# My self is steam

Insights into computer security, programming and math

May 21, 2020

## Timing Attack Side Channel in IAIK JCE DSA Implementation

IAIK-JCE is a provider for the Java Cryptography Extension that, according to the vendor, "supplements the security functionality of the default JDK". It is a commercial product developed by Stiftung Secure Information and Communication Technologies, a spin-off of the Institute for Applied Information Processing and Communication (IAIK) of the University of Graz. The company is kind enough to offer a full, free evaluation version for any non-commercial use.

By observing the behavior of the latest version (5.60 as of today), one can get a glimpse of how the major cryptographic algorithms are implemented. This process led me to the discovery of a subtle vulnerability in the implementation of the DSA algorithm: the way some of the computations involved in signature generation are carried out introduces a side channel that leaks timing information, from which an attacker could potentially recover the private key.

Consider the following:

Problem 1: Given a set of $n$ randomly selected RSA numbers, estimate the portion $k$ of numbers whose composing primes both belong to the residue class .

Attempting to solve this apparently innocent problem will allow us to range over a few interesting ideas from different disciplines.

It is important to first identify the constraints of the problem, since it clearly inquires about mathematical objects whose scope intersects with the domain of security: we shall define an RSA number to be any odd semiprime for which we directly observe neither its composing primes nor any property of them. This definition readily applies to the public key moduli of RSA certificates, for instance.

Under this setting, the problem basically asks whether it is possible to infer some kind of information about objects that are kept secret; in other words, although it is generally not possible to reconstruct the underlying factors, could we at least classify them into well-defined categories by interacting with the observables only? That is, given a set of $N=pq$, could one state anything at all about both $p$ and $q$ by observing only the $N$s?

December 11, 2018

## Finding Duplicate RSA Moduli in the Wild

### Or, programming in the way of Diogenes

Let's imagine one is assigned the problem of finding duplicate RSA moduli in all publicly available SSL certificates on the Internet, the reason being a census of public hosts sharing the same modulus.

Most of the time, if not always, having the same modulus equates to saying that the certificates share the same public key, the latter being the tuple composed of the public exponent and the modulus. Indeed, the public exponent is often chosen among the values 3, 17 and $2^{16} + 1$, as this leads to fast exponentiation operations. Therefore, under these conditions, it is the modulus that is responsible for the uniqueness of the public key.

In this setting, the certificates fall into three distinct sets that, from a security standpoint, delineate a simple yet interesting threat model.

The first one is the set of all the certificates for which no duplicates occur; the second is the set of all the certificates with shared moduli/public keys belonging to the same organization. The third and most interesting one is the set of all those duplicates that appear to belong to different, unrelated actors.

The assumptions behind the latter two sets, which hence form the basis of the model, are that an entry in the third set represents a concrete threat to those parties whose modulus is non-unique, while an entry in the second set, although not representative of best practices, can more easily be justified as the result of key or certificate reuse, a common custom on the Internet.

September 11, 2018

## The Penguin Still Shows Through

### An account of CVE-2018-5548

Sometimes a technical discipline manages to reach the point of providing the wrong answers to the right problems, as in the case of what is commonly misnamed Software Engineering. It may also happen that a whole industry is built on the belief that no answers to the wrong problems is a profitable strategy to respond to the demanding needs of an ever-growing customer base. Historically, such a case is exemplified by the infosec industry. It's a sterile exercise to acknowledge that the industry has reached the point where flame wars about irresponsible disclosure, embargoes and branded vulnerabilities are the major pillars of its dialectic. Thirty years after the Morris Worm, we are still dealing with WannaCry, after all.

My little personal contribution to the gallery of infosec failures is the discovery of a vulnerability in F5 BIG-IP. The vulnerability has been assigned CVE-2018-5548.

February 27, 2018

## SQL Injection Suminagashi

I once found myself in the oppressive situation in which the only interaction with the underlying machine was through a rather restrictive application delivered as an X11-forwarded GUI communicating with a SAP database, namely Sybase ASE. The interaction was only in the form of insertion of text into input fields. The majority of these input fields only allowed for thirty-two-character strings, but there were exceptions depending on the context. Also, a sanitization mechanism was in place, transforming all characters to uppercase, truncating input at the occurrence of spaces, stripping single quotes and escaping other metacharacters. The only feedback from the database was in the form of error messages.

Within such restricted environments the artist finds the liminal space for self-expression.

January 28, 2018

## Hacking Safenet MobilePass OTP Token

### Or, "A Secret You Own is a Secret You Pwn".

Safenet MobilePass is a software OTP token from Gemalto that, in its most used configuration, serves as a two-factor authentication solution for webmail portals. Unfortunately, as is often the case with this kind of solution, rather than being of any use at all, it shows up as an obstacle to usability and personal freedom. Not only does the token introduce the need to remember yet another PIN code, for which up to three failed insertion attempts are tolerated, after which the prospect of an account lock becomes painfully concrete, but it also requires a smartphone or a Windows installation in order to run. As there is no place in my life for such diversions, I once found myself in the absurd situation of not being able to access my email.

When the right to communicate, access one's own data, and carry out working tasks rests on the assumption that expensive gadgets or unusable proprietary software are the norm, it means that an abuse against a minority is being perpetrated. This assumption would equate to the situation of being denied the right to speak in a foreign country just because we have no interest in learning the local language. As an instrument of oppression, I then declared Safenet MobilePass my enemy, to the sabotage and subversion of which I dedicated all the efforts of one of my weekends. When the machine oppresses, break the machine.