated encryption (AE) since 2000 or 2001. Our AE is called MDC (Modification detection code) and was back then introduced for a very similar attack [NB: Massive fail by the entire domestic and foreign press, EFF included].
gnupg-users mailinglist, 14.05.2018
krypto_openpgp  software_krypto_gnupg  ngo_eff  itsicherheit_exploit_flaw  uni_de_fh_münster  software_mua_tb_enigmail  software_mua_html_mail  krypto_smime  itsicherheit_implementierung  itsicherheit_verdeckterkanal_data_exfil  itsicherheit_strategie  internet_protokoll_mime  krypto_openpgp_mdc  uni_nl_ku_leuven  uni_de_bochum 
11 days ago by kraven
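The two posts above describe malleability (Hanno Böck: "controlled changes of the content of an encrypted message") and OpenPGP's answer to it, the MDC (Werner Koch). The following is an added example, written for this page and not code from either author or from GnuPG. It implements CFB mode, the mode OpenPGP uses, over a toy block function (a keyed SHA-256 stand-in, since CFB only ever needs the cipher's forward direction; this is an assumption of the demo and not AES), shows the attacker rewriting one ciphertext block without the key, and then shows a simplified MDC (SHA-1 over plaintext || 0xD3 0x14, appended inside the encryption, without RFC 4880's random prefix block) rejecting the modified message. Key, IV and the message are constructed for the demo.

```python
import hashlib
import hmac

BLOCK = 16  # block size in bytes; mirrors a 128-bit block cipher

# Constructed demo inputs (not from either post).
KEY = hashlib.sha256(b"demo key, not a real secret").digest()
IV = bytes(BLOCK)
PLAINTEXT = b"Content-Type: text/html\r\n\r\n<p>Meet at 19:00 at the usual place.</p>"
WANTED = b"X-Injected: yes "  # exactly one block: what the attacker wants block 0 to read
MDC_TAG = b"\xd3\x14"  # OpenPGP MDC packet header: tag 0xD3, length 0x14 (20 bytes)


def _prf_block(key: bytes, block: bytes) -> bytes:
    """Stand-in for the block cipher's encrypt direction.

    CFB only ever uses the forward direction, so a keyed PRF built from
    SHA-256 is enough to show the mode's properties. Toy only: not AES.
    """
    return hashlib.sha256(key + block).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """C_i = P_i XOR E_k(C_{i-1}); the last block may be partial."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        chunk = plaintext[i:i + BLOCK]
        c = _xor(chunk, _prf_block(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """P_i = C_i XOR E_k(C_{i-1}); no integrity check of any kind."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(c, _prf_block(key, prev))
        prev = c
    return bytes(out)


def flip_block(ciphertext: bytes, index: int, known: bytes, wanted: bytes) -> bytes:
    """Malleability: rewrite block `index` from `known` to `wanted` without the key.

    Because P_i = C_i XOR keystream_i, XORing (known XOR wanted) into C_i turns
    P_i into `wanted`. Block i+1 decrypts to garbage (its keystream is derived
    from the now-changed C_i); block i+2 onwards is untouched.
    """
    start = index * BLOCK
    patched = _xor(ciphertext[start:start + BLOCK], _xor(known, wanted))
    return ciphertext[:start] + patched + ciphertext[start + BLOCK:]


def seal_with_mdc(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext || 0xD3 0x14 || SHA1(plaintext || 0xD3 0x14).

    Simplified MDC: RFC 4880 also prepends a random block with two repeated
    octets and hashes that prefix too; omitted here (assumption of the demo).
    """
    mdc = hashlib.sha1(plaintext + MDC_TAG).digest()
    return cfb_encrypt(key, iv, plaintext + MDC_TAG + mdc)


def open_with_mdc(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """Decrypt and verify the trailing MDC; refuse to return modified data."""
    data = cfb_decrypt(key, iv, ciphertext)
    if len(data) < 22:
        raise ValueError("MDC check failed: message too short")
    body, tag, mdc = data[:-22], data[-22:-20], data[-20:]
    expected = hashlib.sha1(body + MDC_TAG).digest()
    if tag != MDC_TAG or not hmac.compare_digest(mdc, expected):
        raise ValueError("MDC check failed: ciphertext was modified")
    return body


def demo() -> dict:
    """Run the same block rewrite against plain CFB and against CFB with an MDC."""
    ct = cfb_encrypt(KEY, IV, PLAINTEXT)
    tampered = flip_block(ct, 0, PLAINTEXT[:BLOCK], WANTED)
    result = {"tampered_plaintext": cfb_decrypt(KEY, IV, tampered)}

    sealed = seal_with_mdc(KEY, IV, PLAINTEXT)
    result["mdc_untampered"] = open_with_mdc(KEY, IV, sealed)
    try:
        open_with_mdc(KEY, IV, flip_block(sealed, 0, PLAINTEXT[:BLOCK], WANTED))
        result["mdc_detected"] = False
    except ValueError:
        result["mdc_detected"] = True
    return result


if __name__ == "__main__":
    r = demo()
    print(r["tampered_plaintext"])
    print("MDC caught the modification:", r["mdc_detected"])
```

The garbage in block 1 is what makes this usable against HTML mail: the attacker only needs the rewritten block to open a tag or attribute and a later block to close it, and the garbled block in between is swallowed by the HTML parser. Without the MDC, `cfb_decrypt` hands the modified text to the mail client without complaint; with it, the client gets an error instead of data, which is the only safe outcome as long as the client actually treats the error as fatal.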
Worst case for Intel: more Spectre vulnerabilities on the way
Several research teams have already reported a total of eight new security vulnerabilities in Intel CPUs to the manufacturer, and these are currently still being kept secret. All eight go back to the same core design problem that the section "Meltdown and Spectre for Dummies" explains in more detail; they are, so to speak, Spectre Next Generation. Each of the eight vulnerabilities has received its own number in the directory of all security vulnerabilities (Common Vulnerability Enumerator, CVE) and each requires its own patches; they will probably all get their own names as well. So far we only have concrete information on Intel's processors and their patch plans. However, there are first indications that at least some ARM CPUs are also affected. Intel itself rates four of the Spectre-NG vulnerabilities as "high risk"; the danger of the other four is rated only as medium. One of the Spectre-NG vulnerabilities simplifies attacks across system boundaries so much that we rate its threat potential considerably higher than that of Spectre. Concretely, an attacker could launch exploit code in a virtual machine (VM) and attack the host system from there, for instance a cloud hoster's server. Or he attacks the VMs of other customers running on the same server.
ct, 03.05.2018
itsicherheit_cpu_meltdown_spectre  itsicherheit_exploit_flaw  itsicherheit_hardware  itsicherheit_implementierung  tech_hw_chip_cpu  tech_hw_chip_cpu_cache  unternehmen_amd  unternehmen_intel  unternehmen_allg_desinformation_propaganda  itsicherheit_by_obscurity  itsicherheit_virtualisierung  itsicherheit_seitenkanal_analyse_angriff 
21 days ago by kraven
Reading privileged memory with a side-channel
We have discovered that CPU data cache timing can be abused to efficiently leak information out of mis-speculated execution, leading to (at worst) arbitrary virtual memory read vulnerabilities across local security boundaries in various contexts. Variants of this issue are known to affect many modern processors, including certain processors by Intel, AMD and ARM. For a few Intel and AMD CPU models, we have exploits that work against real software. So far, there are three known variants of the issue: Variant 1: bounds check bypass (CVE-2017-5753), Variant 2: branch target injection (CVE-2017-5715), Variant 3: rogue data cache load (CVE-2017-5754). Before the issues described here were publicly disclosed, Daniel Gruss, Moritz Lipp, Yuval Yarom, Paul Kocher, Daniel Genkin, Michael Schwarz, Mike Hamburg, Stefan Mangard, Thomas Prescher and Werner Haas also reported them; their [writeups/blogposts/paper drafts] are at: Spectre (variants 1 and 2), Meltdown (variant 3) [NB: Fuck you Intel, my next computer will be non-Intel].
google project zero, 03.01.2018
itsicherheit_exploit_flaw  itsicherheit_malware_spyware  itsicherheit_speicher_aslr  itsicherheit_hardware  itsicherheit_implementierung  itsicherheit_os  unternehmen_intel  sicherheitsforschung_itsicherheit  software_os_linux  software_os_windows  software_os_mac  software_os_kernel  unternehmen_amd  unternehmen_arm  tech_hw_chip_cpu  tech_hw_chip_cpu_cache  itsicherheit_cpu_meltdown_spectre  itsicherheit_seitenkanal_analyse_angriff 
january 2018 by kraven
Millions of high-security crypto keys crippled by newly discovered flaw
A crippling flaw in a widely used code library has fatally undermined the security of millions of encryption keys used in some of the highest-stakes settings, including national identity cards, software- and application-signing, and trusted platform modules protecting government and corporate computers. The weakness allows attackers to calculate the private portion of any vulnerable key using nothing more than the corresponding public portion. Hackers can then use the private key to impersonate key owners, decrypt sensitive data, sneak malicious code into digitally signed software, and bypass protections that prevent accessing or tampering with stolen PCs. The five-year-old flaw is also troubling because it's located in code that complies with two internationally recognized security certification standards that are binding on many governments, contractors, and companies around the world. The code library was developed by German chipmaker Infineon and has been generating weak keys since 2012 at the latest. The flaw is the one Estonia's government obliquely referred to last month when it warned that 750,000 digital IDs issued since 2014 were vulnerable to attack. Estonian officials said they were closing the ID card public key database to prevent abuse. Last week, Microsoft, Google, and Infineon all warned how the weakness can impair the protections built into TPM products that ironically enough are designed to give an additional measure of security to highly targeted individuals and organizations. The flaw is the subject of a research paper titled The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli, which will be presented on November 2 at the ACM Conference on Computer and Communications Security. The vulnerability was discovered by Slovak and Czech researchers from Masaryk University in the Czech Republic, Enigma Bridge in Cambridge, UK, and Ca' Foscari University in Italy.
ars technica, 16.10.2017
eid_dokument  itsicherheit_code_signing  itsicherheit_exploit_flaw  tech_hw_chip_krypto_tpm  krypto_bibliothek_rsa_infineon  unternehmen_infineon  krypto_entschlüsselung  krypto_algo_rsa  krypto_faktorisierung  krypto_key_recovery  de_bundesamt_bsi  itsicherheit_zertifizierung  itsicherheit_implementierung  krypto_openpgp  krypto_verschlüsselung_datenträger  krypto_verschlüsselung_kommunikation  krypto_verschlüsselung_transport  tech_hw_krypto_token  krypto_tls_cert  krypto_signierung  krypto_signierung_qes 
october 2017 by kraven
Falling through the KRACKs
The big news in crypto today is the KRACK attack on WPA2 protected WiFi networks. Discovered by Mathy Vanhoef and Frank Piessens at KU Leuven, KRACK (Key Reinstallation Attack) leverages a vulnerability in the 802.11i four-way handshake in order to facilitate decryption and forgery attacks on encrypted WiFi traffic.
matthew green, 16.10.2017
krypto_algo_wpa2  internet_wlan  tech_wifi_wlan  itsicherheit_exploit_flaw  itsicherheit_trafficmanipulation_paketinjektion  krypto_entschlüsselung  krypto_verschlüsselung_transport  verband_ieee  überwachung_internet_mitm  itsicherheit_implementierung 
october 2017 by kraven
India's database with biometric details of its billion citizens ignites privacy debate
In 2008, they formulated Aadhaar, an audacious project "destined" to change the prospects of Indians. It was similar to the Social Security number that US residents are assigned, but its implications were further reaching. Eight years later, Aadhaar, which stores identity information such as a photo, name, address, fingerprints and iris scans of its citizens and also assigns them a unique 12-digit number, has become the world's largest biometrics-based identity system. According to the Indian government, over 1.11 billion people of the country's roughly 1.3 billion citizens have enrolled themselves in the biometrics system. About 99 percent of all adults in India have an Aadhaar card, it said last month. Today, the significance of Aadhaar, which on paper remains an optional program, is undeniable in the country. The government says Aadhaar has already saved it as much as $5 billion. But that's not it.
mashable, 14.02.2017
land_indien  datenbank_biometrie_in_aadhaar  in_uidai  in_uidai_india_stack  bezahlsystem_bargeldlos  biometrie_fingerabdruck  biometrie_gesicht  biometrie_iris  datenschutz_id_management  datenbank_population  datenbank_idnr_schlüssel  itsicherheit_datensicherheit  itsicherheit_by_obscurity  itsicherheit_implementierung  überwachung_person_identifizierung  überwachung_person_profil  unternehmen_ongrid 
february 2017 by kraven
Antivirus software: the snake-oil industry
Users and system administrators regard antivirus programs as indispensable. But many IT security experts are extremely sceptical. Antivirus software is often itself full of security holes, and it has very fundamental limits.
golem, 21.12.2016
itsicherheit_by_obscurity  software_anti_malware_virus  itsicherheit_malware_spyware  itsicherheit_implementierung  überwachung_internet_mitm_sslproxy  itsicherheit_exploit_flaw  itsicherheit_strategie  tech_medien_kompetenz 
december 2016 by kraven
Rigged primes enable backdoors in encryption
A research team has succeeded in computing a discrete logarithm with respect to a 1024-bit prime, in just two months of computing time on 2000 to 3000 cores. But the significance of the paper A kilobit hidden SNFS discrete logarithm computation by Fried, Gaudry, Heninger and Thomé reaches much further. It shows that, with the help of cleverly constructed primes, a backdoor can be built into encryption schemes that, according to the current state of research, nobody can detect. It does, however, allow its constructor to break the encryption unnoticed. This raises the question of whether this has not long since happened and, for example, the NSA has smuggled rigged primes into encryption standards.
heise, 13.10.2016
krypto_backdoor  krypto_problem_dlp  itsicherheit_implementierung  krypto_algo_dh_kex  krypto_algo_dsa_dss  krypto_entschlüsselung  krypto_tls  geheimdienst_us_nsa_ces 
october 2016 by kraven
A Famed Hacker Is Grading Thousands of Programs — and May Revolutionize Software in the Process
At the Black Hat cybersecurity conference in 2014, industry luminary Dan Geer, fed up with the prevalence of vulnerabilities in digital code, made a modest proposal: Software companies should either make their products open source so buyers can see what they’re getting and tweak what they don’t like, or suffer the consequences if their software failed. Mudge and his wife, Sarah, a former NSA mathematician, have developed a first-of-its-kind method for testing and scoring the security of software — a method inspired partly by Underwriters Laboratories, that century-old entity responsible for the familiar circled UL seal that tells you your toaster and hair dryer have been tested for safety and won’t burst into flames. Called the Cyber Independent Testing Lab, the Zatkos’ operation won’t tell you if your software is literally incendiary, but it will give you a way to comparison-shop browsers, applications, and antivirus products according to how hardened they are against attack.
intercept, 29.07.2016
itsicherheit_audit  itsicherheit_exploit_flaw  itsicherheit_implementierung 
july 2016 by kraven
Extracting Qualcomm's KeyMaster Keys - Breaking Android Full Disk Encryption
After covering a TrustZone kernel vulnerability and exploit, I thought this time it might be interesting to explore some of the implications of code-execution within the TrustZone kernel. In this blog post, I'll demonstrate how TrustZone kernel code-execution can be used to effectively break Android's Full Disk Encryption (FDE) scheme. We'll also see some of the inherent issues stemming from the design of Android's FDE scheme, even without any TrustZone vulnerability. I've been in contact with Qualcomm regarding the issue prior to the release of this post, and have let them review the blog post. As always, they've been very helpful and fast to respond. Unfortunately, it seems as though fixing the issue is not simple, and might require hardware changes.
bits, please, 30.06.2016
unternehmen_qualcomm  software_os_linux_android  itsicherheit_exploit_flaw  itsicherheit_firmware_mobilfunkgerät  itsicherheit_hardware  itsicherheit_mobil_os  krypto_entschlüsselung  krypto_verschlüsselung_datenträger  krypto_analyse_bruteforce  krypto_key_recovery  itsicherheit_implementierung  krypto_key_kdf  itsicherheit_by_obscurity  itsicherheit_authentisierung_passwort  überwachung_itforensik  krypto_backdoor 
july 2016 by kraven
