Cryptographic Vulnerabilities, News & Research

October 17, 2018

Cryptosense Analyzer finds Crypto Flaw in Java EE

Yesterday’s Oracle Critical Patch Update contains a credit to Cryptosense for CVE-2018-3210, a flaw found by one of our users while they were testing a Java application with our Analyzer software.

The bug involves a repeating IV in AES-CTR mode, a crypto mistake that can be hard to spot in code review. Our run-time testing approach detects it more easily. It’s also rather easy to exploit (see e.g. the Many-time Pad tool).

The result was reported to us by one of our customers, who asked us if we’d like to investigate since the issue didn’t appear to come from their own code. We decided to ask the security group at Università Ca’ Foscari, with whom we have a long-standing collaboration, if they could take a look. Leonardo Veronese carried out the work, and he takes up the story:

Java Server Faces is a Framework for programming web application in the Java language and it’s part of JavaEE (EnterpriseEdition). Through the Oracle JavaEE page it is possible to find and download the specification.

The Oracle implementation of the specification is called mojarra and the source code is available on GitHub. The Project is part of EE4J initiative and it’s being migrated to Eclipse Foundation.

I looked at the source code of the classes that appeared on the stack trace sent to me by Cryptosense to find out what was the feature that they implemented and where the issue about AES-CTR was present.

Inspecting the source code the class com.sun.faces.util.ByteArrayGuardAESCTR is used in the class com.sun.faces.context.flash.ELFlash which implements the interface javax.faces.context.Flash. From the docs:

The Flash concept is taken from Ruby on Rails and provides a way to pass temporary objects between the user views generated by the faces lifecycle. As in Rails, anything one places in the flash will be exposed to the next view encountered by the same user session and then cleared out. It is important to note that “next view” may have the same view id as the previous view.

So in short the flash is a way to store temporary data without using the session scope.

ByteArrayGuardAESCTR.java

This class is responsible for encryption and decryption. The method setupKeyAndCharset is called by the constructor and it is used to initialize objects. By default the key is generated through javax.crypto.KeyGenerator and the IV is generated with java.security.SecureRandom. The key and IV generated are stored in the object state.

The first thing that can be considered as a vulnerability is the “non standard” initialization performed in the setupKeyAndCharset: if the FlashSecretKey property is specified, the key contained in there is used instead and, if this happens the IV is not randomly generated but is just equal to the key:

String encodedKeyArray = (String) context.lookup("java:comp/env/jsf/FlashSecretKey");
if (null != encodedKeyArray) {
   byte[] keyArray = DatatypeConverter.parseBase64Binary(encodedKeyArray);
   if (keyArray.length < 16) {
     throw new FacesException("key must be at least 16 bytes long.");
   }
   sk = new SecretKeySpec(keyArray, KEY_ALGORITHM);
   byte[] iv = new byte[16];
   System.arraycopy(keyArray, 0, iv, 0, 16);
   ivspec = new IvParameterSpec(iv);
}

ELFlash.java

In this class the ByteArrayGuardAESCTR is used, in fact a variable guard is defined and initialized in the constructor. Searching on this class for a new expression of ByteArrayGuardAESCTR only returns line 272 in the constructor, which means that the lifetime of the guard is bound to the lifetime of the ELFlash object.

From the docs, it seems that the ELFlash object is created once in the application (and so the inner variables like flashInnerMap and guard). So it seems the IV is fixed for the lifetime of the application.

What's in the cookies?

In the ELFlash class a constant called FLASH_COOKIE_NAME is defined that contains csfcfc: The ciphertext is stored on a cookie. We can make a guess that some information about the flash are stored on a cookie to be retrieved after a redirect.

The method encode creates the string to encrypt, encrypts it and then builds a cookie with it.
From this we discover that the character _ is used as separator for the two encoded objects of the class FlashInfo. Each FlashInfo encoded information has a number, character X as a separator, then two letters that represent Lifetime and the mode.

Looking at the decode method we can see that the cookie value is decrypted then used to restore the state by searching the sequence number on the inner map of the ELFlash instance.

Conclusions

The implementation of the Flash mechanism in Java Server Faces does contain a fixed IV in AES-CTR mode. An attacker could likely decrypt the ciphertexts in the cookies by observing several and applying knowledge of the structure of the plaintext.

