SHA-1
backdooring and exploitation
brought to you by
Maria Eichlseder, Florian Mendel, Martin Schläffer
TU Graz, .at; cryptanalysis
@angealbertini
Corkami, ....
1. WTF is a hash function backdoor?
2. backdooring SHA1 with cryptanalysis
3. exploitation! collisions!
TL;DR:
who’s interested in crypto backdoors?
& Dual_EC speculation — https://projectbullrun.org
Clipper (1993)
crypto researchers?
Young/Yung malicious cipher (2003)
- compresses texts to leak key bits in ciphertexts
- blackbox only (internals reveal th...
2011: theoretical framework, but nothing useful
what’s a crypto backdoor?
not an implementation backdoor
example: RC4 C implementation (Wagner/Biondi)
#define TOBYTE(x) (x) & 255
#define SWAP(x,y)...
a backdoor (covert) isn’t a trapdoor (overt)
RSA has a trapdoor, NSA has backdoors
VSH is a trapdoor hash based on RSA
backdoor in a crypto hash?
“some secret property that allows you to
efficiently break the hash”
“break” can be about collisions, preimages…
how to model the stealthiness of the backdoor…
exploitation can be determinist...
role reversal
Eve wants to achieve some security property
Alice and Bob (the users) are the adversaries
definitions
malicious hash = pair of algorithms
exploit() either “static” or “dynamic”
generate()randomness
hash function ...
taxonomy
static collision backdoor
returns constant m and m’ such that H(m)=H(m’)
dynamic collision backdoor
returns rando...
stealth definitions
undetectability vs undiscoverability
detect() may also return levels of suspicion
H may be obfuscated....
our results
dynamic collision backdoor
valid structured files with arbitrary payloads
detectable, but undiscoverable
and a...
SHA-1
SHA-1
everywhere
RSA-OAEP, “RSAwithSHA1”, HMAC, PBKDF2, etc.
⇒ in TLS, SSH, IPsec, etc.
integrity check: git, bootloaders,...
SHA-1
but no collision published yet
actual complexity unclear (>260
)
Differential cryptanalysis for collisions
“perturb-and-correct”
2 stages (offline/online)
1. find a good differential characteristic
= one of high probability
2. find conforming messages...
find a characteristic: linearization
low-probability
high-probability
2-40
2-15
2-40
find conforming messages
low-probability part: “easy”, K1
unchanged
use automated tool to find a conforming message
round ...
collision!
1-block, vs. 2-block collisions for previous attacks
empty
but it’s not the real SHA-1!
“custom” standards are common in
proprietary systems
(encryption appliances, set-top boxes, etc.)
motivations:
customer-sp...
how to turn garbage collisions
into useful collisions?
(= 2 valid files with arbitrary content)
basic idea
where H(M1
)=H(M2
)
and Mx
is essentially “process payload x”
M1
M2
Payload1
Payload2
Payload1
Payload2
constraints
differences (only in) the first block
difference in the first four bytes
⇒ 4-byte signatures corrupted
PE? (Win* executables, etc.)
differences forces EntryPoint to be at > 0x40000000
⇒ 1GiB (not supported by Windows)
PE = fail
ELF, Mach-O = fail
(≥ 4-byte signature at offset 0)
shell scripts?
#<garbage, 63 bytes>
#<garbage with differences>
EOL
<check for block’s content>
//block 1 start
//block 2 start
//same pa...
RAR/7z
scanned forward
≥ 4-byte signature :-(
but signature can start at any offset :-D
⇒ payload = 2 concatenated archives
killing the 1st
signature byte disables the top archive
COM/MBR?
COM/MBR
(DOS executable/Master Boot Record)
no signature!
start with x86 (16 bits) code at offset 0
like shell scripts, sk...
JMP address1
JMP address2
address1:
<payload1>
address2:
<payload2>
//block 1 start
//block 2 start
//common payload
JPEG?
JPEG
2-byte signature 0xFFD8
sequence of chunks
idea
message 1: first chunk “commented”
message 2: first chunk processed
polyglots
2 distinct files, 3 valid file formats!
~virtual multicollisions
> msha1.py mbr_shell_rar*.pdf 5a827999 82b1c71a 5141963a b389abb9
mbr_shell_rar0.pdf 10382a6d3c949408d7cafaaf6d110a9e23230...
Conclusions
Implications for SHA-1 security?
None.
We did not improve attacks on the
unmodified SHA-1.
Did NSA use this trick when
designing SHA-1 in 1995?
Probably not, because
1) cryptanalysis techniques are known since ~20...
Can you do the same for SHA-256?
Not at the moment.
Good: SHA-256 uses distinct constants at each step
⇒more control to co...
thank you! questions?
Roads? Where we're going, we don't need roads.
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
SHA-1 backdooring & exploitation
Upcoming SlideShare
Loading in …5
×

