
Tag: Block Cipher

VeraCrypt fixes bugs uncovered in security audit

Security researchers have completed the Open Source Technology Improvement Fund-backed audit of encryption platform VeraCrypt and found eight critical, three medium, and 15 low-severity vulnerabilities. The team behind the popular tool addressed the audit's findings in VeraCrypt 1.19. This is how security audits should work.

OSTIF said VeraCrypt 1.9 is safe because most of the flaws have been addressed. Some vulnerabilities were not addressed in this version, due to the "high complexity for the proposed fixes," but workarounds for those exist. "As long as you are following the documentation for known issues and using it as advised, I believe [VeraCrypt 1.9] is one of the best FDE [full-disk encryption] systems out there," said Derek Zimmer, OSTIF CEO and president, in an Ask-Me-Anything Q&A on Reddit. Zimmer is also a partner with virtual private network service provider VikingVPN.

OSTIF hired Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau to check the VeraCrypt codebase, focusing on version 1.18, and the DCS EFI Bootloader. The audit focused on new security features that were introduced into VeraCrypt after the April 2015 security audit of TrueCrypt. VeraCrypt is the fork of that now-abandoned encryption tool, and is backwards-compatible.

Four problems in the bootloader -- keystrokes not being erased after authentication, sensitive data not correctly erased, memory corruption, and null/bad pointer references -- were found in the audit and fixed in version 1.19. A low-severity boot password flaw, where the password length could be determined, was also addressed. While the information leak itself is not critical, as the system needs to be booted and privileged access is required to read BIOS memory, the vulnerability needed to be fixed because an attacker knowing the length of the password would hasten the time needed for brute-force attacks, the audit said.
VeraCrypt relied on compression functions to decompress the bootloader when the hard drive is encrypted, to create and check the recovery disks if the system is encrypted and uses UEFI, and during installation. The audit found that all the compression functions had issues. VeraCrypt was using XZip and XUnzip, which had known vulnerabilities and were out-of-date. "We strongly recommend to either rewrite this library and use an up-to-date version of zlib, or preferably, use another component to handle Zip files," the auditors said. VeraCrypt 1.19 replaced the vulnerable libraries with libzip, a modern and more secure zip library.

UEFI is one of the most important -- and newest -- features added to VeraCrypt, so the auditors paid extra attention to this part of the code. All code specific to UEFI is in the VeraCrypt-DCS repository, and was "considered much less mature than the rest of the project" by VeraCrypt's lead developer, the researchers wrote in the audit report. "Some parts are incomplete, or not incomplete at all." In the audit summary OSTIF wrote that "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software."

As a result of the audit, VeraCrypt dumped the GOST 28147-89 symmetric block cipher, originally added in VeraCrypt 1.17, due to errors in how it was implemented. GOST 28147-89 encryption was a Soviet-developed alternative to DES designed to strengthen the algorithm. All compression libraries were considered outdated or poorly written, the audit found. The implementation "fell short," Zimmer said in the Reddit AMA. In version 1.9, users can decrypt existing volumes that used the cipher but cannot create new instances. Users who used the GOST cipher that was removed as part of the audit should re-encrypt old partitions using the latest version. Users should also re-encrypt on all full-disk encryption systems since a number of issues with the bootloader have been fixed.
Anyone who used pre-1.18 versions should re-encrypt partitions because of the bug related to the discovery of hidden partitions. VeraCrypt is a fork of TrueCrypt, which developers abruptly shut down in May 2014, hinting at unspecified security issues. There were concerns that the platform had a backdoor or some other flaw compromising the tool. The audit was necessary to assess the overall security of the platform. OSTIF said TrueCrypt 7.1a should no longer be considered safe because it is no longer under active maintenance and it is affected by the bootloader issues uncovered in the audit. However, the audit report also suggested that the weaknesses in TrueCrypt 7.1a do not affect the security of containers and non-system drives.

It is easy to dismiss VeraCrypt as being unsafe because of the issues uncovered, but that ignores the entire value of having an audit. If the audit had uncovered issues and the team had refused to fix the issues, or were unresponsive to requests from the auditors, then that would give cause for concern. In this case, Quarkslab completed the audit in a month, and the maintainers fixed a significant number of the issues and documented in detail how to handle the other issues that hadn't been addressed. Yes, the auditors found some questionable decisions and mistakes that shouldn't have been made in the first place, but there were no problematic backdoors or any vulnerabilities that compromise the integrity of the full-disk encryption tool.

The nature of open source development means the source code is available for anyone to examine. But, as has been repeatedly shown over the last few years, very few developers are actively looking for security flaws. This is why, despite the "many eyeballs" approach, Heartbleed and Shellshock and other critical vulnerabilities lingered in OpenSSL for years before being discovered.
With an audit, professionals scrutinize every line of the open source software's source code to verify the integrity of the code, uncover security flaws and backdoors, and work with the project to fix as many problems as possible. The audit is typically expensive -- private search engine DuckDuckGo and virtual private network service Viking VPN were the primary donors to OSTIF for this audit -- which is why audits aren't more common. However, as many commercial products and other open source projects rely heavily on a handful of open source projects, audits are increasingly becoming important.

With the VeraCrypt audit complete, the OSTIF is looking ahead to audits of OpenVPN 2.4. GnuPG, Off-the-Record, and OpenSSL are also on the roadmap. The Linux Foundation's Core Infrastructure Initiative had stated plans for a public audit of OpenSSL with NCC Group, but the status of that project is currently unclear. "I wish we could just hit every project that everyone likes, and my list would be enormous, but we have finite resources to work with and securing funding is the vast majority of our work right now," Zimmer wrote, noting that OSTIF is focusing on one "promising" project in each area of cryptography.

Audit sees VeraCrypt kill critical password recovery, cipher flaws

Patches slung at 11 bad bugs

Security researchers have found eight critical, three medium, and 15 low-severity vulnerabilities in a one month audit of popular encryption platform VeraCrypt. The audit is the latest in a series prompted by the shock abandoning of TrueCrypt in May 2014 due to unspecified security concerns claimed by the hitherto trusted platform's mysterious authors. VeraCrypt arose from the ashes of TrueCrypt and added new security features. Quarkslab senior security researcher Jean-Baptiste Bédrune and senior cryptographer Marion Videau crawled through the VeraCrypt codebase, focussing on version 1.18 of the platform and the DCS EFI Bootloader 1.18 (UEFI), examining new security features introduced since the April 2015 security audit of TrueCrypt. They report boot passwords in UEFI mode and code length in legacy mode could be retrieved by attackers.

This appears to stem from a failure to properly erase passwords when changed by users. Further critical errors include the implementation of the GOST 28147-89 symmetric block cipher which the pair say must be abandoned due to implementation errors.

All compression libraries were considered outdated or "poorly-written". Researchers bankrolled by the Open Source Technology Improvement Fund on 1 August funded by DuckDuckGo and VikingVPN detailed their findings in a 42-page report (PDF). Critical and medium-severity flaws have been fixed in the latest VeraCrypt release version 1.9, along with most low risk vulnerabilities and concerns.

Those that remain unfixed were left due to the high complexity of patching, but researchers have also proposed workarounds. VeraCrypt has since dumped GOST 28147-89 encryption allowing users to decrypt volumes but not create new instances using the cipher. Boot password flaws were also squashed along with four other bootloader problems. "VeraCrypt is much safer after this audit, and the fixes applied to the software mean that the world is safer when using this software," the Open Source Technology Improvement Fund says of the audit. The auditors say the review is useful and beneficial for users, but is too expensive to be conducted for every version of encryption tools.

Meet PocketBlock, the crypto engineering game for kids of all ages

Image caption: The US Navy Bombe used during World War II to break Germany's Enigma encryption system (National Security Agency).

When you're an applied cryptographer, teaching your preteen daughters what you do for a living isn't easy.

That's why Justin Troutman developed PocketBlock, a visual, gamified curriculum that makes cryptographic engineering fun. In its current form, PocketBlock is a series of board-like grids that allows players to transform plaintext messages into secret ciphertext and convert it back again, one move at a time.

By restricting the operations to little more than addition and subtraction performed by rearranging squares on a piece of paper, PocketBlock helps students understand the fundamentals of encryption without requiring a formal background in mathematics.

At the same time, it stays true to the principles of modern cryptography and goes well beyond the classical cryptographic concepts, like the Caesar cipher, reserved for the most kid-centric material on cryptography today. "The goal is for kids to feel like they've worked with something of substance, to an extent that intrigues them," Troutman, a trained cryptographer who is currently the project manager at the Freedom of the Press Foundation, told Ars. "[PocketBlock] introduces cryptography as everything from a pillar of the modern Web to the tradecraft of spies past.
It introduces the same cryptographic concepts that I work with as a cryptographer in industry—the same underpinnings you'll find in academic papers.
It reduces these concepts to easy-to-solve problems and uses a visual language to map what happens to bits as they travel through a cryptographic algorithm."

While suitable for kids eight and older, PocketBlock is by no means restricted to kids.

Troutman said it's also suitable for professional developers who want to deepen their understanding of the way cryptographic algorithms work, given that they're often implementing them.
So far, Troutman has used PocketBlock in four workshops: for kids of all ages at r00tz Asylum (Defcon 24), for middle school girls at a Hackers Girls Summer Camp sponsored by Facebook, for high school students at Cal Poly SLO's EPIC engineering summer camp, and for professional developers at Facebook's internal Hacktober event.

The first entry in the PocketBlock series is called Pockenacci (pronounced POCK-uh-notch-ee), an authenticated encryption scheme that introduces the inner workings of a block cipher. Pockenacci includes a simple key schedule based on Fibonacci-style addition, which transforms a password into a cryptographic key; two P-boxes that permute, or shift, the location of characters inside the plaintext message; an S-box that substitutes one character for another; and a Message Authentication Code for verifying that an adversary hasn't tampered with an encrypted message while it was in transit.

Adolescent Encryption Standard

The next entry will be "aes," or the "adolescent encryption standard," a version of the Advanced Encryption Standard that has been simplified enough to be done by hand. While it has been scaled down, Troutman said it will retain the full structure of AES. In its current form, PocketBlock mostly resembles a crude board game, but Troutman said this is just the early curriculum-based stage. He has plans to expand PocketBlock to an interactive app for tablets with tangible components like physical, programmable blocks that work with the app for more of a hands-on experience.
In addition, Troutman is also planning to integrate a narrative interactive fiction environment in which players use their newfound crypto skills to complete missions.

The first installment of this narrative adventure will be titled "Mudspeak." "The goal of this narrative, interactive-fiction-esque component is to gamify things even more, by having players both build and break ciphers in order to level up," Troutman said. "They'll need to build ciphers in order to set up secure and private communication, break ciphers in order to read secret messages, and forge new ones.

Completing missions will depend heavily on keeping their secrets safe while learning the secrets of their opponents." The PocketBlock curriculum source is free and open source and available on the official PocketBlock repo on Github. Project updates and upcoming workshops can be found at the official PocketBlock website.

Big data busts crypto: ‘Sweet32’ captures collisions in old ciphers

Boffins blow up Blowfish and double down on triple DES

Researchers with France's INRIA are warning that 64-bit ciphers – which endure in TLS configurations and OpenVPN – need to go for the walk behind the shed. The research institute's Karthikeyan Bhargavan and Gaëtan Leurent have demonstrated that a man-in-the-middle on a long-lived encrypted session can gather enough data for a "birthday attack" on Blowfish and triple DES encryption. They dubbed the attack "Sweet32". Sophos' Paul Ducklin has a handy explanation of why it matters here.

The trick to Sweet32, the Duck writes, is the attackers worked out that with a big enough traffic sample, any repeated crypto block gives them a start towards breaking the encryption – and collisions are manageably common with a 64-bit block cipher like Blowfish or Triple-DES. They call it a "birthday attack" because it works on a similar principle to what's known as the "birthday paradox" – the counter-intuitive statistic that with 23 random people in a room, there's a 50 per cent chance that two of them will share a birthday.

In the case of Sweet32 (the 32 being 50 per cent of the 64 bits in a cipher), the "magic number" is pretty big: the authors write that 785 GB of captured traffic will, under the right conditions, yield up the encrypted HTTP cookie and let them decrypt Blowfish- or Triple-DES-encrypted traffic. If you do it right, and here begins the TL;dr part. To launch the attack, you need to:

1. Get a victim to visit a malicious site (site A) – one that they have to log into. The victim's login sets an HTTP cookie the browser uses for future requests;
2. Pass the victim on to Site B, which generates millions of JavaScript requests to Site A, using the login cookie given to the victim;
3. Keep the connection alive long enough to store 785 GB of encrypted data blocks, and look for a collision;
4. Decrypt the login cookie.
Decryption is still the hard part: the researchers note that it's far from an instant process:

"On Firefox Developer Edition 47.0a2, with a few dozen workers running in parallel, we can send up to 2,000 requests per second in a single TLS connection. In our experiment, we were lucky to detect the first collision after only 25 minutes (2^20.1 requests), and we verified that the collision revealed [the plaintext we were after] … The full attack should require 2^36.6 blocks (785 GB) to recover a two-block cookie, which should take 38 hours in our setting. Experimentally, we have recovered a two-block cookie from an HTTPS trace of only 610 GB, captured in 30.5 hours."

As they note, however, long-lived encrypted connections exist in at least one real-world setting: VPN sessions. "Our attacks impact a majority of OpenVPN connections and an estimated 0.6% of HTTPS connections to popular websites. We expect that our attacks also impact a number of SSH and IPsec connections, but we do not have concrete measurements for these protocols" (emphasis added). For users, that means switching from 64-bit ciphers to 128-bit ciphers; or if you can't get the server to switch, set up your client to force frequent re-keying. Browser makers, TLS library authors and OpenVPN have been notified and are working on patches.

HTTPS and OpenVPN face new attack that can decrypt secret cookies

Image caption: From an upcoming paper laying out a new attack against 64-bit block ciphers used by HTTPS and OpenVPN (Karthikeyan Bhargavan and Gaëtan Leurent).

Researchers have devised a new attack that can decrypt secret session cookies from about 1 percent of the Internet's HTTPS traffic and could affect about 600 of the Internet's most visited sites, including nasdaq.com, walmart.com, match.com, and ebay.in. The attack isn't particularly easy to carry out because it requires an attacker to have the ability to monitor traffic passing between the end user and one of the vulnerable websites and to also control JavaScript on a webpage loaded by the user's browser.

The latter must be done either by actively manipulating an HTTP response on the wire or by hosting a malicious website that the user is tricked into visiting.

The JavaScript then spends the next 38 hours collecting about 785GB worth of data to decrypt the cookie, which allows the attacker to log into the visitor's account from another browser.

A related attack against OpenVPN requires 18 hours and 705GB of data to recover a 16-byte authentication token.

Impractical no more

Despite the difficulty in carrying out the attack, the researchers said it works in their laboratory and should be taken seriously.

They are calling on developers to stop using legacy 64-bit block-ciphers.

For transport layer security, the protocol websites use to create encrypted HTTPS connections, that means disabling the Triple DES symmetric key cipher, while for OpenVPN it requires retiring a symmetric key cipher known as Blowfish.

Ciphers with larger block sizes, such as AES, are immune to the attack. "It is well-known in the cryptographic community that a short block size makes a block cipher vulnerable to birthday attacks, even if the[re] are no cryptographic attacks against the block cipher itself," the researchers wrote in a blog post explaining the attacks. "We observe that such attacks have now become practical for the common usage of 64-bit block ciphers in popular protocols like TLS and OpenVPN." A birthday attack is a type of cryptographic exploit that is based on the mathematical principle known as the birthday paradox.
It holds that in a room of 23 randomly selected people, there is a 50-percent chance two of them will share the same birthday, and there's a 99.9 percent chance when the number is increased to 70 people.

The same principle can be used by cryptographers to find so-called collisions, in which the output of two chunks of encrypted text is the same.

Collisions, in turn, easily return the plaintext.

By collecting hundreds of gigabytes worth of HTTPS or VPN data and carefully analyzing it, the attackers are able to recover the sensitive cookie. In response to the new attack, which the researchers have dubbed Sweet32, OpenVPN developers on Tuesday released a new version of the program that actively discourages the use of 64-bit ciphers. OpenSSL maintainers, meanwhile, said in a blog post that they plan to disable Triple DES in version 1.1.0, which they expect to release on Thursday.
In versions 1.0.2 and 1.0.1, they downgraded Triple DES from the "high" to "medium," a change that increases the chances that safer ciphers are used to encrypt data traveling between servers and end users.

The precise cipher choice is made dynamically and is based on a menu of options supported by both parties. While stripping Triple DES out of all versions would be the safest course, it also would leave some people unable to browse certain HTTPS sites altogether.

"A matter of good hygiene"

"When you have a large installed base, it is hard to move forward in a way that will please everyone," Rich Salz, a senior architect at Akamai Technologies and a member of the OpenSSL developer team, wrote. "Leaving triple-DES in 'DEFAULT' for 1.0.x and removing it from 1.1.0 is admittedly a compromise. We hope the changes above make sense, and even if you disagree and you run a server, you can explicitly protect your users through configuration." Browser makers are also in the process of making changes that prioritize safer ciphers over Triple DES. The Sweet32 attack will be presented in October at the 23rd ACM Conference on Computer and Communications Security. While the time and data-collection requirements present a significant barrier, it works as described on sites that support Triple DES and allow long-lived HTTPS connections.

As of May, about 600 websites in the Alexa 100,000 were identified, including those mentioned at the beginning of this article. Karthikeyan Bhargavan and Gaëtan Leurent—the researchers behind Sweet32—estimate that about 1 percent of the Internet's HTTPS traffic is vulnerable. OpenSSL team member Viktor Dukhovni summed things up well in an e-mail. "We're not making a fuss about the 3DES issue, and rating it 'LOW,'" Dukhovni wrote. "The 3DES issue is of little practical consequence at this time.
It is just a matter of good hygiene to start saying goodbye to 3DES."
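Both Sweet32 articles above rest on the same birthday-bound arithmetic: the 23-people / 70-people figures, the claim that collisions are "manageably common" after a few hundred gigabytes under a 64-bit block cipher, and the advice to move to 128-bit blocks or force frequent re-keying. The following Python is an added example written for this page; it is not code from either article or from the researchers. It computes the exact birthday probability for the room example, the standard approximation 1 - exp(-n(n-1)/2N) for n ciphertext blocks under a cipher with N = 2^b possible blocks, the expected number of colliding block pairs in the 785 GB trace the text quotes, and a defender-side re-keying threshold: how many bytes one key may encrypt before the collision probability crosses a chosen bound, for 64-bit (3DES/Blowfish) versus 128-bit (AES) blocks. Function names and the 1e-6 bound are my own choices, not anything the articles or the paper define.

```python
import math


def exact_birthday_collision(n, space=365):
    """Exact probability that at least two of n uniform draws from `space`
    values coincide, computed as 1 - P(all distinct). Only feasible for small n."""
    if n > space:
        return 1.0
    p_distinct = 1.0
    for i in range(n):
        p_distinct *= (space - i) / space
    return 1.0 - p_distinct


def approx_collision_probability(n_blocks, block_bits):
    """Birthday approximation 1 - exp(-n(n-1) / (2 * 2^b)) for n ciphertext blocks
    of a b-bit block cipher in CBC mode, where every block is close to uniform.
    The exact product is infeasible for n ~ 2^32, hence the approximation."""
    space = 2 ** block_bits
    return 1.0 - math.exp(-n_blocks * (n_blocks - 1) / (2 * space))


def expected_collisions(n_blocks, block_bits):
    """Expected number of colliding block pairs among n blocks: C(n,2) / 2^b."""
    space = 2 ** block_bits
    return n_blocks * (n_blocks - 1) / (2 * space)


def blocks_for_collision_probability(p, block_bits):
    """Invert the approximation: number of blocks after which the probability of
    at least one block collision reaches p."""
    space = 2 ** block_bits
    return math.sqrt(-2 * space * math.log(1 - p))


def rekey_threshold_bytes(block_bits, max_collision_prob=1e-6):
    """Bytes a single key may encrypt before the collision probability exceeds
    max_collision_prob. This is the number to size a re-keying interval against
    (the articles' "force frequent re-keying" advice) when a 64-bit cipher cannot
    be retired; 1e-6 is an assumed bound chosen for illustration."""
    block_bytes = block_bits // 8
    return blocks_for_collision_probability(max_collision_prob, block_bits) * block_bytes


if __name__ == "__main__":
    print(f"23 people share a birthday: {exact_birthday_collision(23):.3f}")
    print(f"70 people share a birthday: {exact_birthday_collision(70):.4f}")
    gb = 2 ** 32 * 8 / 1e9
    print(f"64-bit cipher, 2^32 blocks ({gb:.0f} GB): "
          f"P(collision) = {approx_collision_probability(2 ** 32, 64):.3f}")
    # 785 GB of 8-byte blocks, the trace size the articles quote
    n_785gb = 785 * 10 ** 9 // 8
    print(f"785 GB trace: ~{expected_collisions(n_785gb, 64):.0f} expected block collisions")
    for bits, name in ((64, "3DES/Blowfish"), (128, "AES")):
        mb = rekey_threshold_bytes(bits) / 1e6
        print(f"{name}: re-key after {mb:,.1f} MB to keep P(collision) below 1e-6")
```

The contrast in the last two lines is the whole point of the articles' advice: a 64-bit cipher must be re-keyed after tens of megabytes to keep collision probability negligible, whereas a 128-bit block cipher under the same bound can encrypt hundreds of petabytes per key, which is why AES is effectively immune in practice.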

SSL Padding Oracle On Downgraded Legacy Encryption (POODLE) Vulnerability

On October 14, 2014, a vulnerability was publicly announced in the Secure Sockets Layer version 3 (SSLv3) protocol when using a block cipher in Cipher Block Chaining (CBC) mode.
SSLv3 is a cryptographic protocol designed to provide...