Bestand wählen
Merken

Defeating (Not)Petya's Cryptography

Zitierlink des Filmsegments
Embed Code

Automatisierte Medienanalyse

Beta
Erkannte Entitäten
Sprachtranskript
thank you and and
and and the it thing about big round of applause is about as good as while at the same so we want and to some I wanna talk about a whole Iot defeated not patios cryptography and
some might say it and that's not here would be from Ukraine's scourge and for those of you who don't know 0 what toward scourge means of this guy right here does know you the and the quick trivia quiz and does anyone know 0 what this movie is was the name of the movie the so in the next seeing Johnny Depp enters the doesn't ring a bell but there's is a movie by jim jarmusch assault require new young dead men variety grades so great movies so if you wanna know what a scourge and then you could watch the movie so let's begin with my own with with my
talk so and this is what actually and the oficial Ukraine in Twitter account tweeted some time ago and at the end of June 2017
and and there was an outbreak of a ransomware tech uh which was noticed mostly in Ukraine but uh and also all over the world so millions of users and also companies
logical these were unaffected and the damage went into the billions of dollars so and we the the problem there is I mean this this this
this the every day on ransomware outbreak you will have the I want to give you a short glimpse into the the you not at a universe of and also I could T. crypt all
the stuff that yeah actually was encrypted by from the this arrest world break and so 1st I want to begin my talk with a
differenciation the wire will want to draw a demarcation line because all this not pitch universe and this much subcategorized under under this whole label and a really an and just talking about a
small fraction of this whole universe and so I will come 1st distinguish between what might what would be in 1 model will not be of Annex only and describe not piteous
cryptography especially on pages cryptographic figures and which I have and will be um exporting in the remainder of the talk and see and how can the users get
there are some the of the implications for respect so yeah what was
this this whole thing and the outbreak of some started as I said I mean June 2017 and and it started as fake update or as a malicious update from and a software called Medoc and this is a text software 1 of the 2 official texts in the Ukraine so in almost every company has it is stored on Texaco and so on on the computers there are many private persons have it installed and it was and pushed and then the side loaded in this final proceed that um will spend and the dollar to the computers and it comprises several parts and and some parts of our more interesting than than others and so and 1 component after have more time than it would start encrypting defines depending on the them access level so if there wasn't any kind excess to infect the computer with someone of this and we are infected and then it would just based on the current user level encrypted files based on that current user the in a better name I would call this the mission component I know it's usually somewhat different something different and however and that this was the best name I could find their so it's basically just a fine prepare with AS my talk would not go about this bound this part the sign vector and the next very interesting component was the spare apart and it's basically 1 based on the eternal blue which are the Romans and exploits and that had been leaked by and the shadow brokers and my talk will not go about this as well in this I hold different universes while and 1 of my talk will be about so the actual and not Pantoea component and this is an MBR encryptor and my world and show you in the next slide but
it's actually about so and the user would see something like this and upon reboot and so if the year in excess rights are granted so if there's some local admin installed on the computer or from the correct password could be guessed by some attack and then there's um that drop the proceed that would in fact the system by overriding the master boot record them with a custom-built over and it would be the reboot the system after a predefined time usually being about 10 minutes and then on the the action not operative component would take into action and this infected can be our own this book over some shows this cornea unchecked disk screen them and in the background would and find and iterate around the all the files on the file system and encrypt all these files so the the main takeaways of the slide or and that is we're dealing with a 16 bit code here so we're we're in 16 bits our real mode so this means no proper higher systemic means no 32 bit or 64 bit code and there are no Windows API so so debugging all this and um analyzing this is a tedious work around however we have something on on the plus side and which is a biosignal the Basic Input Output System and and more with that comes at a rate of interrupts and that all very well described and and they're really nice thing is that having box and being able to around yeah debunk all this in the and in I R so this was a really neat plug-in that had been developed by the sum of force
so let's analyze a bit and to check the time cryptography and why it implemented cryptos really hard and so I will always start this part with and describing in short words that on the fury of salsa 20 and and then check that compare that against Andy not touch implementation of of this sigh
