<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>The What, Why and How of Software Security : Cryptography</title><link>http://blogs.msdn.com/varun_sharma/archive/tags/Cryptography/default.aspx</link><description>Tags: Cryptography</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Catch the Security Flaw #3</title><link>http://blogs.msdn.com/varun_sharma/archive/2008/07/14/catch-the-security-flaw-3.aspx</link><pubDate>Mon, 14 Jul 2008 13:17:49 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8731276</guid><dc:creator>Varun Sharma</dc:creator><slash:comments>8</slash:comments><comments>http://blogs.msdn.com/varun_sharma/comments/8731276.aspx</comments><wfw:commentRss>http://blogs.msdn.com/varun_sharma/commentrss.aspx?PostID=8731276</wfw:commentRss><description>&lt;p&gt;Quite a few web applications encrypt query string values. This is generally done as an added measure to prevent unauthorized access. Since the end user cannot choose a value and then encrypt it, changing parameters becomes difficult. But encryption is not a panacea. See if you can spot this bug. 
&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt1.gif"&gt;&lt;img title="encrypt1" height="524" alt="encrypt1" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt1_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;The code behind file looks like this:-&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt2_1.gif"&gt;&lt;img title="encrypt2" height="580" alt="encrypt2" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt2_thumb_1.gif" width="750" border="0" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Implementation for the Encrypt and Decrypt methods is not shown. They are using the DES algorithm. There is no flaw in the usage or key management. &lt;/p&gt;  &lt;p&gt;The end user can upload files and the screen looks like this:-&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt3.gif"&gt;&lt;img title="encrypt3" height="258" alt="encrypt3" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt3_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;On clicking Upload, the file gets uploaded and a message is shown. Note the query string values. The HTML source is also shown. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt4.gif"&gt;&lt;img title="encrypt4" height="489" alt="encrypt4" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/CatchtheSecurityFlaw3_9AB4/encrypt4_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt; &lt;/p&gt;  &lt;p&gt;Do you think the code or design is flawed in any way? Can this be exploited? 
&lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8731276" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Catch+the+security+flaw/default.aspx">Catch the security flaw</category><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Cryptography/default.aspx">Cryptography</category><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/+++Authorization+++/default.aspx">   Authorization   </category></item><item><title>Confusion property of symmetric block ciphers</title><link>http://blogs.msdn.com/varun_sharma/archive/2008/07/14/confusion-property-of-symmetric-block-ciphers.aspx</link><pubDate>Mon, 14 Jul 2008 09:43:15 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8730991</guid><dc:creator>Varun Sharma</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.msdn.com/varun_sharma/comments/8730991.aspx</comments><wfw:commentRss>http://blogs.msdn.com/varun_sharma/commentrss.aspx?PostID=8730991</wfw:commentRss><description>&lt;p&gt;Modern symmetric block encryption algorithms need to satisfy a number of properties to be considered strong. One such property is the property of “Confusion”. &lt;/p&gt;  &lt;p&gt;What it means is that if an attacker is conducting an exhaustive key search, and if the key being tested is incorrect only in a few bits, the decrypted text should give no such indication. If the decrypted text does give such an indication, then the attacker can stop the brute force process, and simply change the incorrect bits in the key and get the actual key. This will take much less time relative to a full brute force attack. &lt;/p&gt;  &lt;p&gt;To understand this better, I will demo it using the &lt;a href="http://www.cryptool.org/" target="_blank"&gt;CrypTool&lt;/a&gt;, which is a great tool to learn about cryptography. &lt;/p&gt;  &lt;p&gt;1. 
This will encrypt the text shown in the background using the Simple Substitution Cipher and the key “ONCEUPATIMXBDFGHJKLQRSVWYZ”. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt1_1.gif"&gt;&lt;img title="crypt1" height="506" alt="crypt1" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt1_thumb_1.gif" width="750" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;2. Text in the background has been encrypted. Using the tool, I will now perform an automatic analysis of the cipher text to try to get the key. Note: This could have been a brute force attack too. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt2.gif"&gt;&lt;img title="crypt2" height="523" alt="crypt2" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt2_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;3. Although the correct key has not been found, since the decrypted text resembles text in English to a great extent, I may be “close” to the actual key. &lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt3.gif"&gt;&lt;img title="crypt3" height="584" alt="crypt3" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt3_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;4. I will now stop the brute force process and, using manual analysis, one by one substitute only those characters in the key that seem to produce incorrect plaintext, thereby getting the actual key. 
&lt;/p&gt;  &lt;p&gt;&lt;a href="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt4.gif"&gt;&lt;img title="crypt4" height="567" alt="crypt4" src="http://blogs.msdn.com/blogfiles/varun_sharma/WindowsLiveWriter/Confusionpropertyofciphers_9A80/crypt4_thumb.gif" width="750" border="0" /&gt;&lt;/a&gt;&lt;/p&gt;  &lt;p&gt;&amp;#160;&lt;/p&gt;  &lt;p&gt;Modern encryption algorithms like DES and AES have the Confusion property. Therefore, if English text has been encrypted using DES or AES and, during the brute force process, the key being tested differs from the actual key by only one bit, the decrypted text still does not resemble English text at all.&amp;#160; &lt;/p&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=8730991" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Cryptography/default.aspx">Cryptography</category><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Security+Tool/default.aspx">Security Tool</category></item><item><title>Block Ciphers:  Simple attack on ECB mode</title><link>http://blogs.msdn.com/varun_sharma/archive/2007/11/27/block-ciphers-simple-attack-on-ecb-mode.aspx</link><pubDate>Wed, 28 Nov 2007 00:17:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:6560255</guid><dc:creator>Varun Sharma</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.msdn.com/varun_sharma/comments/6560255.aspx</comments><wfw:commentRss>http://blogs.msdn.com/varun_sharma/commentrss.aspx?PostID=6560255</wfw:commentRss><description>This is nothing new, but I just wanted to document it on my blog. Block ciphers encrypt data in blocks of bits. These blocks are generally 64 or 128 bits long. In the ECB (or Electronic Code Book) mode, each block is encrypted independently of the other blocks. As a result, if two blocks are the same, the same cipher text results. 
