A CRYPTO-FAIL STORY
RootedCON Valencia
September 2017

2
Jose Selvi (@Jose Selvi)
+12 years in the infosec industry
Principal Penetration Tester
& Security Researcher
SANS Institute Community Instructor
GIAC Security Expert (GSE)
Blogger (sometimes): http://www.pentester.es
$ WHOIS JSELVI

3
I DID NOT MAKE A FULL VULNERABILITY RESEARCH

4
THIS IS NOT A CRYPTO TRAINING

5

6

7
TESTING CRYPTO IN 30 MINUTES
test1@test.com : 123456 -> 5A 8D 7D B4 DB B4 05 E9 AB CC 2D 46 AD AD 21 7F
test1@test.com : 123456 -> 5A 8D 7D B4 DB B4 05 E9 AB CC 2D 46 AD AD 21 7F
REUSE SALT, REUSE IV
test1@test.com : 123456 -> 5A 8D 7D B4 DB B4 05 E9 AB CC 2D 46 AD AD 21 7F
test1@test.com : 000000 -> 2E C7 7C 2A 19 6E 02 2B AA 68 7E F0 61 67 51 B0
test1@test.com : 123456 -> 5A 8D 7D B4 DB B4 05 E9 AB CC 2D 46 AD AD 21 7F
test2@test.com : 123456 -> 7B 49 CF 4D E4 32 1E 77 93 21 1A B5 74 8B 44 DA
BASED ON EMAIL & PASSWORD
BLOCK CIPHER (REVERSIBLE) ENCRYPTION
B6 78 78 BD F5 72 FC BE 04 8B D5 33 44 98 7B 02
23 97 F8 B5 BD 63 3F 6D F8 AB 13 64 76 DD 37 BE
5A 8D 7D B4 DB B4 05 E9 AB CC 2D 46 AD AD 21 7F

8
SECURITY STRIKES BACK

9
NO EXPLOITATION, NO FUN
POTENTIALLY EXPLOITABLE
WE PRESUME THAT WITH ENOUGH EFFORT IT COULD BE EXPLOITED

10
QUICK LOOK AT THE BINARY
$ rabin2 -i server.exe | grep -i crypt
ordinal=001 plt=0x005c80c4 bind=NONE type=FUNC name=CRYPTUI.dll_CryptUIDlgViewCertificateW
ordinal=001 plt=0x005c8098 bind=NONE type=FUNC name=CRYPT32.dll_CertEnumCertificatesInStore
ordinal=002 plt=0x005c809c bind=NONE type=FUNC name=CRYPT32.dll_CertCloseStore
ordinal=003 plt=0x005c80a0 bind=NONE type=FUNC name=CRYPT32.dll_CertFreeCertificateContext
ordinal=004 plt=0x005c80a4 bind=NONE type=FUNC name=CRYPT32.dll_CertGetCertificateContextProperty
ordinal=005 plt=0x005c80a8 bind=NONE type=FUNC name=CRYPT32.dll_CertDuplicateCertificateContext
ordinal=006 plt=0x005c80ac bind=NONE type=FUNC name=CRYPT32.dll_CertGetEnhancedKeyUsage
ordinal=007 plt=0x005c80b0 bind=NONE type=FUNC name=CRYPT32.dll_CertGetNameStringW
ordinal=008 plt=0x005c80b4 bind=NONE type=FUNC name=CRYPT32.dll_CertOpenStore
ordinal=009 plt=0x005c80b8 bind=NONE type=FUNC name=CRYPT32.dll_CryptProtectData
ordinal=010 plt=0x005c80bc bind=NONE type=FUNC name=CRYPT32.dll_CryptUnprotectData
$ rabin2 -zz server.exe | grep -i crypt
vaddr=0x00626ff6 paddr=0x002257f6 ordinal=21488 sz=27 len=26 section=.rdata type=ascii
string=CryptUIDlgViewCertificateW
vaddr=0x00627012 paddr=0x00225812 ordinal=21489 sz=12 len=11 section=.rdata type=ascii string=CRYPTUI.dll
vaddr=0x0062755a paddr=0x00225d5a ordinal=21555 sz=17 len=16 section=.rdata type=ascii string=CryptProtectData
vaddr=0x0062756e paddr=0x00225d6e ordinal=21556 sz=19 len=18 section=.rdata type=ascii string=CryptUnprotectData
vaddr=0x00627582 paddr=0x00225d82 ordinal=21557 sz=12 len=11 section=.rdata type=ascii string=CRYPT32.dll
vaddr=0x0062f6e0 paddr=0x0022dae0 ordinal=22387 sz=40 len=39 section=.data type=ascii string=.?AU?
$Deleter@UCryptData@@P6AHPAU1@@Z@@
vaddr=0x0062f710 paddr=0x0022db10 ordinal=22388 sz=30 len=29 section=.data type=ascii string=.?AV?
$TPointer@UCryptData@@@@
vaddr=0x0062f738 paddr=0x0022db38 ordinal=22389 sz=34 len=33 section=.data type=ascii string=.?AV?
$TAutoFreeObj@UCryptData@@@@

