27C3 on CCC Event Blog

Crypto Talk at 27C3: New Key Recovery Attacks on RC4/WEP, Day 4, 17:15, Saal 2

Thu, 30 Dec 2010 02:36:26 +0000

The RC4 Stream Cipher could be the most common stream cipher used on the Internet. RC4 is the only Stream Cipher which is standardized for the SSL/TLS protocol, it is also used for WEP and WPA protected wireless networks. Initially, RC4 was designed to be a closed source commercial product, with the core algorithm kept secret. In 1994, the source code for RC4 was posted on the internet and the algorithm could be analyzed.

The first attack on RC4 was published by Fluhrer, Mantin, and Shamir in 2001. The attack is very effective, but can only be used against certain keys starting with a special sequence of bytes, (for example 3, 255…). This worked perfectly well against WEP, which generates a per packet key using a random initialization vector IV, and a static secret key K. K is kept secret and shared among all nodes in the network. IV is public, and transmitted with every packet in clear. The per packet is key simply the IV concatenated with K (IV | K). We would also say, that there is a correlation between the output of RC4 and a part of the key, if certain conditions apply (the per packet key starts with 3, 255 for example). Many more of these correlations where found later and implemented in a WEP attack tool by a person under the pseudonym KoreK, which made key recovery on WEP protected networks much faster.

The next level of WEP breaking tools was published in 2007, when a new correlation was used against WEP. This correlation had been previously been found by Jenkins and Klein independently, but was never used against WEP so far. The correlation was much weaker than the correlations used in previous attack, but needed effectively no additional conditions, so that nearly every packet could be used to assist key recovery.

Looking at all those previous WEP attacks, one logical idea would be to automate the search for correlations in the RC4 output, which can be used in key recovery attacks. This is exactly the approach taken by Martin Vuagnoux:

In this paper, we present several weaknesses in the stream cipher RC4. First, we present a technique to automatically reveal linear correlations in the PRGA of RC4.

With this method, 48 new exploitable correlations have been discovered. Then we bind these new biases in the PRGA with known KSA weaknesses to provide practical key recovery attacks. Henceforth, we apply a similar technique on RC4 as a black box, i.e. the secret key words as input and the keystream words as output. Our objective is to exhaustively find linear correlations between these elements. Thanks to this technique, 9 new exploitable correlations have been revealed. Finally, we exploit these weaknesses on RC4 to some practical examples, such as the WEP protocol. We show that these correlations lead to a key recovery attack on WEP with only 9,800 encrypted packets (less than 20 seconds), instead of 24,200 for the best previous attack.

One could ask, why one should still try to improve attacks on RC4/WEP. WEP ca be broken in less than a minute nowadays. The successor protocol to WEP, namely WPA TKIP still uses the RC4 cipher in a very similar mode as WEP does. An improvement on WEP attacks could also help us in breaking WPA. Attacking RC4 in SSL/TLS would also be very interesting: Using RC4 in SSL/TLS is very efficient, because it doesn’t need any padding compared to a block cipher and needs less bandwidth than SSL/TLS using a block cipher does. A good attack on RC4 could render SSL/TLS connections insecure.

Personally, I am very interested in this talk, because I worked on attacking WEP in my diploma thesis and the last generation of WEP attacking tools was one of the results of my diploma thesis. The new attack present here will definitely outperform the last generation of WEP attacks and supersedes my results.

See the talk, Day 4, 17:15, Saal 2

Autor: Erik Tews

Crypto Talk at 27C3: FrozenCache – Mitigating cold-boot attacks for Full-Disk-Encryption software, Day 3, 23:00, Saal 2

Tue, 28 Dec 2010 18:38:05 +0000

As a general attack against encryption software on a computer, the cold boot attack was presented at 25C3. To encrypt data on a PC, many programs store the encryption key in RAM. The key is usually derived from a password or loaded from the hard disk where it is protected by a password too. The key resists as least as long as the encryption operation take in RAM. For many applications like Full-Disk-Encryption or Email Signatures, it is convenient to keep the key permanently in RAM, once it has been loaded, so that the user doesn’t need to enter his password again and again.

To protect the key from unauthorized access, computers are locked when the legitimate user is away or the computer has been switched to power-saving-mode. To gain access again, the user needs to type a password or needs to identify himself using a fingerprint reader or any other kind of biometric authorization device. Of course, the key is still in RAM for the whole time.

