A journey through the discovery of a broken encryption system, how I uncovered it, how I proved it, the (lack of) response, and the implications.

1. When Strong
Encryption, Isn’t
Philology, XOR, and Unintended Messages
Kurt Kincaid
kurt@kurtkincaid.com
@kurt_kincaid
THOTCON 0xA - 2019

2. The Situation
▪ NFC encryption from large vendor, broken to the
point that data can be decrypted without the
key
2

3. Today’s Roadmap
▪ Setting the Stage
▪ How did I find the problem?
▪ How did I prove it?
▪ Implications and further considerations
3

4. Level Setting
4

5. Stipulation #1
▪ I cannot reveal the name of the company
▪ I would love to
▪ So why don't you?
5

6. Stipulation #2
6
Crypto ≠ Cryptocurrency

7. Setting the Stage
▪ Philology background
▫ Language is fascinating
▫ How language works, how it evolves, how it conveys
messages and information
▫ Not only what is said, but how it is said
▪ Author of a broken encryption module
▫ Pay attention to the details
▫ I have an appreciation for sticking your foot in it
7

8. Unintended Messages
▪ Spy The Lie
▫ Philip Houston, Michael Floyd, Susan Carnicero
▫ Signs of deceptive behavior
▫ Refusal to answer, referral statements, attacking the
questioner, inappropriate level of concern, overly specific,
etc.
▪ Quick Examples
▫ “Perfectly plausible explanation”
▫ “Some of these changes…”
▪ Techniques useful in many situations8

9. The Whitepaper
▪ NFC encryption
▪ 21 pages
▪ Excellent design decisions, high security margin
▫ SHA512, AES256 in CTR mode, NIST SP 800-56A Single-
Step Key Derivation, etc.
▪ …and at the bottom of page 20…
▫ Unnecessarily long explanation on use of static Initialization
Vector (IV)
▫ Permitted per the NIST pub, but why the long explanation?
9

10. Line of Questioning
▪ Used IV issue as method for starting
conversation
▪ String of dismissive, condescending responses
▪ Kept redirecting conversation to NIST
compliance
▪ Finally, the culprit:
▫ "…we encrypt a non-incrementing counter…"
▪ TO BE CONTINUED
10

11. The Encryption (1)
▪ Plaintext is a JSON*
string
▪ AES
▫ Winner of NIST Advanced Encryption Standard competition in 2001
▫ Block cipher, uses 128 bit blocks
▫ Key sizes of 128, 192, or 256 bits
▪ Mode of Operation: algorithm for using block ciphers on data
larger than a single block
▪ Counter (CTR) Mode
▫ Passphrase encrypts the counter
▫ Encrypted counter is XOR'd with next byte of plaintext
▫ Counter is incremented* and process repeats
11

12. The Encryption (2) – XOR
▪ Formally "Exclusive Disjunction"
▪ Boolean "either A or B, but not both"
▫ 1 ⊕ 1 = 0
▫ 0 ⊕ 0 = 0
▫ 1 ⊕ 0 = 1
▫ 0 ⊕ 1 = 1
12

13. The Encryption (3) – XOR cont'd
• Example:
A = 0110
B = 1011
A ⊕ B = 1101
▪ Interesting Properties…
▫ Really fast
▫ A B = C; A C = B; B C = A⊕ ⊕ ⊕
▪ J = encrypted, non-incrementing counter
▪ P1 ⊕ J = C1 ; P2 ⊕ J = C2, etc.
13

14. The Encryption (4) – XOR cont'd
▪ Difference equation
▫ P1 ⊕ Pn = X
▫ C1 ⊕ Cn = X
▫ P1 ⊕ Pn = C1 ⊕ Cn
14

15. Breaking the Encryption
▪ Knowns:
▫ Complete ciphertext (C1…Cn)
▫ Plaintext is a JSON string
▫ {"userName":"kurt"}
▫ Counter is never incremented
▪ A little guesswork
▫ Our initial guess is first character is "{"
▫ {⊕ C1 = J
▫ Once we have J, we can decrypt the entire string
▫ C1 ⊕ J = P1 ; C2 ⊕ J = P2 ; Cn ⊕ J = Pn
15

16. End Result
▪ Might be able to get by with this on
unstructured data
▪ "Well, you clearly don't understand how this
works."
▪ Provided proof
▪ And in response…
Silence
16

17. Implications and Considerations
▪ Where else is this method being used?
▪ Was this ever fixed?
▪ What other broken implementations like this
have we blindly accepted?
▫ XOR everything with the number 74
▫ It's proprietary encryption. Ok, well, it's base 64 encoded.
But you can't read it!
17

18. Further Considerations
▪ Was this done intentionally?
▫ Refusal to answer
▫ Referral statements
▫ Attacking the questioner
▫ Inappropriate level of concern
▫ Overly specific
▪ If I was creating a backdoor…
18

19. Takeaways
▪ The initial red flag came from textual analysis,
not technical analysis
▪ Need to expand beyond raw technical skill
▪ People say what they think they can get away
with
▪ Need to look at what people write and say from
a different perspective
19

20. Contact info:
●
Kurt Kincaid
●
kurt@kurtkincaid.com
●
Twitter: @kurt_kincaid
20 Presentation template by SlidesCarnival