|
Finally, this alternative speaker became an speaker, nothing more. Maxi and I will be given a lecture during Black Hat, as you can see here.
Just think about being in the same rostrum than Fyodor makes me feel so small...
|
|
( I love acronyms :-D )
At this point, all of you should know and see how the H D Moore’s toys work. Those toys attack SSH public-key authentication using clone keys and online brute force.
Furthermore, many of you know that there are other effects produced by a biased PRNG besides this one.
Strangely, I could not find more of those toys exploiting these aspects. So, I would like to show you a Wireshark patch which attacks Perfect Forward Secrecy (PFS) provided by Ephemeral Diffie Hellman (EDH).
Introduction to EDHLet’s put it in plain words (if you know what we are talking about, ignore this and jump to the next heading):
In an insecure communications channel the parties agree a common key to cipher their dialog. This is what happens in SSL (in most of the cases, depending on the cipher suite):
- The server selects a random prime p and a generator g of the field Z*p (Let’s ignore the mathematical properties of these values). So, the components p and g are public.
- The server picks a secret random number Xs and calculates Ys=gXs mod p. Ys is public and is sent to the client (just like p and g).
- The client does something similar, selecting a secret random number Xc and calculating Yc=gXc mod p too. The client makes Yc public by sending it to the server.
- The shared secret s is the public key of the other part to the exponential of the own private number, all in p modulus. That is, for the client s=YsXcmod p and for the server s=YcXsmod p.
- With this shared secret the parties can encrypt all the following messages in a secure way.
- In the Ephemeral Diffie Hellman (EDH), the private numbers are ruled out, so s is mathematically secure and nobody can obtain it even having access to one of the parties after the aforementioned handshake.
The “exploit”If an eavesdropper can explore the complete private key space (the all possible numbers for Xc or Xs), he/she will be able to get access to the shared secret. With it all the communication can be deciphered. That’s what this patch can do.
A Wireshark with this patch and a list of possible private keys will try to brute force the share secret. If one of the parties is using the vulnerable OpenSSL package the communication is totally insecure and will be decrypted.
- The patch for Wireshark 1.0.2 can be downloaded from here.
- Debian packages with the patch applied can be found here.
- This is a list of all 215 possible 64 and 128 bit DH private keys in systems vulnerable to the predictable OpenSSL PRNG described by DSA-1571.
- An example of a pcap file can be found here (it was built with a vulnerable client and one of the Moore toys, a hacked getpid by running $ MAGICPID=101 LD_PRELOAD=‘getpid.so’ ./vulnerable-openssl/apps/openssl s_client -connect db.debian.org:443 )
The patch was submitted in order to be committed on the Wireshark trunk. There you can find the patch against the on-develop source revision 25765.
Issues that can be improvedWe (the other developers and myself) detected few things to be improved. But we will do nothing for them. So, if you want to contribute with some code, start from these items and submit the patches to the Wireshark’s bugzilla: - When the packets are out-of-order the decipher with stop itself.
- The brute force attack should run in a background process (and with a progress bar)
- Check the length of the keys before trying to brute force them.
- The patch also implements the display of public DH parameters in the packet tree. It’s incomplete.
CreditsPaolo Abeni <paolo.abeni at email.it>
Luciano Bello <luciano at debian.org>
Maximiliano Bertacchini <mbertacchini at citefa.gov.ar>
This work was partially supported by Si6 Labs at CITEFA, Argentina.
UPDATE Jul. 21st: See more and updated info here, especially this.
|
|
The last weeks have been very active. A lot of e-mails from people and magazines, a lot of congratulations and a lot of free beer made me feel like a rock star :) Thanks a lot to everyone. I really appreciated that.
And maybe this petition would sound you like an abuse of this situation. And maybe you are right.
The fact is, I need an sponsor to travel to Defcon16, in Las Vegas, the next August. I need a flight ticket, 3 or 4 nights in a hotel and 2 meals per day.