to sales of 20 is a downstream streamcipher and so basically and you will have a and plain text and it's spot here and now and then you will have some kind of a and B are random number generator a pseudorandom number chicken generated and and then apply some operations on the plaintext and outcomes decipher text and and what you put in the in our for different variables that are more for 4 different inputs and because there's the constant part which offers you a variable that model was able that in a bit and so you you have some these key and the moles the and then there's this really nifty thing quot contra and Watson if the ball that is and if you were to use the to stream data also 28 cryptid string and you would lose some frames and then you could come and just this account of variable which would in Denmark The and offset of the current stream in the cards stream and then could continue needlessly around with with the description of a stream so this is a very nice feature and the size of the conquerors and 64 bits and the in the term hash size here so from what's also the does is created a 64 Kbyte and hash for from every different of these inputs and with that of an applied to the input the and if you want any more details cells also sigh far and the inventor of source should be in this room when should be in the conventional is that the convention that I just the trying with them uh and so I guess you can ask and the user gory details from all of salsa 20 so it's really nice that crypto sigh and you should get him up and ask hope should have said that right sort effect to the basically what on a very important thing is to to note is for every invocation of this in this war for every instance of some of the 18 of Pacha um encryption and you would have this frequent these free variables all these 3 inputs from being constant so and not pitcher would would patch during the infection process and the key the norms and the constants and into a configuration the sector of the cost spot on the Stiefel somewhat different them and then the culture would only change filled every iteration so the interesting thing what are these interesting question was 1st what is the and the length of and the the key streams so the keystream you know the the number of different outputs that that would come the model for office hashing function and I mean for a of this implementation or this of the theory and this is quite clear it's 64 bits bytes and times and the 64 bytes of output so it would be about 2 to the 70 and of a pure aperiodicity a 1 different around about the actual implementation in an not and the fury of them would be that this constant something here had been changed to come I string a reading knowledge of infinite sect i IT so this will break the amorphous implementation and so the
very 1st and failure I a solid it's not pet common or something like this and so I think it can stick to the side because it's obvious for everyone that the a fair so who sees the fail Soon not OK then then I'll explain it so that also skating exam was must not expecting for free to grasp that for so and remember we're in 16 bit code and we have it here this shift left operation which would in a shift a register by and bytes the register with cure 16 bits so it only has 16 digits so to speak and you wouldn't be shifted by 16 by 10 x 16 and this would effectively the register and even worse on this here so I'm you which shift a and an 8 bit register for around 16 so this is something you were you would expect from a proper non-cryptographic implementation and analysts was really intrigued why that is because will make any sense and source code and the not Peterbilt pet shelters I'm really implement that on purpose or what what was the the gist with it and I looked up the and and OR pattern uh the the salsa 20 implementation and my just google it and find a nice website that and metadata and implementation of the knowledge source of 20 and the the there you would see this code so I'm you see here and it's is in the the endianness conversion and you see here on these these shifting off some bits of registers and you here this this is you and fast 16 or 32 on type and so it becomes quite clear that this is a proper implantation right so everyone can see that right no not right now and because you need to know something more about this uh and there are 2 important facts and that may give this implementation broken and the 2 facts are you need to compile this code for 16 bits and and you need to look up somewhat vicious to you makes of these these type definitions here and when you look that up and this numbers from resisted units in the Senate and the board of h from her file and there is it's interpreted or translated as unsigned and so this is the base type and is based on content in in 16 bit code is a 16 bit variable a 16 bit register and then everything makes sense and this was somewhat of a of a failure around here and the authors did really check if the cold was actually working against the test vectors and and this guy who wrote the coherent and this point implementation and made this mistake them also
it and on this slide you see 2 bodies of some of the not touch on implementation of some of 20 and I quickly want to to expand them both to you because they are of some somewhat importance for the remainder of the talk and so both revolve of all the all the the culture of variable and just remember and this counter variable is the only dynamic input the only variable input through all these it's also 20 invocations and the the 1st hour is and so we need you to read a and sector sector number into the memory so a bit about the in a the low-level aspects of how drive and they have from the view or from the bios would look somewhat like around a bunch of different sectors so these are a 512 byte chunks of data and and they they come 1 after another so if you were to read a sector you would actually read a 5 12 bytes but about long per portion of data and and this is obviously not the offset in the stream and a somewhat of a problem The so that you see here the same variable is used to and T. crib for encrypted data and I mean this this so and it doesn't it isn't really apparent to and to the implementer of of this becomes high for the however them if you were to analyze it and it would look something like
