Invisibility glasses posted March 2015

AVG will reveal its new product: Invisibility glasses at pepcom barcelona.

It seems to be some kind of glasses you wear so that cameras and facial recognition softwares won't recognize you, it works by displaying lights that are only visible to cameras and not human eyes

Keep in touch with crypto posted February 2015

A long time ago, I think around 2007, I got violently addicted to RSS. I was subscribed to hundreds of different blogs about design, tech, web... One new story would pop in my feed every 5 minutes. I had to read everything and I felt stressed all the time. Clicking, reading, clicking, reading... If I wasn't in front of my computer I felt like I was missing out. I then decided to remove my RSS reader software and never touched a feed again. And for the past years my browsing habits have mostly narrowed down to hackernews and a reddit without any default subs. But now that I am studying crypto, I wanted to get more immersed in this world and I had the idea of using my tendency to get addicted for a good purpose. So I tried the latest recommended RSS readers (since google reader doesn't exist anymore) and I subscribed to every crypto/security blog I could find and I started reading. And since, I've been reading a lot. So I guess it works! I've been using Digg Reader mostly because of the ios app that is really good and also because when I have nothing to read I can dig into what's on my twitter.

I have collected a list of 60 blogs about cryptography and security. If you feel like one is missing or one shouldn't be here please tell me! The list is here

Here's the list if you hate RSS:

• Krebs on Security

• Source Code Auditing, Reversing, Web Security

• The Sakurity Blog

• Tony Arcieri

• Frank DENIS random thoughts.

• Breaking Bits

• v0id s3curity

• wroot

• Mysterie's blog

• ...And You Will Know me by the Trail of Bits

• Egor Homakov

• PyTux

• top scoring links : blackhat

• blackhat library: Documenting blackhat hacking techniques

• Kukuruku / Technology Hub

• Firas Kraïem

• Google Doodles

• tssci security

• Mick's Mix

• Moxie Marlinspike's Blog

• This is probably not the site you are looking for

• Matt Blaze's Exhaustive Search

• David Wong | Cryptologie

• Secual Exploits

• Bryan Geraghty

• Jarmoc.com

• Marc's Security Ramblings

• Cryptography Services

• Schneier on Security

• iSEC Research Labs

• TobTu News Feed

• Daemonic Dispatches

• Pascal Junod

• Cryptography Services

• ritter.vg

• Ben Lynn: Openly Geeky

• Project Zero

• WTF Crypto

• The MPC Lounge

• Good Enough Security

• bunnie's blog

• Light Blue Touchpaper

• Travis Goodspeed's Blog

• Bristol Cryptography Blog

• A Few Thoughts on Cryptographic Engineering

• Shtetl-Optimized

• Gustavo Duarte

• Jumpsec Labs

• Cassidian CyberSecurity blog

• Stack Exchange Security Blog » Question of the Week

• Stack Exchange Security Blog

• top scoring links : netsec

• CloudFlare

• Rob McLarty Feed

• root labs rdist

• Sucuri

• Errata Security

• Team PotatoSec

The ghetto way of extracting the private key of superfish posted February 2015

A realy entertaining piece by Errata Security where Robert Graham ghetto reverse the current controversial superfish of Lenovo.

(if you have been living under a rock

The goal is to set the right break point before it actually infects your machine -- reversers have been known to infect themselves this way.

his ghetto way of reversing is first to infect himself with the "virus" and then using procdump to dump the process memory. Then dumping all the strings that the memory contains with the tool strings and voila. You have have the private certificate in the clear.

But the private certificate is protected by a passphrase. But apparently not, it was just protected by a password contained in the memory in clear as well...

I advise you to read the article, it comes with screenshots and nice commands that use text processing tools:

grep "^[a-z]*$" super.txt | sort | uniq > super.dict

spoiler alert, the password to protect the certificate is komodia the name of the company who created this mitm adware.

Note that if they would have used an RSA whitebox this would not have happened... so quickly.

Big Numbers posted February 2015

An amazing story by Scott Aaronson on Big Numbers.

Keywords: exponential growth, NP-complete problems, Ackermann sequence, Turing Machine, Halting Problem, Busy Beaver,

some quotes :)

In an old joke, two noblemen vie to name the bigger number. The first, after ruminating for hours, triumphantly announces "Eighty-three!" The second, mightily impressed, replies "You win."

Consider, for example, the oft-repeated legend of the Grand Vizier in Persia who invented chess. The King, so the legend goes, was delighted with the new game, and invited the Vizier to name his own reward. The Vizier replied that, being a modest man, he desired only one grain of wheat on the first square of a chessboard, two grains on the second, four on the third, and so on, with twice as many grains on each square as on the last. The innumerate King agreed, not realizing that the total number of grains on all 64 squares would be 264-1, or 18.6 quintillion—equivalent to the world’s present wheat production for 150 years.

Rado called this maximum the Nth "Busy Beaver" number. (Ah yes, the early 1960’s were a more innocent age.)

To solve the Halting Problem for super machines, we’d need an even more powerful machine: a ‘super duper machine.’ And to solve the Halting Problem for super duper machines, we’d need a ‘super duper pooper machine.’