I've been accepted to explain the Debian/OpenSSL problem and I'm dying to be there. If you work for a company which is looking for a nice way to say "thank you", please consider this option :)
Contact me at luciano <alt+64> debian.org for more details. Thanks.
update (13 minutes later): I just received confirmation from the Black Hat organization to be an alternative speaker there too! So I will need to fund 5 extra nights... :D |
|
Well, maybe I was a little noisy with my first DSA. I will try to be quieter next time :)
I think that many people are being very unfair with the OpenSSL’s maintainers. They made (and are making) a really good job. Was an accident, that things happens.
What we need is a real auditory process of the Debian specific patches. It’s hard, but it’s necessary. |
|
In my free Friday I made a little cuasi-web knocking for OpenBSD’s Packet Filter. Click here if you want to read more.
 |
| » Debian Logo and Messier 74 |
|---|
  Many years ago I heard that the Debian logo represents a galaxy. And I always thought “There is no galaxy that looks like that”. Of course, I was wrong.
The Astronomy Picture of the Day from few days ago is a really nice picture of the Messier 74 galaxy.
Any resemblance is purely coincidental :)
Dec. 4th, 2007 @ 01:31 am
|
| » It's a party... and you are invited! |
|---|
Better than just a party, it’s a bug squashing party! Imagemagick needs your help. It a very important package for Debian and its really outdated. It has more than 100 bugs.
The objective, is to reduce the bugs to less than 20 in a month in the current development version. Let’s go for them! :)
Nov. 21st, 2007 @ 05:48 pm
|
| » captchas: The Good, the Bad and the Ugly |
|---|
Some months ago, I commented about a weak implementation in a fancy captcha. Today I would like to comment about other bad implementations, but in other ways.
The goodA captcha should have big Shannon entropy, finite, but big. The session ID and the challenge must not be reused. The images must be resistant to OCR but should be understandable by a human.
The badHere is the first example:
Believe it or not.. This is a real case. So incredible eh?
The uglyThe victim, in this case, is this one: 
This is an implementation of captchanumbers, by Hadar Porat. This captcha and many others generated by captchanumbers can be read with this script.
The idea is simple. As the numbers are nearly in the same place, they can be cut. Those parts can compared independently, reducing the entropy. May be the script and this image would be more enlightening than my limited English:
The 10,000 possibilities was reduced to 159. No OCR, 100% deterministic.
Second moral: Understand the fundamentals first, write code later.
Oct. 31st, 2007 @ 02:17 am
|
| » ocurrencia |
|---|
In Spanish, occurrence and stupid idea are the same word.
j=`w3m planet.debian.org -dump -no-graph -l 200 | tr -d -C [:alpha:] | tr [:upper:] [:lower:]`; for i in `seq ${#j}`; do echo $j | cut -b $i; done | sort | uniq -c | while read w; do y=`echo $w | cut -f 1 -d ' '`; echo -n $(echo "scale=5; $y/${#j}" | bc); echo " `echo $w | cut -f 2 -d ' '`" ;done | sort -rn
Sep. 18th, 2007 @ 02:00 pm
|
| » luciano at debian.org |
|---|
After a long long long process of 946 days, I’m a Debian Developer :-).
Let’s have a drink... today it’s on me.
Aug. 4th, 2007 @ 11:08 am
|
| » Eppur si muove |
|---|
yes | w3m -M -F -dump http://nm.debian.org/nmlist.php 2> /dev/null | grep -A 60 "Luciano Bello" > /tmp/DAM-`date +%F`.txt ; ! diff /tmp/DAM-`date -d yesterday +%F`.txt /tmp/DAM-`date +%F`.txt > /dev/null && echo "Eppur si muove"
Thanks and continue like this. Go for them^W us :)
Jul. 31st, 2007 @ 04:58 pm
|
| » fancy /mathematical /insecure /unofuscated /reused captchas |
|---|
Few days ago, Gunnar told me about a quite curious captcha:
But, in the other hand, it had been implemented insecurely. With just one answer, you can submit many times:
Furthermore, I notice that the captcha was precomputed and, therefore, finite and reused. I made more than 15,000 requests and I had less than 5% unique (there is no motivation to solve 700 differential equations :P).