This enables the attacker to figure out all instances of a plaintext if that plaintext-cipher text pair is known and the cipher text is repeating. An attack based on the frequency analysis of the blocks is also possible. Frequently repeating cipher text blocks mean frequently repeating plain text blocks. 
&lt;P&gt;I will show the effects of another simple attack. In this case consider that the plain text is "Give Jo one two one two dollars". Note that I have purposely divided the message into blocks of 8 characters (or 64 bits in ASCII). "Give Jo " is the first block, "one two " is the next and so on. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560151/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560151/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;Now I will use the &lt;A class="" href="http://msdn2.microsoft.com/en-us/library/system.security.cryptography.descryptoserviceprovider.aspx" mce_href="http://msdn2.microsoft.com/en-us/library/system.security.cryptography.descryptoserviceprovider.aspx"&gt;DESCryptoServiceProvider&lt;/A&gt; class to encrypt this plaintext using ECB mode. The code used to encrypt is available &lt;A class="" href="http://support.microsoft.com/kb/307010" mce_href="http://support.microsoft.com/kb/307010"&gt;here&lt;/A&gt;. The only difference is that I have changed the mode to ECB, and the block size to 64 bits for this demo to work. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560147/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560147/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;After encrypting the plain text, the cipher text received is:-&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560127/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560127/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;First of all note the repeated block because of ECB. "one two one two" (from the plain text) consists of two blocks of 64 bits each. These blocks give identical cipher text blocks because of ECB. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560143/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560143/original.aspx"&gt;&lt;/P&gt;
&lt;P mce_keep="true"&gt;Now consider if an attacker removes one of these blocks. This is the cipher text after removing one of the repeating blocks. &lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560141/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560141/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;If I decrypt this cipher text, using the same code (and key) I get:-&lt;/P&gt;
&lt;P mce_keep="true"&gt;&lt;IMG src="http://blogs.msdn.com/photos/varun_sharma/images/6560149/original.aspx" mce_src="http://blogs.msdn.com/photos/varun_sharma/images/6560149/original.aspx"&gt;&lt;/P&gt;
&lt;P&gt;Notice that the decryption was possible and successful, but the plain text is now different from the original plain text. Jo now gets a lot fewer dollars ;)&lt;/P&gt;
&lt;P&gt;Of course, these are the reasons why ECB mode is not preferred. &lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=6560255" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Cryptography/default.aspx">Cryptography</category></item><item><title>The Unbreakable Cipher</title><link>http://blogs.msdn.com/varun_sharma/archive/2007/11/15/the-unbreakable-cipher.aspx</link><pubDate>Thu, 15 Nov 2007 10:37:00 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:6247238</guid><dc:creator>Varun Sharma</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.msdn.com/varun_sharma/comments/6247238.aspx</comments><wfw:commentRss>http://blogs.msdn.com/varun_sharma/commentrss.aspx?PostID=6247238</wfw:commentRss><description>&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;The concept of perfect secrecy is that given the cipher text, and any resources and amount of time, the adversary has no way of getting to the plain text. Having the cipher text makes no difference and provides absolutely no additional information. The adversary can try a brute force approach, by trying each and every key, one by one, but this will still require the adversary to guess the plaintext. A cipher that enables this is an unbreakable cipher. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;The contemporary symmetric encryption algorithms like AES and Triple-DES are not unbreakable ciphers in this sense. If you know that the plain text is a sentence in English, you have the cipher text, and you brute force, it may take you a long time, but eventually you will get only a few (probably only one) sentence in English as the plain text. This would beyond doubt be the plain text that you were looking for. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;There is only one unbreakable cipher, which provides perfect secrecy as defined above. This is the One-time pad. In a One-time pad, the key size is equal to the size of the data to be encrypted. A key is used only once to encrypt data. This one-time key is random. When Alice wants to send an encrypted message (a sentence in English) to Bob, Alice generates a random sequence of bits, equal in length to the message and XOR’s this key and the message. To decrypt, Bob then XOR’s the cipher text with this One-time random key and the plain text is retrieved. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;If Eve gets hold of the cipher text in transit, she may decide to get the plain text by brute forcing. If the message is n-bits, Eve can one by one, try all n-bit sequences as the key. But this will create every sentence in English of that length. In other words, given any sentence in English (constructed from n-bits), there will be a key that will transform the given cipher text to that sentence. Hence even knowing the cipher text requires Eve to guess the plaintext and provides absolutely no additional information. &lt;/FONT&gt;&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 10pt"&gt;&lt;FONT face=Calibri size=3&gt;The reason One-time pad is rarely used is because it requires the key to be transferred securely before the cipher text is transmitted, and since the key length is equal to the message length, key distribution becomes a problem. &lt;/FONT&gt;&lt;/P&gt;&lt;img src="http://blogs.msdn.com/aggbug.aspx?PostID=6247238" width="1" height="1"&gt;</description><category domain="http://blogs.msdn.com/varun_sharma/archive/tags/Cryptography/default.aspx">Cryptography</category></item></channel></rss>