| Page: 1 | Rating: Unrated [0] |
Defeating Aes
| Good [+1]Toggle ReplyLink» cutterhead replied on Mon Feb 16, 2009 @ 12:00am |
 Coolness: 131815 | source :
[ www.phrack.com ] ==Phrack Inc.== Volume 0x0b, Issue 0x3f, Phile #0x11 of 0x14 |=------------[ Security Review Of Embedded Systems And Its ]------------=| |=------------[ Applications To Hacking Methodology ]------------=| |=-----------------------------------------------------------------------=| |=----[ Cawan: [ ] or [ ] ]----=| --=[ Contents 1. - Introduction 2. - Architectures Classification 3. - Hacking with Embedded System 4. - Hacking with Embedded Linux 5. - "Hacking Machine" Implementation In FPGA 6. - What The Advantages Of Using FPGA In Hacking ? 7. - What Else Of Magic That Embedded Linux Can Do ? 8. - Conclusion --[ 1. - Introduction Embedded systems have been penetrated the daily human life. In residential home, the deployment of "smart" systems have brought out the term of "smart-home". It is dealing with the home security, electronic appliances control and monitoring, audio/video based entertainment, home networking, and etc. In building automation, embedded system provides the ability of network enabled (Lonwork, Bacnet or X10) for extra convenient control and monitoring purposes. For intra-building communication, the physical network media including power-line, RS485, optical fiber, RJ45, IrDA, RF, and etc. In this case, media gateway is playing the roll to provide inter-media interfacing for the system. For personal handheld systems, mobile devices such as handphone/smartphone and PDA/XDA are going to be the necessity in human life. However, the growing of 3G is not as good as what is planning initially. The slow adoption in 3G is because it is lacking of direct compatibility to TCP/IP. As a result, 4G with Wimax technology is more likely to look forward by communication industry regarding to its wireless broadband with OFDM. Obviously, the development trend of embedded systems application is going to be convergence - by applying TCP/IP as "protocol glue" for inter-media interfacing purpose. Since the deployment of IPv6 will cause an unreasonable overshooting cost, so the widespread of IPv6 products still needs some extra times to be negotiated. As a result, IPv4 will continue to dominate the world of networking, especially in embedded applications. As what we know, the brand-old IPv4 is being challenged by its native security problems in terms of confidentiality, integrity, and authentication. Extra value added modules such as SSL and SSH would be the best solution to protect most of the attacks such as Denial of Service, hijacking, spooling, sniffing, and etc. However, the implementation of such value added module in embedded system is optional because it is lacking of available hardware resources. For example, it is not reasonable to implement SSL in SitePlayer[1] for a complicated web-based control and monitoring system by considering the available flash and memory that can be utilized. By the time of IPv4 is going to conquer the embedded system's world, the native characteristic of IPv4 and the reduced structure of embedded system would be problems in security consideration. These would probably a hidden timer-bomb that is waiting to be exploited. As an example, by simply performing port scan with pattern recognition to a range of IP address, any of the running SC12 IPC@CHIP[2] can be identified and exposed. Once the IP address of a running SC12 is confirmed, by applying a sequence of five ping packet with the length of 65500 is sufficient to crash it until reset. --[ 2. - Architectures Classification With the advent of commodity electronics in the 1980s, digital utility began to proliferate beyond the world of technology and industry. By its nature digital signal can be represented exactly and easily, which gives it much more utility. In term of digital system design, programmable logic has a primary advantage over custom gate arrays and standard cells by enabling faster time-to-complete and shorter design cycles. By using software, digital design can be programmed directly into programmable logic and allowing making revisions to the design relatively quickly. The two major types of programmable logic devices are Field Programmable Logic Arrays (FPGAs) and Complex Programmable Logic Devices (CPLDs). FPGAs offer the highest amount of logic density, the most features, and the highest performance. These advanced devices also offer features such as built-in hardwired processors (such as the IBM Power PC), substantial amounts of memory, clock management systems, and support for many of the latest very fast device-to-device signaling technologies. FPGAs are used in a wide variety of applications ranging from data processing and storage, instrumentation, telecommunications, and digital signal processing. Instead, CPLDs offer much smaller amounts of logic (approximately 10,000 gates). But CPLDs offer very predictable timing characteristics and are therefore ideal for critical control applications. Besides, CPLDs also require extremely low amounts of power and are very inexpensive. Well, it is the time to discuss about Hardware Description Language (HDL). HDL is a software programming language used to model the intended operation of a piece of hardware. There are two aspects to the description of hardware that an HDL facilitates: true abstract behavior modeling and hardware structure modeling. The behavior of hardware may be modeled and represented at various levels of abstraction during the design process. Higher level models describe the operation of hardware abstractly, while lower level models include more detail, such as inferred hardware structure. There are two types of HDL: VHDL and Verilog-HDL. The history of VHDL started from 1980 when the USA Department of Defence (DoD) wanted to make circuit design self documenting, follow a common design methodology and be reusable with new technologies. It became clear there was a need for a standard programming language for describing the function and structure of digital circuits for the design of integrated circuits (ICs). The DoD funded a project under the Very High Speed Integrated Circuit (VHSIC) program to create a standard hardware description language. The result was the creation of the VHSIC hardware description language or VHDL as it is now commonly known. The history of Verilog-HDL started from 1981, when a CAE software company called Gateway Design Automation that was founded by Prabhu Goel. One of the Gateway's first employees was Phil Moorby, who was an original author of GenRad's Hardware Description Language (GHDL) and HILO simulator. On 1983, Gateway released the Verilog Hardware Description Language known as Verilog-HDL or simply Verilog together with a Verilog simulator. Both VHDL and Verilog-HDL are reviewed and adopted by IEEE as IEEE standard 1076 and 1364, respectively. Modern hardware implementation of embedded systems can be classified into two categories: hardcore processing and softcore processing. Hardcore processing is a method of applying hard processor(s) such as ARM, MIPS, x86, and etc as processing unit with integrated protocol stack. For example, SC12 with x86, IP2022 with Scenix RISC, eZ80, SitePlayer and Rabbit are dropped in the category of hardcore processing.Instead, softcore processing is applying a synthesizable core that can be targeted into different semiconductor fabrics. The semiconductor fabrics should be programmable as what FPGA and CPLD do. Altera[3] and Xilinx[4] are the only FPGA/CPLD manufacturers in the market that supporting softcore processor. Altera provides NIOS processor that can be implemented in SOPC Builder that is targeted to its Cyclone and Stratix FPGAs. Xilinx provides two types of softcore: Picoblaze, that is targeted to its CoolRunner-2 CPLD; and Microblaze, that is targeted to its Spartan and Virtex FPGAs. For the case of FPGAs with embedded hardcore, for example ARM-core in Stratix, and MIPS-core in Virtex are classified as embedded hardcore processing. On the other hand, FPGAs with embedded softcore such as NIOS-core in Cyclone or Stratix, and Microblaze-core in Spartan or Virtex are classified as softcore processing. Besides, the embedded softcore can be associated with others synthesizable peripherals such as DMA controller for advanced processing purpose. In