11

12
HASHING ALGORITHMS
static void reset(uint32_t digest[], std::string &buffer, uint64_t &transforms)
{
/* SHA1 initialization constants */
digest[0] = 0x67452301;
digest[1] = 0xefcdab89;
digest[2] = 0x98badcfe;
digest[3] = 0x10325476;
digest[4] = 0xc3d2e1f0;
/* Reset counters */
buffer = "";
transforms = 0;
}

13
STREAM CIPHERS

14
BLOCK CIPHERS

15

16

17
AES has 10 rounds for 128-bit
keys, 12 rounds for 192-bit
keys, and 14 rounds for 256-bit
keys.

18

19

20

21

22
CRACKING THE “HASH”
$ ./crack my@email.com 52796b
User: my@email.com
Password: test123456

23
RESULT

24
DO NOT USE ECB MODE NEVER EVER

25
$ echo Testing1234 | openssl enc -aes-128-ecb -K 1234 -iv 1 | hexd
0000000 8d 47 5c 5f bb 1b 1c 0a 79 ca e5 45 6a 8f c4 58
$ echo Testing1234 | openssl enc -aes-128-ecb -K 1234 -iv 2 | hexd
0000000 8d 47 5c 5f bb 1b 1c 0a 79 ca e5 45 6a 8f c4 58
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv
0001 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv
0002 | hexdump
0000000 1b 28 1f e3 10 fa 69 14 8b 80 e2 64 97 2e 93 d0

26
https://github.com/golang/go/issues/5597

27
ALWAYS USE DIFFERENT IVs ON EACH MESSAGE

28
REUSING IVs ON AES
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv 1 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv 1 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv 1 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv 1 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7
$ echo Testing1234 | openssl enc -aes-128-cbc -K 1234 -iv 1 | hexdump
0000000 d5 1e 92 d4 ce 72 dc ab 6d e9 c0 b6 bb 39 de f7

29
REUSING IVs ON STREAM CIPHERS
W E L C O M E T O T H I S
12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
H I D D E N M E S S A G E ! .
12 34 56 78 9A BC DE F0 12 34 56 78 9A BC DE F0
(M1 ⊕ KEY) ⊕ (M2 ⊕ KEY)
M1 ⊕ M2

30
DO NOT USE REVERSIBLE ENCRYPTION FOR PASSWORDS

Credentials Storage
31
AUTHENTICATION & HASHING
pass1234
Client Side Server Side
XYZW
XYZW

Code
Credentials Storage
32
SALT & PEPPER
pass1234
Client Side Server Side
SALT$XYZW
SALT$XYZW
PEPPER
PEPPERSALT

33
PASSWORD SPECIFIC HASHING: PBKDF2, BCRYPT, SCRYPT, …

34
SERIOUSLY, DO NOT KEEP SECRETS AT CLIENT SIDE

XYZWABCD
Random Token Generator
Token Storage
35
RANDOM TOKENS
Client Side Server Side
XYZWABCD

JSON Token Generator
XYZWABCD
Token Storage
36
JSON WEB TOKENS (JWT)
Client Side Server Side
Certification Authority
CA

www.prosegur.comwww.prosegur.com
THANKS A LOT!
ANY QUESTIONS?
jose.selvi@prosegur.com
jselvi@pentester.es
@JoseSelvi