Moral: Sometimes, extravagance goes against security.
Jul. 23rd, 2007 @ 06:10 pm
|
| » Obedientia Civium Urbis Felicitas (Happy the city where citizens obey) |
|---|
Hi Dubs! (aka Dubliners)
In a week I will be in your land for few days, before DebConf7. I would like know what do you advise me to [visit/see/stay at/]. Can I visit the Google HQ? Where I can drink good beer? Do you plan go to Debconf as a group?
Please, leave a comment on this post or send me an email (luciano *at* linux.org.ar).
Thanks, see you in Ireland :)
May. 30th, 2007 @ 02:57 pm
|
| » sometimes, unusual things happens (x2) |
|---|
Causality I:
The Cause: CVE-2007-1365
The Effect:
Causality II:
The Cause: DAM has an idle evening
The Effect:
Mar. 14th, 2007 @ 10:44 am
|
| » DebConf8 ... be our guest |
|---|
DebConf8 will be in Argentina... :D
Improve your tango.... and be our guest :)
Feb. 12th, 2007 @ 02:59 pm
|
| » I know that one.... |
|---|
I know that one... Let me think... I have it on the tip of my tongue...
:)
Feb. 9th, 2007 @ 11:44 am
|
| » lintian cleanliness |
|---|
There're packages which are particularly averse to all this lintian issue:
$ lintian /var/cache/pbuilder/result/wicrawl_0.3a-1_i386.changes | wc -l
1014
Jan. 29th, 2007 @ 08:11 pm
|
| » Dear Santa Pyro |
|---|
Dear Santa Pyro,
 I've been a really good maintainer this year and I hope not to get coal. Don't let my not-updated-lintian-page fool you. My packages hasn't got any RC bug in unstable or testing and they are all updated.
What I really want for Christmas is Task and Skill step finished. That will look great under Christmas tree :)
Thanks in advance.
Your eternal applicant, luciano
Dec. 19th, 2006 @ 02:11 pm
|
| » cuasi-custom kernel in a non-traditional way |
|---|
I'm averse to compile programs for productive machines. Lot's of developers and maintainers have been working (and work) hard to make a wonderful binary for you. But sometimes you need a customization. Especially if it's about a kernel. I was needed support for 8GB ram.
Most of the people would download a kernel from www.kernel.org, would configure it and would compile it.
If it's about a Debian user, he would probably compile it by-the-Debian-way, with make-kpkg.
But I only needed a really small change from the debian official kernel image. So, I tried to made a custom kernel image, without wasting the work from the kernel team, making as less changes as possible.
$ apt-get source kernel-image-2.6.8-3-686-smp
$ vi kernel-image-2.6.8-i386-2.6.8/config/686-smp
Add support for HighMem64G:
CONFIG_HIGHMEM64G=y
wq!
In order to not generate all the images for all the platforms (I'm not sure that i386, k7, etc. are platforms) I delete those files from kernel-image-2.6.8-i386-2.6.8/config:
$ rm 386 686 k7 k7-smp
Then... let's bulid a package (compile in a DD-way :P)!
dpkg-buildpackage
And now I have a package with my non-too-much-custom-kernel-image, ready to be used.
Aug. 2nd, 2006 @ 11:57 am
|
| » the WTF survey |
|---|
Sometimes, if you don’t blog for a while, you need a good excuse for do it. Today I have one.
Click to see the whole page
You don’t speak Spanish? You should :P.
It’s a survey (or an opinion poll, i’m not sure). The newspaper La Razón ask to the readers: Are you agree that the tubal ligation and the vasectomy are allowed?. The answers are: between 9 and 7 hours (49.8%), between 6 and 4 hours (46.1%), ten or more (2.6%) and neither, I can’t sleep (1.5%).
Jul. 17th, 2006 @ 08:24 pm
|
|
![[info]](http://l-stat.livejournal.com/img/community.gif){kind=small}
lbello_english![[info]](http://l-stat.livejournal.com/img/userinfo.gif){kind=small}