Here, the cold boot attack kicks in. At 25C3, it has been shown that RAM chips (DRAMs) can be easily removed from a running PC, Server or Laptop Computer, and their content can be extracted afterward. Even if the device has just been turned off, the content of the RAM fades only slowly away, depending on the exact type of RAM and its temperature. Even if some bits are recovered incorrectly, the correct encryption key can still be found an corrected, because many cryptographic algorithms use a lot of redundancy in they keys (round-keys for AES for example).

One way to counter the attack could be to store the keys only in the computer cache, instead of RAM. In contrast to the RAM which is a separate device connected to the computers motherboard, the Cache resides on the CPU die, and cannot easily be extracted or read-out. However, caches are hard to control and one needs to make sure that keys are really frozen in the cache and are never written to the RAM:

Cold boot attacks are a major risk for the protection that Full-Disk-Encryption solutions provide. FrozenCache is a general-purpose solution to this attack for x86 based systems that employs a special CPU cache mode known as “Cache-as-RAM”. Switching the CPU cache into a special mode forces data to held exclusively in the CPU cache and not to be written to the backing RAM locations, thus safeguarding data from being obtained from RAM by means of cold boot attacks.

Personally, I am interested in this talk, because it might be a good solution to use secure full-disk encryption software, without always having to shutdown your computer when you leave it unattended.

See the talk, Day 3, 23:00, Saal 2!

Autor: Erik Tews

Crypto Talk at 27C3: Is the SSLiverse a safe place? Day 2, 16:00, Saal 2

Tue, 28 Dec 2010 01:18:50 +0000

SSL/TLS is the standard when it comes to securing HTTP traffic on the internet. The authenticity of a web server is usually secured using a X.509 certificate digitally signed by a trusted certification authority (CA). All major web browsers come with a list of CAs preinstalled they assume as trustworthy. Every website can be signed by any of these CAs, so no web browser would show a warning, if www.dod.gov would be signed by a Chinese certification authority or the Deutsche Telekom.

To examine the usage of X.509 certificates for SSL/TLS, the EFF installed a SSL Observatory:

The SSL observatory is a project to bring more transparency to SSL Certificate Authorities, and help understand who really controls the web’s cryptographic authentication infrastructure. The Observatory is an Electronic Frontier Foundation (EFF) project that began by surveying port 443 of all public IPv4 space. At Defcon 2010, we reported the initial findings of the SSL Observatory. That included thousands of valid ‘localhost’ certificates, certificates with weak keys, CA certs sharing keys and with suspicious expiration dates, and the fact that there are approximately 650 organizations that can sign a certificate for any domain that will be trusted by modern desktop browsers, including some that you might regard as untrustworthy.

I am looking forward to see some obscure SSL/TLS setups here. For example, SSL/TLS doens’t require the server to present a certificate, connections where no certificate at all are also supported, which only provide security against an passive eavesdropper. Also, the usage of encryption is an optional feature in SSL/TLS, so that both parties may send their traffic in clear, and use SSL/TLS only to prevent unauthorized modification of the data or to prove authenticity of the server. Also, the key in a certificate doesn’t need to be an RSA key, instead some public Diffie-Hellmann parameters or a DSA key might be embedded there too.

For those of you who would like to know why it is called SSL/TLS: SSL 1.0 was created by Netscape to secure HTTP traffic, but the standard was never released to the public. SSL 2.0 was the first version of SSL released to the public and implemented in the Netscape Browser. SSL 3.0 was the last version of SSL created by Netscape, before the IETF took over development. TLS 1.0 was the first version of SSL released by the IETF, which technically still carriers a version number 3.1 in the protocol header. While there are big differences between SSL 2.0 and SSL 3.0, the differences between SSL 3.0 and TLS 1.0 are only minor. The current version of TLS is version 1.2 (which still carries a version number 3.3 in the protocol header), which contains some security fixes and improvements over TLS 1.0. So we usually say SSL/TLS, when we refer to the SSL or TLS protocol, but not to a particular version of the protocol.

Personally, I am interested in this talk because I conducted a small SSL X.509 survey by myself back in 2007, when I implemented a TLS 1.0 stack in Java for the J2ME platform. Nowadays, this stack is included in the bouncycastle project, a Java cryptography provider, and can be run on J2ME as well as on J2SE or J2EE.

See the talk at Day2, 16:00 Saal 2!