this so you would have the year round key string but off to different sectors to different consecutive sectors here so we would start would with at alpha and then continues with the 7 and so on and and the next we have almost all the bytes identical and this is and you have a really big favor because and this really nice so 20 implementation of the this recent mice salsa algorithm will then be and there from within the you of a converted from a one-time pad to a many times pet and and this is the 1st time I want to show
you this very few lines of code the 2nd part is on the 2nd bond is here and this large keyword remember we are in 16 bit code so and this large keyword here does not push a 64 bit variable as uh we would suspect to do it by the 32 preparing so only 32 bits of and this this a nice culture variable are actually used in this case so these 2 failures are a somewhat of a problem for a and this and also 20 implementation it soon in this
slide I on to 2 and different hex dumps and the common the Saxons were our enemy within this expand key of functions and and they need but they are well basically 2 snapshots 1 time right before on the use of box become apparent so before this this demand and in this conversion and right after on the lower half and so you can very nicely see from the the different variables being put into all the different keepers being put into them and the use of this memory blocks so here would spell out invalids sect idea you know the constants are not architecture users and here you would see the key and around here so it's broken into 2 halves um additionally you would see the norms here and or really sticks out is the this bunch of zeros here so this is this high part of this in a 64 bit variability is needed used is there it's not even filters so I'm this well on the 1st problem here and after the end in this conversion you see on that it's not really an and in this conversion but it's more of a nulling off some of bytes so the result would be that found this initially 64 bit variable would be just 16 bit in length and as I said earlier in the original source implementation would be to to the 7 to you on the for us as key lectures and and right now we have a and 16 bits at times 64 bytes in key length which would result in at 26 bits in key length which would be a measly of 4 megabytes thinking this so and this this was a very interesting observation i made there and uh and this would be possible than in 2 D crypts were we're together with the and many times packed and properties of the Cypher and which make it really easy to break so to quickly
summarize from this part of the talk so we have a very very short keystream of just 4 megabytes of and it's highly repetitive repetitive and so for each sectary progress and you would only have a progress of 1 byte and at a time and so you only use 26 bits remain of the whole stream and and as I said the even the many times pad and properties very nice thing to have to analyze the I could come around to and implement a small joke so from this this horse implementation I would only call of a lot of from no 1 that sorry is a bad joke sorry so the the main goal is and to derive the keystream and and as I'm not really a crypto experts from the basically the the only attack I know it would be a known plaintext attacks so this was my goal the because it's so straightforward to do that and they the remainder of the talk I will and tell you how it is that so without further ado let's
exploit these figures elements you know much of the we can actually get from the pain of pitch and fact 5 and so the
modusoperandi of an arpeggio would look somewhat like that and this this goes so let's let's stop with the with the left hand side of the the of the slide and concentrate on the right hand side and for those of you who are not really intimately familiar with and as uh I wasn't before analyzing petty but we're not pitcher them as well so no worries it's it's quite simple so every scientific partition as something cold and master the t abbreviated and then it would be around contain some metadata both the fire for simple defined named the 5 size and and if the file is small enough it would even fit to the metal content of the file into this record so I mean as the Committee's just list of records spam and if the file is larger it would be around have a pointer a and support data on their which would point and to a cluster or sector on the disk on the partition and which would then become actually be the the payload data and 1 of the MFT records from this 1 kilobyte insights size so no 2 on index implementation so and it's not a bit elements you hold this law also implementation and is used in in not patio and so we would basically just iterate over over all these MFT records and then and check if this record were put into it would point to a file if that is the case it would be and encrypt the 1st kilobyte of the file and then I I would encrypt the whole record itself and this is a limitation as good for on a bunch of reasons and it's very fast and you would only need to come my property 1st kilobyte and this this 1st provided con it's really really important information and and of temple Haderer Harris word on the ecstasy when compressed files and have these really important Hatteras structures the and additionally a recovery to its would be able to and work anymore because most of them relying on this very header and then the 2nd thing is this MFT from this and can be considered as table of contents so with and no metadata with with no pointers to these to the files and you won't have anything there to work with to recover from and and this is very coming from from the implementation standpoint it's very neat because it's fast edits and have somewhat so far 0 and as the MST is really an important in my idea was to to recover that 1st and then take what and what comes out from there and see in how can can further progress there with the description of the 5 so the metadata and would would be of most importance and I'm a