general, the classical point of view regarding to the hardcore processing might assuming it is always running faster than softcore processing. However, it is not the fact. Processor performance is often limited by how fast the instruction and data can be pipelined from external memory into execution unit. As a result, hardcore processing is more suitable for general application purpose but softcore processing is more liable to be used in customized application purpose with parallel processing and DSP. It is targeted to flexible implementation in adaptive platform. --[ 3. - Hacking with Embedded System When the advantages of softcore processing are applied in hacking, it brings out more creative methods of attack, the only limitation is the imagination. Richard Clayton had shown the method of extracting a 3DES key from an IBM 4758 that is running Common Cryptographic Architecture (CCA)[5]. The IBM 4758 with its CCA software is widely used in the banking industry to hold encryption keys securely. The device is extremely tamper-resistant and no physical attack is known that will allow keys to be accessed. According to Richard, about 20 minutes of uninterrupted access to the IBM 4758 with Combine_Key_Parts permission is sufficient to export the DES and 3DES keys. For convenience purpose, it is more likely to implement an embedded system with customized application to get the keys within the 20 minutes of accessing to the device. An evaluation board from Altera was selected by Richard Clayton for the purpose of keys exporting and additional two days of offline key cracking. In practice, by using multiple NIOS-core with customized peripherals would provide better performance in offline key cracking. In fact, customized parallel processing is very suitable to exploit both symmetrical and asymmetrical encrypted keys. --[ 4. - Hacking with Embedded Linux For application based hacking, such as buffer overflow and SQL injection, it is more preferred to have RTOS installed in the embedded system. For code reusability purpose, embedded linux would be the best choice of embedded hacking platform. The following examples have clearly shown the possible attacks under an embedded platform. The condition of the embedded platform is come with a Nios-core in Stratix and uClinux being installed. By recompiling the source code of netcat and make it run in uClinux, a swiss army knife is created and ready to perform penetration as listed below: - a) Port Scan With Pattern Recognition A list of subnet can be defined initially in the embedded system and bring it into a commercial building. Plug the embedded system into any RJ45 socket in the building, press a button to perform port scan with pattern recognition and identify any vulnerable network embedded system in the building. Press another button to launch attack (Denial of Service) to the target network embedded system(s). This is a serious problem when the target network embedded system(s) is/are related to the building evacuation system, surveillance system or security system. b) Automatic Brute-Force Attack Defines server(s) address, dictionary, and brute-force pattern in the embedded system. Again, plug the embedded system into any RJ45 socket in the building, press a button to start the password guessing process. While this small box of embedded system is located in a hidden corner of any RJ45 socket, it can perform the task of cracking over days, powered by battery. c) LAN Hacking By pre-identify the server(s) address, version of patch, type of service(s), a structured attack can be launched within the area of the building. For example, by defining: [ 192.168.1.1 ] 8,7,load_file(char(47,101,116,99,47,112,97,115,115,119,100)),5,4, 3,2,1 **char(47,101,116,99,47,112,97,115,115,119,100) = /etc/passwd in the embedded system initially. Again, plug the embedded system into any RJ45 socket in the building (within the LAN), press a button to start SQL injection attack to grab the password file of the Unix machine (in the LAN). The password file is then store in the flash memory and ready to be loaded out for offline cracking. Instead of performing SQL injection, exploits can be used for the same purpose. d) Virus/Worm Spreading The virus/worm can be pre-loaded in the embedded system. Again, plug the embedded system into any RJ45 socket in the building, press a button to run an exploit to any vulnerable target machine, and load the virus/worm into the LAN. e) Embedded Sniffer Switch the network interface from normal mode into promiscuous mode and define the sniffing conditions. Again, plug the embedded system into any RJ45 socket in the building, press a button to start the sniffer. To make sure the sniffing process can be proceed in switch LAN, ARP sniffer is recommended for this purpose. --[ 5. - "Hacking Machine" Implementation In FPGA The implementation of embedded "hacking machine" will be demonstrated in Altera's NIOS development board with Stratix EP1S10 FPGA. The board provides a 10/100-base-T ethernet and a compact-flash connector. Two RS-232 ports are also provided for serial interfacing and system configuration purposes, respectively. Besides, the onboard 1MB of SRAM, 16MB of SDRAM, and 8MB of flash memory are ready for embedded linux installation[6]. The version of embedded linux that is going to be applied is uClinux from microtronix[7]. Ok, that is the specification of the board. Now, we start our journey of "hacking machine" design. We use three tools provided by Altera to implement our "hardware" design. In this case, the term of "hardware" means it is synthesizable and to be designed in Verilog-HDL. The three tools being used are: QuartusII ( as synthesis tool), SOPC Builder (as Nios-core design tool), and C compiler. Others synthesis tools such as leonardo-spectrum from mentor graphic, and synplify from synplicity are optional to be used for special purpose. In this case, the synthesized design in edif format is defined as external module. It is needed to import the module from QuartusII to perform place-and-route (PAR). The outcome of PAR is defined as hardware-core. For advanced user, Modelsim from mentor graphic is highly recommended to perform behavioral simulation and Post-PAR simulation. Behavioral simulation is a type of functional verification to the digital hardware design. Timing issues are not put into the consideration in this state. Instead, Post-PAR simulation is a type of real-case verification. In this state, all the real-case factors such as power-consumption and timing conditions (in sdf format) are put into the consideration. [8,9,10,11,12] A reference design is provided by microtronix and it is highly recommended to be the design framework for any others custom design with appropriate modifications [13]. Well, for our "hacking machine" design purpose, the only modification that we need to do is to assign the interrupts of four onboard push-buttons [14]. So, once the design framework is loaded into QuartusII, SOPC Builder is ready to start the design of Nios-core, Boot-ROM, SRAM and SDRAM inteface, Ethernet interface, compact-flash interface and so on. Before starting to generate synthesizable codes from the design, it is crucial to ensure the check-box of "Microtronix uClinux" under Software Components is selected (it is in the "More CPU Settings" tab of the main configuration windows in SOPC Builder). By selecting this option, it is enabling to build a uClinux kernel, uClibc library, and some uClinux's general purpose applications by the time of generating synthesizable codes. Once ready, generate the design as synthesizable codes in SOPC Builder following by performing PAR in QuartusII to get a hardware core. In general, there are two formats of hardware core:- a) .sof core: To be downloaded into the EP1S10 directly by JTAG and will require a re-load if the board is power cycled **(Think as volatile) b) .pof core: To be downloaded into EPC16 (enhanced configuration device) and will automatically be loaded into the FPGA every time the board is power cycled **(Think as non-volatile) The raw format of .sof and .pof hardware core is .hexout. As hacker, we would prefer to work in command line, so we use the hexout2flash tool to convert the hardware core from .hexout into .flash and relocate the base address of the core to 0x600000 in flash. The 0x600000 is the startup core loading address of