Autor: Erik Tews

Crypto Talk at 27C3: Die gesamte Technik ist sicher, Day 1, 21:45, Saal 1

Mon, 27 Dec 2010 12:09:09 +0000

The new national id card Neuer Personalausweis (NPA) was one of the biggest IT projects in the German government in the last years. Compared to the old id card, the new id card is a RFID smart card, which can also be used on the internet to prove your identify to a remote party (Ebay, Paypal, or Amazon for example) and to sign binding contracts. For example, you can use the card to buy a new house or car, or open up a bank account or apply for a credit.

When using the card over the internet, the card is connected to a reader, which is connected to a (potentially insecure) PC, which is connected to the internet. To use the card, the user needs to enter his PIN code to prove possession of the card and knowledge of the PIN. If the PIN is entered on an insecure device as the PC, it might be recorded by an attacker and used by him later.

Frank Morgner and Dominik Oepe examined the various attack scenarios on the NPA, which could be possible, depending on the used reader for the NPA:

Wir untersuchen die Machbarkeit und Auswirkung von Relay-Angriffen in Hinblick auf die verschiedenen Lesegeräteklassen und Anwendungsszenarien des neuen Personalausweises. Nach dem derzeitigen Stand der Spezifikationen lassen sich solche Angriffe kaum verhindern. Einige der Probleme erweisen sich als unlösbar, für andere existieren Lösungsansätze, welche von simpel, aber unzureichend bis komplex, aber kaum umsetzbar reichen.

Personally, I am interested in this talk, because it might show us some nice attack scenarios on the NPA, which are hard to counter, without buying very expensive readers. A lot of low-cost readers have just been distributed by a well known computer magazine in Germany, so that we can assume that a lot of people will be using their NPA with a highly insecure reader.

See the talk at Day 1, 21:45, Saal 1!

Autor: Erik Tews

Mission Angels: How to Connect to the 27c3

Mon, 27 Dec 2010 04:56:47 +0000

Thanks to the Mission Angels, you’ll be able to interact with the talks going on at the 27c3 and more! While you watch the streams from one of many Peace Missions throughout the world, Mission Angels will be monitoring IRC and Twitter for questions to be asked in selected events during the 27c3.

To ask a question in a session on IRC join #27c3-Saal-1, #27c3-Saal-2, #27c3-Saal-3 on Freenode or use the corresponding terms as a Twitter hashtag to put your question to the session.

If you’re in a Peace Mission, you can even sign up to give a Lightning Talk!

See the Peace Missions entry on the 27c3 wiki for more information. We’ll be updating the entry as we add more communications methods. If you’re at the bcc, consider volunteering to be a Mission Angel!

Photo by anders_hh

Crypto Talk at 27C3: Automatic Identification of Cryptographic Primitives in Software, Day1, 16:00, Saal 3

Mon, 27 Dec 2010 01:31:51 +0000

Many applications, including closed source applications like malware or DRM-enabled multimedia players (you might consider them as malware too) use cryptography. When analyzing these applications, a first step is the identification and localization of the cryptographic building blocks (cryptographic primitives, for example AES, DES, RSA…) in the applications. When these blocks have been localized, the input and output of the cryptographic primitives and the key management can be observed and the application can be analyzed further. Fortunately, many cryptographic algorithms use special constants or have a typical fingerprint and there are only a few different public implementations of the algorithm. This allows us to automate this first, Felix Gröbert will show us how:

Using dynamic binary instrumentation, we record instructions of a program during runtime and create a fine-grained trace. We implement a trace analysis tool, which also provides methods to reconstruct high-level information from a trace, for example control flow graphs or loops, to detect cryptographic algorithms and their parameters.

Trace driven/dynamic analysis has some advantages of static analysis:

Because the program is analyzed at runtime, it is immediately known which parts of the code are used at which time, so that they might be correlated with runtime decryption of the code or with network communication.
Inputs and outputs of the primitives as well as the keys are recorded, even if the originate from a remote server or botnet. This allows us to immediately distinguish between long term keys and session keys, if multiple executions of the same program can be recorded.
This is also highly interesting if private keys are included in an obfuscated binary, for example private RSA keys.
Dead or unused code is automatically excluded, so that one can proceed with the main parts of the code first.
If additional code is loaded from a server, it is included in the analysis. This would be hard to impossible using static analysis.