visual person and the in here I took to move around you know disk dumps but from a and from 1 of my test disks and so I infected a clean system with and it includes the hard drive and on the left hand side you see on the plain text on and on the right-hand side you see it on the encrypted on data so to just get a better picture of all the encryption process on the far left hand side fancy paul point um wasn't animation and you see and some kind of indicator so which which would it and tell you and which offsets and how much of the of the data is actually the and being different and you see and the whole disk is more or less being encrypted the the however you see them at the far the bottom part here and it's more dark red and this is actually the MFT so from there you and towards the end of the disk sometimes and but this might be a misconception so that my of my
idea was something like this and Web 2 input right we have the the encrypted MFT and we have encrypted files and them 1st I would like to analyze on the MST and then derive the keystream from that and after from that that analysis stage had been finished I would and put the and streamed back into the and this this and the little box here and to actually decrease that and then what comes the empty cryptic them if t and with that and the keystream 0 would be able to find the encrypted files on the disk and then get it to you and decrypt them and then be ready with right so this it was my my initial idea of the and I'm so and let's start with the decryption theme of
no Appendix attack right and so and must to Europe looks for a from from the viewpoint of the the keystream somewhat like this so you would have here from the 1st the 2nd and so on so MFT records and on the on the column you would have the dimension of white that is used them as key to encrypt keystream every remember the time operation from that so mean that encrypts the you know the the key stream and the and the plaintext Thomas just a mere x or operation so you have the the key stream and the plaintext home and it's plainly and so you can switch false and that between them in plain text and cyphertext and even the keystream with these it was just applying in next for operations and so it what you see here is and for the very 1st records and you only have very few keystream whether sound bites or very few sample points however as and the proper to make problems with the analysis and then you will have more and more of these and sample bytes to come collect from and and this this would give you more confidence in the In the result in the maybe note keystream and the question is when does the MFT holding of and plain text to do some some kind of a plaintext attack so let's look into
the specifications and the MFT record has basically to UBM-fused so and there's this standard information and which is a well defined structure and there's something else called attribute list and which is a quite dynamic structural of some and this would be a 0 somewhat more different uh difficult to come clean on plaintext from so concentrate on this and 1st part and the 1st part quickly turn out to be found quite constant forums on MIT figure for many or most of them the MFT records that and then initiated starts with file and then as some makes digits after that and and others 1 before bottle on the part of the site I can edit my area certainty level so the the certainty level would be the number off different firms have a bias that would have but multiplied by the confidence I would have been that the sample by being actually this and this plain text too easy for the very 1st record and we would have a quite low for of very most certainty and mean it it's
just 1 by right and so the the 2 by 2 skipping and miss I mean quite straightforward considering you would have usually you 512 bytes per sector of on a disk and the term MFT record is 1 kilobyte insights so the stream or progress 2 bytes and
and for record 100 so for a for the 100th erected a would have a certainty and what for and because you know I would just assume the state plaintext bytes here and divided by 2 but then resigned into 4
and this was a really satisfactory and the problem the walls towards the end of my would have many many some unknown records and because of what was concentrating on on the very 1st parts of on the header and so the remainder of the keystream at the very end of the queue stream from the wars and be able to being analyzed and eventually decryption so I thought of something different and and there was something like a bike I would call bite histogram Sorel for every offset them off the MFT record I would be around will then on the calculates the Creighton and a histogram and then take how many different bytes of they're actually for text you know it's a plaintext known-plaintext attack and so I would need some kind of context I would do that for every offset for every and work on the record and to the the questions they're hard to get many MFT records it's quite easy and if you have some some nice colleagues you just need to hang them all the balcony antechamber but then more less voluntarily they will give you some must to work with in and the result of that is in quite nice you know I mean for for the very 1st there's nothing much you can do and the the 1st record will always have a very few sample points but as the stream progresses and you will have a dramatic change there so from this relatively low certainty of 4 my could increase that to become more than 30 and the so this somewhat nice and after but of doing
