[Full-disclosure] 30c3: The Year in Crypto default engines loaded in openssl-1.x through openssl-1.0.1e]

[coderman]

in 30c3: The Year in Crypto
 with djb, Nadia Heninger, Tanja Lange
http://www.youtube.com/watch?v=Fty107Us7oc
at ~28min discussion of RDRAND,
 Intel's pass the buck to NIST no-comment,
  (after initial just trust us, we looked at a lab sample close
didn't fly far enough...)
alt slides: hyperelliptic.org/tanja/vortraege/talk-30C3.pdf


also, Tor 0.2.4.20 (Mon Dec 23 07:21:35 UTC 2013)
 updates to avoid direct RDRAND use in specific circumstances:
  https://lists.torproject.org/pipermail/tor-talk/2013-December/031483.html
 per previous discussion on OpenSSL use of RDRAND directly when engines on.[0]
  TL; DR - very rare case you may want to re-gen relay and hidden service keys


 now,,
you may wonder if IETF could apply resistance to NSA seducing of NIST,
 but you'd be stepping into a quagmire  :P
  
http://arstechnica.com/security/2013/12/critics-nsa-agent-co-chairing-key-crypto-standards-body-should-be-removed/
  http://www.ietf.org/mail-archive/web/cfrg/current/msg03554.html
 [specifically, all of Dan Harkins appeals for legitimacy bear
striking resemblance to other demonstratively failed approaches to
failure by default designs. Dragonfly is not sufficiently justified.
insert pleas to appeal to decency and step away from CFRG and IETF
authority roles for propriety sake, regardless of any reasonable
claims or other implications best exemplified by RSA[1]]


 also,,
SIMON and SPECK is lulz; no really: fuck those guys!
 and remember that AES GCM is a choice between:
  - user-land side channels galore  /or/
  - hardware instruction back-door
.
.

2013 was indeed a year for crypto
  let's not do this again soon?



best regards,



0. BADRAND and testing OpenSSL engines enabled behavior with direct
RDRAND engine
 https://peertech.org/goodrand
BADRAND lets you link a test version of your application or library
against OpenSSL 1.0.1e that uses a specific sequence of deterministic
random numbers in OpenSSL. e.g. standard C lib function rand()
seeded at zero replacing RDRAND. the debug logging to stderr can
identify bad fork() assumptions.

1. Dual-EC-DRBG is bad and RSA should feel bad. No excuses.
 https://gist.github.com/0xabad1dea/8101758
 IETF standards not a good reference for formal proof level thoroughness,
  and highly deployed does not mean highly used nor scrutinized (WEP,
LEAP, OpenSSL's Dual_EC_DRBG implementation, [the set is large])

X. see that one top post ...  [was: RDRAND used directly when...
 On Sat, Dec 14, 2013 at 4:33 AM, coderman coder...@gmail.com wrote:
 as per the FreeBSD announcement[0] and others[1][2] direct use of
 RDRAND as sole entropy source is not recommended...

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] Happy Holidays / Xmas Advisory

[Matthew Gow]

joernchen, your dedication to making it a happy holidays by helping this
project become secure is much appreciated.

Henri Salo cleverly created a github issue which quickly led to some work
being done on the issues reported.
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013)


Please continue bringing happiness to the holidays by grabbing the latest
source and make tickets in github for the next round of security flaws you
find (pull requests for any the fixes you write would be even better!)

Gage, Brandon and PsychoBilly we haven't updated the demo site yet (trying
to get keys to it's hosting location) but could you bring up an instance
with the latest code and take the time to dick around a bit more seeking
out more duh code?

Good work guys. Thanks.
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] vm86 syscall kernel-panic and some more goodies waiting to be analyzed

[halfdog]

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

halfdog wrote:
 It seems that at least on 32-bit Debian-sid kernel in VirtualBox 
 guest, [1] triggers a kernel-panic. This simple POC does not allow 
 privilege escalation although there might be also some time-race 
 component involved, sometimes similar code seems to access 
 uninitialized memory or triggers NULL-dereferences. Therefore the 
 simple POC code could be extended for more extensive testing. See
 [2] for more information.
 
 hd

I've created [1] to ease discovery of new problematic code
combinations. Good use is to run it with e.g.

socat TCP4-LISTEN:1234,reuseaddr=1,fork=1
EXEC:./Virtual86RandomCode,nofork=1

And send random data via network:

tee TestInput  /dev/urandom | socat - TCP4:x.x.x.x:1234  ProcessedBlocks

And watch your console or dmesg output (when your kernel did not lock
up completely)


hd

[1]
http://www.halfdog.net/Security/2013/Vm86SyscallTaskSwitchKernelPanic/Virtual86RandomCode.c

- -- 
http://www.halfdog.net/
PGP: 156A AE98 B91F 0114 FE88  2BD8 C459 9386 feed a bee
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.12 (GNU/Linux)

iEYEARECAAYFAlLAiroACgkQxFmThv7tq+58dACggUEhW1toL8/9UnZkcEXZ+Ukk
yvUAnjFTETZf/nXr/96fbp8soRpUdJiv
=mLVT
-END PGP SIGNATURE-

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/