27C3: We come in peace (2010)

Crypto Talk at 27C3: Die gesamte Technik ist sicher, Day 1, 21:45, Saal 1

The new national ID card, the Neuer Personalausweis (NPA), was one of the biggest IT projects of the German government in recent years. Unlike the old ID card, the new one is an RFID smart card, which can also be used on the internet to prove your identity to a remote party (eBay, PayPal, or Amazon, for example) and to sign binding contracts. For example, you can use the card to buy a new house or car, open a bank account, or apply for credit.

When the card is used over the internet, it is connected to a reader, which is connected to a (potentially insecure) PC, which is connected to the internet. To use the card, the user needs to enter his PIN code to prove possession of the card and knowledge of the PIN. If the PIN is entered on an insecure device such as the PC, it might be recorded by an attacker and used by him later.

Frank Morgner and Dominik Oepe examined the various attack scenarios on the NPA that could be possible, depending on the reader used with the NPA:

We examine the feasibility and impact of relay attacks with regard to the various reader classes and application scenarios of the new national identity card. Under the current state of the specifications, such attacks can hardly be prevented. Some of the problems turn out to be unsolvable; for others there are approaches to a solution, which range from simple but insufficient to complex but hardly practicable.

Personally, I am interested in this talk because it might show us some nice attack scenarios on the NPA which are hard to counter without buying very expensive readers. A lot of low-cost readers have just been distributed by a well-known computer magazine in Germany, so we can assume that a lot of people will be using their NPA with a highly insecure reader.

See the talk at Day 1, 21:45, Saal 1!

Author: Erik Tews

Mission Angels: How to Connect to the 27c3


Thanks to the Mission Angels, you’ll be able to interact with the talks going on at the 27c3 and more! While you watch the streams from one of many Peace Missions throughout the world, Mission Angels will be monitoring IRC and Twitter for questions to be asked in selected events during the 27c3.

To ask a question in a session on IRC join #27c3-Saal-1, #27c3-Saal-2, #27c3-Saal-3 on Freenode or use the corresponding terms as a Twitter hashtag to put your question to the session.

If you’re in a Peace Mission, you can even sign up to give a Lightning Talk!

See the Peace Missions entry on the 27c3 wiki for more information. We’ll be updating the entry as we add more communications methods. If you’re at the bcc, consider volunteering to be a Mission Angel!

Photo by anders_hh

Crypto Talk at 27C3: Automatic Identification of Cryptographic Primitives in Software, Day 1, 16:00, Saal 3

Many applications, including closed-source applications like malware or DRM-enabled multimedia players (you might consider them as malware too), use cryptography. When analyzing these applications, a first step is the identification and localization of the cryptographic building blocks (cryptographic primitives, for example AES, DES, RSA…) in the applications. Once these blocks have been localized, the input and output of the cryptographic primitives and the key management can be observed, and the application can be analyzed further. Fortunately, many cryptographic algorithms use special constants or have a typical fingerprint, and there are only a few different public implementations of each algorithm. This allows us to automate this first step; Felix Gröbert will show us how:

Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.

Trace-driven (dynamic) analysis has some advantages over static analysis:

  • Because the program is analyzed at runtime, it is immediately known which parts of the code are used at which time, so that they might be correlated with runtime decryption of the code or with network communication.
  • Inputs and outputs of the primitives as well as the keys are recorded, even if they originate from a remote server or botnet. This allows us to immediately distinguish between long-term keys and session keys, if multiple executions of the same program can be recorded.
  • This is also highly interesting if private keys are included in an obfuscated binary, for example private RSA keys.
  • Dead or unused code is automatically excluded, so that one can proceed with the main parts of the code first.
  • If additional code is loaded from a server, it is included in the analysis. This would be hard to impossible using static analysis.

Of course, trace-driven analysis has its disadvantages, for example if a piece of malware needs to communicate with a command-and-control server which has already been taken down, or if it behaves differently on different systems or at different times.
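The constant-based fingerprinting described above can be sketched over a recorded trace. This is an added example, not code from the talk or its tool: the trace record format `(address, mnemonic, operand values)` and the sample trace are constructed for illustration, and the signature table is a small subset of the published MD5, SHA-1 and SHA-256 constants. It also handles one practical pitfall: MD5 and SHA-1 share their first four initial values, so a match is only reported when a constant unique to that primitive was seen.

```python
from collections import defaultdict

# Initial chaining values shared by MD5 and SHA-1.
_MD_INIT = {0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476}

# Subset of well-known 32-bit constants per primitive.
SIGNATURES = {
    "MD5": _MD_INIT | {0xD76AA478, 0xE8C7B756},
    "SHA-1": _MD_INIT | {0xC3D2E1F0, 0x5A827999, 0x6ED9EBA1,
                         0x8F1BBCDC, 0xCA62C1D6},
    "SHA-256": {0x6A09E667, 0xBB67AE85, 0x3C6EF372,
                0xA54FF53A, 0x428A2F98, 0x71374491},
}

# Constructed trace (hypothetical format): address, mnemonic, operand values.
TRACE = [
    (0x401000, "mov", [0x67452301]),
    (0x401005, "mov", [0xEFCDAB89]),
    (0x40100A, "mov", [0x98BADCFE]),
    (0x40100F, "mov", [0x10325476]),
    (0x401030, "add", [0xD76AA478, 0x61626380]),
    (0x401036, "rol", [7]),
    (0x401030, "add", [0xE8C7B756, 0x00000000]),
    (0x401036, "rol", [12]),
    (0x402000, "xor", [0x6A09E667, 0x1]),  # lone constant: below threshold
]

def identify(trace, min_hits=3):
    """Map each detected primitive to the addresses that touched its constants."""
    seen = defaultdict(set)    # constant -> addresses where it was observed
    for addr, _mnemonic, operands in trace:
        for value in operands:
            seen[value].add(addr)
    owners = defaultdict(set)  # constant -> primitives whose signature lists it
    for name, consts in SIGNATURES.items():
        for c in consts:
            owners[c].add(name)
    report = {}
    for name, consts in SIGNATURES.items():
        hits = {c for c in consts if c in seen}
        unique = {c for c in hits if owners[c] == {name}}
        # Require enough hits AND at least one constant no other primitive uses.
        if len(hits) >= min_hits and unique:
            report[name] = sorted({a for c in hits for a in seen[c]})
    return report

if __name__ == "__main__":
    for name, addrs in identify(TRACE).items():
        print(name, [hex(a) for a in addrs])
```

The reported addresses are the starting points for observing inputs, outputs and keys of the located primitive.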

Personally, I am interested in this talk because it might ease the analysis of closed-source applications using cryptography. Even if the application, the DRM scheme, or the cryptographic primitive has no special weaknesses or bugs, just the recording of every input and output of all cryptographic building blocks in the application might be sufficient to extract a DRM-free version of DRM-protected digital content. Please also note that even if an application uses only well-analyzed cryptographic primitives such as AES and RSA, it might still be insecure if these primitives are used in the wrong way.

See the talk at Day 1, 16:00, Saal 3!

Author: Erik Tews

Day 0 Dinner Meetup!

Who: You! And lots of Hackers in Berlin!
What: Day 0 Dinner Meetup
When: Today! (26 Dec.) 6pm-11pm (18-23h)
Where: Vapiano Berlin 3 — Mittelstrasse 51, 10117 Berlin
Why: Interesting conversation, good food and great people!
How: Register Here! (Registration requested, not required)

Following the success of last year’s meetup, we’ve arranged another relaxing dinner to celebrate the start of the 27c3 and the other events happening in Berlin between Christmas and New Year’s.  Whatever your plans for the 27th on, stop by tonight for some nice food and great company! Vapiano has dishes for all budgets and dietary restrictions and we’ll have a spot to ourselves at the venue.

For more information, see the Side Events Wiki Page or call +49-179-3966141

Travel Information by 27C3

If you are trying to get to the congress but get stuck in traffic, don’t know the status of the road ahead of you, or are sitting on a platform because of a cancelled train, you can call us starting Sunday at 10am. We have set up a number where we will help you find a way to get to the congress or just answer questions about your trip. This is quite handy in situations where you don’t have internet access or every other hotline is overloaded.

Travel Information: +49 30 809 400 22 2324

Have a safe journey. Slow down if the road forces you to do so. Keep in mind: this year you don’t have to hurry for your ticket.

Change of Plan — Video Streams For Peace Missions

In one of our last posts we’ve invited all peace missions to register their IP addresses by mail. Registered IP addresses will be granted access to a dedicated video streaming relay.

We’ve received mails from lots of people who’d like to set up a peace mission and gave us their IP address. So far, so good – it’s cool to see so much interest. Unfortunately, now that you’ve invested time in sending us an email, we are changing the registration procedure.

There will be a web site, where peace missions can register. After we’ve acknowledged a registration you may add or change your IP address on the white list.

Those of you who already sent us an email, please register again using that web interface.

We don’t know the URL yet, but we’ll post it as soon as we know it here and on the Peace Missions page in the wiki.

Please register your Peace Mission at 27c3 Peacekeeper to get guaranteed Bandwidth!

The fairydust has landed at the 27c3


We wish you a very merry festival of fixing the WiFi at your family’s home!

Over the past few days, the 27c3 team has been hard at work with the initial preparations for the 27c3.  At the bcc, several tons of networking hardware have arrived, the network backbone is up and running and the hackcenter decor is taking shape.  In far away lands, many new Peace Missions have been announced and there’s always room for more.

Peaceful journeys!  We’ll see you on the 27th!