Legacy Crypto Never Dies

Automated media analysis

Speech transcript
I am an Mannheim and come along with me in my theory on articles came out
Alright, so I'm David Hulton. I've done a lot of FPGA crypto cracking stuff, and I also run ToorCon, this conference in San Diego. So this is called "Legacy Crypto Never Dies", but the subtitle is, why won't this just die, like, why am I still doing this crap. So did anybody see my presentation in 2012 with Moxie Marlinspike? So I'll go over a little bit of this, but basically we presented a number of years ago and we designed a break on MS-CHAPv2. For those who might not be familiar with it, the protocol provides mutual authentication for a number of different things, and the things that we specifically focused on were PPTP VPNs and WPA2 Enterprise, but we quickly found out there's a number of other things it's used in as well. And this research is nothing new; actually in '99 Mudge, Bruce Schneier and Wagner published a paper that spelled out all these problems, and it stated that at the time state actors and well-funded groups could easily break this. So this is by no means new research, it's just that we have looked into it a little more.
So if you aren't familiar with MS-CHAPv2, the basic idea is that it's a challenge-response authentication protocol that involves a password. So what's actually sent across the network: you have your challenge, which is essentially your known plaintext, and then you have a response, which is essentially a ciphertext. And all this is basically based on a password that turns into an NT hash through MD4, and that creates your 128-bit key that's used to create your response. And so up until we gave our talk, people were attacking the user password by doing dictionary attacks, or they would try to crack the weak passwords, in order to crack the passwords used for these sorts of things. So if you actually analyze doing a full break on this using the password, it's somewhere around 92 bits' worth of passwords you have to search through, which is really difficult to do. So up to this point it was pretty much a password-based attack; they were only finding passwords that were really weak. And so this paper basically said, why attack that when you can attack the password equivalent, which is essentially the hash. And the hash is actually split into 3 separate keys that are used to DES-encrypt the same plaintext, the challenge hash up here, so you can basically crack these independently. And the basic idea here is that these are independent DES operations, so they claimed it would be roughly around 2^57 that you have to brute-force in order to break this NT hash. And so we started looking at this, and when actually implementing this, the exact same plaintext was used for the DES operations. So the naive implementation is that you crack these independently and you do full DES brute forces, but it's pretty easy to just basically encrypt the same plaintext and then just do two compares after that. So it's really just 2^56, going through the key space once, worst case, to crack both of these keys, and the 3rd key is only 16 bits, so that can be easily brute-forced, and
so we basically demonstrated that this can actually be cracked with 2^56 DES computations. But I think the cool thing about this presentation is that we made it accessible to everybody instead of just well-funded groups. And so we released software where you could point it toward a capture of a PPTP connection, and then it would extract out the key material and create this token that you could submit to cloudcracker.com, which is Moxie's service that he had running, and then on the back end that would run on the FPGA cluster that I had in my basement. So this basically made it accessible for everybody, and we wanted to kind of rate-limit it, so we started charging 20 dollars for it. And a lot of people think that DES is relatively easy to break, because people were doing it back in 1999. Just for reference, the EFF cracker ran around 90 billion keys per second and took about 9.2 days to go through the whole key space, and we were targeting something around 24 hours to brute-force the full key. So for 24 hours, I did some benchmarks with AWS, and it would take around 80 thousand CPU cores in order to brute-force DES in 24 hours, and that's around 125 thousand dollars' worth of AWS credits, though I imagine they'd give you a bit of a discount if you buy in bulk like that. And then we looked at the GPU instances, and that's around 1800 GPUs, or around 6 months on 1 GPU, and in AWS credits around 20 thousand dollars. And the system that I had, which is random hardware from my company that we resell, has 48 FPGAs, and a system like this would sell for over 100 thousand dollars, but I managed to borrow the hardware in my basement, and so we offered this for 20 dollars a key. Here's a picture of it in my basement; it sits inside this rack over here. And so of course everybody
rushed to fix things, right, now that this can be cracked easily? And of course not, right, we all know how things go. So, you know, a few years later we look, and one of the main examples in our talk was iPredator VPN, because it's one of the more popular VPN providers, and we called them out. And of course they're still offering PPTP VPNs; they just added this little note on the website, like, oh, you probably shouldn't use PPTP because it's insecure, but you can still use it. And that basically was across the board; all these VPN providers are still providing PPTP VPNs. And then people kind of discounted the WPA2 attacks, like, oh, it's not really an issue. And so I recently started looking back into this stuff.
And also we were getting some jobs running through the system, so I just started looking at these weird ones that started coming through. Normally you have ones that look like fairly random plaintext and ciphertext, but we noticed ones where it's like 1 1 2 2 3 3, you know, that doesn't look very random, and so I was just wondering what's up with that. And we also noticed ones where both the ciphertexts are exactly the same, so they're obviously using this for something that's not MS-CHAPv2. And so I just started seeing some articles; people are definitely still cracking WPA2 Enterprise, and there are all sorts of tutorials on the Internet now for setting up your own rogue AP with a fake RADIUS server for basically stealing credentials to crack through asleap or CloudCracker. And then also I just did a search on the 1 1 2 2 3 3 4 4, and it's the default challenge string for a Metasploit SMB relay module, so that's what people were using it for.
So I started looking into this some more, about ways that people are using this for other purposes than was originally intended. And when the traffic to my server just dropped off, I was like, what the hell's going on here, and it looks like cloudcracker.com just died and went off the Internet. I e-mailed Moxie, he never replied, and so I kind of set up my own site that basically just provides the DES cracking service specifically for the FPGA system I have. And as I was setting this up, I was wanting to kind of add extra features and, you know, update everything to make it work with the new things we were doing.
So I started thinking about what it's used for and what features it should have, and most of all the reason this product exists at all, and, you know, how can I kill DES once and for all, as well as legacy crypto in general that everybody knows is insecure, but it's just always going to be there.
So I'm looking at this, and the relay module: if you look at the LANMAN and NTLMv1 challenge-response, it's exactly the same as MS-CHAPv2, and so people realized this shortly after our talk and started doing these attacks where they're using that to crack people's passwords, where they'd either set up their own fake SMB server or redirect SMB servers, and as people log in they would get the credentials, the LANMAN and NTLM hash.
Basically how this works is that if you use this SMB relay module, it'll start spitting out captured hashes off the network, the LANMAN hash and NT hash values here, and then you can easily take that and feed it directly into chapcrack, which Moxie wrote a long time ago, and give it that fixed challenge of 1 1 2 2 3 3 4 4 5 0 6 and 7, and then it will create a token to submit to the website. And ultimately the value you get back from us in an e-mail within 24 hours is the LANMAN hash or the NTLM hash, based on which one of these values you submit to us. And then you can do any number of pass-the-hash attacks or whatever, and use the hash to authenticate with the actual system.
And then people actually started making it super easy to create your own fake access points for doing WPA2 Enterprise attacks. So this is easy-creds; it actually fully sets up a rogue AP, the hostapd daemon and RADIUS server and everything, and then as people connect, it's the same thing where it gives you a challenge-response, and you can take those and do the exact same thing, feed it to the system, and it'll crack it and then give you the hash equivalent that you can use to authenticate to the WPA2 Enterprise network. And I started asking people in the industry how often they actually see people doing full certificate validation of the server, and pretty much everyone I talked to said that it's like maybe 95% of the time this attack works. So people aren't checking certificates at all; lots of them don't really support it or handle it very well, and there are also tons of people that just say, sure, whatever, and type in their credentials anyway. So this is definitely very much still a thing.
And then shortly after we gave our talk in 2012, if you guys saw this talk by Karsten Nohl of SR Labs, it was basically doing remote updates to SIM cards with the SIM toolkit, and a lot of these operators rely on DES for verifying the remote updates. And so he demonstrated that, with a lot of the carriers he looked at, a good percentage of them still used DES, and you can easily crack the key and be able to send rogue updates to people's phones; there are all sorts of nefarious things you can do with that. And I was looking at this kind of recently; on Mr. Robot they featured this hack and actually used CloudCracker to crack the DES keys. And so I'd say
the main feature I wanted out of this was to provide a more general-purpose interface, instead of people just kind of abusing the system in order to crack whatever they wanted. So I set out to create a really simple rule, and the basic idea here is that now you can submit jobs to the system where, if you have the ciphertext and know some of the plaintext for that block, then you can use a simple mask, and we allow up to 24 bits of zeros. So as long as you know something about the plaintext, it will find all the keys that match that and send you a list of all the keys, and then you can further verify on your own. So this feature's been out for a while now, and I kind of wanted to just experience this and actually try to break something using this new interface.
And so my friends presented on this a number of years ago, about how Kerberos provides the DES option and downgrade attacks for actually using it. And I was just like, oh, nobody uses DES anymore in Kerberos. And for my day job I just looked at our network, and of course our network only does DES and RC4. So I'm sure there's a number of environments out there that have pre-Windows 2008 computers that you still have to provide ways to support. So just looking at this, the idea is that with the initial authentication with the KDC, you can man-in-the-middle it and then downgrade it, saying only DES is supported, and then basically from then on they use DES keys for all of Kerberos.
So I wrote an Ettercap filter that essentially swapped out all the possible encryption types with just DES, and this actually works really well. So then all the values you see flowing by are all DES-encrypted, and that's all ASN.1-encoded, and the whole ASN.1 is fairly fixed, so you can actually get really reliable known plaintext out of that. The one example that I have shown here, though you probably can't see it at all, is that there's this particular block that's pretty fixed, and it's entirely based on the current date, actually the year and month for that field. So it's pretty easy to figure out the entire known plaintext based on that. And then as far as CBC, it's fairly simple to figure out the known plaintext for that particular DES block, because with CBC it's just the ciphertext of the previous block XORed with the plaintext of the current block; you XOR those together and that's your known plaintext for what we're trying to crack. So just because it's using CBC doesn't necessarily mean that it's adding much security for these types of attacks, brute-forcing the full key space.
So I wrote some code to extract out all these known-plaintext blocks and then essentially just create crack.sh tokens. So if you're able to run the Ettercap filter and then do a pcap capture of the traffic, you run it through this tool and it'll basically pull out a bunch of tokens you can use for cracking the Kerberos keys being used. I haven't gone more into actually leveraging that to then pull out all the tickets and authenticate to the domain controller and all that sort of stuff, but that's a place for another talk if I had time. So yeah, then you can submit that to the system and then you get the key later on.
So then I started noticing people asking specifically for cracking descrypt hashes. Does anybody remember descrypt, like, from the nineties or something like that, when Linux was using that? A long time ago I wrote some FPGA code for cracking these, but I never saw a use for it and so I gave up on it. But nowadays people keep asking me if I can crack these, so, like, OK, I guess I'll try it. And in case you don't remember, this was actually designed to replace an older M-209 cipher that took 125 ms on a PDP-11, and they wanted this cipher to take over 1 second on a PDP-11, and so that's the design criteria for this. But it's essentially 25 rounds of DES. And I figured nobody uses it anymore, right?
And so I did some looking around, and QNX uses it. And I found out that tons of vehicles are using QNX for their infotainment systems and stuff like that, and so I was like, OK, I guess this is worthwhile. So I just did a search for presentations on QNX things, and this is actually Charlie Miller and Chris Valasek's paper on cracking the Jeep Cherokee, the 2014 Jeep Cherokee, and they just published the shadow file in there. I'm like, OK, now I've got some stuff to work off of. One other presentation I looked at published a shadow file too. And then just searching around, there are tons of DES hashes on the Internet that people are trying to get the passwords for, so maybe there's something to this.
And so I set out to basically do the full possible key space for this. So this is the 96, or what, 95 possible characters, for every possible character length, and with 25 rounds of DES it takes around 3 days for my system to go through the full typeable key space for this. And you can even submit these directly to the system if you go to crack.sh now. And I figured that there must be secure passwords out there that I could actually use this system on; like, there have to be some people who actually use special characters and stuff in a password, right? You'd think so.
And so a friend of mine, I mentioned this to him, you know, about the system, and he's like, oh, I've got a hash for you to crack here, it's 4 and the answer our the newest stored systems have a link you next and use their, yeah, shadow file for the passive role answer systems. I'm like, that's pretty cool. And so I put it in my system, and I'm waiting, and it immediately returns an answer, and I'm like, what the... I was expecting something better out of that. And so then I went through and looked at these other ones, and they're simple, like "dt", "donkey". So anyway, this is a call to any of you: if you have any descrypt hashes from QNX systems that you're unable to crack with John the Ripper, let me know, because I want to have something that this is good for. So please help me out here.
And so anyway, if you go on the GitHub, we have some ways to verify how our ordering and everything is, as far as byte ordering and keys with parity versus non-parity, so you can verify your implementation. And then also you can submit jobs fairly easily and create tokens through this. The tokens are all base64-encoded, so it's easy to write it yourself if you want to, but this is just a reference implementation. And this code also implements the Kerberos DES key cracking stuff, so you have an idea for how to hook up with this for that. And then you give this, the generated token, to the website, and usually within a day you'll receive a list of all the keys that match that, and that narrows it down to a decent size that you can easily verify with software or whatever. So that's what we have right now. And so if you happen to come across DES in the wild, which is becoming an increasingly popular thing for some reason, then let me know.
And that's pretty much the talk. I really want to just have some help with killing legacy crypto, so if anybody wants to, or has any ideas, please just e-mail me and I'll just give you access to the system for free, because I just want to get it out there; the only reason we charge money is just because we don't want it flooded by all these people trying to crack stupid things. But you can find everything on crack.sh, and on GitHub; there are links on the website as well. And also, just a quick plug: we have ToorCon San Diego coming up this year at the end of August, and then we also have ToorCamp, which is the US hacker camp, next year on an island in Washington, which is usually lots of fun. So, I think we have time for a few questions, comments, complaints.
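
A detection-side illustration of the fixed "1 1 2 2 3 3 4 4 ..." challenge discussed in the talk, added here as an example and not taken from the talk or from any tool it mentions: the script reads the 8-byte ServerChallenge out of NTLMSSP type 2 messages and flags a server that issues the static value 1122334455667788 or that issues the same challenge twice. The log line format (`<server> ... WWW-Authenticate: NTLM <base64>`), the function names and the sample data are assumptions made for the example.

```python
import base64
import struct
from collections import Counter

# Fixed server challenge the talk refers to ("1 1 2 2 3 3 4 4 ...").
STATIC_CHALLENGE = bytes.fromhex("1122334455667788")
SIGNATURE = b"NTLMSSP\x00"
MARKER = "WWW-Authenticate: NTLM "  # assumed log format for this example


def build_type2(challenge: bytes) -> bytes:
    """Build a minimal NTLMSSP CHALLENGE (type 2) message, for sample data only."""
    # signature, type, TargetName len/maxlen/offset, flags, challenge, reserved
    return struct.pack("<8sIHHII8s8s", SIGNATURE, 2, 0, 0, 40, 0x201,
                       challenge, bytes(8))


def parse_type2(blob: bytes):
    """Return the 8-byte ServerChallenge of a type 2 message, or None."""
    if len(blob) < 32 or not blob.startswith(SIGNATURE):
        return None
    (msg_type,) = struct.unpack_from("<I", blob, 8)
    return blob[24:32] if msg_type == 2 else None


def extract_challenges(lines):
    """Yield (server, challenge) for every parsable NTLM challenge header."""
    for line in lines:
        server, _, rest = line.partition(" ")
        pos = rest.find(MARKER)
        if pos < 0:
            continue
        fields = rest[pos + len(MARKER):].split()
        if not fields:
            continue
        try:
            blob = base64.b64decode(fields[0], validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        challenge = parse_type2(blob)
        if challenge is not None:
            yield server, challenge


def audit(lines):
    """Return sorted (server, challenge_hex, reason) findings."""
    seen = Counter()
    findings = set()
    for server, challenge in extract_challenges(lines):
        seen[(server, challenge)] += 1
        if challenge == STATIC_CHALLENGE:
            findings.add((server, challenge.hex(), "static challenge"))
        if seen[(server, challenge)] > 1:
            findings.add((server, challenge.hex(), "challenge reused"))
    return sorted(findings)


def _line(server: str, challenge_hex: str) -> str:
    token = base64.b64encode(build_type2(bytes.fromhex(challenge_hex))).decode()
    return f"{server} HTTP/1.1 401 {MARKER}{token}"


# Constructed sample log (addresses and challenges are made up for the example).
SAMPLE_LOG = [
    _line("10.0.0.5", "a1b2c3d4e5f60718"),   # ordinary random challenge
    _line("10.0.0.7", "1122334455667788"),   # fixed challenge
    _line("10.0.0.9", "0f1e2d3c4b5a6978"),
    _line("10.0.0.9", "0f1e2d3c4b5a6978"),   # same challenge issued twice
    "10.0.0.5 HTTP/1.1 401 WWW-Authenticate: NTLM !!not-base64!!",
    "10.0.0.5 HTTP/1.1 200 OK",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding, sep="  ")
```

A legitimate server draws a fresh random challenge for every authentication, so either finding is worth investigating as a possible credential-capture endpoint.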

Metadata

Formal metadata

Title: Legacy Crypto Never Dies
Series title: REcon 2017 Brussels Hacking Conference
Part: 17
Number of parts: 20
Author: Hulton, David
License: CC Attribution 4.0 International:
You may use and modify the work or its content for any legal purpose, and reproduce, distribute and make it publicly available in unchanged or modified form, provided that you credit the author/rights holder in the manner they specify.
DOI: 10.5446/32397
Publisher: REcon
Release year: 2017
Language: English
Production place: Brussels

Content metadata

Subject area: Computer science
Abstract: In 2012 I released a DES cracking service with Moxie Marlinspike for cracking MSCHAPv2 and quickly started seeing it being used for cracking other things besides MSCHAPv2.
