This document summarizes a CODE BLUE 2015 presentation by Mitsunari Shigeo on password encryption in Microsoft Office files and his proposal for a backdoor-resistant file format. The key points are:
1) The presenter found that Excel 2010/2013 did not regenerate the secret key when a file was saved under a new password, so files encrypted with different passwords shared one secret key; recovering that key from the file with the weakest password opens all of them (fixed in MS15-110).
2) Brute-force attack times for several password-encrypted formats were compared; Office 2013 was the strongest because of its key stretching (100000 iterations of SHA-512).
3) Because a black-box encryptor can derive the secret key from a hidden master key, a backdoor that the user cannot detect from the file, the presenter proposes a format in which the secret key also depends on the password, so that the person holding the master key still has to attack the key derivation.
Backdoors with the MS Office file encryption master key and a proposal for a reliable file format
1. Backdoors with the MS Office file encryption master key and a proposal for a reliable file format
2015/10/28, 29 CODE BLUE
Mitsunari Shigeo (@herumi)
2. Abstract
• Attacking Excel files without a password
• This bug was fixed on 2015/Oct/13 (MS15-110)
• Comparison of password-encrypted file formats
• How I found this bug
• Proposal for a backdoor-resistant format
2/54
3. Mitsunari Shigeo (@herumi)
• R&D for cloud security and infrastructure at Cybozu Labs, Inc.
• Author of "Applied Cryptography for the Cloud" (in Japanese)
  • about PFS, ECC, IBE, ABE, FE, HE, ZKP, ...
  • http://herumi.github.io/ango/
• Microsoft MVP Developer Security (2015)
• Author of the fastest implementation of pairing
  • https://github.com/herumi/ate-pairing
  • Software implementation of an Attribute-Based Encryption Scheme, IEEE Trans. on Computers, 2014
3/54
4. Takesako Yoshinori (@takesako)
• Technical Fellow at Recruit Marketing Partners
• Visiting associate professor at Kochi National College of Technology
• Review board for CODE BLUE
• OWASP Japan advisory board
• Chairperson of SECCON CTF
• Leader of Shibuya Perl Mongers
• Microsoft MVP Developer Security in 2008
• Author of "How to Execute Arbitrary Code on x86 JIT Compilers"
• Translator of "Reading ECMA-262 Edition 5.1" (2013)
• Best award of CSSx2.0 at "Computer Security Symposium 2013"
4/54
5. Agenda
• Comparison of password-encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
5/54
6. Agenda
• Comparison of password-encrypted file formats
  • Password encryption
  • Introduction to attack tools
  • Comparison of attack time
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
6/54
7. Encrypted file with password
• The very basic way
  • input: pass (password), m (message)
  1. SK = Hash(pass)
  2. c = Enc(SK, m)
  3. output: c
• Vulnerable
  • The same password always generates the same SK.
[diagram: pass → Hash → SK; (SK, m) → Enc → c. SK depends only on pass.]
7/54
8. hashcat
• Password attack tool
  • http://hashcat.net/oclhashcat/
  • GPGPU-based, very fast engine
8/54
9. Performance of hashcat
• Number of attempts per second
  • SHA1: 4.2 × 10^10 times/sec on 8x NVidia Titan X
  • SHA512: 5.2 × 10^9 times/sec
• Time to recover the password from its Hash value
  • pass: assume [a-zA-Z0-9]; 62 letters, so 62^8 candidates for 8 characters
  • 62^8 / (4.2 × 10^10) seconds = 1h27m to try all patterns for SHA1
9/54
10. More secure file formats
• Add salt
  1. generate salt randomly
  2. SK = Hash(salt, pass)
  3. iv: Initialization Vector
  4. c = Enc(iv, SK, m)
• Even the same password generates different SK
  • Hash(salt1 + 'abc') ≠ Hash(salt2 + 'abc')
• Stronger against rainbow table attacks
[diagram: (salt, pass) → Hash → SK; (iv, SK, m) → Enc → c]
10/54
11. Key stretching
• Iterate the hash function many times
  • d1 = HMAC(pass, salt)
  • n is the iteration count
  • for i = 1 to n − 1:
    • d(i+1) = HMAC(d(i), salt)
  • SK = d1 ⊕ d2 ⊕ ⋯ ⊕ dn
• Reduces the attacker's speed to 1/n
• PKCS#5 (RFC 2898)
  • Password-Based Cryptography Specification
  • PBKDF2 (password-based key derivation function)
  • used by the ZIP format, etc.
[diagram: pass and salt → HMAC → d1; pass and d(i) → HMAC → d(i+1), repeated n times; SK = d1 ⊕ d2 ⊕ ⋯]
11/54
12. Passcovery
• Another password recovery tool
  • http://passcovery.com/
12/54
13. Compare attack time
• Brute-force attack time against an 8-byte password
  • by Passcovery on GeForce GTX860M 1019MHz
• Office 2013 docx format is strong
• Recently, a memory-hard function is recommended
  • Argon2 is the winner of the Password Hashing Competition (2015/Jul/20)

File format        | # of tries/sec | hash stretching    | time to try all patterns
ZIP (96-bit)       | 230000000      | none               | 10 days
Office 2003 doc    | 11000000       | ?                  | 220 days
ZIP (256-bit AES)  | 370000         | 1000 x HMAC-SHA1   | 18 years
Office 2007 docx   | 16000          | 50000 x SHA1       | 430 years
Office 2010 docx   | 8100           | 100000 x SHA1      | 854 years
Office 2013 docx   | 337            | 100000 x SHA512    | 20000 years
13/54
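The salt and key-stretching steps of slides 10, 11 and 13, worked through as an added Python example; this is not the presentation's code and not msoffice-crypt. It implements the iterated HMAC construction in its RFC 2898 (PBKDF2) form, where the password is the HMAC key in every round and the salt enters only the first round, checks the hand-written loop against hashlib.pbkdf2_hmac, shows that two salts give two different keys for the same password, and recomputes the last column of the slide 13 table from 62^8 candidates and the tries-per-second figures. The sample password and salts are constructed.

```python
import hashlib
import hmac
import os


def stretch(password: bytes, salt: bytes, iterations: int, hash_name: str = "sha1") -> bytes:
    """Key stretching of slide 11 in RFC 2898 form (PBKDF2, first output block only):
    d1 = HMAC(pass, salt || 0x00000001), d(i+1) = HMAC(pass, d(i)), SK = d1 xor d2 xor ... xor dn."""
    d = hmac.new(password, salt + (1).to_bytes(4, "big"), hash_name).digest()
    sk = bytearray(d)
    for _ in range(iterations - 1):
        d = hmac.new(password, d, hash_name).digest()
        for j, byte in enumerate(d):
            sk[j] ^= byte
    return bytes(sk)


def matches_stdlib(password: bytes, salt: bytes, iterations: int) -> bool:
    """Cross-check: the loop above must equal the standard library's PBKDF2-HMAC-SHA1."""
    expected = hashlib.pbkdf2_hmac("sha1", password, salt, iterations, 20)
    return stretch(password, salt, iterations) == expected


def salted_keys_differ(password: bytes, iterations: int = 1000) -> bool:
    """Slide 10: the same password with two random salts yields two different SK."""
    salt1, salt2 = os.urandom(16), os.urandom(16)
    return stretch(password, salt1, iterations) != stretch(password, salt2, iterations)


def exhaustive_search_seconds(alphabet_size: int, length: int, tries_per_sec: float) -> float:
    """Seconds needed to try every password of the given length (slide 9: 62^8 / 4.2e10 for raw SHA1)."""
    return alphabet_size ** length / tries_per_sec


# Tries-per-second figures copied from the slide 13 table (Passcovery on a GeForce GTX860M).
TRIES_PER_SEC = {
    "ZIP (96-bit)": 230_000_000,
    "Office 2003 doc": 11_000_000,
    "ZIP (256-bit AES)": 370_000,
    "Office 2007 docx": 16_000,
    "Office 2010 docx": 8_100,
    "Office 2013 docx": 337,
}


def attack_table(alphabet_size: int = 62, length: int = 8) -> dict:
    """Recompute the last column of the slide 13 table, in days (rounded)."""
    return {fmt: round(exhaustive_search_seconds(alphabet_size, length, rate) / 86400)
            for fmt, rate in TRIES_PER_SEC.items()}


if __name__ == "__main__":
    pw, salt = b"abc", os.urandom(16)  # constructed sample input
    print("hand-written PBKDF2 matches hashlib:", matches_stdlib(pw, salt, 1000))
    print("two salts give two different keys:", salted_keys_differ(pw))
    print("SHA1 without stretching: %.0f s for all 62^8 patterns" % exhaustive_search_seconds(62, 8, 4.2e10))
    for fmt, days in attack_table().items():
        print("%-18s %10d days (%.0f years)" % (fmt, days, days / 365))
```

The stretching factor is visible directly in the rates: Office 2010 and Office 2013 both use 100000 iterations, and the only difference between their rows is the per-hash cost of SHA1 versus SHA512, which is the same ratio the hashcat figures on slide 9 show.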
14. Agenda
• Comparison of password-encrypted file formats
• Demo
  • MS Office file format
  • Secret key generator of the MS Office file format
  • Introduction of my tool
  • Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
14/54
17. MS Office Agile format
• Uses two kinds of secret key
  • H: the iterated hash function above
  1. generate s from pass and salt
  2. generate SK and encrypt it by s
  3. encrypt m by SK
• I will explain later
• Two keys for key escrow
  • The Administrator can decrypt if the password is lost
  • encrypt SK with the public key of the Administrator in advance
  • disabled (default)
[diagram: (pass, salt) → H → s; SK encrypted by s; m encrypted by SK]
17/54
18. msoffice-crypt
• https://github.com/herumi/msoffice/
• My tool to encrypt/decrypt MS Office files
• Supports Windows/Linux
• Supports OpenXML of Office 2007~
• Supports the Agile format of Office 2010~
  • LibreOffice does not support the format yet
• Configurable secret key for the Agile format
• Configurable iteration count for stretching
18/54
20. Usage
• encrypt with password "test"
  msoffice-crypt -e plain.xlsx enc.xlsx -p test
• decrypt with password "test"
  msoffice-crypt -d enc.xlsx dec.xlsx -p test
• attack without password
  • decrypt easy.xlsx with "test" and get SK
  • attack complex.xlsx by SK without password
  msoffice-crypt -d complex.xlsx -by easy.xlsx -p test
20/54
21. Agenda
• Comparison of password-encrypted file formats
• Demo
• Situations
  • What happened?
  • Some scenarios
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
21/54
22. What happened?
• Excel 2010/2013 does not update the secret key in the file when the password is changed (Bug).
• We can attack them with this one secret key.
[diagram: master file with pass → "save as..." with pass1, pass2, pass3; all copies have the same secret key]
22/54
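A model of the two-key layout from slides 17 and 22, added here as Python; it is not the presentation's code and not the MS-OFFCRYPTO algorithm. A password-derived key s wraps a random secret key SK, and SK encrypts the document. The "save as" bug is reproduced as a function that keeps the old SK and only re-wraps it under the new password; the fixed variant draws a fresh SK. PBKDF2-HMAC-SHA256 stands in for the iterated hash H, a small HMAC-SHA256 keystream stands in for AES, and the passwords and document contents are constructed. The last function is the check that slide 50 recommends: unwrap the keys of two files and compare them.

```python
import hashlib
import hmac
import os


def derive_s(password: bytes, salt: bytes, iterations: int = 10_000) -> bytes:
    """The iterated hash H of slide 17; PBKDF2-HMAC-SHA256 stands in for the Office derivation."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, 32)


def xor_stream(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in for AES): keystream block i = HMAC-SHA256(key, label || i)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, label + (i // 32).to_bytes(4, "big"), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_document(message: bytes, password: bytes, secret_key: bytes = None) -> dict:
    """Two-key layout: s = H(pass, salt) wraps SK; SK encrypts the message."""
    salt = os.urandom(16)
    if secret_key is None:  # normal case: a fresh random SK for every file
        secret_key = os.urandom(32)
    s = derive_s(password, salt)
    return {"salt": salt,
            "wrapped_key": xor_stream(s, b"key", secret_key),
            "ciphertext": xor_stream(secret_key, b"data", message)}


def unwrap_key(doc: dict, password: bytes) -> bytes:
    return xor_stream(derive_s(password, doc["salt"]), b"key", doc["wrapped_key"])


def decrypt_with_password(doc: dict, password: bytes) -> bytes:
    return xor_stream(unwrap_key(doc, password), b"data", doc["ciphertext"])


def decrypt_with_key(doc: dict, secret_key: bytes) -> bytes:
    """What the attacker of slide 22 does: no password, just an SK taken from another file."""
    return xor_stream(secret_key, b"data", doc["ciphertext"])


def save_as_buggy(doc: dict, old_password: bytes, new_message: bytes, new_password: bytes) -> dict:
    """Excel 2010/2013 behaviour described on slide 22: the old SK is kept and only re-wrapped."""
    return encrypt_document(new_message, new_password, secret_key=unwrap_key(doc, old_password))


def save_as_fixed(doc: dict, old_password: bytes, new_message: bytes, new_password: bytes) -> dict:
    """Correct behaviour: the old file is opened, then a fresh SK is generated for the new one."""
    unwrap_key(doc, old_password)
    return encrypt_document(new_message, new_password)


def share_secret_key(doc1: dict, pw1: bytes, doc2: dict, pw2: bytes) -> bool:
    """Slide 50 check: two files that unwrap to the same SK must be re-encrypted."""
    return hmac.compare_digest(unwrap_key(doc1, pw1), unwrap_key(doc2, pw2))


def scenario() -> dict:
    """Scenario 2 of slide 24 on the toy format: easy file with "test", important file saved from it."""
    easy = encrypt_document(b"master template", b"test")
    secret = b"pay slip: confidential"
    complex_buggy = save_as_buggy(easy, b"test", secret, b"testtest")
    complex_fixed = save_as_fixed(easy, b"test", secret, b"testtest")
    sk_from_easy = unwrap_key(easy, b"test")  # the attacker knows only the easy password
    return {
        "buggy_file_opened_without_password": decrypt_with_key(complex_buggy, sk_from_easy) == secret,
        "fixed_file_opened_without_password": decrypt_with_key(complex_fixed, sk_from_easy) == secret,
        "buggy_file_flagged_by_key_check": share_secret_key(easy, b"test", complex_buggy, b"testtest"),
        "fixed_file_flagged_by_key_check": share_secret_key(easy, b"test", complex_fixed, b"testtest"),
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

Nothing in the strong password helps once SK is shared: the wrapped key differs between the two files, but the ciphertext of the important file is still under the SK that the easy file hands over. The key-comparison check is the only way to find affected files after the fact, which is why slide 50 asks for it rather than for a password change.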
23. Scenario 1 (pay slip delivery)
• At HR
  • prepares a master Excel file
  • writes a pay slip into the file, changes the password, sends it to a staff member
[diagram: master file with pass HR → one file per staff member; any recipient can attack the other files]
23/54
24. Scenario 2 (lost PC)
• Owner
  • A master Excel file encrypted with an easy pass
  • Modifies it and makes an important file with a strong pass
• Attacker
  • Brute-force attack against the easy pass, then attack the important file
[diagram: PC holds the master file (easy pass) and a copy saved with a strong pass containing secret info; a brute-force attack on the easy pass also opens the strong-pass file]
24/54
25. Agenda
• Comparison of password-encrypted file formats
• Demo
• Situations
• MS Office file format
  • Details of the MS Office file encryption structure
  • Relation between password and secret key
• How I found this bug
• Proposal for a backdoor-resistant format
25/54
26. MS Office file encryption details
• Old format and new format
• The MS OLE2 header is "D0 CF 11 E0"

Office file type                 | Format
doc, ppt, xls (old Office files) | MS OLE2
plain docx, pptx, xlsx           | ZIP file of Open XML files
encrypted docx, pptx, xlsx       | MS OLE2 including a header and an encrypted ZIP file

[diagram: header (not encrypted) followed by Enc(ZIP files) (the Open XML ZIP, encrypted with AES)]
26/54
27. Layout of encrypted docx
• There is a directory structure in one file
root/
  EncryptionPackage              encrypted main ZIP file
  EncryptionInfo                 encryption information
  DataSpaces/                    not used
    Version
    DataSpaceMap
    Transformation/
      StrongEncryptionTransform/
        Primary
    DataSpaceInfo/
      StrongEncryptionDataSpace
27/54
28. Version of EncryptionInfo
• Standard encryption (~Office 2007)
  • binary format
  • supports only SHA-1
  • spinCount (= # of iterations) is fixed to 50000
• Agile encryption (Office 2010~)
  • XmlEncryptionDescriptor
  • supports SHA-1, SHA256, etc.
  • variable spinCount
28/54
30. Dependency of variables in encryption
[dependency diagram; generated values: encryptedKey.saltValue, keyData.saltValue, secretKey, verifierHashInput, HmacKey; password → hash (with encryptedKey.saltValue) yields the values stored in the file: encryptedVerifierHashInput, encryptedVerifierHashValue, encryptedKeyValue (the encrypted secretKey); verifierHashInput → hash → verifierHashValue; HmacKey → encryptedHmacKey, encryptedHmacValue; secretKey encrypts the ZIP file: EncryptionPackage = Enc(ZIP file)]
30/54
34. Agenda
• Comparison of password-encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
  • Motivation
  • CSPRG
  • Example of a known backdoor
  • Hooking into MS Office's secret key generator
• Proposal for a backdoor-resistant format
34/54
35. Motivation
• Normal encryptor
  • main part to encrypt m:
    generate salt randomly
    generate SK randomly
    c = Enc(SK, salt, m)
  • You cannot decrypt (salt, c) without SK
• We can make a backdoor if the generator of SK is controlled.
[diagram: m → encryptor → (salt, c)]
35/54
36. An example of controlled SK
• Malicious (backdoored) encryptor
    generate salt randomly
    SK = H(X, salt)
    c = Enc(m) by (salt, SK)
• Malicious Eve prepares a master secret key X
• Eve embeds X into the encryptor
• Eve can get SK = H(X, salt) from X, then decrypt
• You cannot notice that (salt, c) has a backdoor
[diagram: m → encryptor (containing Eve's X) → (salt, c); Eve computes SK from X and salt]
36/54
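The backdoored encryptor of slides 35 and 36, as an added Python example that is not part of the presentation. An honest encryptor draws SK from the system CSPRG; Eve's encryptor derives it as SK = H(X, salt) from a master key X embedded in the binary. Both produce output of the same shape, so a user holding only (salt, c) cannot tell them apart, but Eve recovers SK for the backdoored file from the salt alone. In this model H is SHA-256, Enc is reduced to XOR with one SHA-256 keystream block (so messages are limited to 32 bytes), and the master key X and the message are constructed.

```python
import hashlib
import os

# Constructed: the master secret key X that Eve embeds in her encryptor.
EVE_X = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")


def H(*parts: bytes) -> bytes:
    """H of slide 36: SHA-256 over the inputs, each length-prefixed so the concatenation is unambiguous."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()


def enc(secret_key: bytes, salt: bytes, message: bytes) -> bytes:
    """Enc(SK, salt, m) reduced to a one-block XOR stream; messages are at most 32 bytes here."""
    if len(message) > 32:
        raise ValueError("toy cipher handles at most 32 bytes")
    return bytes(a ^ b for a, b in zip(message, H(b"stream", secret_key, salt)))


def honest_encryptor(message: bytes) -> tuple:
    """Slide 35: salt and SK both come from the CSPRG; the output is (salt, c)."""
    salt, sk = os.urandom(16), os.urandom(32)
    return salt, enc(sk, salt, message)


def backdoored_encryptor(message: bytes, x: bytes = EVE_X) -> tuple:
    """Slide 36: same interface, but SK = H(X, salt), so whoever holds X can recompute SK."""
    salt = os.urandom(16)
    sk = H(x, salt)
    return salt, enc(sk, salt, message)


def eve_decrypt(salt: bytes, c: bytes, x: bytes = EVE_X) -> bytes:
    """Eve needs only (salt, c) from the file plus her X; for this XOR cipher, decryption is enc again."""
    return enc(H(x, salt), salt, c)


def backdoor_demo(message: bytes = b"quarterly numbers") -> dict:
    """Compare what an outside observer sees with what Eve can do with each file."""
    salt_h, c_h = honest_encryptor(message)
    salt_b, c_b = backdoored_encryptor(message)
    return {
        "same_shape": (len(salt_h), len(c_h)) == (len(salt_b), len(c_b)),
        "eve_reads_backdoored_file": eve_decrypt(salt_b, c_b) == message,
        "eve_reads_honest_file": eve_decrypt(salt_h, c_h) == message,
    }


if __name__ == "__main__":
    for name, value in backdoor_demo().items():
        print(f"{name}: {value}")
```

The point for a defender is that no property of the file itself separates the two cases: the salt is uniformly random in both, and the ciphertext is under a key that looks random. That is why the later slides argue for a format whose key derivation can be checked from the outside, rather than for inspecting the output of a binary-only encryptor.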
37. Make a proof of concept for MS Office
• 5 p.m. on Friday:
  "Hi Mitsunari, could you hook into the random generator of MS Office?"
  "I'll try it. By when do you need it?"
  "Coming Monday."
  ...
37/54
38. CSPRG
• PRG (Pseudo Random Generator)
  • used for games and simulation
  • MT (Mersenne Twister) is popular
• CSPRG (Cryptographically Secure PRG)
  • Nobody should be able to predict the next bit from the previous bits
  • used for secret key generation
• MT is not a CSPRG
  • its inner state is determined by 624 x 4-byte outputs
[diagram: known previous bits 0 1 0 0 1 1 1 0 1 → CSPRG → next bit ?]
38/54
39. Example of CSPRG
• I strongly discourage you from implementing your own CSPRG
• Use the CSPRG provided by the system vendor instead
• /dev/urandom on Linux
  • non-blocking device for CSPRG
  • entropy from mouse, keyboard, disk I/O and interrupts
39/54
40. rdrand
• Intel hardware CSPRG instruction
• Meets the NIST SP 800-90A standard
• Uses an on-chip non-deterministic entropy source
• Easy to use
• Difficult to use safely
  • A retry limit should be employed to prevent a busy loop (failure is extremely rare)

// uint64_t getRand();
getRand:
.lp:
    rdrand rax   // store a random number in rax; CF is cleared when no value was available
    jnc .lp      // retry on failure (rare); this minimal loop has no retry limit, see the bullet above
    ret
40/54
41. If rdrand has a backdoor?
• The output of /dev/urandom is fixed by only a modified rdrand (kernel 3.8.13, by Taylor Hornby)
  • rdrand() { return [edx] ^ 0x41414141; }
• Combine other entropy sources to avoid having a single point of failure
41/54
42. CryptGenRandom()
• CSPRG of Microsoft CryptoAPI
• Used to generate the salt and the secret key
• Hook this function
  • I expected that MS Office calls this to make a secret key
  • If my hooked CryptGenRandom always returns fixed bytes, then the secret key may be fixed.
• First, I tried my (very old) DLL injection library
  • Did not work as expected due to ASLR
42/54
43. Detours library (1/2)
• A library to hook Win32 APIs by MS Research
  • http://research.microsoft.com/en-us/projects/detours/
  • 64-bit version costs $9,999.95 (32-bit version is free)
• Usage
  • Source code of the hooking DLL

static PVOID orgFunc; // original CryptGenRandom, located by DetourFindFunction
BOOL WINAPI HookCryptGenRandom(HCRYPTPROV, DWORD len, BYTE *p) {
    memset(p, 'a', len); // always hand back fixed bytes instead of random ones
    return TRUE;
}
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        orgFunc = DetourFindFunction("advapi32.dll", "CryptGenRandom");
        DetourAttach(&orgFunc, HookCryptGenRandom); // inside a Detours transaction (begin/commit elided)
        ...
43/54
44. Detours library (2/2)
• test.exe
• Run test.exe with withdll.exe from Detours
• CryptGenRandom is now hooked!
• But the function is not called by MS Office...

int main() {
    RandomGenerator rg; // wrapper of CryptGenRandom()
    for (int i = 0; i < 3; i++) printf("%08x\n", rg.get32());
}

>test.exe
812e1af0 // random
ad990e76
865cb964
>withdll.exe /d:hook.dll test.exe
61616161 // "aaaa"
61616161
61616161
44/54
45. Trial and error (1/3)
• Run Excel under a debugger and look at the loaded DLLs
• I found rsaenh.dll
45/54
46. Trial and error (2/3)
• Extract the exported symbols of rsaenh.dll
  • dumpbin /exports rsaenh.dll
• What is CPGenRandom?

ordinal hint RVA      name
      1    0 0000230C CPAcquireContext
      2    1 00003A80 CPCreateHash
      3    2 0001CC1C CPDecrypt
      4    3 0001DBC8 CPDeriveKey
    ...
     11    A 00009A80 CPGenKey
     12    B 00001D3C CPGenRandom
46/54
47. Trial and error (3/3)
• CPxxx functions are obsolete
  • CPxxx was renamed to Cryptxxx
  • CPxxx is called from Cryptxxx
  • Cryptxxx is hooked automatically if CPxxx is hooked
• Excel calls CPGenRandom
  • Excel seems to generate a secret key!
• However,

>msoffice-crypt -psk easy.xlsx -p test
...
secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
>msoffice-crypt -psk complex.xlsx -p testtest
...
secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
47/54
48. It is a bug of Excel
• Excel generates the same secret key even without the hook
• MS Office Word and PowerPoint generate different keys
• Only Excel has the bug
• About hooking CPGenRandom
  • This hook was not enough to take control of the generator
  • Hooking the timer functions was not enough either
  • Details unknown because no further investigation was made
48/54
49. Agenda
• Comparison of password-encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
  • Check your Excel files
  • Improved format
49/54
50. Check your Excel files
• This bug was fixed on 2015/Oct/13 (MS15-110)
• But the files already generated won't be fixed
• Verify the secret keys in your files with msoffice-crypt
• Re-encrypt files if you find the same secret keys
50/54
51. Future work
• What is a reliable format?
• The MS Office format is secure enough, but it is difficult to prove that no backdoor exists in the file
  • The problem generally exists for tools provided in binary form
• (again) malicious encryptor
  • blackbox encryptor: m → (salt, c), SK
  • salt: random number
  • X: master secret key in the encryptor
  • SK = H(salt, X)
  • Eve gets SK from (salt, X)
• We want a format that is provably secure against the backdoor
51/54
53. Difficulty of the proposed format
• For a person who knows only (salt, c)
  • same difficulty as previous formats
• For Eve
  • same difficulty as the attack against the KDF to get pass from salt when r0 is known
• Detection of maliciousness is easy if r0 is fixed
  • seems to be safe if all r0 are different from each other when encrypted 10000 times
  • then the attack is 10000 times harder for Eve
[diagram: r0, r1 and pass feed two H stages that produce salt and SK; (SK, m) → Enc]
53/54
54. Conclusion
• Excel files can be attacked through their secret key without knowing the pass
• It is a bug of Excel and has been fixed
• Proposal for a backdoor-resistant format
  • It can be applied to general password-based encrypted file formats
54/54