EP1S10. So, once the .flash file is created, we use nios-run or nr command to download the hardware core into flash memory as following: [Linux Developer] ...uClinux/: nios-run hackcore.hexout.flash After nios-run indicates that the download has completed successfully, restart the board. The downloaded core will now start as the default core whenever the board is restarted. Fine, the "hardware" part is completed. Now, we look into the "software" implementation. We start from uClinux. As what is stated, the SOPC Builder had generated a framework of uClinux kernel, uClibc library, and some uClinux general purpose applications such as cat, mv, rm, and etc. We start to reconfigure the kernel by using "make xconfig". [Linux Developer] ...uClinux/: cd linux [Linux Developer] ...uClinux/: make xconfig In xconfig, perform appropriate tuning to the kernel, then use "make clean" to clean the source tree of any object files. [Linux Developer] ...linux/: make clean To start building a new kernel use "make dep" following by "make". [Linux Developer] ...linux/: make dep [Linux Developer] ...linux/: make To build the linux.flash file for uploading, use "make linux.flash". [Linux Developer] ...uClinux/: make linux.flash The linux.flash file is defined as the operating system image. As what we know, an operating system must run with a file system. So, we need to create a file system image too. First, edit the config file in userland/.config to select which application packages get built. For example: #TITLE agetty CONFIG_AGETTY=y If an application package's corresponding variable is set to 'n' (for example, CONFIG_AGETTY=n), then it will not be built and copied over to the target/ directory. Then, build all application packages specified in the userland/.config as following: [Linux Developer] [ ...us ] make Now, we copy the pre-compiled netcat into target/ directory. After that, use "make romfs" to start generating the file system or romdisk image. [Linux Developer] ...uClinux/: make romfs Once completed, the resulting romdisk.flash file is ready to be downloaded to the target board. First, download the file system image following by the operating system image into the flash memory. [Linux Developer] ...uClinux/: nios-run -x romdisk.flash [Linux Developer] ...uClinux/: nios-run linux.flash Well, our FPGA-based "hacking machine" is ready now. Lets try to make use of it to a linux machine with /etc/passwd enabled. We assume the ip of the target linux machine is 192.168.1.1 as web server in the LAN that utilize MySQL database. Besides, we know that its show.php is vulnerable to be SQL injected. We also assume it has some security protections to filter out some dangerous symbols, so we decided to use char() method of injection. We assume the total columns in the table that access by show.php is 8. Now, we define: char [ 192.168.1.1 ] Update » cutterhead wrote on Mon Feb 16, 2009 @ 12:04am Now, we define:
char [ 192.168.1.1 ] %20select%208,7,load_file(char(47,101,116,99,47,112,97,115,115,119, 100)),5,4,3,2,1"; as attacking string, and we store the respond data (content of /etc/passwd) in a file name of password.dat. By creating a pipe to the netcat, and at the same time to make sure the attacking string is always triggered by the push-button, well, our "hacking machine" is ready. Plug the "hacking machine" into any of the RJ45 socket in the LAN, following by pressing a button to trigger the attacking string against 192.168.1.1. After that, unplug the "hacking machine" and connect to a pc, download the password.dat from the "hacking machine", and start the cracking process. By utilizing the advantages of FPGA architecture, a hardware cracker can be appended for embedded based cracking process. Any optional module can be designed in Verilog-HDL and attach to the FPGA for all-in-one hacking purpose. The advantages of FPGA implementation over the conventional hardcore processors will be deepened in the following section, with a lot of case-studies, comparisons and wonderful examples. Tips: **FTP server is recommended to be installed in "hacking machine" because of two reasons: 1) Any new or value-added updates (trojans, exploits, worms,...) to the "hacking machine" can be done through FTP (online update). 2) The grabbed information (password files, configuration files,...) can be retrieved easily. Notes: **Installation of FTP server in uClinux is done by editing userland/.config file to enable the ftpd service. **This is just a demostration, it is nearly impossible to get a unix/linux machine that do not utilize file-permission and shadow to protect the password file. This article is purposely to show the migration of hacking methodology from PC-based into embedded system based. --[ 6. - What The Advantages Of Using FPGA In Hacking ? Well, this is a good question while someone will ask by using a $50 Rabbit module, a 9V battery and 20 lines of Dynamic C, a simple "hacking machine" can be implemented, instead of using a $300 FPGA development board and a proprietary embedded processor with another $495. The answer is, FPGA provides a very unique feature based on its architecture that is able to be hardware re-programmable. As what we know, FPGA is a well known platform for algorithm verification in hardware implementation, especially in DSP applications. The demand for higher bit rates by the wired and wireless communications industry has led to the development of higher bit rate and low cost serial link interface chips. Based on such considerations, some demands of programmable channel and band scanning are needed to be digitized and re-programmable. A new term has been created for this type of framework as "software defined radio" or SDR. However, the slow adoption of SDR is due to the limitation in Analog-to-Digital Converter(ADC) to digitize the analog demodulation unit in transceiver module. Although the sampling rate of the most advanced ADC is not yet to meet the specification of SDR, but it will come true soon. In this case, the application of conventional DSP chips such as TMS320C6200 (for fixed-point processing) and TMS320C6700 (for floating-point processing) are a little bit harder to handle such extremely high bit rates. Of course, someone may claim its parallel processing technique could solve the problem by using the following symbols in linear assembly language[15]. Inst1 || Inst2 || Inst3 || Inst4 || Inst5 || Inst6 Inst7 The double-pipe symbols (||) indicate instructions that are in parallel with a previous instruction. Inst2 to Inst6, these five instructions run in parallel with the first instruction, Inst1. In TMS320, up to eight instructions can be running in parallel. However, this is not a true parallel method, but perform pipelining in different time-slot within a single clock cycle. Instead, the true parallel processing can only be implemented with different sets of hardware module. So, FPGA should be the only solution to implement a true parallel processing architecture. For the case of SDR that is mentioned, it is just a an example to show the limitation of data processing in the structure of resource sharing. Meanwhile, when we consider to implement an encryption module, it is the same case as what data processing do. The method of parallel processing is extremely worth to enhance the time of key cracking process. Besides, it is significant to know that the implementation of encryption module in FPGA is hardware-driven. It is totally free from the limitation of any hardcore processor structure that is using a single instruction pointer (or program counter) to performing push and pop operations interactively over the stack memory. So, both of the mentioned advantages: true-parallel processing, and hardware-driven, are nicely clarified the uniqueness of FPGA's architecture for advanced applications. While we go further with the uniqueness of FPGA's architecture, more and more interesting issues can come into the discussion. For hacking purpose, we focus and stick to the discussion of utilizing the ability of hardware re-programmable in a FPGA-based "hacking machine". We ignore the ability of "software re-programmable" here because it can be done by any of the hardcore processor in the lowest cost. By applying the characterictic of hardware re-programmable, a segment of space in flash memory is reserved for hardware image. In Nios, it is started from 