Category Archives: Cryptography

The NSA’s Crypto Museum

Enigma Machine

I was interested last week to discover that the USA has its own Museum of Cryptography. The National Cryptologic Museum is run by the National Security Agency in Fort Meade, Maryland. Curiously, the building used to be a motel, quite literally in Fort Meade’s backyard, but was annexed by the NSA when it came up for sale.

Over the last few years I have been a regular visitor to our own British equivalent, Bletchley Park, which is both a cryptography museum and also houses a historical collection of computers. If you’re in the UK, or visiting (Bletchley is about an hour North of London), then I would highly recommend a visit. Bletchley Park is an estate with a victorian manor house, and during World War II it was the scene of operations of the UK’s codebreakers, including computer pioneer Alan Turing.

It sounds like Bletchley and the NSA’s museum have many things in common, both exhibiting the (in)famous German Enigma coding machine, and both having Cray supercomputers on display. I will certainly put the National Cryptologic Museum on my list of places to visit the next time I’m in the Washington area.

PKI Challenges and Gaps for Federation

I recently interviewed XMPP co-chair Joe Hildebrand for UCfederate.info regarding XMPP Domain Name Assertions (DNA) used to enable certain instant messaging federation use cases where an XMPP server might host multiple domains. Without DNA, it’s effectively impossible to use TLS for these multiple-domain scenarios, but that’s not the main point of this post. During the course of our conversation, we touched on the general problem of how you leverage PKI and digital certificates to establish trust between two domains for a given application protocol (itself a well-understood concept in theory) and the practical challenges that still remain on a protocol-by-protocol basis for ensuring integrity when binding a certificate to a domain for a given protocol.

Take SIP-TLS for example. We’ve run into more than a few implementations that check for a valid certificate but do absolutely no validation of the domain itself, such that if I send a message purporting to be from xyz.com after presenting a valid certificate from abc.com, not even so much as an error message is logged. Moreover, SIP doesn’t actually specify how such validation should take place, leading to vendor-proprietary implementations that utilize different certificate subject mechanisms and complicate SIP federation.

I noticed a few comments on my prior post claim that UC federation is effectively a solved problem. That’s only true if you narrow the meaning of UC federation to an absurdly small subset of the communications and collaboration space. Yes, XMPP federation for simple domain pairs for instant messaging is well defined with many interoperable vendor implementations today. Frankly, XMPP federation is the best story we’ve got for federation in the UC space, as the story degrades quickly from there. The next-best stories are effectively vendor-specific with Microsoft OCS Federation and Cisco’s Intercompany Media Engine (currently the only product using ViPR – (Verification involving PSTN Reachability – an IETF draft standard proposed by Cisco). There’s a lot of work left to do before all communications and collaboration services are federateable between enterprises, and it turns out that these certificate binding problems are one of the big gaps. To date, XMPP is the closest to solving them and the IETF is considering adopting general standards for protocol certificate binding based on related work – see: draft-saintandre-tls-server-id-check-02 for example]

There’s more to come on this topic in the near future, but for now I just want to leave you with this: it doesn’t matter how secure an established TLS connection is for a given protocol if you can’t bind application-layer domain claims with the certificate used for TLS session establishment. It’s a common fallacy that TLS “makes you secure” all by itself – that’s akin to saying that seat belts and airbags will prevent you from crashing. Federation can only succeed when all associated protocols have well-understood certificate and domain bindings that are properly validated by vendor products used by the federation participants. Anyone who tells you that’s a solved problem today for UC is delusional.

Making Phones Theft-Proof

Of course you can’t stop criminals from stealing mobile phones; they’re small, they’re expensive and there are many channels (online and offline) for selling the handsets on. However, it should be possible to make the things useless once stolen, to make resale difficult or impossible, ultimately reducing the demand for theft.

The Design Council in the UK are currently running a competition to generate ideas to make mobile phones safer, with the best idea receiving support to the tune of £100,000 to develop the idea further. This seems to me a whole lot better way to raise money than appearing on Dragons Den for a ritual butt-kicking and dilution of your share capital.

As I discovered to my cost at the recent Mobile World Congress in Barcelona, mobile phone crime is rife, and a barbarian horde of dark ages proportions is seemingly there working the city for February. I heard tales of muggings, crews targetting group dinners in restaurants, and of course pickpockets. One friend of mine had an experience in the Metro with one guy blocking his way, while another tried to slip a hand into his pocket from the other side. My friend is over 2m tall, and looks more like an international rugby player than a telco geek, and probably could have wiped the floor with both of them at the same time. Some of these teams have no fear.

In my case, my Nokia smartphone disappeared never to return. They got no satisfaction from the SIM card (which was PIN-locked), but sadly I had disabled coded locking on the handset itself, making it a useful asset, possibly worth £70 on Ebay. Just look for smartphones with no cables, no charger, no manual; guess where they came from?

Incidentally, my phone was marked with a label from yougetitback.com, a worthwhile property registration and return service. Sadly in this case, the phone didn’t fall into the hands of “friendlies”, but rather those of WeHaveNickedYourPhone.com.

