My self is steam

Insights into computer security, programming and math


May 21, 2020
Timing Attack Side Channel in IAIK JCE DSA Implementation

IAIK-JCE is a provider for the Java Cryptography Extension that, according to the vendor, "supplements the security functionality of the default JDK". It is a commercial product developed by Stiftung Secure Information and Communication Technologies, a spin-off of the Institute for Applied Information Processing and Communication (IAIK) of the University of Graz. The company is kind enough to offer a full, free evaluation version for any non-commercial use.

By observing the behavior of the latest version (5.60 as of today), one can get a glimpse of how the major cryptographic algorithms are implemented. This process led me to the discovery of a subtle vulnerability in the implementation of the DSA algorithm: the way that some of the computations involved in the signature generation are carried out introduces a side channel that leaks timing information from the observation of which an attacker could potentially recover the private key.


May 03, 2020
Mindreading your Ps and Qs

Consider the following:

Problem 1: Given a set of n randomly selected RSA numbers, estimate the portion k of numbers whose composing primes both belong to the residue class 3 (mod 4).

Attempting to solve this apparently innocent problem will allow us to range over a few interesting ideas from different disciplines.

It is important to first identify the constraints of the problem, since it clearly inquires about mathematical objects whose scope intersects with the domain of security: we shall define an RSA number to be any odd semiprime for which we directly observe neither its composing primes nor any kind of property about them. This definition easily applies to the public key moduli of RSA certificates, for instance.

Under this setting, the problem basically asks whether it is possible to infer some kind of information about objects that are kept secret; in other words, although it is generally not possible to reconstruct the underlying factors, could we at least classify them into well-defined categories by interacting with the observables only? That is, given a set of moduli N=pq, could one state anything at all about both p and q by observing only the Ns?


December 11, 2018
Finding Duplicate RSA Moduli in the Wild

Or, programming in the way of Diogenes

Let's imagine one is assigned the problem of finding duplicate RSA moduli in all publicly available SSL certificates on the Internet, the reason being a census of public hosts sharing the same modulus.

Most of the time, if not always, having the same modulus equates to saying that the certificates share the same public key, the latter being the tuple composed of the public exponent and the modulus. Indeed, the public exponent is usually chosen among the values 3, 17 and 2^16 + 1, as this leads to fast exponentiation operations. Therefore, under these conditions, it is the modulus that is responsible for the uniqueness of the public key.

In this setting, the certificates fall into three distinct sets that, from a security standpoint, delineate a simple yet interesting threat model.

The first one is the set of all the certificates for which no duplicates occur; the second is the set of all the certificates with shared moduli/public keys belonging to the same organization. The third and most interesting one is the set of all those duplicates that appear to belong to different, unrelated actors.

The latter two sets are defined under the assumptions, which hence form the basis of the model, that an entry in the third set represents a concrete threat to those parties whose modulus is non-unique, while an entry in the second set, although not representative of best practices, could be more easily justified as the result of key or certificate reuse, a common custom on the Internet.


September 11, 2018
The Penguin Still Shows Through

An account of CVE-2018-5548

Sometimes a technical discipline manages to reach the point of providing the wrong answers to the right problems, as in the case of what is commonly misnamed Software Engineering. It may also happen that a whole industry is built on the belief that no answers to the wrong problems is a profitable strategy to respond to the demanding needs of an ever-growing customer base. Historically, such a case is exemplified by the infosec industry. It's a sterile exercise to acknowledge that the industry has reached the point where flame wars about irresponsible disclosure, embargoes and branded vulnerabilities are the major pillars of its dialectic. Thirty years after the Morris Worm, we are still dealing with WannaCry, after all.

My little personal contribution to the gallery of infosec failures is the discovery of a vulnerability in F5 BIG-IP. The vulnerability has been assigned CVE-2018-5548.


February 27, 2018
SQL Injection Suminagashi

I once found myself in the oppressive situation in which the only interaction with the underlying machine was through a rather restrictive application delivered as an X11-forwarded GUI communicating with a SAP database named Sybase ASE. The interaction was only in the form of insertion of text into input fields. The majority of these input fields only allowed for thirty-two-character-long strings, but there were exceptions depending on the context. Also, a sanitization mechanism was in place, transforming all characters to uppercase, truncating input at the occurrence of spaces, stripping single quotes and escaping other metacharacters. The only feedback from the database was in the form of error messages.

Within such restricted environments the artist finds the liminal space for self-expression.


January 28, 2018
Hacking Safenet MobilePass OTP Token

Or, "A Secret You Own is a Secret You Pwn".

Safenet MobilePass is a software OTP token from Gemalto that, in its most used configuration, serves as a two-factor authentication solution for webmail portals. Unfortunately, as is often the case with this kind of solution, rather than being of any use at all, it shows up as an obstacle to usability and personal freedom. Not only does the token introduce the need to remember yet another PIN code, for which up to three failed insertion attempts are tolerated, after which the prospect of an account lock becomes painfully concrete, but it also requires a smartphone or a Windows installation in order to run. As there is no place in my life for such diversions, I once found myself in the absurd situation of not being able to access my email.

When the right to communicate, access one's own data, and carry out working tasks rests on the assumption of expensive gadgets or unusable proprietary software being the norm, it means that an abuse against a minority is being perpetrated. This assumption would equate to the situation of being denied the right to speak in a foreign country just because we have no interest in learning the local language. I then declared Safenet MobilePass, as an instrument of oppression, my enemy, to the sabotage and subversion of which I dedicated all the efforts of one of my weekends. When the machine oppresses, break the machine.


August 28, 2017
Programming had Troy won the war

A form of self-improvement can be found in attempting to implement algorithms, no matter how simple, in less conventional programming languages. This kind of activity can sometimes lead to the same enlightenment experienced in solving the best linguistic riddles: our personal boundaries are broadened by a transversal understanding, as opposed to cognitive experiences circumscribed to a defining set of rules (logical or mathematical puzzles, for instance). I currently regard APL as one of the best programming languages with which to explore new approaches to problem solving; its highly compositional power combined with the orthogonality of its rich set of operators enables the programmer to focus her efforts on the problem itself rather than struggling with the limitations or the burdens imposed by the language's peculiarities.


August 21, 2017
GNU APL on OpenBSD

In order to run the GNU APL interpreter on OpenBSD, which to the best of my knowledge seems to be one of the very few free APL interpreters available, I created a port that I currently maintain and that will be part of the next OpenBSD release (which at the time of this writing is planned to be 6.2). I also packaged Adrian Smith's original fonts, which are now a dependency of the GNU APL package. For the time being I host both ports on my home page as well.