0x600000. This segment is available to be updated from remote through the network interface. In advanced mobile communication, this type of feature is started to be used for hardware bug-fix as well as module update [16] purpose. It is usually known as Over-The-Air (OTA) technology. For hacking purpose, the characteristic of hardware re-programmable had made our "hacking machine" to be general purpose. It can come with a hardware-driven DES cracker, and easily be changed to MD5 cracker or any other types of hardware-driven module. Besides, it can also be changed from an online cracker to be a proxy, in a second of time. In this state, the uniqueness of FPGA's architecture is clear now. So, it is the time to start the discussion of black magic with the characteristic of hardware re-programmable in further detail. By using Nios-core, we explore from two points: custom instruction and user peripheral. A custom instruction is hardware-driven and implemented by custom logic as shown below: |---->|------------| | |Custom Logic|-| | |-->|------------| | | | | | | |----------------|| A ---->| |-| | | Nios-ALU | |----> OUT B ---->| |-| |-----------------| By defining a custom logic that is parallel connected with Nios-ALU inputs, a new custom instruction is successfully created. With SOPC Builder, custom logic can be easily add-on and take-out from Nios-ALU, and so is the case of custom instruction. Now, we create a new custom instruction, let say nm_fpmult(). We apply the following codes: float a, b, result_slow, result_fast; result_slow = a * b; //Takes 2874 clock cycles result_fast = nm_fpmult(a, b); //Takes 19 clock cycles From the running result, the operation of hardware-based multiplication as custom instruction is so fast that is even faster than a DSP chip. For cracking purpose, custom instructions set can be build up in respective to the frequency of operations being used. The instructions set is easily to be plugged and unplugged for different types of encryption being adopted. The user peripheral is the second black magic of hardware re-programmable. As we know Nios-core is a soft processor, so a bus specification is needed for the communication of soft processor with other peripherals, such as RAM, ROM, UART, and timer. Nios-core is using a proprietary bus specification, known as Avalon-bus for peripheral-to-peripheral and Nios-core-to-peripheral communication purpose. So, user peripherals such as IDE and USB modules are usually be designed to expand the usability of embedded system. For hacking purpose, we ignore the IDE and USB peripherals because we are more interested to design user peripheral for custom communication channel synchronization. When we consider to hack a customize system such as building automation, public addressing, evacuation, security, and so on, the main obstacle is its proprietary communication protocol [17, 18, 19, 20, 21, 22]. In such case, a typical network interface is almost impossible to synchronize into the communication channel of a customize system. For example, a system that is running at 50Mbps, neither a 10Based-T nor 100Based-T network interface card can communicate with any module within the system. However, by knowing the technical specification of such system, a custom communication peripheral can be created in FPGA. So, it is able to synchronize our "hacking machine" into the communication channel of the customize system. By going through the Avalon-bus, Nios-core is available to manipulate the data-flow of the customize system. So, the custom communication peripheral is going to be the customize media gateway of our "hacking machine". The theoretical basis of custom communication peripheral is come from the mechanism of clock data recovery (CDR). CDR is a method to ensure the data regeneration is done with a decision circuit that samples the data signal at the optimal instant indicated by a clock. The clock must be synchronized as exactly the same frequency as the data rate, and be aligned in phase with respect to the data. The production of such a clock at the receiver is the goal of CDR. In general, the task of CDR is divided into two: frequency acquisition and timing alignment. Frequency acquisition is the process that locks the receiver clock frequency to the transmitted data frequency. Timing alignment is the phase alignment of the clock so the decision circuit samples the data at the optimal instant. Sometime, it is also named as bit synchronization or phase locking. Most timing alignment circuits can perform a limited degree of frequency acquisition, but additional acquisition aids may be needed. Data oversampling method is being used to create the CDR for our "hacking machine". By using the method of data oversampling, frequency acquisition is no longer be put into the design consideration. By ensuring the sampling frequency is always N times over than data rate, the CDR is able to work as normal. To synchronize multiple of customize systems, a frequency synthesis unit such as PLL is recommended to be used to make sure the sampling frequency is always N times over than data rate. A framework of CDR based-on the data oversampling method with N=4 is shown as following in Verilog-HDL. **The sampling frequency is 48MHz (mclk), which is 4 times of data rate (12MHz). //define input and output input data_in; input mclk; input rst; output data_buf; //asynchronous edge detector wire reset = (rst & ~(data_in ^ capture_buf)); //data oversampling module reg capture_buf; always @ (posedge mclk or negedge rst) if (rst == 0) capture_buf <= 0; else capture_buf <= data_in; //edge detection module reg [1:0] mclk_divd; always @ (posedge mclk or negedge reset or posedge reset) if (reset == 0) mclk_divd <= 2'b00; else mclk_divd <= mclk_divd + 1; //capture at data eye and put into a 16-bit buffer reg [15:0] data_buf; always @ (posedge mclk_divd[1] or negedge rst) if (rst == 0) data_buf <= 0; else data_buf <= {data_buf[14:0],capture_buf}; Once the channel is synchronized, the data can be transferred to Nios-core through the Avalon-Bus for further processing and interaction. The framework of CDR is plenty worth for channel synchronization in various types of custom communication channels. Jean P. Nicolle had shown another type of CDR for 10Base-T bit synchronization [23]. As someone might query for the most common approach of performing CDR channel synchronization in Phase-Locked Loop (PLL). Yes, this is a type of well known analog approach, by we are more interested to the digital approach, with the reason of hardware re-programmable - our black magic of FPGA. For those who interested to know more advantages of digital CDR approach over the analog CDR approach can refer to [24]. Anyway, the analog CDR approach is the only option for a hardcore-based (Scenix, Rabbit, SC12 ,...) "hacking machine" design, and it is sufferred to: 1. Longer design time for different data rate of the communication link. The PLL lock-time to preamble length, charge-pump circuit design, Voltage Controlled Oscillator (VCO), are very critical points. 2. Fixed-structure design. Any changes of "hacking application" need to re-design the circuit itself, and it is quite cumbersome. As a result, by getting a detail technical specification of a customized system, the possibility to hack into the system has always existed, especially to launch the Denial of Service attack. By disabling an evacuation system, or a fire alarm system at emergency, it is a very serious problem than ever. Try to imagine, when different types of CDRs are implemented in a single FPGA, and it is able to perform automatic switching to select a right CDR for channel synchronization. On the other hand, any custom defined module is able to plug into the system itself and freely communicate through Avalon-bus. Besides, the generated hardware image is able to be downloaded into flash memory through tftp. By following with a soft-reset to re-configure the FPGA, the "hacking machine" is successfully updated. So, it is ready to hack multiple of custom systems at the same time. case study: **The development of OPC technology is slowly become popular. According to The OPC Foundation, OPC technology can eliminate expensive custom interfaces and drivers tranditionally required for moving information easily around the enterprise. It promotes interoperability, including amongst different computing