SHA-1 backdooring & exploitation

774 views

Published on

If the four 32-bit constants of SHA-1 can be modified, then exploitable collisions can be constructed. No need to panic, this doesn’t affect the original SHA-1. However, vendors and customers of products with custom cryptography will be interested.

for more info, check http://malicioussha1.github.io/

Published in: Technology
0 Comments
1 Like
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
774
On SlideShare
0
From Embeds
0
Number of Embeds
20
Actions
Shares
0
Downloads
15
Comments
0
Likes
1
Embeds 0
No embeds

No notes for slide

SHA-1 backdooring & exploitation

  1. 1. SHA-1 backdooring and exploitation
  2. 2. brought to you by Maria Eichlseder, Florian Mendel, Martin Schläffer TU Graz, .at; cryptanalysis @angealbertini Corkami, .de; binary kung-fu @veorq Kudelski Security, .ch; theory and propaganda :-)
  3. 3. 1. WTF is a hash function backdoor? 2. backdooring SHA1 with cryptanalysis 3. exploitation! collisions!
  4. 4. TL;DR:
  5. 5. who’s interested in crypto backdoors?
  6. 6. & Dual_EC speculation — https://projectbullrun.org
  7. 7. Clipper (1993)
  8. 8. crypto researchers?
  9. 9. Young/Yung malicious cipher (2003) - compresses texts to leak key bits in ciphertexts - blackbox only (internals reveal the backdoor) - other “cryptovirology” schemes
  10. 10. 2011: theoretical framework, but nothing useful
  11. 11. what’s a crypto backdoor?
  12. 12. not an implementation backdoor example: RC4 C implementation (Wagner/Biondi) #define TOBYTE(x) (x) & 255 #define SWAP(x,y) do { x^=y; y^=x; x^=y; } while (0) static unsigned char A[256]; static int i=0, j=0; unsigned char encrypt_one_byte(unsigned char c) { int k; i = TOBYTE(i+1); j = TOBYTE(j + A[i]); SWAP(A[i], A[j]); k = TOBYTE(A[i] + A[j]); return c ^ A[k]; }
  13. 13. a backdoor (covert) isn’t a trapdoor (overt) RSA has a trapdoor, NSA has backdoors VSH is a trapdoor hash based on RSA
  14. 14. backdoor in a crypto hash?
  15. 15. “some secret property that allows you to efficiently break the hash”
  16. 16. “break” can be about collisions, preimages… how to model the stealthiness of the backdoor… exploitation can be deterministic or randomized…
  17. 17. role reversal Eve wants to achieve some security property Alice and Bob (the users) are the adversaries
  18. 18. definitions malicious hash = pair of algorithms exploit() either “static” or “dynamic” generate()randomness hash function H backdoor b exploit() hash function H collision/preimagebackdoor b challenge
  19. 19. taxonomy static collision backdoor returns constant m and m’ such that H(m)=H(m’) dynamic collision backdoor returns random m and m’ such that H(m)=H(m’) static preimage backdoor returns m such that H(m) has low entropy dynamic preimage backdoor given h, returns m such that H(m)=h
  20. 20. stealth definitions undetectability vs undiscoverability detect() may also return levels of suspicion H may be obfuscated... detect()hash function H exploit() ? discover() hash function H backdoor b exploit()
  21. 21. our results dynamic collision backdoor valid structured files with arbitrary payloads detectable, but undiscoverable and as hard to discover as to break SHA-1
  22. 22. SHA-1
  23. 23. SHA-1 everywhere RSA-OAEP, “RSAwithSHA1”, HMAC, PBKDF2, etc. ⇒ in TLS, SSH, IPsec, etc. integrity check: git, bootloaders, HIDS/FIM, etc.
  24. 24. SHA-1
  25. 25. but no collision published yet actual complexity unclear (>260 )
  26. 26. Differential cryptanalysis for collisions “perturb-and-correct”
