seed – Gea-Suan Lin's BLOG

NIST P-curve 的 Seed Bounty Program

Filippo Valsorda 發起了 seed bounty program，針對 NIST P-curve 裡 seed 的部分尋找 SHA-1 的 pre-image：「Announcing the $12k NIST Elliptic Curves Seeds Bounty」。

先講一下這次的 bounty program，希望找出下面這些 SHA-1 的 pre-image input (也就是找出 input，使得 SHA1(input) 會等於下面的東西)：

3045AE6FC8422F64ED579528D38120EAE12196D5
BD71344799D5C7FCDC45B59FA3B9AB8F6A948BC5
C49D360886E704936A6678E1139D26B7819F7E90
A335926AA319A27A1D00896A6773A4827ACDAC73
D09E8800291CB85396CC6717393284AAA0DA64BA

金額是 US$12288，但是要五個都找到。

話說在寫這篇時，查資料發現 P-384 有獨立條目，但 P-256 與 P-521 都是重導指到 Elliptic-curve cryptography 這個條目，但 P-384 看起來也沒什麼特別的，不知道當初編輯的人是怎麼想的...

回來原來的問題，要從一些背景開始講，橢圓曲線的表示法有多種，像是：

$y^2 = x^3 + ax + b (Weierstrass form)$ $y^2 = x^3 + ax^2 + bx (Montgomery form)$

而這些常數 a 與 b 的選擇會影響到計算速度，所以通常會挑過，但畢竟是密碼學用的東西，挑的過程如果都不解釋的話，會讓人懷疑是不是挑一個有後門的數字，尤其 NIST (NSA) 後來被證實在 Dual_EC_DRBG 裡面埋後門的醜聞，大家對於 NIST 選擇或是設計的密碼系統都有很多疑慮。

舉個例子來說，2005 年時 djb 發明了 Curve25519 (論文「Curve25519: new Diffie-Hellman speed records」則是記錄 2006)，選擇的橢圓曲線是：

$y^2 = x^3 + 486662x^2 + x$

他就有提到這邊的 486662 是怎麼來的：他先在前一個段落說明，這邊數字如果挑的不好的話，會有哪些攻擊可以用，接下來把最小的三個值列出來，然後說明原因：

To protect against various attacks discussed in Section 3, I rejected choices of A whose curve and twist orders were not {4 · prime, 8 · prime}; here 4, 8 are minimal since p ∈ 1+4Z. The smallest positive choices for A are 358990, 464586, and 486662. I rejected A = 358990 because one of its primes is slightly smaller than 2^252, raising the question of how standards and implementations should handle the theoretical possibility of a user’s secret key matching the prime; discussing this question is more difficult than switching to another A. I rejected 464586 for the same reason. So I ended up with A = 486662.

而 P-192、P-224、P-256、P-384 與 P-521 的值都很怪，這是十六進位的值，在正式的文件或是正式的說明上都沒有解釋，屬於「magic number」：

3045AE6FC8422F64ED579528D38120EAE12196D5 # NIST P-192, ANSI prime192v1
BD71344799D5C7FCDC45B59FA3B9AB8F6A948BC5 # NIST P-224
C49D360886E704936A6678E1139D26B7819F7E90 # NIST P-256, ANSI prime256v1
A335926AA319A27A1D00896A6773A4827ACDAC73 # NIST P-384
D09E8800291CB85396CC6717393284AAA0DA64BA # NIST P-521

依照 Steve Weis 說，這些值當初是 Jerry Solinas 是隨便抓個字串，再用 SHA-1 生出來的：

Apparently, they were provided by the NSA, and generated by Jerry Solinas in 1997. He allegedly generated them by hashing, presumably with SHA-1, some English sentences that he later forgot.

這是 Steve Weis 的敘述，出自「How were the NIST ECDSA curve parameters generated?」：

[Jerry] told me that he used a seed that was something like:
SEED = SHA1("Jerry deserves a raise.")
After he did the work, his machine was replaced or upgraded, and the actual phrase that he used was lost. When the controversy first came up, Jerry tried every phrase that he could think of that was similar to this, but none matched.