If we could run at 280,000,000 meters per second, there’d be no need for a special theory of relativity: it’d be obvious to everyone that the faster we go, the heavier and squatter we get, and the faster time elapses in the rest of the world. If we could live for 70,000,000 years, there’d be no theory of evolution, and certainly no creationism: we could watch speciation and adaptation with our eyes, instead of painstakingly reconstructing events from fossils and DNA. If we could bake bread at 20,000,000 degrees Kelvin, nuclear fusion would be not the esoteric domain of physicists but ordinary household knowledge.

But do people fear big numbers? Certainly they do. I’ve met people who don’t know the difference between a million and a billion, and don’t care. We play a lottery with ‘six ways to win!,’ overlooking the twenty million ways to lose. We yawn at six billion tons of carbon dioxide released into the atmosphere each year, and speak of ‘sustainable development’ in the jaws of exponential growth.

Using crypto to replace database access. posted February 2015

A pretty fresh article on how you could use crypto to replace a lot of complicated schemes you might use on your website like password reset or mail confirmation:

https://neosmart.net/blog/2015/using-hmac-signatures-to-avoid-database-writes/

tl;dr: instead of creating a table for tokens, you could create the password reset url like this:

http://www.example.com/password_reset/?user=username&expires=15649848949849&[email protected]&token=

and at the place of the token you would put the output of a MAC. Checking the MAC again after receiving the url would confirm that YOU created that url and it has not been modified. Remember, MAC provides integrity and authentication. The author also provides a way to only render this usable once: use the original hashed password as a nonce.

Babun, Cmder and Tmux posted February 2015

I've used Cmder for a while on Windows. Which is a pretty terminal that brings a lot of tools and shortcuts from the linux world. I also have Chocolatey as packet manager. And all in all it works pretty great except Cmder is pretty slow.

I've ran into Babun yesterday, that seems to be kind of the same thing, but with zsh, oh-my-zsh and another packet manager: pact. The first thing I did was downloading tmux and learning how to use it. It works pretty well and I think I have found a replacement for Cmder =)

Here is a video of what is tmux:

and an awesome cheatsheet

Implementation of Coppersmith attack (RSA attack using lattice reductions) posted February 2015

I've implemented the work of Coppersmith (to be correct the reformulation of his attack by Howgrave-Graham) in Sage.

You can see the code here on github.

I won't go too much into the details because this is for a later post, but you can use such an attack on several relaxed RSA models (meaning you have partial information, you are not totally in the dark).

I've used it in two examples in the above code:

Stereotyped messages

For example if you know the most significant bits of the message. You can find the rest of the message with this method.

The usual RSA model is this one: you have a ciphertext c a modulus N and a public exponent e. Find m such that m^e = c mod N.

Now, this is the relaxed model we can solve: you have c = (m + x)^e, you know a part of the message, m, but you don't know x. For example the message is always something like "the password today is: [password]". Coppersmith says that if you are looking for N^1/e of the message it is then a small root and you should be able to find it pretty quickly.

let our polynomial be f(x) = (m + x)^e - c which has a root we want to find modulo N. Here's how to do it with my implementation:

dd = f.degree()
beta = 1
epsilon = beta / 7
mm = ceil(beta**2 / (dd * epsilon))
tt = floor(dd * mm * ((1/beta) - 1))
XX = ceil(N**((beta**2/dd) - epsilon))
roots = coppersmith_howgrave_univariate(f, N, beta, mm, tt, XX)

You can play with the values until it finds the root. The default values should be a good start. If you want to tweak:

• beta is always 1 in this case.
• XX is your upper bound on the root. The bigger is the unknown, the bigger XX should be. And the bigger it is... the more time it takes.

Factoring with high bits known

Another case is factoring N knowing high bits of q.

The Factorization problem normally is: give N = pq, find q. In our relaxed model we know an approximation q' of q.

Here's how to do it with my implementation:

let f(x) = x - q' which has a root modulo q.
This is because x - q' = x - ( q + diff ) = x - diff mod q with the difference being diff = | q - q' |.

beta = 0.5
dd = f.degree()
epsilon = beta / 7
mm = ceil(beta**2 / (dd * epsilon))
tt = floor(dd * mm * ((1/beta) - 1))
XX = ceil(N**((beta**2/dd) - epsilon)) + 1000000000000000000000000000000000
roots = coppersmith_howgrave_univariate(f, N, beta, mm, tt, XX)

What is important here if you want to find a solution:

• we should have q >= N^beta
• as usual XX is the upper bound of the root, so the difference should be: |diff| < XX

Nothing up my sleeve numbers posted February 2015

Why does the round constants in sha1 have those specific values?

Kt is the round constant of round t;

from SH1-1 - Wikipedia:

The constant values used are chosen to be nothing up my sleeve numbers: the four round constants k are 230 times the square roots of 2, 3, 5 and 10. The first four starting values for h0 through h3 are the same with the MD5 algorithm, and the fifth (for h4) is similar.

from Nothing up my sleeve number:

In cryptography, nothing up my sleeve numbers are any numbers which, by their construction, are above suspicion of hidden properties. They are used in creating cryptographic functions such as hashes and ciphers. These algorithms often need randomized constants for mixing or initialization purposes. The cryptographer may wish to pick these values in a way that demonstrates the constants were not selected for a nefarious purpose, for example, to create a backdoor to the algorithm. These fears can be allayed by using numbers created in a way that leaves little room for adjustment. An example would be the use of initial digits from the number π as the constants. Using digits of π millions of places into its definition would not be considered as trustworthy because the algorithm designer might have selected that starting point because it created a secret weakness the designer could later exploit.