solutions and platforms both horizontally and vertically in the emterprise [25]. --[ 7. - What Else Of Magic That Embedded Linux Can Do ? So, we know the weakness of embedded system now, and we also know how to utilize the advantages of embedded system for hacking purpose. Then, what else of magic that we can do with embedded system? This is a good question. By referring to the development of network applications, ubiquitous and pervasive computing would be the latest issues. Embedded system would probably to be the future framework as embedded firewall, ubiquitous gateway/router, embedded IDS, mobile device security server, and so on. While existing systems are looking for network-enabled, embedded system had established its unique position for such purpose. A good example is migrating MySQL into embedded linux to provide online database-on-chip service (in FPGA) for a building access system with RFID tags. Again, the usage and development of embedded system has no limitation, the only limitation is the imagination. Tips: **If an embedded system works as a server (http, ftp, ...), it is going to provide services such as web control, web monitoring,... **If an embedded system works as a client (http, ftp, telnet, ..), then it is more likely to be a programmable "hacking machine" --[ 8. - Conclusion Embedded system is an extremely useful technology, because we can't expect every processing unit in the world as a personal computer. While we are begining to exploit the usefullness of embedded system, we need to consider all the cases properly, where we should use it and where we shouldn't use it. Embedded security might be too new to discuss seriously now but it always exist, and sometime naive. Besides, the abuse of embedded system would cause more mysterious cases in the hacking world. --=[ References [X1X] [ www.siteplayer.com ] [X2X] [ www.beck-ipc.com ] [X3X] [ www.altera.com ] [X4X] [ www.xilinx.com ] [X5X] [ www.cl.cam.ac.uk ] [X6X] Nios Development Kit, Stratix Edition: Getting Started User Guide (Version 1.2) - July 2003 [ www.altera.com ] [X7X] [ www.microtronix.com ] [X8X] Nios Hardware Development Tutorial (Version 1.1) - July 2003 [ www.altera.com ] [X9X] Nios Software Development Tutorial (Version 1.3) - July 2003 [ www.altera.com ] [X10X] Designing With The Nios (Part 1) - Second-Order, Closed-Loop Servo Control Circuit Cellar, #167, June 2004 [X11X] Designing With The Nios (Part 2) - System Enhancement Circuit Cellar, #168, July 2004 [X12X] Nios Tutorial (Version 1.1) February 2004 [ www.altera.com ] [13] Microtronix Embedded Linux Development - Getting Started Guide: Document Revision 1.2 [ www.pldworld.com ] getting_started_guide.pdf [X14X] Stratix EP1S10 Device: Pin Information February 2004 [ www.fulcrum.ru ] [X15X] TMS320C6000 Assembly Language Tools User's Guide [ www.tij.co.jp ] toolspdf6000/spru186i.pdf [X16X] Dynamic Spectrum Allocation In Composite Reconfigurable Wireless Networks IEEE Communications Magazine, May 2004. [ ieeexplore.ieee.org ] 1299346&isnumber=28868 [X17X] TOA - VX-2000 (Digital Matrix System) [ www.toa-corp.co.uk ] [X18X] Klotz Digital - Vadis (Audio Matrix), VariZone (Complex Digital PA System For Emergency Evacuation Applications) [ www.klotz-digital.de ] [X19X] Peavey - MediaMatrix System [ mediamatrix.peavey.com ] [X20X] Optimus - Optimus (Audio & Communication), Improve (Distributed Audio) [ www.optimus.es ] [X21X] Simplex - TrueAlarm (Fire Alarm Systems) [ www.simplexgrinnell.com ] [X22X] Tyco - Fire Detection and Alarm, Integrated Security Systems, Health Care Communication Systems [ www.tycosafetyproducts-us.com ] [X23X] 10Base-T FPGA Interface - Ethernet Packets: Sending and Receiving [ www.fpga4fun.com ] [X24X] Ethernet Receiver [ www.holmea.demon.co.uk ] [X25X] The OPC Foundation [ www.opcfoundation.org ] [X26X] [ www.ubicom.com ] (IP2022) [X27X] [ www.zilog.com ] (eZ80) [X29X] [ www.fpga4fun.com ] [X29X] [ www.elektroda.pl ] |=[ EOF ]=---------------------------------------------------------------=| next source : [ www.heise-online.co.uk ] pages : 2 (incuded in the following quote) title : USB stick with hardware AES encryption has been cracked - heise Screwing up security Philippe Oechslin USB stick with hardware AES encryption Stealth MXP USB memory stick ZoomStealth MXP USB memory stick 
Whether you are talking about certification or 256-bit AES, even the best encryption provides no protection if an additional function accidentally renders the password vulnerable. In a test conducted by Objectif Sécurité, the product being tested was not a USB drive with just run-of-the-mill security features. Rather, the MXI Security Stealth MXP USB memory sticks are FIPS-140-2 certified. That means that after thorough testing, the US National Institute of Standards and Technology (NIST) declared them safe for use by federal US authorities [1]. Advertisement On examination it is evident that the Stealth MXP is a serious security product. Stealth MXP sticks have their own processor and a Field Programmable Gate Array (FPGA) chip – Actel ProASIC 3 A3P250 – that implements AES encryption in hardware and prevents the memory contents from being read. The markings on the processor and memory chips are scratched off to hamper reverse engineering. The Stealth MXP stick includes a fingerprint scanner that can be used as a key for data access and is one of a family of four USB security devices. These products allow for 2 factor authentication– fingerprint plus password, for protection of data stored on the stick. When used to secure information on a computer they can also provide 3 factor authentication requiring possession of the USB device itself, plus a fingerprint and password. Originally the security hardware and its managing software – now called MXI ACCESS Enterprise – were designed as a managed product with the intention that security policies would be set up and controlled by a companies IT department. A later version of the management software – called MXI ACCESS – allows for individual users to control security settings. The required security policies must be established before the Stealth MXP can be put to use. On first insertion the autorun feature should launch the ACCESS set up software from a small unsecured partition. The first menu choice is to – Personalise Device. When selected this offers two choices; Typical (Biometric user) or Custom, with the biometric choice as the default. Choosing Typical (Biometric user) leads to a request to enter an Administrator password. With an admin password entered an Adminstrators account is opened allowing multiple user accounts to be set up and associated fingerprints to be logged. With Encrypted When you insert the stick, you see an initial partition that you can read and even write onto. This partition is reset to its original status every time the stick is inserted, in order to prevent trojan based attacks. The program you see, called Start.exe, displays a login dialog where you can enter your username and password. Once you have logged in, you then see a second partition – with content encrypted and decrypted by the stick in accordance with the FIPS test protocol with AES-256. Optionally, for authentication via a fingerprint, you simply drag your finger across the scanner window on the side of the stick– no program is needed. This process even works under Linux, but if you want to change the stick's settings, you will need to use the Windows software. Under the bonnet ZoomActel's FGPA chip handles hardware encryption Our analysis in a debugger showed that communication between the software and the processor on the stick via the USB port is also encrypted. For instance, the function SSD_AuthenticatePassword prepares a query to the stick starting with SSD_MSG_Encode, followed by CipherSession::encrypt with encryption before finishing with Stealth_DeviceCom::SendRequest. The password or fingerprint is therefore apparently confirmed within the certification profile on the stick rather than on the PC, where it would be vulnerable. At this point, we were so impressed with the security and official certifications that we almost stopped testing. But then, something caught our eye… Cracked When we took a look at the data on the heap, we found a plain text string of "PwdHashes". Following this there was 40 bytes of data – right where you would expect two SHA-1 hashes to