science them what this table and drops off from nowhere found so I compared this to come attack types so from the 3 that from from right to left them on the on the far right I have for the 1st approach them about 98 % off from the MFT record standing successfully recovered In a word with uh the the good thing with science and with all this some academic approach and is a you a ground truth so I have a plaintext unencrypted how arrive virtually virtually around on from something that around right after infection and then you let and execute the viewer infection encryption process and then you can differentiate and and taking notes the servers snapshots throat infection and change a different keep your values and all the stuff so this is a very nice thing about this from academic approach from models taking of the and so I could see I could exactly pinpoint how many at some of these records were around perfectly and recover that in so for the bite histogram approach I could in crib almost all of the record which is quite nice because then we have a high quality t to work with there was also quite nice is and had we have and world keystream bytes what's not-so-nice how however isn't that what I was only able to you them recover about them on by 3 per cent of the overall click keystream and um remember this this keystreamis about them 4 megabytes length and I was able to recover only 50 kilobytes of that so we can recover all of the the files or is that some this is this was my next question there and uh and so I
I drawn another nice diagram and this is the key stream in the uh this the MFT sorry in the so i t the unconstrained is only filled in in sample bites that this 2 megabytes mark and the question is and other there are many files in this area being encrypted or is there some other bar guy critics point and I am checked where the fires would
lie into these the key keystream and so or check how many fires of r at which location into keystream being encrypted the and you see on the keystream is used all over the place so I mean sometimes it's use more sometimes is it's it's used the less however is basically used all over the place and so the this much of the case including a perfect scenario B and it means perfect scenario being a perfect known plaintext oracle and could theoretically be recovered and however and this is somewhat of a problem here and in the
next part of the talk I will present you the will save to solve this problem as 1 of so and remember
that when the the entire system is actually in the encrypted by an op-ed young and Hudson look somewhat like this so you would have the MFT which is totally garbled and so you won't have any of any nice high pointers pointing were deterrence pointing them to those files you won't have any um nice higher names and all the stuff them up with the 1st stage being finished and the MFT looks really nice I mean like almost 100 per cent of the Sun's records could be recover so that looks somewhat like this so you have a bunch of metadata and you can now used to analyze and the the the remainder of the fires and the remainder of the encryption so all this semis to you or almost all the actually decrypted and and for files you would have and the very 1st kilobyte being encrypted and the remainder of the finally the mean burst size or a more than the collective size right so some or all of the rest not encrypted to read you have all this this data and metadata and to collect information and 2 he used to exploit them as known plaintext as indicators for known plaintext and so I
follow of 3 different approaches to come in yeah to to attack this problem the basically I also think about a k or what different tyres all there and I was quickly they Cumont different file types and I mean there our are and I mean the the fact that can be easily gleaned from this right because you and would have the the file extension and that would be basically and if I type them you would have 2 different types of files you would have structured fires and unstructured files to them i for all of these and you would have something like the the and the source code which I would consider is more or less unstructured and i was calculating the histogram of and so this would give me some kind of prevalence towards different bytes indications of what would be somewhat like the guest plaintext attack or something like that and the next thing for a and structured finance would be found to do the very same approach known as with the MFT records I would become can get to his room for every year most of the 1st kilobyte and and then and critiques the home how many different bytes all the offset and the last approach some users the somewhat more undated that and use some of the metadata and also some of the fire data and why would go into this
