IAIK-JCE is a provider for the Java Cryptography Extension that,
according to the vendor, "supplements the security functionality
of the default JDK". It is a commercial product developed by Stiftung Secure Information
and Communication Technologies, a spin-off of the Institute for
Applied Information Processing and Communication (IAIK) of the
University of Graz. The company is kind enough to offer a full,
free evaluation version for any non-commercial use.
By observing the behavior of the latest version (5.60 as of today), one can get
a glimpse of how the major cryptographic algorithms are implemented. This
process led me to the discovery of a subtle vulnerability in the
implementation of the DSA algorithm: the way in which some of the computations
involved in signature generation are carried out introduces a timing side
channel, from the observation of which an attacker could potentially
recover the private key.
Consider the following:
Given a set of randomly selected
RSA numbers, estimate the portion
of numbers whose composing primes both belong to the residue class
Attempting to solve this apparently innocent problem will allow us
to range over a few interesting ideas from different disciplines.
It is important to first identify the constraints of the problem,
since it clearly inquires about mathematical objects whose scope
intersects with the domain of security: we shall define an RSA
number to be any odd semiprime for which we directly observe
neither its composing primes nor any property of them.
This definition readily applies to the public key moduli of RSA
certificates, for instance.
Under this setting, the problem basically asks whether it is
possible to infer some kind of information about objects that
are kept secret; in other words, although it is generally not possible
to reconstruct the underlying factors, could we at least classify
them into well-defined categories by interacting with the observables
only? That is, given a set of ,
could one state anything at all about both and
by observing only the s?
Or, programming in the way of Diogenes
Let's imagine one is assigned the problem of finding duplicate
RSA moduli in all publicly available SSL certificates on the Internet,
the reason being a census of public hosts sharing the
Most of the time, if not always, having the same modulus equates
to saying that the certificates share the same public key, the
latter being the tuple composed of the public exponent and the
modulus. Indeed, the public exponent is usually chosen from among the
values 3, 17 and 2^16 + 1, as this leads to fast exponentiation
operations. Therefore, under these conditions, it is the modulus that
is responsible for the uniqueness of the public key.
In this setting, the certificates fall into three distinct sets
that, from a security standpoint, delineate a simple yet interesting
The first one is the set of all the certificates for which no
duplicates occur; the second is the set of all the certificates
with shared moduli/public keys belonging to the same organization.
The third and most interesting one is the set of all those duplicates
that appear to belong to different, unrelated actors.
The assumptions behind the latter two sets, which hence form the
basis of the model, are that an entry in the third set represents
a concrete threat to those parties whose modulus is non-unique,
while an entry in the second set, although not representative of
best practices, is more easily justified as the result of key or
certificate reuse, a common custom on the Internet.
An account of CVE-2018-5548
Sometimes a technical discipline manages to reach the point of providing
the wrong answers to the right problems, as in the case of what is
commonly misnamed Software Engineering. It may also happen that
a whole industry is built on the belief that giving no answers to the wrong
problems is a profitable strategy to respond to the demanding needs of
an ever-growing customer base. Historically, such a case is exemplified
by the infosec industry. It's a sterile exercise to acknowledge that the industry has
reached the point where flame wars about irresponsible disclosure,
embargoes and branded vulnerabilities are the major pillars of its dialectic.
Thirty years after the Morris Worm, we are still dealing with
WannaCry, after all.
My little personal contribution to the gallery of infosec failures is
the discovery of a vulnerability in F5 BIG-IP.
The vulnerability has been assigned CVE-2018-5548.
I once found myself in the oppressive situation in which
the only interaction with the underlying machine was
through a rather restrictive application delivered as
an X11-forwarded GUI communicating with a
SAP database named
Sybase ASE. The interaction was only in the form of
insertion of text into input fields. The majority of these input fields
only allowed for thirty-two-character-long strings, but there
were exceptions depending on the context. Also, a sanitization
mechanism was in place, transforming all characters to uppercase,
truncating input at the occurrence of spaces, stripping single quotes
and escaping other metacharacters. The only feedback from the database
was in the form of error messages.
Within such restricted environments the artist finds the liminal space for self-expression.
Or, "A Secret You Own is a Secret You Pwn".
Safenet MobilePass is a software OTP token from Gemalto that,
in its most used configuration, serves as a two-factor authentication
solution for webmail portals. Unfortunately, as is often the case
with this kind of solution, rather than being of any use at all, it
shows up as an obstacle to usability and personal freedom. Not only
does the token introduce the need to remember yet another PIN code,
for which up to three failed insertion attempts are tolerated, after
which the prospect of an account lock becomes painfully concrete, but it
also requires a smartphone or a Windows installation in order to run.
As there is no place in my life for such diversions, I once found
myself in the absurd situation of not being able to access my email.
When the right to communicate, access one's own data, and carry out
working tasks rests on the assumption of expensive gadgets or
unusable proprietary software as being the norm, it means that an abuse
against a minority is being perpetrated. This assumption would equate to
the situation of being denied the right to speak in a foreign country
just because we have no interest in learning the local language. As an
instrument of oppression, I then declared Safenet MobilePass as my enemy
to the sabotage and subversion of which I dedicated all the efforts of
one of my weekends. When the machine oppresses, break the machine.
A form of self-improvement can be found in attempting to implement
algorithms, no matter how simple, in less conventional programming
languages. This kind of activity can sometimes lead to the same
enlightenment experienced in solving the best linguistic riddles: our
personal boundaries are broadened by a transversal understanding, as
opposed to cognitive experiences circumscribed to a defining set of rules
(logical or mathematical puzzles, for instance). I currently regard APL as
one of the best programming languages with which to explore new approaches
to problem solving; its highly compositional power combined with the
orthogonality of its rich set of operators enables the programmer to focus
her efforts on the problem itself rather than struggling with the
limitations or the burdens imposed by the language's peculiarities.
In order to run the GNU APL
interpreter on OpenBSD, which, to the best of my knowledge, seems to be
one of the very few free
available, I created a port that I currently maintain and that will be part
of the next OpenBSD release (at the time of this writing, planned to be
6.2). I also packaged
Adrian Smith's original
fonts, which are now a dependency of the GNU APL package.
For the time being I host both ports on my home page as well.