Legacy Crypto Never Dies

Video in TIB AV-Portal: Legacy Crypto Never Dies

Formal Metadata

Legacy Crypto Never Dies
CC Attribution 4.0 International:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Content Metadata

In 2012 I released a DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2.
I am an Mannheim and come along with me in my theory on articles came out
Alright, so I'm David Hulton. I've done a lot of FPGA crypto cracking stuff and I also run ToorCon, this conference in San Diego. So this is called Legacy Crypto Never Dies, but the subtitle is really "why won't it die, and why am I still doing this crap". So did anybody see my presentation in 2012 with Moxie Marlinspike? So I'll go over a little bit of this, but basically we presented a number of years ago and we designed a break for MSCHAPv2. For those who might not be familiar, the protocol provides mutual authentication for a number of different things, and the things we specifically focused on were PPTP VPNs and WPA2 Enterprise, but we quickly found there's a number of other things that use it as well. And this research is nothing new; actually in '99 Mudge, Bruce Schneier and Wagner published a paper that spelled out all these problems, and it stated that at the time state actors and well-funded groups could easily break this, and so on. So this is by no means new research; we just looked into it a little more.

So if you aren't familiar with MSCHAPv2, the basic idea is that it's a challenge-response authentication protocol that involves a password. What's actually sent across the network: you have your challenge, which is essentially your known text, and then you have a response, which is essentially a ciphertext. And all this is basically based on a password that turns into an NT hash, MD4, and that creates your 128-bit key that's used to create the response. So up until we gave the talk, people were attacking the user password by doing dictionary attacks; they would try to find the weak passwords in order to crack the password used for these sorts of things. So if you actually analyze a full brute force on this using the password, it's somewhere around 92 bits worth of passwords you'd have to search through, which is really difficult to do, and so at some point it's pretty much a password-based attack where they're only finding passwords that are really weak. And so this paper basically said, why attack that when you can attack the password equivalent, which is essentially the hash, and the hash is actually split into three separate keys that are used to encrypt the same plaintext, the challenge hash, so you can basically crack these independently. And the basic idea here is that it's an independent DES operation, so they claimed you would have to brute force roughly around 2^57 to break this NT hash. So we started looking at this, and when actually implementing it, the exact same plaintext is used for the DES operations, so a naive implementation is that you crack them independently and you do two DES brute forces, but it's easy to just basically encrypt the same plaintext once and then just do two compares after that. So it's really just 2^56 to go through the key space once, worst case, to crack both of these keys, and the third key is only 16 bits, so that can be easily brute forced.

So we basically demonstrated that this can be cracked with 2^56 DES computations, but I think the cool thing about this presentation is that we made it accessible to everybody instead of just well-funded groups. So we released software where you could point it toward a capture of a PPTP connection and it would extract out the key material and create a session token that you could submit to CloudCracker.com, which is Moxie's service that he had running, and then the back end would run on the FPGA cluster that I had in my basement. So this made it accessible for everybody, and we wanted to kind of rate-limit it, so we started charging 20 dollars for it. And a lot of people think that DES is relatively easy to break because people were doing it back in 1999, and just for reference, the EFF cracker ran around 90 billion keys per second and took about 9.2 days to go through the whole key space. And we were targeting something around 24 hours to brute force the full key space. So for 24 hours of DES, benchmarks with AWS: you'd need around 80 thousand CPU cores in order to brute force DES in 24 hours, and that's around 125 thousand dollars worth of AWS credits, though I imagine they give you a bit of a discount if you buy a block like that. And then we looked at the GPU instances, and that's around 1800 GPUs, or around 6 months on one GPU, and in AWS credits that's around 20 thousand dollars. And the system that I had is hardware from my company that we resell; it has 48 FPGAs, and a system like this would sell for over 100 thousand dollars, but I can borrow the hardware in my basement, and so we offered this for 20 dollars a key. Here's a picture of it in my basement; it sits inside this rack over here. And so of course everybody rushed to fix things, right, now that this can be cracked easily? And of course not, right, we know how things go.
So, you know, a few years later we looked, and one of the main examples in our talk was iPredator VPN, because it's one of the more popular VPN providers, and we called them out, and of course they're still up offering PPTP VPNs. They just added this little note on the website like, oh, you probably shouldn't use PPTP because it's insecure, but you can still use it. And that's basically how it was across the board, like all these VPN providers are still providing PPTP VPNs. And then people kind of discounted the WPA2 attacks, oh, you know, it's not really an issue. And so recently I started looking back into this stuff, and also we were getting some jobs running through the system, so I just started looking at these weird ones that started coming through. So normally you have ones that look like fairly random plaintext and ciphertext, but we noticed ones where it's like 1 1 2 2 3 3, you know, that doesn't look very random, and so I was just wondering what's up with that. And we also noticed ones where both of the ciphertexts are exactly the same, and so they're obviously using this for something that's not MSCHAPv2. And so I just started seeing, sniffing around articles, that people are definitely still cracking WPA2 Enterprise, and there's all sorts of tutorials on the Internet now for setting up your own rogue AP with a fake RADIUS server for basically stealing credentials to crack with asleap or CloudCracker. And then also just with a search on the 1 1 2 2 3 3 4 4, it's the default challenge string for the Metasploit SMB relay module, so I started looking into that. So I started looking at more of the ways that people are using this for purposes other than what it was intended for. And then when the traffic to the server dropped off, it's like, what the hell's going on here? CloudCracker just died one day. I emailed Moxie, he never replied, and so I made my own site that basically just provides the DES cracking service specifically for the FPGA system I have. And as I was setting this up, I was wanting to kind of add extra features and finally update everything to make it work with the new things we were doing, what people were using it for, and what features to add. And most of all, the reason this product exists is to, you know, hopefully kill DES once and for all, and hopefully legacy crypto in general, that everybody knows is insecure but it's just always going to be there.
So I'm looking at this, and the relay module, if you look at the LAN MAN and NTLMv1 challenge response, it's exactly the same as MSCHAPv2, and so people realized this shortly after our talk and started doing these attacks where they use that to crack people's passwords: they either set up their own fake SMB server or redirect to their servers, and when people log in they'd get the LM hash and NT hash. And basically how this works is that if you use the SMB relay module, it'll start spitting out the captured NT hash values off the network, the hash values here, and then you can easily take that and feed it directly into chapcrack, which Moxie wrote a long time ago, and give it that fixed challenge of 1 1 2 2 3 3 4 4 5 0 6 and 7, and then it will create a token that you submit to the website, and ultimately the value you get back from us in an e-mail within 24 hours is the LAN MAN hash or the NTLM hash, based on which one of these values you used. And then you can do any number of pass-the-hash attacks or whatever, and use the hash to authenticate with the actual system. And then people actually started making it super easy to create your own fake access points for doing WPA2 Enterprise attacks, and so this is easy-creds. It actually fully sets up, you know, a rogue AP with hostapd and the RADIUS server and everything, and then as people connect, it's the same thing where it gives you the challenge and response, and you can take those and do the exact same thing: feed it to the system, it'll crack it, and then you get the hash equivalent, and you can use that to authenticate to the WPA2 Enterprise network. And I started asking people in the industry how often they actually see people doing full certificate validation of the server, and everybody I talked to said that, you know, it's like maybe 95% of the time this attack works. And so there's people not checking certificates at all, there's lots of supplicants that don't really support it or handle it very well, and there's also tons of people that just hit accept or whatever and type in their credentials anyway. So this is definitely very much still a thing. And then shortly after we gave the talk in 2012, I don't know if you guys saw this talk, Security Research Labs basically did remote updates to SIM cards with the SIM toolkit, and a lot of these operators rely on DES for verifying the remote updates, and so he demonstrated that, and with a lot of the carriers he looked at, a good percentage of them still used DES, and you can easily crack the key and send updates to people's phones; there's all sorts of nefarious things you can do with that. And I was looking at this recently, and Mr. Robot featured this hack and actually used CloudCracker to crack the DES keys.
So the main feature I wanted at this point was to provide a more general-purpose interface instead of people just kind of abusing the system in order to crack whatever they wanted. So I just set out to create a really simple rule, and the basic idea here is that now you can submit jobs to the system where, if you have the ciphertext and know some of the plaintext for that block, you can use a simple mask, and we allow up to 24 bits of zeros. So as long as you know something about the plaintext, it will find the keys that match and send you a list of all the keys, and then you can further verify them yourself. And so this feature has been out for a while now, and I kind of wanted to just exercise it and try to break something using this new interface. And so a friend of mine presented on this a number of years ago: Kerberos provides a DES option, and downgrade attacks are fairly easy using it. And so I was just like, oh, nobody uses DES anymore for Kerberos, and for my day job I just looked at our network, and of course our network only does DES and RC4. So I'm sure there are a number of environments out there that have pre-Windows 2008 computers that you still have to provide ways to support. So just looking at this, the idea is that with the initial authentication with the KDC, you can man-in-the-middle it and downgrade it, saying only DES is supported, and then basically from then on they use DES keys for all of Kerberos.

So I wrote a sort of pcap filter that essentially swapped out the list of possible encryption types with just DES, and this actually works really well, and so then all the values you see flowing from then on are DES encrypted. And it's all ASN.1 encoded, and the whole ASN.1 is fairly fixed, so you can actually get really reliable known plaintext out of that. From one example like that, which I have shown here, you probably can't see it all, but there is this particular block that is fixed and it's entirely based on the current date; actually the year and month are in that field, and so it's pretty easy to figure out the entire known plaintext based on that. And then since it's CBC, it's fairly simple to figure out the actual known plaintext for that particular DES block, because with CBC you just take the ciphertext of the previous block XORed with the plaintext of the current block, you XOR them together, and that's your known plaintext for what we're trying to crack. And so just because you're using CBC doesn't necessarily mean that it's adding much security against these types of attacks that brute force the full key space.
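The downgrade described above leaves a trace on the domain controller: the tickets it issues come back with a single-DES etype. As an added example (not the speaker's tool, and not part of the talk), here is a small detector over constructed Windows security event lines (Event IDs 4768 and 4769, whose "Ticket Encryption Type" field carries the etype); the flattened line layout, account names and addresses are made up, the etype numbers are the standard Kerberos ones.

```python
"""Flag single-DES Kerberos tickets in Windows security events (added example).

Constructed input: the sample lines flatten the fields a defender would pull
from Event ID 4768 (TGT request) and 4769 (service ticket request); field
names follow the Windows event schema, all values are made up.
"""
import re

# Kerberos etype numbers (RFC 3961 / MS-KILE) as shown in the
# "Ticket Encryption Type" field of events 4768 and 4769.
ETYPE_NAMES = {
    0x01: "des-cbc-crc",
    0x03: "des-cbc-md5",
    0x11: "aes128-cts-hmac-sha1-96",
    0x12: "aes256-cts-hmac-sha1-96",
    0x17: "rc4-hmac",
    0x18: "rc4-hmac-exp",
}
DES_ETYPES = {0x01, 0x03}

LINE_RE = re.compile(
    r"EventID=(?P<eid>476[89]) .*?Account Name: (?P<acct>\S+) "
    r".*?Client Address: (?P<ip>\S+) "
    r".*?Ticket Encryption Type: 0x(?P<etype>[0-9A-Fa-f]+)"
)

# alice negotiates AES, a legacy host asks for DES, then alice suddenly gets a
# DES TGT: the pattern the etype-list rewrite described above leaves behind.
SAMPLE_LOG = [
    "EventID=4768 Account Name: alice Client Address: 10.0.0.15 Ticket Encryption Type: 0x12 Pre-Authentication Type: 2",
    "EventID=4769 Account Name: alice Client Address: 10.0.0.15 Ticket Encryption Type: 0x12",
    "EventID=4768 Account Name: legacy-xp$ Client Address: 10.0.0.77 Ticket Encryption Type: 0x3",
    "EventID=4768 Account Name: alice Client Address: 10.0.0.15 Ticket Encryption Type: 0x1",
    "EventID=4769 Account Name: bob Client Address: 10.0.0.20 Ticket Encryption Type: 0x17",
    "EventID=4624 Account Name: bob Logon Type: 3",  # not a ticket event, ignored
]


def parse_events(lines):
    """One dict (eid, acct, ip, etype) per 4768/4769 line; other lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.search(line)
        if m:
            events.append({"eid": int(m["eid"]), "acct": m["acct"],
                           "ip": m["ip"], "etype": int(m["etype"], 16)})
    return events


def find_des_tickets(events):
    """Every ticket issued with a single-DES etype, as (account, event id, etype name)."""
    return [(e["acct"], e["eid"], ETYPE_NAMES.get(e["etype"], hex(e["etype"])))
            for e in events if e["etype"] in DES_ETYPES]


def find_downgrades(events):
    """Accounts that got a non-DES ticket earlier in the log and a DES ticket later.

    A genuinely legacy host only ever shows DES; a client that negotiated AES or
    RC4 and then 'only supports' DES is the downgrade pattern worth alerting on.
    """
    strong_seen, downgraded = set(), set()
    for e in events:  # events are in log order
        if e["etype"] in DES_ETYPES:
            if e["acct"] in strong_seen:
                downgraded.add(e["acct"])
        else:
            strong_seen.add(e["acct"])
    return sorted(downgraded)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    for acct, eid, name in find_des_tickets(evts):
        print(f"DES ticket: event {eid} account {acct} etype {name}")
    print("downgraded accounts:", find_downgrades(evts))
```

Every DES ticket is a finding on a domain without legacy members; the downgrade check separates a client that was previously fine from one that has only ever spoken DES.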
So I wrote some code to extract all of this known plaintext out of the blocks and then essentially just create crack.sh tokens. So if you're able to run the pcap filter and then just do a pcap capture of the traffic, run it through here, it'll basically pull out a bunch of tokens you can use for cracking the keys used, and then actually leveraging that to pull out all the tickets and, you know, take the domain controller, all that sort of stuff, but that's a topic for another talk if I had time. So yeah, then you can submit it to the system and it'll crack the key. So then I started noticing people asking specifically for cracking DES crypt hashes. So, if you remember, crypt from like the nineties or something like that, and Linux used to use it, and a long time ago I wrote some FPGA code for cracking these, but I never saw a use for it and so I gave up on it, but nowadays people are asking me if I can crack these, so I'm like OK, I guess I'll try to. And if you remember, this was actually designed to replace an older M-209 cipher that took 125 ms on a PDP-11, and they wanted their cipher to take over one second on a PDP-11, and so that's the design criteria for this, but it's essentially 25 rounds of DES. And I figured nobody uses it anymore, right, and then QNX came up, and I found out that tons of vehicles are using QNX for their infotainment systems and stuff like that, so I was like OK, I guess this is worthwhile. And so I just searched for presentations on it and everything, and this is actually Charlie Miller and Chris Valasek's paper on cracking the Jeep Cherokee, the 2014 Jeep Cherokee, and they just published the shadow file from it, so I'm like OK, now I've got some stuff to work off of. One other related presentation published a shadow file, and just searching around, there's tons of DES hashes on the Internet that people are trying to get the passwords for, so maybe there's something to this.

And so I set out to basically go through the full possible key space for this, and so this is the 95 possible characters for all possible character lengths, and with 25 rounds of DES it takes around 3 days for my system to go through the full key space for this. And so I just started, you know, you can submit these directly to the system if you go to crack.sh now. And I figured that there must be secure passwords out there that I could actually use to test the system on; like, there has to be some people that actually use special characters and stuff in their passwords, right, you'd think so. And so a friend of mine, I mentioned to him about the system, and he's like, oh, I've got a hash for you to crack here; it's for the Nest thermostat systems, which have a Linux on them and use the shadow file for the passwords. And so I put it in my system and I'm waiting, and it immediately returns an answer, and I'm like, what, really? I was expecting something better. And then I went through and looked at these other ones and it's simple stuff like that. So this is a call to any of you: if you have any DES crypt systems, QNX systems, that you're unable to crack with John the Ripper, let me know, because I want to have something that this is good for, so please help me out here.

And so anyway, if you go on the GitHub, we have some ways to verify all of this, you know, how our bit ordering and everything is, keys with parity versus non-parity, so you can verify your implementation, and then also you can submit jobs fairly easily and create tokens through this. The tokens are all base64 encoded, so it's easy to write yourself if you want to, but this is just a reference implementation, and this also implements the Kerberos key cracking stuff, so you have an idea of how to approach this. And then I can take this, feed it to the website, and usually within a day you'll receive a list of all the keys that match that, and it narrows it down to a decent size that you can easily verify with software or whatever. So that's what we have right now. So if you happen to come across this in the wild, which is becoming an increasingly popular thing for some reason, then, you know, that's pretty much the talk. I really want to just have some help with killing legacy crypto, and so if anybody wants to or has any ideas, please just e-mail me and I'll just give you access to the system for free, because I just want to get it out there, and the reason there's a charge is just because, you know, I don't want it flooded with all these people trying to crack stupid things. But you can find everything on crack.sh and GitHub; there's links on the website as well. And also just a quick plug: we have ToorCon San Diego coming up this year at the end of August, and then we also have ToorCamp, which is the US hacker camp, next year on an island in Washington, which is usually a lot of fun. Any questions, comments, complaints?