Of course with smartphones the problems don’t stop with your cellco contract being exposed to call fraud, or the sale of the handset itself. The phone also contains signup information in applications, and the data itself. In my case, several applications were installed including Skype, Truphone and Gizmo. A lot of VoIP apps have the capability to connect out to the PSTN using some kind of pre-pay balance, which of course could also be at the mercy of a crim once he gets his hands on your smartphone.

With the proliferation of app-stores, many handsets may also be ready to provide “free” downloads to the enterprising criminal. In general, there is a lot of industry work going into making mobile phones into “wallets” that can be used for a whole variety of micro-payments, for example car parking fees. In addition there maybe DRM-locked content that is in the handset when stolen; it has a monetary value, and yet is difficult claim on insurance.

Smartphones can potentially have a lot of different apps loaded, and if we are lazy we mght have them setup (for our own convenience) to logon automatically to countless online systems. The risk is not only financial, but also opening you to impersonation and data theft, via a variety of online services that you access from your phone.

We certainly need to think hard about the way we use services and the way we buy using our mobile handsets. PIN-codes, passwords, time-locks and encryption are tools that we should have enabled, even though it means more inconvenience for us to make calls, lookup our location and so on. I hope the £100K Design Council bursary generates some good ideas, and for my barbarian friends that visit Barcelona each February, let me wish you failure and humiliation in your every venture.

Amusingly, at the time my phone was stolen, I was running a number of location applications including Palringo, Buddycloud and I think also Google Latitude (and yes, it does run hot with all the apps running!). A friend suggested that we go and look-up where the handset travelled to, and then put the Police on to them! Sadly, in this case the crim was not so dumb, and had already powered-off the phone. That would have been sweet revenge indeed.

China’s TOM-Skype Surveillance

According to a report published on October 1st by Citizen Lab, full chat text messages from TOM-Skype users were found on publicly-accessible web servers as well as the encryption key required to decrypt the data.  Additional data such as millions of IP address, user names, and land-line phone numbers, and records of international users who regularly communicated with Chinese users were found alongside the chat logs.

From an Ars Technica article about the report:

Clearly, there are a number of problems with this discovery, starting with security. Villeneuve notes that the information contained on the servers could be used to exploit the TOM-Skype server network, and an attacker can access detailed user profiles. “In fact, evidence suggests that the servers used to store captured data have been compromised in the past and used to host pirated movies and torrents (for peer-to-peer file sharing),” reads the report. Clearly, crafty hackers already know where these servers are and how to get into them.

While troubling from an overall Skype security standpoint, it’s not much of a surprise that the Chinese government had a way to monitor their Skype users, especially with Skype being partnered with TOM Online, a Chinese company.

Since around September 2005, Chinese users attempting to download the Skype client were blocked from doing so, instead being redirected to a modified Chinese version hosted by TOM.  Did anyone really think that this modified version wasn’t backdoored?  Who wants to bet that they have keys to decrypt the voice channels as well?

Oyster not all it’s Cracked-up to be

Some Dutch researchers recently illustrated once again that “security by obscurity” is not a good way to secure systems. Transport for London (TFL) have for some years been running a prepay card system called the “Oyster Card”. The Oyster Card is an RFID card that you wave over a sensor at the start and end of your train trip, which takes money from your prepay account with TFL. Oyster offers a preferential rate, cheaper than paper tickets, and has had a very high take-up rate with London commuters and residents.

However, the system has now been cracked. At the heart of the Oyster card is a chip called the Mifare Classic, which uses a secret algorithm. Some Dutch researchers decided to target this system, and have discovered how this works. As a demonstration, they used their knowledge to create their own card, which they used to travel around free on the London Underground for a day.

Their interest in the Oyster Card probably stems from the fact that the same Mifare Classic chip is also used in access cards used to secure Government buildings in the Netherlands. In a rather nice demonstration of the separation of powers working in a democratic country, they now have leave from a Dutch judge to publish details of how the Mifare algorithm works, which they will be doing at a security conference in the coming October. This would not have been the outcome that the Dutch government would want, since they now have to take extra steps to secure buildings with more security personnel.

But “hushing the problem up” is not a solution in the security world. The problems don’t go away when you punish the researchers. For every ethical hacker there are probably another two Black-Hats who want to sell the information to those that could profit from free travel in London, or access to Dutch Government property.

Underpowered Hardware

One of the issues with VoIP endpoints that I regularly encounter as a security researcher is the problem with underpowered hardware. Many VoIP hardware devices are initially designed with just enough horsepower to do their job in order to keep costs low and stay competitive in the market. Due to VoIP technologies evolving so rapidly and devices being updated to include many additional new features shortly after being brought to market, the software running on these devices generally outgrow the hardware and will consume the few remaining unused resources available on the device. Vendors then have to play a balancing game of what software features can be crammed onto a particular device and it still work properly.

Not only does this condition of the technology promote attacks like Denial of Service via resource exhaustion, floods, and so forth, but it also gives rise to other vulnerabilities such as this one which was detailed yesterday by Larry Dignan & George Ou. Due to the resource limitations of the hardware device, corners were cut when adding support for the device’s 802.1x PEAP authentication feature which resulted in the server certificate not being checked during authentication, which then devolves into a number of other security issues. Not only does this affect the device being discussed in the article, but it apparently also affects a number of other devices as well who’s designers cut the same corner, likely for the same reason.