be found. A quick test with the password "test1234" revealed that the data structure had indeed grown by an additional 20 bytes to accommodate for our test password's SHA-1 hash. Memory dump with hash ZoomChecking with "echo -n heise1234 | sha1sum" reveals an unsalted SHA-1 hash of the password in memory. Apparently, the developers added a password history function to the software to prevent passwords from being used twice. This action is often called for in corporate environments, though the benefits are not proven. When asked about the software features by heise-online UK, MXI Security told us that the password history feature is something that had been requested by their customers. It is a later addition, not part of the original product design. Password history is not enabled by default, but is an option that must be turned on using the MXI ACCESS security management software. Unfortunately it seems the developers made a number of mistakes when they implemented this function. As a result we were able to obtain the plaintext password and access the encrpyted partiton. The first mistake is that the comparison of the current with the previous password takes place on the PC and not on the stick, as the lack of specific USB communication proves. The software gets the list of hashes from a part of the memory on the stick. When we then inserted the stick into a second PC that we had not yet included in the test, launched the login program and sure enough the hashes were again visible. So the second mistake is that the memory containing the hashes is readable even if you haven't logged on. In fact, the login software even helps you by loading the password hashes on launching. Then, all you need to do is sic a debugger on the active process to extract them. Which brings us to the third, final – and fatal – mistake: these hashes are a piece of cake to resolve – unsalted cake, that is. You can use rainbow tables to crack them fairly quickly. For instance It would only take you around 15 minutes to crack an eight-character password consisting both of numbers and letters. It would not have taken much salt to have ruled out this type of attack entirely. As already mentioned, MXI Security confirmed that this function was developed as an add-on for the enterprise version. As originally implemented, in return for a questionable gain in security, this add-on function undermined the USB stick's sophisticated security concept. MXI Security said it was able to reproduce the attack based on our description. Within a week, the firm released a security advisory and updated its software to Access Enterprise 3.1 [2]. A brief test revealed that the hashes now have at least a grain of salt. (ju) Literature [1] Policy For Stealth MXP, FIPS-Policy tests – PDF [2] Security Bulletin: MXI06-001, Security bulletin from MXI Security |
| I'm feeling 4hz even if you dont right now.. | |
| Good [+1]Toggle ReplyLink» the_big_jo replied on Mon Feb 16, 2009 @ 10:01pm |
 Coolness: 56805 | Ahhh. suddenly, it's all so clear. I can finally move on with my life. |
| I'm feeling christmas cheer right now.. | |
| Good [+1]Toggle ReplyLink» pussyvamp replied on Mon Feb 16, 2009 @ 10:13pm |
 Coolness: 209000 | WOAH.... that's a lot of text! lol |
| I'm feeling groovy in the heart right now.. | |
| Good [+1]Toggle ReplyLink» cutterhead replied on Tue Feb 17, 2009 @ 2:17am |
| Coolness: 131815 | i think troll is a MAC user and he confused "HIS" AES wordgaming on himself.
no data is permenantly secure, encryption is for passin messages , to be takin in a short period, not a valid safe solution for storage , and would void the integrity of the cryto key. anyways this is what i think our mac user got confused with Poly1305-AES From Wikipedia, the free encyclopedia Jump to: navigation, search Poly1305-AES is a cryptographic message authentication code (MAC) written by Daniel J. Bernstein. As such, it may be used to simultaneously verify both the data integrity and the authenticity of a message. Contents * 1 Description * 2 Security * 3 Speed * 4 External links * 5 References [edit] Description Poly1305-AES computes a 128-bit (16 bytes) authenticator of a variable-length message, using a 128-bit AES key, a 106-bit additional key, and a 128-bit nonce. The name is derived from the use of the prime number 2130 - 5 and the Advanced Encryption Standard. [edit] Security The security of Poly1305-AES is very close to the underlying AES block cipher algorithm. As a result, the only way for an attacker to break Poly1305-AES is to break AES. For instance, assuming that messages are packets up to 1024 bytes; that the attacker sees 264 messages authenticated under a Poly1305-AES key; that the attacker attempts a whopping 275 forgeries; and that the attacker cannot break AES with probability above δ; then, with probability at least 0.999999 − δ, all the 275 are rejected[1]. Poly1305-AES offers also cipher replaceability. If anything does go wrong with AES, it can be substituted with identical security guarantee. [edit] Speed Poly1305-AES can be computed at high speed in various CPUs: for an n-byte message, no more than 3.1n+780 Athlon cycles are needed[1], for example. The author has released optimized implementations for Athlon, Pentium Pro/II/III/M, PowerPC and UltraSPARC, in addition to non-optimized reference implementations in C and C++. [edit] Ex ... witch isnt even related , just says MAC with AES and a -BIG- number like 1024 , and hes jumps on his calculator and goes WOA this is unbreakable while other people have bigger calculator than his ... funny |
| I'm feeling 4hz even if you dont right now.. | |
| Good [+1]Toggle ReplyLink» ApR1zM replied on Tue Feb 17, 2009 @ 5:10am |
 Coolness: 165020 | cutterhead: heahea tu devrais pas paster des article de phrak demem tu devrais plutot reecrire ton view sur la chose ainsi qu une vulgarisation mais bon cest ton choix :)))
parlant de hacker la memoire lautre fois disons qqun est venu chez nous se logger sur un site en basic HTTP auth ! bref jvoulais avoir le password pour pouvoir me relogger eventuellement cetait vraiment nice le site en question (on sen reparlera). bref avec un ptit tool jai extracter le contenu de ma ram dans un .bin ! sa pris comme 2min pour 760mb de ram (jai un vieux portable) . bref un coup que tu fais la copie de la ram ta juste a ouvrir ton .bin avec UltraEdit example et puis chercher pour la sequence : GET /private/index.html HTTP/1.0 Host: localhost Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== (ceci est un example) je cherchais surtout pour Authorization: Basic <---- pis sa me donnais pleins de tentative de connection dont une plus interessante que les autres. comme si dessus linfo que je cherche est : QWxhZGRpbjpvcGVuIHNlc2FtZQ cest la quon ma dit que cetait du simple BASE64 encoding ! caliss jload sa dans mon decoder de b64 et voila : Aladdin:open sesame (ceci est un example cest pas le vrai login pass de rien) . bref si ton ordi est logger sur un site pis que sa ete authentifier en HTTP Basic auth ben criss tu peut extracter ta ram pis aller lire! oh yeah jte conseil dutiliser un autre ordi pour checker ta ram! un qui a + de ram que celui que tu viens de rip parce que imagine loader un fichier de 760mb dans 760mb de ram hehe ! moi jai ai splitter pis jai eu la chance que linfo etait dans le premier ! bref cest une maniere interessante daller fouiller dans la ram! moi jaimerais sa pouvoir juste lire la ram pogner linfo que jveux pis lextracter direct de la ram mais sa sera pour une autre fois :) tu checkera mon radio show PQTD jparle tjs de crap dememe :) peace nrg pis toute man :) happy hacking ------------------------ BONUS --------------------------------------- si ta illico voici comment entrer dans le menu de service : va sur ton decoder a droite ya 4 fleches et un bouton au milieu des quatre fleche tien le bouton du millieu enfoncer jusqua ce que la lumiere sur le pannel avec lenveloppe allume ...(2seconde) apres appuis sur le boutton INFO sur le decoder encore! ... et voila 25 pages dinfo sur ton signal et dautre shit que tu va comprendre mieux que moi :) ps: WE NEED TO TALK ! |
| I'm feeling analyzing charts right now.. | |
| Good [+1]Toggle ReplyLink» cutterhead replied on Tue Feb 17, 2009 @ 11:41am |
| Coolness: 131815 | haha , le live cd de backtrack a justement lutilitaire "ramdump" comme dernier item du menu GRUB.