room right now and so why basically have your come as a set it's and only this the little portion of the finest encrypted and you'll remember of the finest not encrypted which is quite nice and then also the fine 95 size it's not entropy so why users what what I would do here is and create a database of known finds of known the Windows system files for example and you all we might remember all of these nice background images forms all this stuff on tight exists and flying around everywhere and if you just look for it and I would have been basically 3 different from no get 3 3 different to distinguish 2 distintas and but windows on to know which which is the correct plaintext so there's this this key by name in the file size and then the Hessian of this this will remain at this hotel so on if all these 3 tuple would match and would consider it and this essay what proper plaintext and however there are some collisions and so and this this is not really something that is straightforward
so in the initial idea of having uh of only needing to some analyze the time of the alleged that could distributing energy in the forward to decrypt files that need to be imported bit so I added this database of known files spell there I added another another outcome analysis of stage that in this nice box here the and then I will would be able to uh and cryptic files and eventually so it's a bit of science
and check and if this approach would be was pressed pursuing on a real world scenario so that the science can do science that we have a drink thank you the so while they you were in did do here at is it to create a di database of known files and I collect a bunch of them default wheels installations and which resulted in about 3 and a 40 thousand to the unique files in it and then I calculate it you know the the different find type histograms I talked about uh my prepared my test set up from my edit the 1000 different files and you should know that these guys were not part of this norm database and they found were different from that because otherwise it would have been easy to do and then I would in fact this machine and then the and then edits encrypt by not pity on and then in the mid term the recovery and this
only resource that so but in hired do this with the 4 different runs so I knew what I tried every approach and separately and then combined these 3 approaches and the outcome will something like this so I would have the only 2 fives by the general histogram approach and being able to be there to to decrypt the least 8 per cent and and were able lower yeah decrypted by the location histogram approach them and by the notifies approach them over 90 per cent of could be successfully recover and even better on the combined outcome would be around almost all files being able to crypt so so much about academia so the the problem there is that if you apply this to the real word and you could get
into more trouble there and there was lots lots of uh more to think about to the war for example um money for Windows installations without history of updates and so this might be a really interesting from a forensics perspective and moreover but there's lots of installed programs to drive known-plaintext from and for example but not to use a vast resource of known plaintext the orally JDK Inst installations and so especially the JDK would and would result in about and tens of thousands of different source code in HTML files so this the really model was really quite nice around the the drawback their walls and so on in the war so much data to and collect from the 1st attempts and fate miserably because of on the sheer amount of RAM while was using and this 1 would the will result in the elements constantly giving me more more mn my view as I I uh would eventually and up with a think 120 and gigabytes of RAM and my my test the and also you have a much larger emulsifiers table you know because of what this implies that would need to be stored uh so it wouldn't mean in comparison and so this nice work in proper type of form so this nice test set up I mean and would have in them if t of about 26 megabytes and for real world scenarios you would have something like that at least 500 megabytes and and even the and and could be even like the cover of gigabytes in size so this means much more plaintext so forth for these really large to you could it quickly recover from the whole keystream the whole 4 megabytes and just by looking at the end of the and the and In summary and this means that the description of not pretend could the drives if possible and so for a for the the and 5 systems the drives I have looked at and it was really I mean after after and and having all these these 1st bodies and in order for way and I was able to and you could can recover all the files that so there's a good chance and the invocation photos can be recovered as well and this will conclude my talk
and so a quick summary of my pet you has some severe cryptographic failures and false but in this so I would only be able to call this loss signed and not source also anymore the it might be possible due to further look into this this this from you know this expanded key something it it has really and really a bunch of more cryptographic failures in it I didn't look into that so that the teacher but I know some of you guys are professors and so and this might be a nice hole work for your students to look at this not page implementation and check out some you know more advanced bankrupt analysis found 2 methods and you should note that in this whole crew this this or not patch of thing you're I describe the VO cryptographic false there are not just an not pity on and they are and you see the brackets there there they or in every each and every version of the picture so of all of the drives them that you potentially have saved and can be decrypted and and Sue my last point is the if any of you for any of us and falls victim to Aaron's more you really should keep the drives to keep them untouched in a locker and wafer and the talk like this basically and on then the hope that the and someone comes around and then be able to decrypt the drives and then you will have purification back so