Of course, trace driven analysis has it disadvantages, for example if a malware needs to communicate with a command-and-control server, which has already been taken down or behaves differently on different systems or at different times.__

Personally, I am interested in this talk because it might make ease up the analysis of closed source applications using cryptography. Even if the application, the DRM scheme, or the cryptographic primitive has no special weaknesses or bugs, just he recording of every input and output of all cryptographic building blocks in the application might be sufficient to extract a DRM free version of DRM protected digital content. Please also note that even if an application uses only well analyzed cryptographic primitives as AES and RSA, it might still be insecure, if these primitives are used in the wrong way.

See the talk at Day 1, 16:00, Saal 3!

Author: Erik Tews

Change of Plan — Video Streams For Peace Missions

Sat, 25 Dec 2010 01:02:28 +0000

In one of our last posts we’ve invited all peace missions to register their IP addresses by mail. Registered IP addresses will be granted access to a dedicated video streaming relay.

We’ve received mails from lots of people, who’d like to set up a peace mission and gave us their IP address. So far, so good – it’s cool to see so much interest. Unfortunately, now you’ve invested time for sending us an email, we do change the registration procedure.

There will be a web site, where peace missions can register. After we’ve acknowledged a registration you may add or change your IP address on the white list.

Those of you, who already sent us an email, please re-register again by using that web interface.

~~We don’t know the URL yet, but we’ll post it as soon as we know it here and on the Peace Missions page in the wiki.~~

Update:
Please register your Peace Mission at 27c3 Peacekeeper to get guaranteed Bandwidth!

The fairydust has landed at the 27c3

Fri, 24 Dec 2010 18:05:34 +0000

We wish you a very merry festival of fixing the WiFi at your family’s home!

Over the past few days, the 27c3 team has been hard at work with the initial preparations for the 27c3. At the bcc, several tons of networking hardware have arrived, the network backbone is up and running and the hackcenter decor is taking shape. In far away lands, many new Peace Missions have been announced and there’s always room for more.

Peaceful journeys! We’ll see you on the 27th!

Bring Your DVB-T receivers

Thu, 23 Dec 2010 00:31:56 +0000

At 27C3 all lectures will be broadcast via DVB-T and reception will be possible in and around the bcc. Visitors can watch via TV if they want avoid overcrowded lecture rooms.

To receive the signal any PC with DVB-T-USB-Stick, TV set with DVB-T tuner or cellphone with DVB-T-function will work. We will publish all needed configuration files and a list of working and non-working receivers in the wiki.

The Bundesnetzagentur (German regulation body) has allocated channel 22 (482MHz) for us, where we will transmit with 6 watts ERP.

The last time DVB-T was available on Chaos Congress was at 24C3 where in some areas the signal was to much attenuated to be received properly. This year we come up against this with more transmission power, better
placement of the transmitter antenna and a new, better modulator.

Details are available at http://events.ccc.de/congress/2010/wiki/DVB-T

Downloadable tickets are available in your presale-account

Fri, 17 Dec 2010 21:26:52 +0000

Downloadable tickets are available in your presale-account. NOW.

As you already may have noticed, the availability of your tickets has been delayed.. ahem.. just a little bit. But here’s the good news:

Your 27C3-tickets are available for download now!
Please log in to https://presale.events.ccc.de , download the pdf, print it out, and make sure to bring it with you to the cash desk.

We wish you a lot of fun at the 27C3!

24 Hour Hardware Hacking Returns to 27c3

Thu, 16 Dec 2010 19:54:29 +0000

Hackers of all ages can (learn how to) make things at the Hardware Hacking Area of the 27c3!

The HHA is open to everyone and open the entire congress! Hackers of all ages and skill levels are welcome! Round-the-clock hands on workshops will be led by lots of experienced teachers like Mitch Altman, Jimmie P. Rodgers, fbz, Wim Vandeputte and…you!

Learn to solder, then help teach others! Make cool things with electronics, design and print 3D models on the Makerbot, break RFID, or give your own workshop on the projects you’ve been hacking on this year. Last year there was a Cantenna workshop, a Mikrocopter workshop, and a GSM workshop among many others.

Lots of kits for you to make will be available including Brain Machines, TV-B-Gones, Trippy RGB Waves, Mignonette Games, LEDcubes, LOL shields, Atari Punk Consoles…and there’s always room for yours!

To accommodate all this hardware hacking goodness, the HHA will be twice the size it was during the 26c3, but still conveniently located near the Hackcenter.