Because VoIP technology evolves so rapidly, and generally grows in resource requirements by leaps and bounds while doing so, VoIP hardware vendors really should be providing much more processing power than the initial software needs when the devices are brought to market. Unfortunately the cost of including this extra horsepower initially is borne by the vendor, whereas the cost of having to upgrade (i.e., replace) masses of deployed hardware devices when their resource limitations become insurmountable is borne by the consumer.  Device replacement results in additional sales and profits for the vendor, so don’t expect properly resilient hardware devices anytime soon…

Breaking Ciphers on a 5.8MHz Pentium?

The UK’s National Codes Centre recently ran a competition for amateur codebreakers to try their hands on breaking one of the original WW2 codes (Lorenz Cipher) using modern PC hardware. The National Codes Centre at Bletchley Park (known as “Station X” during the war) is a museum and heritage site for early computing as well as codebreaking. In a nice irony, the winner of the competition was a German programmer, Joachim Schueth, who ran his software on a 1.4 GHz laptop with NetBSD as the O/S, beating the original Colossus codebreaker by a factor of hours. The original Colossus could break the code in 3 hours and 15 minutes, whereas Schueth’s code took just 46 seconds.

On the performance difference, Schueth himself said: “My laptop digested ciphertext at a speed of 1.2 million characters per second – 240 times faster than Colossus. If you scale the CPU frequency by that factor, you get an equivalent clock of 5.8 MHz for Colossus. That is a remarkable speed for a computer built in 1944. Even 40 years later many computers did not reach that speed. So the Cipher Challenge would have been very much closer had it taken place 20 years ago.” That’s right, not GHz, but MHz. The original Colossus was not so much a Pentium, but rather a Z80.

At Bletchley Park, they have a working Colossus which was lovingly rebuilt over many years by a team of enthusiasts, with help from some of the original designers. The Colossus MKII can be seen working by visitors to Bletchley Park.

Colossus Redux

Bletchley Park is the UK’s mecca for people interested in the history of code breaking, and in particular the codes of World War 2. Bletchley Park (in WW2 known as “Station X”) was the home of the code breakers, and where early computing pioneers like Alan Turing worked on the science of breaking cyphers.

This week, a team of volunteers led by Tony Sale completed a 14 year project to rebuild Colossus, one of the code-breaking computers used at Bletchley Park. After the war the machines were dismantled and even the plans destroyed by order of the military, so the Colossus had to be painstakingly remembered and reconstructed, with the help of some of the original engineers that built it. Tony Sale has had a long association with Bletchley Park, and also with remembering and rebuilding the most important antique computers in the British history of computing.

Although the Colossus was somewhat single-minded in its operation, its use of valves as electronic switches paved the way for the general-purpose computers of the 1940s and 50s, and of course the work they did at Bletchley paved the way for the use of encryption technologies that we use today in data and voice applications across the Internet.

Link: Silicon.com report on the Colossus rebuilt.

FYI – I’m speaking on VoIP security at Ingate SIP Trunking Seminar Series Sept 11 in LA (concurrent with Internet Telephony Expo)

image FYI, for those of you attending the Internet Telephony Conference & Expo in Los Angeles on September 10-12, I’ll be participating in a panel session that is part of Ingate’s SIP Trunking Seminar Series.  I expect it will surprise no one to learn that I’ll be on the panel about “Enterprise Security and VoIP” speaking on behalf of VOIPSA.  My particular session is Tuesday, September 11, 2007, from 9:30-11:00 am.  More details and the schedule are available online.

The sessions are free and open to anyone to attend.  Simply fill out the pre-registration form. If you are going to be there at the show, please do drop me a note, as I’m always interested in meeting readers or others interested in VoIP security.

Rampant Italian Wiretapping Spurs Consumer Encryption Use

According to the New York Times, it appears as if consumers in Italy are rapidly moving toward encryption for voice technologies due to rampant publication of private conversations, both due to leaked conversations that were a result of government wiretaps as well as conversations recorded through private means. From the article:

What has spurred encryption sales is not so much the legal wiretapping authorized by Italian magistrates–though information about those calls is also frequently leaked to the press–but the widespread availability of wiretapping technology over the Internet, which has created a growing pool of amateur eavesdroppers. Those snoops have a ready market in the Italian media for filched celebrity conversations.

It would seem that in Italy, it’s fairly common to take someone’s private conversations straight to the press… Even the national telco’s head of Security was in on the game:

This year, Bonini’s name was among thousands that surfaced in an illegal-wiretapping scandal involving employees of Telecom Italia, the Italian phone company.

Twenty people were arrested, including the former chief of Telecom Italia security, in what investigators say was an attempt to use the intercepted phone conversations to blackmail Italian public figures.

Many of the cell-phone encryption products mentioned in the article that are being marketed to Italian consumers sound a lot like Zfone, essentially providing end-to-end encryption for the audio between two devices that run the encryption software in advance of the call.