that's all forks and thank you for your attention few few of those who was in these view of what the microphones microphone please I something very much sharing your findings widows and for other than the largest harbor in Europe and Asia might we were struck by the idea is to terminals went out on the basis of 100 million euros of damage then the process quite theoretically so now practice if you would there this summer and with these findings would you be able to help us and decrease the files and get all the companies of a running again or is this to academic there is a practical approach and I mean I work for crawl strike and and what we had some locations were we were able to help the customers and so it's from a very practical thing to do so and I also trying to to insinuate this with the you know the this this light years so I I
was talking about the real work in this scenario so am I looked at about 50 different encrypted home-price with an op-ed and I was able to to prove all of them or most of them mostly from the easy ones not being able to decrypt and were to some or all of let's say a level AIDS mistakes also if you share her findings with no above or to no I don't know what the they provide encryption tools for where something you can these 2 thank you thank you microphone 6 please thank you uhm in the beginning you mentioned the basically the was shortened to what laws of 24 bit something that was exists logistics media from that point wasn't the room forests their weight factor and way more reliable on another again we're all of of the so the keystream length walls or to to the 26 so the keystream length was 4 megabytes so and you weren't avian you would be able to use brute force that so we do get that so the the number of in of bytes was 4 megabytes and and you could be evidence to prove false that yeah but you've already mentioned the beginning that you basically a shortened it down to lose the possibility also at most 2 to the power of 26 this annotator the quality level this is actually get the question but URI Europe and some missing the point there so it's not the key space to a to the 26 but the key length is 2 to the 26 which would be something the I I I'm not good at admitted to converted this to 2 decimal would be something like let me check to the I mean here math guys can be revised to to the 26 comedy this instead so again how a lot so it's I mean this is formalized of of killing him and and you couldn't you couldn't just and just proved false that because you you would have each of these 4 megabytes you would have to brute force got that the the the the the key is not to to the 26th but the the key link the keystream length is that long so that so yeah that this this to be the case base and would be longer than the Bible you know and you can just brute-force the Bible the text of the Bible I mean given enough time yes but you know we will know the stories with the monkeys and typewriters the we we we can talk about that that often but you're you're makes up to different numbers there AIDS the I think questions from maintenance these does the ever the encryption work the same for pairs are not bitter um me yes the underlying mechanism is the same as the cryptography it from and differs in such a way that the constants number there is different so this
little guy here and this is different and it would be usually like expanded kiII something something um and here it's invalid sect ID so it's somewhat different and what about the the MST encryption and the the the bytecode the them and and the algorithm is the very same this it any more questions yeah and then all of these different legal losses of all to be what it is
that you're and and you the top put it to bed at at Pope
Arithmetisches Mittel
Unterring
Rechter Winkel
Kryptologie
Kryptologie
Unrundheit
Varietät <Mathematik>
Gradient
Twitter <Softwareplattform>
Computervirus
Ereignishorizont
Divergente Reihe
Bruchrechnung
Informationsmodellierung
Kryptologie
Kontrollstruktur
Computervirus
Ereignishorizont
Figurierte Zahl
Grundraum
Gerade
Homepage
Subtraktion
Strömungsrichtung
Computer
Vektorraum
Computerunterstütztes Verfahren
Computervirus
Exploit
Elektronische Publikation
Übergang
Software
Vorzeichen <Mathematik>
Mereologie
Abschattung
Zusammenhängender Graph
Serviceorientierte Architektur
Bit
Mereologie
Gewichtete Summe
Quader
Gruppenoperation
Code
Interrupt <Informatik>
Datensatz
Kryptologie
Mini-Disc
Bildschirmfenster
Dateiverwaltung
Passwort
Zusammenhängender Graph
Funktion <Mathematik>
Touchscreen
ATM
Booten
Systemverwaltung
Physikalisches System
Elektronische Publikation
Ein-Ausgabe
Bitrate
Arithmetisches Mittel
Forcing
Rechter Winkel
Wort <Informatik>
Mini-Disc
Software Engineering
Bit
Umsetzung <Informatik>
Punkt
Prozess <Physik>
Iteration
NP-hartes Problem
Metadaten
Streaming <Kommunikationstechnik>
Deskriptive Statistik
Einheit <Mathematik>
Bit
Code
Mustersprache
Chiffre
Pseudozufallszahlen
Funktion <Mathematik>
Verschiebungsoperator
Softwaretest
Lineares Funktional
Nichtlinearer Operator
Freier Parameter
Quellcode
Ein-Ausgabe
Chiffrierung
Rechter Winkel
Physikalische Theorie
Digitalisierer
Schlüsselverwaltung
Instantiierung
Lesen <Datenverarbeitung>
Zeichenkette
Web Site
Subtraktion
Rahmenproblem
Zellularer Automat
Implementierung
Zahlenbereich
Term
Physikalische Theorie
Whiteboard
Code
Informationsmodellierung
Variable
Konstante
Hash-Algorithmus
Datentyp
Konfigurationsraum
Zehn
Autorisierung
Soundverarbeitung
Vektorraum