Even if you don’t have a ticket to Congress, you can stop by the HHA with a Night Pass good from Midnight to 6 AM. Night passes are only €5 and will be sold shortly before midnight each day of the 27c3.

Lightning Talks at the 27c3

Mon, 13 Dec 2010 19:04:15 +0000

Want four minutes on stage at the 27c3? You can have it! Registration is now open for the Lightning Talk sessions at the 27c3.

Taking place at 12:45 in Saal 3 on Days 2, 3 and 4, these fast paced sessions are perfect for pitching new software or hardware projects, exploits, creative pranks or strange ideas you need to share with the world.

Lightning talks are also good for getting publicity for your workshop at the 27c3, or for recruiting people to join in on things like a high calorie flash mob.

In order to maximize the available time, registrations will be granted to presenters who submit their graphics (i.e. slides, background picture, contact info, etc.) in advance. Exceptions will be made very selectively on a case-by-case basis. Register soon, as we anticipate the available slots will go quickly. (Proposals started coming in a few minutes after we put up a draft of the wiki page!)

Read the Lightning Talks article on the 27c3 wiki for more information!

Photo Courtesy Matt Biddulph via flickr.

All-Day-Tickets sold out

Mon, 06 Dec 2010 16:47:12 +0000

On Saturday the last batch of 27C3 tickets were sold. There are no all-day-passes left.
We will make the actual tickets available to you via your presale account ~~on December, 13th~~ shortly. The tickets will contain all relevant billing data and can be used as invoice.

Please print your ticket and bring it to the cashdesk.

Those who did not get a ticket during presale, please do not travel to the congress. There are no all-day-passes available at the cashdesk. Our door policy is strict: Only visitors with valid ticket codes will be granted entrance.

As of day 2 (2010-12-28) a few day-passes will be available at the cashdesk. These will be sold very soon, so please do not rely on them.

If you have any questions or problems, don’t hesitate to contact 27c3-presale@cccv.de. Please note: The presale team does not have any tickets to hand out to you.

Content Meetings are over: Fahrplan released

Wed, 10 Nov 2010 22:46:04 +0000

This past Sunday, we concluded the second and final Content Meeting for 27C3. We’ve looked at all 223 submissions for talks and presentations and selected what we feel are the best 98 of them. We’d like to thank all submitters for the many interesting proposals that lightened up our work.

One card for each talk that was accepted for 27C3

But now, the schedule for the 27th Chaos Communication Congress is mostly done. So today we present the first release of the 27C3 presentation schedule (or “Fahrplan” in German): Fahrplan Version 0.1. Note this is Version 0.1. Blanks will be filled with more really cool stuff. Much more to come.

The Content Team is shuffling cards on the floor to plan 27C3

This year we’ll also have talks that last 30 minutes. The intent is to create a space for issues that are too complex for a Lightning Talk but still would not fill an entire hour. The resulting increase in the number of presentations serves to diversify the programme as well as allow people to tune into the event with morning sessions that don’t require quite the same attention span we might be able to more easily muster in afternoons and evenings.

Finished schedule for 27C3

We will be highlighting some of the accepted talks with short introductions here soon. So stay tuned. :-)

The main presale for 27C3 is beginning

Tue, 09 Nov 2010 22:09:36 +0000

Dear attendants in spe,

as announced earlier, the second batch of tickets for 27C3 will be available accompanying the initial Fahrplan release.

At Thursday, November 11th at 9 p.m. CET (that is 8 p.m. UTC), we will release the largest of our three allotments with 2,000 tickets. Log into our presale system. While the first batch was designated to hackers with rather long journeys to allow booking flights and hotels early, most tickets were sold to Germans. We have to rethink the policy for 28C3.

Please watch out for the booby traps below, so you won’t be left unhappy without a ticket:

To protect us – and thus your tickets – from automated hoarding, accounts can not be used for ordering tickets until 24 hours after you create them. If you don’t have one yet, get one soon.
Please confirm your order by clicking “Confirm Order” after selecting your tickets.
Tickets have to be paid within 14 days. Overdue tickets are returned to the pool.
Orders we received payments for will be flagged as “payment confirmed”. If that does not happen for some reason, please do not hesitate to contact us.
“Golden Tokens” are only valid until November 30th, so don’t procrastinate too long. Unused tokens are returned to the pool.