15. Authentication Wrap Up
PC: Password entered not too often (usually just after unlocking console)
Smartphone: Password entered every time you need to access data (after switching applications or after short time-out)
Handling passwords on smartphone is more difficult than on PC
Smartphone requires stronger password protection than PC but provides fewer capabilities for doing so!
16. Threat Model
Assumptions:
01. Attacker has:
Physical access to the device, or
Backup of the device, or
Access to password manager database file
02. Attacker wants to:
Recover master password for password manager(s) on the mobile device
Extract passwords stored by those managers
18. Physical Access
PC: Computers are relatively big. Thus, hard to steal or lose. You know where it is (well, most of the time).
Smartphone: Lots of phones go in wrong hands every year. Many are left in the bars. Do you really know where exactly your phone is right now?
20. Device Backup
Apple iOS:
Need device passcode or iTunes pairing
Optional encryption (enforced by device)
PBKDF2-SHA1 with 10’000 iterations
BlackBerry:
Need device password
Optional encryption (not enforced)
PBKDF2-SHA1 with 20’000 iterations
21. Database Files
Apple iOS:
Via afc (need passcode or iTunes pairing)
Via SSH (jailbroken devices)
Via physical imaging (up to iPhone 4)
BlackBerry:
Need device password
22. iOS Passcode
Starting with iOS 4 passcode is involved in encryption of sensitive data
Passcode key derivation is slowed down by doing 50’000 iterations
- Each iteration requires talking to hardware AES
- 6 p/s on iPhone 4
Can’t be performed off-line and scaled
Checking all 6-digit passcodes will take more than 40 hours
23. Cracking Passwords
| Name | Complexity | CPU p/s | GPU p/s | Len/24h |
|---|---|---|---|---|
| Keeper® Password & Data Vault | 1x MD5 | 60 M | 6000 M | 14.7 |
| Password Safe - iPassSafe Free | 1x AES-256 | 20 M | N/A | 12.2 |
| Strip Lite - Password Manager | 4000x PBKDF2-SHA1 + 1x AES-256 | 5000 | 160 K | 10.1 |
| SafeWallet - Password Manager | 10x PBKDF2-SHA1 + 1x AES-256 | 1500 K | 20 M | 12.2 |
| DataVault Password Manager | 1x SHA-256 + 1x SHA-1 | 7 M | 500 M | 13.6 |
| mSecure - Password Manager | 1x SHA-256 + 1x Blowfish | 300 K | N/A | 10.4 |
| LastPass for Premium Customers | 2x SHA-256 + 1x AES-256 | 5 M | 20 M | 12.2 |
| 1Password Pro | 1x MD5 + 1x AES-128 | 15 M | 20 M | 12.2 |
| BlackBerry Password Keeper | 3x PBKDF2-SHA1 + 1x AES-256 | 5 M | 20 M | 12.2 |
| BlackBerry Wallet 1.0 | 2x SHA-256 | 6 M | 300 M | 13.4 |
| BlackBerry Wallet 1.2 | 1x SHA-512 + 100x PBKDF2-SHA1 + 1x AES-256 | 200 K | 3200 K | 11.4 |
| iOS passcode | 50000 iterations with HW AES | 6 | 0 | 5.7 |
24. Cracking Passwords
| Name | Complexity | CPU p/s | GPU p/s | Len/24h |
|---|---|---|---|---|
| Keeper® Password & Data Vault | 1x MD5 | 60 M | 6000 M | 14.7 |
| Password Safe - iPassSafe Free | 1x AES-256 | 20 M | N/A | 12.2 |
| Strip Lite - Password Manager | 4000x PBKDF2-SHA1 + 1x AES-256 | 5000 | 160 K | 10.1 |
| SafeWallet - Password Manager | 10x PBKDF2-SHA1 + 1x AES-256 | 1500 K | 20 M | 12.2 |
| DataVault Password Manager | 1x SHA-256 + 1x SHA-1 | 7 M | 500 M | 13.6 |
| mSecure - Password Manager | 1x SHA-256 + 1x Blowfish | 300 K | N/A | 10.4 |
| LastPass for Premium Customers | 500x PBKDF2-SHA256 + 1x AES-256 | 12 K | 600 K | 10.7 |
| 1Password Pro | 1x MD5 + 1x AES-128 | 15 M | 20 M | 12.2 |
| BlackBerry Password Keeper | 3x PBKDF2-SHA1 + 1x AES-256 | 5 M | 20 M | 12.2 |
| BlackBerry Wallet 1.0 | 2x SHA-256 | 6 M | 300 M | 13.4 |
| BlackBerry Wallet 1.2 | 1x SHA-512 + 100x PBKDF2-SHA1 + 1x AES-256 | 200 K | 3200 K | 11.4 |
| iOS passcode | 50000 iterations with HW AES | 6 | 0 | 5.7 |
25. Summary
None of the tested password keepers offers reliable protection on top of OS security
Using them on improperly configured device may expose sensitive data
Paid apps are not necessarily more secure than free ones
29. and smaller…
Toshiba's 0.85” 4GB HDD
General principles still the same
Any piece of data could be modified independently
Erasing performed via overwriting
Data erasure standards exist
30. Flash Memory
Intel’s m-SATA 80G SSD (2010)
Invented in 1984
Two major types: NOR (1988, Intel), NAND (1989, Toshiba)
Stores electrical charge into a floating gate of transistor
Able to retain data for 10-100 years
31. Flash Memory Characteristics
Any byte could be written independently
Need erase (make all bits=1) before re-writing
Erasing with precision of block (e.g. 64K) only
- Limited number of guaranteed erase cycles
- Usually between 10’000 and 1’000’000
- Inerasable block should be marked as “bad”
Some blocks could be inerasable when leaving factory
32. Flash Memory Layout
Spare area could be used for:
Marking bad pages/blocks
Storing ECC data
Holding Physical-to-Logical mapping information
[Diagram labels: Bank 1 … Bank N; Erase Block 1 … Erase Block N; Page 1 … Page N; each page: Data (512b) + Spare]
33. Wear Leveling
Dynamic process that rearranges pages/blocks in order to extend flash lifetime
Algorithms developed by memory device manufacturers
Implementation details are usually kept secret
Goal: evenly spread the erasing of blocks over the full range of physical blocks
Data is written on blocks with the lowest erase count.
Writing and erasing of data are evenly distributed.
Blocks are maximized and ideally, fail at the same time.
34. Logical Characteristics
Simulates behavior of common HDD
Logical Block Addressing
Logical Address is translated to Physical Address by Flash Memory Controller
TRIM command for SSD
Intel’s m-SATA 80G SSD (2010)
36. Flash Translation Layer (FTL)
Responsible for finding Physical Page that represents actual data for specific Logical Page Number (LPN) of Block device
State of mapping tables is stored in Flash and cached in RAM
Unused (TRIM-ed) LPNs are not mapped at all
37. Altering data in Flash Storage
Any modification of data changes the mapping
New data is written to new (free) page
Previous version of page data (and content of TRIM-ed pages) still resides somewhere in Flash until block erased due to wear leveling or garbage collection
38. FTL in iOS devices
Implemented in software (runs on CPU)
Spare area of Data pages contains:
LPN: allows to find all Physical pages that were used to store data of some Logical page
USN (Update Sequence Number): allows to build the ordered “history” of page copies
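Added example (not part of the original slides): a toy FTL in Python that models the out-of-place writes, TRIM and LPN/USN spare-area fields described in slides 36-38, to show why an overwrite or delete is invisible at the logical level while older copies stay in flash until a block erase. The class, the tiny geometry and the sample data are constructed for illustration and do not reflect any real controller.

```python
from dataclasses import dataclass

PAGES_PER_BLOCK = 4  # constructed geometry, far smaller than real NAND

@dataclass
class Page:
    data: bytes
    lpn: int   # spare area: Logical Page Number
    usn: int   # spare area: Update Sequence Number

class ToyFTL:
    def __init__(self, blocks=4):
        self.flash = [None] * (blocks * PAGES_PER_BLOCK)  # None = erased page
        self.map = {}                                     # LPN -> physical page
        self.usn = 0

    def write(self, lpn, data):
        """Out-of-place update: data goes to a free page, the old copy stays."""
        ppn = self.flash.index(None)
        self.usn += 1
        self.flash[ppn] = Page(data, lpn, self.usn)
        self.map[lpn] = ppn

    def trim(self, lpn):
        """Delete at the logical level: the LPN is simply unmapped."""
        self.map.pop(lpn, None)

    def read(self, lpn):
        """What the block device (and the file system above it) sees."""
        ppn = self.map.get(lpn)
        return None if ppn is None else self.flash[ppn].data

    def history(self, lpn):
        """Raw scan: every physical copy of an LPN, ordered by USN."""
        copies = [p for p in self.flash if p and p.lpn == lpn]
        return [p.data for p in sorted(copies, key=lambda p: p.usn)]

    def garbage_collect(self, block):
        """Keep live pages, erase the whole block, write live pages back."""
        span = range(block * PAGES_PER_BLOCK, (block + 1) * PAGES_PER_BLOCK)
        live = [self.flash[i] for i in span
                if self.flash[i] and self.map.get(self.flash[i].lpn) == i]
        for i in span:
            self.flash[i] = None
        for p in live:
            self.write(p.lpn, p.data)

def demo():
    ftl = ToyFTL()
    ftl.write(7, b"PIN=4921")     # constructed secret
    ftl.write(7, b"\x00" * 8)     # "secure overwrite" through the block device
    ftl.trim(7)                   # file deleted, TRIM issued
    logical, raw_before = ftl.read(7), ftl.history(7)
    ftl.garbage_collect(0)        # only the block erase removes stale copies
    return logical, raw_before, ftl.history(7)
```

`demo()` returns what the logical read sees, what a raw scan finds before garbage collection, and what it finds after the block is erased.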
39. Accessing raw Flash on iOS devices
IOFlashControllerUserClient kernel service is available
externalMethod functions allow performing “raw” reading of Physical pages
ReadPage request support removed in iOS 5
- RAMdisk based on iOS 4 could help
- It is possible to patch the kernel in memory and restore ability to read pages
40. Which devices could be examined?
01. Anything prior to iPhone4S/iPad2/iPod5 by loading custom RAMdisk/Kernel
02. Any iOS device if you know how to obtain digital signature for your RAMdisk from Apple
03. Jailbroken device by patching kernel in memory
41. How “Forensic” is it?
Not too much…
01. Booting the iDevice causes some alteration of Flash content
02. Obtaining Flash dump twice would not produce identical results
42. Is there secure way to erase data?
Deleting file produces good result at logical level (due to TRIM) – better than HDD
Neither deleting nor overwriting actually removes the data at physical level – much worse than HDD
Probability of successful data recovery depends on amount of unused space on Flash Storage (more space – more chances)
45. Explore textual marks on Modem
Front side:
“4G” logo
operator’s logo
Back side:
nothing
Under the cover (access to SIM and SD cards):
Operator’s internal model number
IMEI
Serial number
Hmm, what is the actual manufacturer name and model number?
49. Is there Modem anymore?
After plugging into PC running Windows 7:
CWID USB SCSI CD-ROM USB Device
ZTE MMC Storage USB Device (MicroSD Card Reader)
After performing “Eject CD Drive”:
CD-ROM (sometimes they come back!)
MicroSD Card Reader
Remote NDIS* based Internet Sharing Device
*NDIS == Network Driver Interface Specification
No drivers required! (at least on Windows 7 ;)
52. HTTP server on 192.168.0.1
GET /index.html HTTP/1.1
Host: 192.168.0.1
HTTP/1.1 404 Site or Page Not Found
GET / HTTP/1.1
Host: 192.168.0.1
HTTP/1.0 302 Redirect
Server: GoAhead-Webs/2.5.0
Location: http://192.168.0.1/index.html
53. HTTP server Handlers
Defined UrlHandlers:
/goform
/cgi-bin
/mmc2
/api/xmlclient/post
/client/backup
/api/nvramul.cgi
Defined GoForm handlers:
/goform/goform_get_cmd_process
/goform/goform_set_cmd_process
/goform/goform_process
/goform/formTest
55. Switching to Download (FACTORY) mode
http://192.168.0.1/goform/goform_process?goformId=MODE_SWITCH&switchCmd=FACTORY
New devices appear:
ZTE Diagnostics Interface (COMX)
ZTE NMEA Device (COMY)
ZTE Proprietary USB Modem
NB: Send AT+ZCDRUN=F to COM-port associated with “ZTE NMEA Device” to return from Download mode
56. telnetd on 192.168.0.1
OpenEmbedded Linux 9615-cdp
msm 20130729 9615-cdp
9615-cdp login: root
Password: zte9x15
root@9615-cdp:~# id
uid=0(root) gid=0(root) groups=0(root)
57. Root is good!
Full-featured ARM-based Linux
busybox apps (e.g. nc and netstat)
iptables
tcpdump
gdbserver
CD image at /usr/zte_web/ZTEMODEM.ISO
HTTP server root at /usr/zte_web/web/*
auto_apn
copy
zte_log
60. What are the threats?
log all internet activity
replicate all internet activity
access to local network?
GPS-enabled? store/report GPS location
WiFi-enabled? access to local WiFi
under remote management
controls all external traffic
64. Bit of history
01. Who knows what is BPF/eBPF/Systemtap/DTrace?
02. Have you ever used any of these technologies before?
03. Why do we need eBPF if we already have /proc/vmstat/lsof/strace/tcpdump/ ... ?
66. Man bpf
* Run code in the kernel without having to write a ko (kernel module)
Description
The bpf() system call performs a range of operations related to extended Berkeley Packet Filters. Extended BPF (or eBPF) is similar to the original ("classic") BPF (cBPF) used to filter network packets. For both cBPF and eBPF programs, the kernel statically analyzes the programs before loading them, in order to ensure that they cannot harm the running system.
eBPF extends cBPF in multiple ways, including the ability to call a fixed set of in-kernel helper functions (via the BPF_CALL opcode extension provided by eBPF) and access shared data structures such as eBPF maps.
[Diagram labels: limited C, eBPF bytecode]
67. λ ~ sudo tcpdump host 127.0.0.1 and port 80 -d
(000) ldb [0]
(001) and #0xf0
(002) jeq #0x40 jt 3 jf 19
(003) ld [12]
(004) jeq #0x7f000001 jt 7 jf 5
(005) ld [16]
(006) jeq #0x7f000001 jt 7 jf 19
(007) ldb [9]
(008) jeq #0x84 jt 11 jf 9
(009) jeq #0x6 jt 11 jf 10
(010) jeq #0x11 jt 11 jf 19
(011) ldh [6]
(012) jset #0x1fff jt 19 jf 13
(013) ldxb 4*([0]&0xf)
(014) ldh [x + 0]
(015) jeq #0x50 jt 18 jf 16
(016) ldh [x + 2]
(017) jeq #0x50 jt 18 jf 19
(018) ret #262144
(019) ret #0
tcpdump?
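Added example (not part of the original slides): a minimal Python interpreter for the classic BPF instructions that appear in the listing above, run over constructed raw IPv4 packets to show how the filter reaches `ret #262144` (capture) or `ret #0` (drop). The tuple encoding and the names `PROG`, `run` and `ipv4` are chosen here; treating an out-of-bounds load as "return 0" models the kernel rejecting the packet.

```python
import struct

# The filter from the tcpdump -d listing, one tuple per instruction (000..019).
PROG = [
    ("ldb", 0), ("and", 0xF0), ("jeq", 0x40, 3, 19),         # IPv4?
    ("ld", 12), ("jeq", 0x7F000001, 7, 5),                   # src 127.0.0.1?
    ("ld", 16), ("jeq", 0x7F000001, 7, 19),                  # dst 127.0.0.1?
    ("ldb", 9), ("jeq", 0x84, 11, 9), ("jeq", 0x06, 11, 10),
    ("jeq", 0x11, 11, 19),                                   # SCTP, TCP or UDP?
    ("ldh", 6), ("jset", 0x1FFF, 19, 13),                    # skip non-first fragments
    ("ldxb", 0),                                             # X = 4*([0]&0xf)
    ("ldhx", 0), ("jeq", 0x50, 18, 16),                      # source port 80?
    ("ldhx", 2), ("jeq", 0x50, 18, 19),                      # destination port 80?
    ("ret", 262144), ("ret", 0),
]
SIZES = {"ldb": 1, "ldh": 2, "ld": 4, "ldhx": 2}

def run(prog, pkt):
    """Return the number of bytes to capture (0 means drop)."""
    a = x = pc = 0
    while True:
        op, k, *jumps = prog[pc]
        pc += 1
        if op in SIZES:
            off = k + (x if op == "ldhx" else 0)
            if off + SIZES[op] > len(pkt):
                return 0                   # out-of-bounds load rejects the packet
            a = int.from_bytes(pkt[off:off + SIZES[op]], "big")
        elif op == "ldxb":
            if k >= len(pkt):
                return 0
            x = 4 * (pkt[k] & 0x0F)        # IP header length in bytes
        elif op == "and":
            a &= k
        elif op == "jeq":
            pc = jumps[0] if a == k else jumps[1]
        elif op == "jset":
            pc = jumps[0] if a & k else jumps[1]
        elif op == "ret":
            return k

def ipv4(src, dst, proto, sport, dport, frag=0):
    """Constructed raw IPv4 packet with 8 bytes of L4 header, checksums zero."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, frag, 64, proto, 0,
                      bytes(src), bytes(dst))
    return hdr + struct.pack("!HHHH", sport, dport, 8, 0)
```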
72. eXpress Data Path (XDP)
Makes it easy to mitigate DDoS attacks on L3-L7
Your weakest point is your network bandwidth
Requires supported network cards to offload the XDP program onto them
[Diagram labels: Application, Network stack, Kernel, BPF program, Network devices, Fast drop]
74. Tools
● bcc – BPF Compiler Collection
● Cilium – container-aware eBPF-based Networking, Observability, Security
● Katran – high-performance layer 4 load balancing forwarding plane
● Falco – Open Source Security Tool for containers, Kubernetes and Cloud
● bpftrace – High-level tracing language for Linux eBPF
● KubeArmor – Container-aware Runtime Security Enforcement System
● Tracee – Linux Runtime Security and Forensics using eBPF
● Pixie – Scriptable observability for Kubernetes
75. eBPF use-cases
● Facebook uses Katran as a software-based solution to load balancing at a FB scale.
● Google announces Cilium & eBPF as the new networking dataplane for GKE.
● Netflix uses eBPF flow logs at scale for network insight.
● Cloudflare used eBPF to Build Programmable filter in Magic Firewall
● CF uses XDP to mitigate DDoS attacks
● etc …
76. One-liners / quick examples
● files opened by process:
bpftrace -e 'tracepoint:syscalls:sys_enter_open
{ printf("%s %s\n", comm, str(args->filename)); }'
● Any invoked processes / forks / children:
bpftrace -e 'tracepoint:syscalls:sys_enter_exec*
{ printf("%s %s\n", comm, str(args->filename)); }'
● get any line entered in bash (command sniffing):
bpftrace -e 'uretprobe:/bin/bash:readline {
printf("readline: \"%s\"\n", str(retval)); }'
80. What is cryptocurrency?
Cryptocurrency is decentralized digital money that’s based on blockchain technology.
A blockchain is an open, distributed ledger that records transactions in code. In practice, it’s a little like a checkbook that’s distributed across countless computers around the world. Transactions are recorded in “blocks” that are then linked together on a “chain” of previous cryptocurrency transactions.
Corporate Cryptocurrency Wallet Management
https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/
https://marketing.exness.com/crypto/
81. Why it should be protected?
https://www.forbes.com/sites/jonathanponciano/2022/03/29/second-biggest-crypto-hack-ever-600-million-in-ethereum-stolen-from-nft-gaming-blockchain/
82. Why it should be protected?
https://crystalblockchain.com/security-breaches-and-fraud-involving-crypto/
84. KYT (Know Your Transaction)
Addition to KYC / AML
Know Your Transaction or KYT is a commonly used financial industry term that refers to the process of examining financial transactions for fraudulent or suspicious activities including money laundering.
As cryptocurrency adoption continues to grow, it has been important for institutions to have the ability to drill down into crypto transactions for evidence of financial crimes.
https://crystalblockchain.com/articles/the-importance-of-knowing-your-cryptocurrency-transaction-kyt/
85. Wallet Types
Hot Wallet
● Easiest to start using crypto
● Keys are being generated and stored online
● Transactions (TXs) are being signed by provider
● Lowest security level
Warm Wallet
● Uses proprietary software to generate and store wallets
● Keys stored offline on device (eg smartphone)
● TXs are being signed on user’s device
● Balanced approach for everyday usage
Cold Wallet
● Private key is being stored on special hardware device with no internet access
● Requires manual actions for signing
● Usually signed TX is being broadcasted on separate device
● Best overall security
https://glacierprotocol.org/
86. Wallet Types: Hardware wallets are not a panacea
The enclosed instructions tell the person to connect the Ledger to their computer, open a drive that appears, and run the enclosed application.
The instructions then tell the person to enter their Ledger recovery phrase to import their wallet to the new device.
https://www.bleepingcomputer.com/news/cryptocurrency/criminals-are-mailing-altered-ledger-devices-to-steal-cryptocurrency/
87. Crypto Custody Types
Third-party custody
● Custodian handles any problems
● Easier for small business
● Usually have insurance
● Custodian controls crypto liquidity (can be frozen etc)
● Custodian may be hacked (or any other 3rd-party risk)
● Fees can be applied
Self-Custody
● Full control of crypto liquidity
● No 3rd party risks
● Have to handle the management of keys
● Also can be hacked
88. Hierarchical Deterministic Wallets (BIP-0032)
How does it work?
This standard defines how to derive private and public keys of a wallet from a binary master seed (m) and an ordered set of indices (called path) usually provided by values separated by slash:
m / purpose' / coin_type' / account' / change / address_index
m / 44' / 0' / 1' / 3 / 37
There are two possible types of BIP32 derivation: hardened or non-hardened
https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki
https://github.com/bitcoin/bips/blob/master/bip-0044.mediawiki
89. Hierarchical Deterministic Wallets
A parent extended public key together with a non-hardened child private key can expose the parent private key.
https://medium.com/@blainemalone01/hd-wallets-why-hardened-derivation-matters-89efcdc71671
https://learnmeabitcoin.com/technical/extended-keys
91. What are HSM & TPM?
HSM (Hardware Security Module)
Hardware Security Modules (HSMs) are hardware devices that can reside on a computer motherboard, but the more advanced models are contained in their own chassis as an external device and can be accessed via the network.
TPM (Trusted Platform Module)
Trusted Platform Modules (TPMs) are small hardware devices that are usually embedded into computer motherboards and are available as external devices.
https://goteleport.com/blog/tpm-vs-hsm-difference/
92. Bitcoin Multisig (BIP-0011)
Mechanism that moves verification of multiple signatures to the blockchain side.
scriptPubKey:
m {pubkey}...{pubkey} n OP_CHECKMULTISIG
scriptSig:
OP_0 ...signatures…
Order matters!
OP_0 sigB sigA OP_2 pubA pubB pubC OP_3 OP_CHECKMULTISIG -> fail
https://www.forbes.com/advisor/investing/cryptocurrency/what-is-cryptocurrency/
https://marketing.exness.com/crypto/
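Added example (not part of the original slides): a simplified Python model of the one-pass signature-to-key matching behind the "Order matters!" case above, plus the coordinator-side fix of sorting collected signatures into scriptPubKey key order before building the scriptSig. HMAC tags stand in for ECDSA signatures, and all names and the message are constructed for illustration.

```python
import hashlib, hmac

MSG = b"constructed transaction digest"
PUBKEYS = ["pubA", "pubB", "pubC"]        # order fixed by the scriptPubKey

def sign(pub):
    """Stand-in signature tied to one key (real scripts carry ECDSA signatures)."""
    return hmac.new(pub.encode(), MSG, hashlib.sha256).digest()

def verify(pub, sig):
    return hmac.compare_digest(sign(pub), sig)

def checkmultisig(sigs, pubkeys, m):
    """Single pass: every pubkey is tried at most once, so a signature can only
    match a key that comes after the key used by the previous signature."""
    if len(sigs) != m:
        return False
    si = ki = 0
    while si < len(sigs):
        if len(sigs) - si > len(pubkeys) - ki:
            return False                  # more signatures left than keys left
        if verify(pubkeys[ki], sigs[si]):
            si += 1
        ki += 1
    return True

def order_for_script(collected, pubkeys):
    """Emit signatures in scriptPubKey key order.
    `collected` maps pubkey -> signature in whatever order co-signers replied."""
    return [collected[p] for p in pubkeys if p in collected]

def demo():
    sig_a, sig_b, sig_c = (sign(p) for p in PUBKEYS)
    arrival = {"pubB": sig_b, "pubA": sig_a}      # B answered before A
    return {
        "sigB sigA": checkmultisig([sig_b, sig_a], PUBKEYS, 2),
        "sigA sigB": checkmultisig([sig_a, sig_b], PUBKEYS, 2),
        "sigA sigC": checkmultisig([sig_a, sig_c], PUBKEYS, 2),
        "reordered": checkmultisig(order_for_script(arrival, PUBKEYS), PUBKEYS, 2),
    }
```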
96. MPC, TSS, DKG: New Wave of Secure Cryptocurrency Management
MPC [Multi-party computation]
Allows making the signature and deriving the keys without having the private key in the same place
DKG [Distributed key generation]
Allows generating the private key parts without having the original one in the same place
TSS [Threshold signature scheme]
Allows making a signature of a transaction having M of N required secret parts
● Can be combined with standards like multisig & hd wallets
● Universal solution for multiple blockchains
● Requires more research for enterprise usage
https://github.com/ZenGo-X/awesome-tss
Multiple Bugs in Multi-Party Computation: https://www.youtube.com/watch?v=0Okqvm4lBQI