Saturday, June 15, 2013

Are the Germans really breaking PGP and SSH?

I saw this on Twitter today, suggesting that German intelligence agencies are able to break SSH and/or PGP.  The question asked whether the intelligence services were in a position to "decrypt, at least partially or evaluate" encrypted traffic, such as traffic protected with SSH or PGP.  The answer was a conditional yes.

What does this mean?  Are the Germans that awesome at math?  Do they have ten-pound brains capable of performing 'impossible' decryption in a single bound?  I think not.

Malware anyone?
Here's what I think: malware is to blame.

The Germans have specific network traffic they'd like to decrypt.  They have three options:
1. Hire a team of crack cryptanalysts and lock them in a room until they maybe do the impossible and come up with a decryption solution.
2. Harness more computing power than anyone knows exists (maybe quantum computing?) and brute force a solution.
3. Compromise one of the endpoints in the communication and install malware to steal the keys.

I'm a strong believer in Occam's razor.  That leads me to conclude that the third option is the one at play here.  I don't know what the budgets are for the first two operations.  The budget for option 3 could be dirt cheap.  You can hire college CS majors to write the malware and rent an exploit kit to deliver it to the intended victims to steal the keys.  Total budget: < $5,000.

Okay, so it's possible. Does malware really do that?
In the HBGary Malware Reverse engineering course I used to teach, we examined a piece of malware that did this.  It dates back to at least 2009.  The malware injected into the user's Outlook process and then made a Windows API call to dump the certificate store.  These are the private keys that you import into Outlook to make sure you can read encrypted email.  On disk, these are always encrypted with your (undoubtedly strong) password.  What's an attacker to do?  Just dump them from Outlook's certificate store to the disk.  Outlook happily complies since it thinks the user is making the request.  The API requires the output file to be protected with a password, but that's no problem.  The attacker supplies a known password and then exfiltrates the certificates to a waiting server.  Given the keys, decryption is trivial.

The Windows API the attackers used was PFXExportCertStoreEx.  If you see this in malware, know they are looking for your private keys.  Yeah, it can be used to just dump your trusted certificates (without private keys) but what's the fun in that?

The PFXExportCertStoreEx function takes five arguments.  The fifth argument contains a set of flags used to control the export behavior.  In order for private keys to be exported, the aptly named EXPORT_PRIVATE_KEYS flag must be set.  Of course you won't see flag names when reversing the malware, so look for the constant value 0x0004 being set in the fifth argument to PFXExportCertStoreEx.
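As an added illustration (not code from the course or from the malware sample discussed here), this Python script recovers the fifth argument from a disassembly listing and decodes it as a bitmask, since the constant can show up as 0x0004 combined with other flag bits.  The listing is constructed, 32-bit stdcall is assumed, and find_exports, parse_imm and decode_flags are hypothetical helper names.

```python
import re

# dwFlags bits accepted by PFXExportCertStoreEx (values from wincrypt.h)
FLAGS = {
    0x0001: "REPORT_NO_PRIVATE_KEY",
    0x0002: "REPORT_NOT_ABLE_TO_EXPORT_PRIVATE_KEY",
    0x0004: "EXPORT_PRIVATE_KEYS",
}
PUSH = re.compile(r"^\s*push\s+(\S+)", re.I)
CALL = re.compile(r"^\s*call\b.*PFXExportCertStoreEx", re.I)
FLOW = re.compile(r"^\s*(call|jmp|ret)\b", re.I)

def parse_imm(operand):
    """Immediate operand (0x7, 7h, 7) -> int; register or memory operand -> None."""
    text = "0x" + operand[:-1] if re.fullmatch(r"\d[0-9a-fA-F]*h", operand) else operand
    try:
        return int(text, 0)
    except ValueError:
        return None

def decode_flags(value):
    """dwFlags is a bitmask, not an enum: name every known bit that is set."""
    return [name for bit, name in sorted(FLAGS.items()) if value & bit]

def find_exports(lines):
    """Return (line index, dwFlags, names) per call; dwFlags is None if unresolved.
    Assumes 32-bit stdcall: args pushed right to left, so dwFlags is the 5th push back."""
    hits = []
    for i in (n for n, line in enumerate(lines) if CALL.match(line)):
        pushes = []
        for prev in reversed(lines[:i]):
            if (m := PUSH.match(prev)):
                pushes.append(m.group(1))
            if FLOW.match(prev) or len(pushes) == 5:
                break  # stop at other control flow or once all five args are seen
        flags = parse_imm(pushes[4]) if len(pushes) == 5 else None
        hits.append((i, flags, decode_flags(flags or 0)))
    return hits

SAMPLE = """push 7                 ; dwFlags (constructed listing, not a real sample)
push 0                 ; pvPara
push offset aPassword  ; szPassword
lea  eax, [ebp-10h]
push eax               ; pPFX
push esi               ; hStore
call ds:PFXExportCertStoreEx""".splitlines()

if __name__ == "__main__":
    print(find_exports(SAMPLE))
```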

If I've been teaching a fairly uncomplicated malware sample with this functionality for more than four years, you can bet German intelligence knows about it too.  I think this answer makes the most sense because it explains the conditional yes answer that was given.  In other words, they can break everything they have the keys for (so can you) and nothing they don't.

Countermeasures:
Every time I introduce someone to certificate stealing malware, I get jaw drops, face palms, and other sorts of 'why can they even do that' comments.  A starting countermeasure to this is simple.  When you import your private keys, mark them as non-exportable (offered as a checkbox option).  This prevents the keys from being exported using the API.  This is enough to stop most attackers who can only use the API.  Note however that your keys are still present and could be dumped directly from memory or using some other trick.

The real countermeasure is to stop attackers from running malware on your machine in the first place.  Of course that's easier said than done.

If this is the first time you've heard of certificate stealing malware, I'm glad I could educate you today.  If you think I'm wrong, feel free to post a comment and tell me why.

Note: While I was writing this, @WeldPond re-posted the article link and got a comment back I obviously agree with:

1 comment:

  1. I have been using Kaspersky antivirus for a couple of years now. I would recommend this antivirus to all of you.