如果可以證實當初的字串，那麼 NIST 在裡面埋後門的疑慮會再降低一些，這就是這次發起 bounty program 的原因。

Kaspersky Password Manager 的漏洞

在 Hacker News Daily 上看到「Kaspersky Password Manager: All your passwords are belong to us」這篇，講 Kaspersky Password Manager (KPM) 嚴重的安全漏洞，另外在 Hacker News 上的討論「Kaspersky Password Manager: All your passwords are belong to us (ledger.com)」也有提到一些有趣的東西。

標題的 All your passwords are belong to us 是出自「All your base are belong to us」這個梗的變形。

這包安全問題主要的原因是因為 KPM 沒有使用 CSPRNG，而且也沒有正確 seed，所以極為容易被猜出密碼本身。

KPM 的 Web 版使用了 Math.random()，在各家瀏覽器主要是用 xorshift128+ 實做 Math.random()，作者沒有針對這塊再花時間研究，但很明顯的 Math.random() 不是個 CSPRNG：

The underlying PRNG used by Chrome, Firefox and Safari for Math.random() is xorshift128+. It is very fast, but not suitable to generate cryptographic material. The security consequences in KPM has not been studied, but we advised Kaspersky to replace it with window.crypto.getRandomValues(), as recommended by the Mozilla documentation page previously mentioned.

Note: Math.random() does not provide cryptographically secure random numbers. Do not use them for anything related to security. Use the Web Crypto API instead, and more precisely the window.crypto.getRandomValues() method.

而桌機版則是用了 MT19937，理論上取得 624 bytes 的輸出後就可以重建整個 PRNG 的內部狀態 (於是就可以預測後續的 output)，但這代表你要知道其他網站的密碼，這點其實有點困難。

但作者發現 KPM 在產生 MT19937 的 seed 只跟時間有關，超級容易被預測：

So the seed used to generate every password is the current system time, in seconds. It means every instance of Kaspersky Password Manager in the world will generate the exact same password at a given second.

於是可以直接暴力解出所有的可能性：

The consequences are obviously bad: every password could be bruteforced. For example, there are 315619200 seconds between 2010 and 2021, so KPM could generate at most 315619200 passwords for a given charset. Bruteforcing them takes a few minutes.

Hacker News 上有不少陰謀論的討論，像是：

Getting some DUAL_EC prng vibes.

Insert Kaspersky owned by Russia intelligence conspiracy here...

另外 Kaspersky 跟俄羅斯軍方的關係也是很知名，這些東西大概要到十來年後才會知道...

The DUHK Attack：因為亂數產生器的問題而造成的安全漏洞

在 Bruce Schneier 那邊看到的：「Attack on Old ANSI Random Number Generator」，攻擊的網站在「The DUHK Attack」，論文在「Practical state recovery attacks against legacy RNG implementations (PDF)」。

攻擊的對象是 ANSI X9.31 Random Number Generator：

DUHK (Don't Use Hard-coded Keys) is a vulnerability that affects devices using the ANSI X9.31 Random Number Generator (RNG) in conjunction with a hard-coded seed key.

然後攻擊的對象是 Fortinet 的 FortiOS：

Traffic from any VPN using FortiOS 4.3.0 to FortiOS 4.3.18 can be decrypted by a passive network adversary who can observe the encrypted handshake traffic.

如果照說明的只到 4.3.18，那麼去年 11 月更新的 4.3.19 (參考「FortiOS 4.3.19 Release Notes」) 應該是修正了？不過裡面沒翻到類似的資料，是剛好把 RNG 換掉了嗎？

htpasswd 的 SHA 不會帶 salt (seed)...

剛剛發現 htpasswd (Apache 的 .htpasswd 檔案產生程式) 提供的 SHA-1 不會使用 salt，不過 MD5 格式會...

以密碼「test」測試：

gslin@colo-p [~] [17:44/W7] touch test.txt
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test1 test
Adding password for user test1
gslin@colo-p [~] [17:44/W7] htpasswd -b -m test.txt test2 test
Adding password for user test2
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test3 test
Adding password for user test3
gslin@colo-p [~] [17:44/W7] htpasswd -b -s test.txt test4 test
Adding password for user test4

結果是：

test1:$apr1$GU6SyO0y$I.Ng9o4H8Tcje.M2A6ECb0
test2:$apr1$uqoX9b/x$7zGMAKqRjvoi6HHSKtaRO.
test3:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=
test4:{SHA}qUqP5cyxm6YcTAhz05Hph5gvu9M=

依照說明，htpasswd 使用的 SHA 是移植自 Netscape server 的 LDAP Directory Interchange Format (ldif)：

Use SHA encryption for passwords. Facilitates migration from/to Netscape servers using the LDAP Directory Interchange Format (ldif).

在安全疑慮 (Security Considerations) 上也有註明 htpasswd 使用的 SHA 是不帶 salt：

The SHA encryption format does not use salting: for a given password, there is only one encrypted representation.

現在密碼儲存應該是朝 bcrypt 與 PBKDF2 發展，參考依林姊姊的「請愛用 bcrypt 和 PBKDF2」，後者 PBKDF2 被用在 WPA2 上。