r3s - RemoteRheinRuhr Talk

Practical bruteforce of military grade AES-1024

r3s - Monheim/Rhein
Sony, SanDisk, and Lexar provide encryption software for their USB keys, hard drives, and other storage products. The software is already present when buying a new product and is used to keep data on the storage safe. This solution is developed by a third party called ENCSecurity. The security claims of this solution were very strong, *i.e.* "Ultimate encryption using 1024 bit AES keys Military grade". Our analysis of the DataVault software revealed three serious flaws impacting the security of the DataVault solution. This presentation is a look at the flaws we identified, along with our process for discovery and how the vulnerabilities were addressed.
The DataVault solution is a stand-alone application used by default as an encryption solution for many Sony, SanDisk, and Lexar products, and it is also used by some libraries to offer data security. This solution had not been analyzed before, and the strong security claims had not been assessed against reality. This presentation gives background details of the analysis and the context which brought us to perform it. The method for reverse engineering and inspecting the DataVault solution will be presented.

It turned out that the key derivation function was PBKDF2 using 1,000 iterations of MD5 to derive the encryption key. The salt used to derive the keys is constant and hardcoded in all the solutions and for all the vendors. This makes it easier for an attacker to guess the user password of a vault using time/memory trade-off attack techniques such as rainbow tables, and to re-use the tables to retrieve passwords for all users of the software. The implementation itself was incorrect, and even with a randomly generated unique salt it would be effortless to recover the password of a user. Other flaws of the key derivation function will be discussed and compared with current good practice.

The data encryption method was also found to be malleable, allowing malicious modifications of files in a vault without any detection: no data integrity mechanism was in place. The settings of the full version of the software allow choosing between four different levels of security, namely AES-128, 256, 512 and 1024 bits. The encryption method has been reversed and is a CTR-like construction based on AES-128 using a single key. Multiple iterations of encryption are chained, with the keys obtained from the key derivation function used as IVs. However, the analysis showed that all these modes offer only a security level of 128 bits.
A plugin for the John the Ripper software, allowing everyone to "practically brute force military grade AES-1024", will be released at the time of the presentation. We have a continuous, welcome, and constructive collaboration with the ENCSecurity company. During this presentation, we will explain the coordinated disclosure process, which was difficult since it impacted several vendors and some deployed libraries. The fix that was provided will be presented and compared to best-practice standards, along with a discussion of the process of selecting the specific improvements.
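The two weaknesses the abstract describes, a constant salt in the key derivation and a CTR-style encryption with no integrity check, are illustrated below in an added example written for this page; it is not code from the talk, from the John the Ripper plugin, or from ENCSecurity, and it reproduces none of the DataVault internals. The hardcoded salt value is a placeholder, the keystream is generated with HMAC-SHA256 over a counter because the Python standard library has no AES (it stands in for the AES-CTR-like construction only to show the malleability property), and the "hardened" parameters (per-vault random salt, SHA-256, 600,000 iterations, encrypt-then-MAC) are assumptions about good practice, not the vendor's actual fix.

```python
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# 1. Key derivation: constant salt vs. per-vault random salt
# ---------------------------------------------------------------------------

# Placeholder for the hardcoded salt the talk describes; the real value is
# not on the page and is not reproduced here.
HARDCODED_SALT = b"placeholder-constant-salt"


def weak_derive(password: str, salt: bytes = HARDCODED_SALT) -> bytes:
    """PBKDF2 with 1,000 iterations of MD5, the construction the talk describes."""
    return hashlib.pbkdf2_hmac("md5", password.encode(), salt, 1000, dklen=16)


def strong_derive(password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Assumed hardened parameters: SHA-256, a random salt per vault, high iteration count."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def same_key_for_two_vaults(password: str) -> tuple[bool, bool]:
    """Two vaults protected by the same password.

    Returns (weak KDF yields the same key, strong KDF yields the same key).
    With a constant salt every vault with that password shares one key, so a
    single precomputed table serves all users; a per-vault salt removes that reuse.
    """
    weak_same = weak_derive(password) == weak_derive(password)
    salt_a, salt_b = secrets.token_bytes(16), secrets.token_bytes(16)
    strong_same = strong_derive(password, salt_a) == strong_derive(password, salt_b)
    return weak_same, strong_same


# ---------------------------------------------------------------------------
# 2. Malleability: CTR-style encryption without integrity vs. encrypt-then-MAC
# ---------------------------------------------------------------------------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 counter-mode keystream (stand-in for AES-CTR, stdlib has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_like(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt by XOR with the keystream; carries no integrity protection."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


def flip_byte(data: bytes, index: int, mask: int) -> bytes:
    """Simulate a modification of a stored vault file (one byte XORed with mask)."""
    buf = bytearray(data)
    buf[index] ^= mask
    return bytes(buf)


def _subkeys(key: bytes) -> tuple[bytes, bytes]:
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce (16 bytes assumed) || ciphertext || HMAC-SHA256 tag."""
    enc_key, mac_key = _subkeys(key)
    ct = ctr_like(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification of nonce or ciphertext is rejected."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: vault file was modified")
    return ctr_like(enc_key, nonce, ct)


def demo_malleability(key: bytes, nonce: bytes) -> tuple[bytes, bool]:
    """Returns (plaintext seen after tampering without integrity, whether encrypt-then-MAC rejected it)."""
    pt = b"amount=100"                      # constructed sample record
    change = ord("1") ^ ord("9")            # turns the '1' at offset 7 into a '9'
    # Without integrity the change is silently reflected in the decrypted data.
    modified_pt = ctr_like(key, nonce, flip_byte(ctr_like(key, nonce, pt), 7, change))
    # With encrypt-then-MAC the same change is detected before decryption.
    try:
        open_sealed(key, flip_byte(seal(key, nonce, pt), 16 + 7, change))
        rejected = False
    except ValueError:
        rejected = True
    return modified_pt, rejected


if __name__ == "__main__":
    print("same key across vaults (weak, strong):", same_key_for_two_vaults("hunter2"))
    print("tampered result, rejected by MAC:", demo_malleability(b"k" * 32, b"n" * 16))
```

Running the block shows `(True, False)` for the salt comparison and `(b'amount=900', True)` for the malleability check: the unauthenticated CTR-style output accepts the modified record as if it were genuine, while the authenticated variant refuses to decrypt it. This is the defender's takeaway from the abstract: a unique random salt with a slow hash removes the cross-user reuse of guessing work, and an integrity tag (or an AEAD mode) closes the undetected-modification gap.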

Additional information

Live Stream https://streaming.media.ccc.de/rc3/r3s
Type Talk
Language English