  27. 27. 2 stages (offline/online) 1. find a good differential characteristic = one of high probability 2. find conforming messages with message modification techniques
  28. 28. find a characteristic: linearization low-probability high-probability 2-40 2-15 2-40
  29. 29. find conforming messages low-probability part: “easy”, K1 unchanged use automated tool to find a conforming message round 2: try all 232 K2 ‘s, repeat 28 times (cost 240 ) consider constant K2 as part of the message! round 3: do the same to find a K3 (total cost 248 ) repeating the 240 search of K2 28 times…. round 4: find K4 in negligible time iterate to minimize the differences in the constants...
  30. 30. collision! 1-block, vs. 2-block collisions for previous attacks
  31. 31. empty
  32. 32. but it’s not the real SHA-1!
  33. 33. “custom” standards are common in proprietary systems (encryption appliances, set-top boxes, etc.) motivations: customer-specific crypto (customers’ request) “other reasons”
  34. 34. how to turn garbage collisions into useful collisions? (= 2 valid files with arbitrary content)
  35. 35. basic idea where H(M1 )=H(M2 ) and Mx is essentially “process payload x” M1 M2 Payload1 Payload2 Payload1 Payload2
  36. 36. constraints differences (only in) the first block difference in the first four bytes ⇒ 4-byte signatures corrupted
  37. 37. PE? (Win* executables, etc.) differences forces EntryPoint to be at > 0x40000000 ⇒ 1GiB (not supported by Windows)
  38. 38. PE = fail
  39. 39. ELF, Mach-O = fail (≥ 4-byte signature at offset 0)
  40. 40. shell scripts?
  41. 41. #<garbage, 63 bytes> #<garbage with differences> EOL <check for block’s content> //block 1 start //block 2 start //same payload
  42. 42. RAR/7z scanned forward ≥ 4-byte signature :-( but signature can start at any offset :-D ⇒ payload = 2 concatenated archives
  43. 43. killing the 1st signature byte disables the top archive
  44. 44. COM/MBR?
  45. 45. COM/MBR (DOS executable/Master Boot Record) no signature! start with x86 (16 bits) code at offset 0 like shell scripts, skip initial garbage JMP to distinct addr rather than comments
  46. 46. JMP address1 JMP address2 address1: <payload1> address2: <payload2> //block 1 start //block 2 start //common payload
  47. 47. JPEG?
  48. 48. JPEG 2-byte signature 0xFFD8 sequence of chunks idea message 1: first chunk “commented” message 2: first chunk processed
  49. 49. polyglots 2 distinct files, 3 valid file formats! ~virtual multicollisions
  50. 50. > msha1.py mbr_shell_rar*.pdf 5a827999 82b1c71a 5141963a b389abb9 mbr_shell_rar0.pdf 10382a6d3c949408d7cafaaf6d110a9e23230416 mbr_shell_rar1.pdf 10382a6d3c949408d7cafaaf6d110a9e23230416 > msha1.py jpg-rar*.jpg 5a827999 9b73a440 71599fc5 0c8a53e4 jpg-rar0.jpg 7a00042714d8ee6f4978193b07df705b652d0e39 jpg-rar1.jpg 7a00042714d8ee6f4978193b07df705b652d0e39 more magic: just 2 files here
  51. 51. Conclusions
  52. 52. Implications for SHA-1 security? None. We did not improve attacks on the unmodified SHA-1.
  53. 53. Did NSA use this trick when designing SHA-1 in 1995? Probably not, because 1) cryptanalysis techniques are known since ~2004 2) the constants look like NUMSN (√2 √3 √5 √10) 3) remember the SHA-0 fiasco :)
  54. 54. Can you do the same for SHA-256? Not at the moment. Good: SHA-256 uses distinct constants at each step ⇒more control to conform to the characteristic (but also more differences with the original) Not good: The best known attack is on 31 steps (in ~265 ), of 64 steps in total, so it might be difficult to find a useful 64-step characteristic
  55. 55. thank you! questions? Roads? Where we're going, we don't need roads.

×