Elektronische Publikation
Quick-Sort
Zufallsgenerator
Unendlichkeit
Office-Paket
Chipkarte
Patch <Software>
Dechiffrierung
Mereologie
Normalvektor
Eigentliche Abbildung
Bit
Subtraktion
Implementierung
Zahlenbereich
Unrundheit
Ein-Ausgabe
Rechenschieber
Divergente Reihe
Streaming <Kommunikationstechnik>
Variable
Algorithmus
Festspeicher
Nichtunterscheidbarkeit
Jensen-Maß
Schlüsselverwaltung
Zeichenkette
Graphiktablett
Resultante
Umsetzung <Informatik>
Bit
Subtraktion
Quader
Implementierung
Code
Variable
Kryptologie
Luenberger-Beobachter
Flächeninhalt
Gerade
Lineares Funktional
Dicke
Filter <Stochastik>
Sechsecknetz
Kategorie <Mathematik>
Quellcode
p-Block
Konstante
Rechenschieber
Rechter Winkel
Festspeicher
Mereologie
Speicherabzug
Computerarchitektur
Normalvektor
Schlüsselverwaltung
Expandierender Graph
Expertensystem
Divergente Reihe
Bit
Mereologie
Arithmetische Folge
Kategorie <Mathematik>
Mereologie
Implementierung
Element <Mathematik>
Figurierte Zahl
Graphiktablett
Bit
Punkt
Prozess <Physik>
Implementierung
Element <Mathematik>
Gesetz <Physik>
Metadaten
Deskriptive Statistik
Datensatz
Mini-Disc
Punkt
Indexberechnung
Inhalt <Mathematik>
Zeiger <Informatik>
Datenstruktur
Softwaretest
Elektronische Publikation
Kategorie <Mathematik>
Wurm <Informatik>
Mailing-Liste
Elektronische Publikation
Partitionsfunktion
Rechenschieber
Konzentrizität
Chiffrierung
Rechter Winkel
Automatische Indexierung
Mereologie
Speicherabzug
Wiederherstellung <Informatik>
Wort <Informatik>
Information
Tabelle <Informatik>
Chiffrierung
Benutzerbeteiligung
Mereologie
Elektronische Publikation
Chiffrierung
Quader
Rechter Winkel
Mini-Disc
Ein-Ausgabe
Elektronische Publikation
Analysis
Resultante
Web Site
Punkt
Chiffre
Zahlenbereich
E-Mail
Information
Übergang
Streaming <Kommunikationstechnik>
Datensatz
Bereichsschätzung
Webforum
Stichprobenumfang
Datenstruktur
Figurierte Zahl
Attributierte Grammatik
Analysis
Umwandlungsenthalpie
Nichtlinearer Operator
Datentyp
Elektronische Publikation
Mailing-Liste
Elektronische Publikation
Datensatz
Konstante
Flächeninhalt
Verschlingung
Rechter Winkel
Digitalisierer
Mereologie
Information
Schlüsselverwaltung
Resultante
Punkt
Mathematisierung
Information
E-Mail
Term
Histogramm
Streaming <Kommunikationstechnik>
Datensatz
Mailing-Liste
Arithmetische Folge
Standardabweichung
Mini-Disc
Stichprobenumfang
Warteschlange
Datentyp
Systemaufruf
Kontextbezogenes System
Datensatz
Divergente Reihe
Chiffrierung
Histogramm
Verschlingung
Attributierte Grammatik
Aggregatzustand
Dicke
Prozess <Physik>
Güte der Anpassung
Vektorpotenzial
E-Mail
Elektronische Publikation
Viewer
Wiederherstellung <Informatik>
Streaming <Kommunikationstechnik>
Diagramm
Datensatz
Informationsmodellierung
Histogramm
Chiffrierung
Flächeninhalt
Rechter Winkel
Stichprobenumfang
Datentyp
Server
Wort <Informatik>
Tabelle <Informatik>
Chiffrierung
Mereologie
Elektronische Publikation
Perfekte Gruppe
Mereologie
Vektorpotenzial
URL
Wiederherstellung <Informatik>
Orakel <Informatik>
Subtraktion
Elektronische Publikation
Content <Internet>
Quellcode
Physikalisches System
Elektronische Publikation
Arithmetisches Mittel
Divergente Reihe
Metadaten
Datensatz
Chiffrierung
Rechter Winkel
Datentyp
Dateiformat
Information
Indexberechnung
Maßerweiterung
Zeiger <Informatik>
Bit
Elektronische Publikation
Quader
Stoß
Datenhaltung
n-Tupel
Physikalisches System
Elektronische Publikation
Chiffrierung
Energiedichte
Bildschirmmaske
Bildschirmfenster
Schlüsselverwaltung
Analysis
Softwaretest
Elektronische Publikation
Datenhaltung
Elektronische Publikation
Term
Virtuelle Maschine
Histogramm
Reelle Zahl
Datentyp
Mereologie
Wort <Informatik>
Wiederherstellung <Informatik>
Installation <Informatik>
URL
Fünf
Mini-Disc
Normalvektor
Default
Einfügungsdämpfung
Subtraktion
Punkt
Versionsverwaltung
t-Test
Implementierung
Element <Mathematik>
Homepage
Überlagerung <Mathematik>
Deskriptive Statistik
Poisson-Klammer
Bildschirmmaske
Informationsmodellierung
Kryptologie
Reelle Zahl
Digitale Photographie
Perspektive
Bildschirmfenster
Datentyp
Installation <Informatik>
Optimierung
Computerforensik
Analysis
Softwaretest
Sichtenkonzept
Zehn
Quellcode
Physikalisches System
Paarvergleich
Elektronische Publikation
Arithmetisches Mittel
Patch <Software>
Maschinenschreiben
Ordnung <Mathematik>
Eigentliche Abbildung
Tabelle <Informatik>
Bit
Gewicht <Mathematik>
Punkt
Prozess <Physik>
Mathematisierung
Zahlenbereich
Gesetz <Physik>
Raum-Zeit
Übergang
Eins
Kryptologie
Radikal <Mathematik>
Logistische Verteilung
Leistung <Physik>
Kraftfahrzeugmechatroniker
Dicke
Wald <Graphentheorie>
Sichtenkonzept
Spider <Programm>
Binder <Informatik>
Teilbarkeit
Konstante
Softwarewartung
Dezimalsystem
Chiffrierung
Forcing
Maschinenschreiben
Basisvektor
Hypermedia
URL
Schlüsselverwaltung
Hypermedia
Medianwert
Systemprogrammierung
Einfügungsdämpfung
Chiffrierung
Algorithmus
Byte-Code
Gammafunktion

Metadaten

Formale Metadaten

Titel Defeating (Not)Petya's Cryptography
Serientitel 34th Chaos Communication Congress
Autor Eschweiler, Sebastian
Lizenz CC-Namensnennung 4.0 International:
Sie dürfen das Werk bzw. den Inhalt zu jedem legalen Zweck nutzen, verändern und in unveränderter oder veränderter Form vervielfältigen, verbreiten und öffentlich zugänglich machen, sofern Sie den Namen des Autors/Rechteinhabers in der von ihm festgelegten Weise nennen.
DOI 10.5446/34933
Herausgeber Chaos Computer Club e.V.
Erscheinungsjahr 2017
Sprache Englisch

Inhaltliche Metadaten

Fachgebiet Informatik
Abstract In this presentation we will outline our findings about (Not)Petya's crypto flaws and how we were able to exploit them to decrypt infected computers.
Schlagwörter Security

Zugehöriges Material

Video wird in der folgenden Ressource zitiert

Ähnliche Filme

Loading...
Feedback