cest malade pareille larticle de phrack, ce tournee vers les processeurs , et au lieux de les bourrer dun OS inutile qui load plein de driver en memoire et que est optimiser pour un eventail dutilite (sans jamais ce concentrer a 100% sur une) moi je dis que comme decris dans larticle , un gros motton de developmentboard, interconnecter avec des NICs qui supporte (optimise comme les 3com) du parallel tasking / load sharing. et au travers du load sharing un piping mega optimiser peu selon moi reconstruire nimporte quel donnes comme la technologie RAID 5 6+ (array hot swap) lorsque un des 4 ou 5 disques flanche et le reconstruit a laide des autres. ce dire que "le fil est pas la" comme solution ou , sa surpasse la performance des ordinateurs, cest pas une solution pour encoder des donnees de maniere indefini, puisque un jour ou lautre la technologie ratrappera lutilisation. (de plus cest le SEULE feature de securite la cryptographie, narrivant pas a trouver un language " qui existera jamais, mais qui est decodable ") cest commique parce que jutilise blowfish et twofish qui sont comme AES , jusqua present pas ete cracker ,mais je suis asser lucide pour realisee que leur temps sont compter. exemple , twofish a ete remonte presque au sommet 16 rounds... il en restait un ou deux. maintenant vous aller me dire que apres avoir passer 16 ordres de mangetudes ill est impossible de franchire la derniere ? ha , meme les developpeurs sont pas asser con pour affirmer "LIMPOSSIBLE" bref et ca ne fait que commencer ... mon exemple 2 - jai aussi dit quelquepart que ya des gens qui reverse engineere / dissasemble de programmes comportant beaucoup plus de XOR mod XOR et avec succes... ( si vous coder pas en assembleur c sur vous comprenez rien...) |
| I'm feeling 4hz even if you dont right now.. | |
| Good [+1]Toggle ReplyLink» clown replied on Tue Feb 17, 2009 @ 11:42am |
 Coolness: 221985 |  |
| I'm feeling white flaging right now.. | |
| Good [+1]Toggle ReplyLink» cutterhead replied on Wed Feb 18, 2009 @ 1:59am |
| Coolness: 131815 | XSL attack
From Wikipedia, the free encyclopedia Jump to: navigation, search In cryptography, the XSL attack is a method of cryptanalysis for block ciphers. The attack was first published in 2002 by researchers Nicolas Courtois and Josef Pieprzyk. It has caused some controversy as it was claimed to have the potential to break the Advanced Encryption Standard (AES) cipher—also known as Rijndael—faster than an exhaustive search. Since AES is already widely used in commerce and government for the transmission of secret information, finding a technique that can shorten the amount of time it takes to retrieve the secret message without having the key could have wide implications. In 2004 it was shown by Claus Diem [1], that the algorithm does not perform as promised in the paper. In addition, the method has a high work-factor, which unless lessened, means the technique does not reduce the effort to break AES in comparison to an exhaustive search. Therefore, it does not affect the real-world security of block ciphers in the near future. Nonetheless, the attack has caused some experts to express greater unease at the algebraic simplicity of the current AES. In overview, the XSL attack relies on first analyzing the internals of a cipher and deriving a system of quadratic simultaneous equations. These systems of equations are typically very large, for example 8000 equations with 1600 variables for the 128-bit AES. Several methods for solving such systems are known. In the XSL attack, a specialized algorithm, termed XSL (eXtended Sparse Linearization), is then applied to solve these equations and recover the key. The attack is notable for requiring only a handful of known plaintexts to perform; previous methods of cryptanalysis, such as linear and differential cryptanalysis, often require unrealistically large numbers of known or chosen plaintexts. Contents * 1 Solving multivariate quadratic equations * 2 Application to block ciphers * 3 References * 4 External links [edit] Solving multivariate quadratic equations Solving multivariate quadratic equations (MQ) is an NP-hard problem (in the general case) with several applications in cryptography. The XSL attack requires an efficient algorithm for tackling MQ. In 1999, Kipnis and Shamir showed that a particular public key algorithm—known as the Hidden Field Equations scheme (HFE)—could be reduced to an overdetermined system of quadratic equations (more equations than unknowns). One technique for solving such systems is linearization, which involves replacing each quadratic term with an independent variable and solving the resultant linear system using an algorithm such as Gaussian elimination. To succeed, linearization requires enough linearly independent equations (approximately as many as the number of terms). However, for the cryptanalysis of HFE there were too few equations, so Kipnis and Shamir proposed re-linearization, a technique where extra non-linear equations are added after linearization, and the resultant system is solved by a second application of linearization. Re-linearization proved general enough to be applicable to other schemes. In 2000, Courtois et al. proposed an improved algorithm for MQ known as XL (for eXtended Linearization), which increases the number of equations by multiplying them with all monomials of a certain degree. Complexity estimates showed that the XL attack would not work against the equations derived from block ciphers such as AES. However, the systems of equations produced had a special structure, and the XSL algorithm was developed as a refinement of XL which could take advantage of this structure. In XSL, the equations are multiplied only by carefully selected monomials, and several variants have been proposed. Research into the efficiency of XL and its derivative algorithms remains ongoing (Yang and Chen, 2004). In 2005 Cid and Leurent gave evidence that, in its proposed form, the XSL algorithm does not provide an efficient method for solving the AES system of equations; however Courtois disputes their findings. [edit] Application to block ciphers Courtois and Pieprzyk (2002) observed that AES (Rijndael) and partially also Serpent could be expressed as a system of quadratic equations. The variables represent not just the plaintext, ciphertext and key bits, but also various intermediate values within the algorithm. The S-box of AES appears to be especially vulnerable to this type of analysis, as it is based on the algebraically simple inverse function. Subsequently, other ciphers have been studied to see what systems of equations can be produced (Biryukov and De Cannière, 2003), including Camellia, KHAZAD, MISTY-1 and KASUMI. Unlike other forms of cryptanalysis, such as differential and linear cryptanalysis, only one or two known plaintexts are required. The XSL algorithm is tailored to solve the type of equation systems that are produced. Courtois and Pieprzyk estimate that an "optimistic evaluation shows that the XSL attack might be able to break Rijndael [with] 256 bits and Serpent for key lengths [of] 192 and 256 bits." Their analysis, however, is not universally accepted. For example: "I believe that the Courtois-Pieprzyk work is flawed. They overcount the number of linearly independent equations. The result is that they do not in fact have enough linear equations to solve the system, and the method does not break Rijndael...The method has some merit, and is worth investigating, but it does not break Rijndael as it stands." –Don Coppersmith, [2]. In AES 4 Conference, Bonn 2004, one of the inventors of Rijndael, Vincent Rijmen, commented, "The XSL attack is not an attack. It is a dream." [3] Promptly Courtois answered "It will become your nightmare". Most professional cryptographers think that Courtois' answer is just it: fun and nothing more. In 2003, Murphy and Robshaw discovered an alternative description of AES, embedding it in a larger cipher called "BES", which can be described using very simple operations over a single field, GF(28). An XSL attack mounted on this system yields a simpler set of equations which would break AES with complexity of around 2100, if the Courtois and Pieprzyk analysis is correct. In a paper in the AES 4 Conference (Lecture Notes in Computer Science 3373), Toli and Zanoni proved that the work of Murphy and Robshaw is flawed too. Even if XSL works against some modern algorithms, the attack currently poses little danger in terms of practical security. Like many modern cryptanalytic results, it would be a so-called "certificational weakness": while faster than a brute force attack, the resources required are still huge, and it is very unlikely that real-world systems could be compromised by using it. Future improvements could increase the practicality of an attack, however. Because this type of attack is new and unexpected, some cryptographers have expressed unease at the algebraic simplicity of ciphers like Rijndael. Bruce Schneier and Niels Ferguson write, "We have one criticism of AES: we don't quite trust the security…What concerns us the most about AES is its simple algebraic structure… No other block cipher we know of has such a simple algebraic representation. We have no idea whether this leads to an attack or not, but not knowing is reason enough to be skeptical about the use of AES." (Practical Cryptography, 2003, pp56-57) [edit] References * Alex Biryukov, Christophe De Cannière (2003). "Block Ciphers and Systems of Quadratic Equations". LNCS 2887: 274–289. doi:10.1007/b93938. [ citeseer.ist.psu.edu ] * Nicolas Courtois, Alexander Klimov, Jacques Patarin, Adi Shamir (2000). "Efficient Algorithms for Solving Overdefined Systems of Multivariate Polynomial Equations" (PDF). LNCS 1807: 392–407. doi:10.1007/3-540-45539-6_27. [ www.iacr.org ] * Nicolas Courtois, Josef Pieprzyk (2002). "Cryptanalysis of Block Ciphers with Overdefined Systems of Equations". LNCS 2501: 267-287. doi:10.1007/3-540-36178-2_17. [ eprint.iacr.org ] * Aviad Kipnis, Adi Shamir (1999). "Cryptanalysis of the HFE Public Key Cryptosystem by Relinearization". LNCS 1666: 19–30. doi:10.1007/3-540-48405-1_2. [ citeseer.ist.psu.edu ] * Dana Mackenzie (2003). "A game of chance". New Scientist 178 (2398): 36. * Sean Murphy, Matthew J. B. Robshaw (2002). "Essential Algebraic Structure within the AES". LNCS 2442: 1–16. doi:10.1007/3-540-45708-9_1. [ citeseer.ist.psu.edu ] * S. Murphy, M. Robshaw Comments on the Security of the AES and the XSL Technique. * Bo-Yin Yang, Jiun-Ming Chen (2004). "Theoretical Analysis of XL over Small Fields". LNCS 3108: 277-288. doi:10.1007/b98755. [ www.springerlink.com ] * C. Cid, G. Leurent (2005). "An Analysis of the XSL Algorithm" (PDF). LNCS 3788: 333-335. doi:10.1007/11593447. [ www.isg.rhul.ac.uk ] * C. Diem (2004). "The XL-Algorithm and a Conjecture from Commutative Algebra". LNCS 3329: 323-337. doi:10.1007/b104116. [ www.iacr.org ] [edit] External links * Courtois' page on AES * "Quadratic Cryptanalysis", an explanation of the XSL attack by J. J. G. Savard * "AES is NOT broken" by T. Moh * Courtois and Pieprzyk paper on ePrint * Commentary in the Crypto-gram newsletter: [4], [5], [6]. * An overview of AES and XSL v • d • e Block ciphers Common algorithms: AES | Blowfish | DES | Triple DES | Serpent | Twofish Other algorithms: 3-Way | ABC | Akelarre | Anubis | ARIA | BaseKing | BassOmatic | BATON | BEAR and LION | C2 | Camellia | CAST-128 | CAST-256 | CIKS-1 | CIPHERUNICORN-A | CIPHERUNICORN-E | CLEFIA | CMEA | Cobra | COCONUT98 | Crab | CRYPTON | CS-Cipher | DEAL | DES-X | DFC | E2 | FEAL | FEA-M | FROG | G-DES | GOST | Grand Cru | Hasty Pudding cipher | Hierocrypt | ICE | IDEA | IDEA NXT | Intel Cascade Cipher | Iraqi | KASUMI | KeeLoq | KHAZAD | Khufu and Khafre | KN-Cipher | Ladder-DES | Libelle | LOKI97 | LOKI89/91 | Lucifer | M6 | M8 | MacGuffin | Madryga | MAGENTA | MARS | Mercy | MESH | MISTY1 | MMB | MULTI2 | MultiSwap | New Data Seal | NewDES | Nimbus | NOEKEON | NUSH | Q | RC2 | RC5 | RC6 | REDOC | Red Pike | S-1 | SAFER | SAVILLE | SC2000 | SEED | SHACAL | SHARK | Skipjack | SMS4 | Spectr-H64 | Square | SXAL/MBAL | Threefish | TEA | Treyfer | UES | Xenon | xmx | XTEA | XXTEA | Zodiac Design: Feistel network | Key schedule | Product cipher | S-box | P-box | SPN Attacks: Brute force | Linear / Differential / Integral cryptanalysis | Mod n | Related-key | Slide | XSL Standardization: AES process | CRYPTREC | NESSIE Misc: Avalanche effect | Block size | IV | Key size | Modes of operation | Piling-up lemma | Weak key | Key whitening v • d • e Cryptography History of cryptography · Cryptanalysis · Cryptography portal · Topics in cryptography Symmetric-key algorithm · Block cipher · Stream cipher · Public-key cryptography · Cryptographic hash function · Message authentication code · Random numbers · Steganography Retrieved from [ en.wikipedia.org ] Category: Cryptographic attacks |
| I'm feeling 4hz even if you dont right now.. | |
Defeating Aes
| Page: 1 |
[ Cumbre de Página ] |
Post A Reply |
You must be logged in to post a reply.
[ Cumbre de Página ] |