It's unlikely any confidential information would be stored in these short-term cookies, but a more interesting attack would be to tamper with the cookies to force the server to restore a different state than the one the user was supposed to go back to, possibly allowing access to states that would not have been available to him, and thereby circumventing security controls.

October 3, 2018

Post-Quantum Crypto: How to Start Preparing

post quantum crypto

UPDATE: Graham recently contributed to this article in The Economist on Post-Quantum Cryptography.

Computers that exploit quantum mechanical properties offer the promise of (supposedly) unbreakable cryptography and other exciting applications, but they will also cause a huge, immediate problem: the day a large, practical quantum computer is developed, all existing widely-used asymmetric cryptography will be broken.

This will have serious consequences: massive amounts of secret information exchanged over the internet under public-key or hybrid cryptography could be revealed. Computers will no longer be able to ensure the updates they are downloading and installing are legitimate, since code signing will be broken. The owner of the first powerful quantum computer (which will probably be a large state organisation, who will keep it a secret) could have the power to take over almost every computer and mobile phone connected to the Internet. Even though nobody knows when this will occur, it makes sense to start preparing.

The solution is not quantum cryptography, but post-quantum cryptography: algorithms that run on classical computers now, and resist attack by future quantum computers. The trouble is, they don’t exist yet, or at least not in a practical form.

NIST has launched a competition to find and standardise practical quantum-resistant algorithms. The first round of the competition closed at a conference this April. Researchers around the world are racing to break and/or improve the submissions. You can see them all here – there is plenty of exotic and infrequently used mathematics being employed, like supersingular isogenies, lattices and quasi-cyclic codes.

In the end, unlike for previous NIST competitions such as that which fixed the standard algorithm for symmetric cryptography (the AES standard), there will be more than one winner. That’s because there are going to be some painful trade-offs around performance, size of key, size of ciphertext or signature, etc. that will mean difficult decisions for future application developers.

Get Ready

Meanwhile, large companies are already starting their post-quantum crypto migration, without waiting for the results. This is because the job is so huge: imagine you’re a big software company with more than 5000 applications. Every one of these applications employs cryptography in multiple ways, in some cases hidden in legacy libraries and components without up-to-date documentation. Finding each use, deciding what to replace it with and making the changes to the application is a huge undertaking. A good first step is to complete your cryptography map, finding out what is used and where, something which Cryptosense Analyzer can help you do.

September 28, 2018

Updating our Cloud Crypto Provider Comparison

Our comparison of cloud crypto services is one of the most popular pages on our site, so we’re making an effort to keep it up to date as the “big three” providers announce new features. The latest update includes faster KMS speeds recently announced by Amazon, the PKCS#12 method for Bring-your-own-key that’s supported by Microsoft Azure (but not so easy to find details of), and the Google KMS support for asymmetric keys.

The latest version of the infographic is below. If you’re interested in integrating your application with cloud crypto services or cloud HSMs, you might want to check out our new cloud crypto whitepaper, where we compare in detail these services and various migration approaches.

cloud security comparison - AWS KMS, Google Cloud KMS, Microsoft Azure Key Vault

August 27, 2018

Dangerous Tutorials: How not to learn C# cryptography

Our recent work to add coverage of the Microsoft .NET API to Cryptosense Analyzer has led us into a dark and dangerous part of the internet: C# crypto tutorials.

It’s extremely dangerous to treat a cryptography API like just another interface where all you need to do is figure out how to “make it work”. It is theoretically possible to make, say, encryption and decryption “work” using a cryptography API while leaving a slew of terrible security holes. The C# Crypto API is no exception.

Continue reading

July 26, 2018

Cloud HSMs – The New Wave

Hardware Security Modules (HSMs) are generally viewed as expensive and painful to maintain. It’s not surprising that a lot of HSM users are looking for a cloud-based solution that would allow them to hand over maintenance to a third party and move to an opex instead of capex model (i.e. rent the HSM instead of buying it).

At the same time, companies looking to migrate their more complex business-critical applications are finding that Cloud Service Provider (CSP) key management APIs (e.g. AWS KMS, GCP KMS, and Azure keyvault as covered in an earlier post) often don’t offer the cryptographic flexibility they need to migrate securely and in compliance.

Responding to these market forces, a new wave of cloud-hosted HSMs is arriving. Equipped with standard APIs like PKCS#11, they offer the promise of flexible crypto services while keeping keys secure from cloud application compromise.

Continue reading

June 25, 2018

Crypto Audit of the Jenkins CI System

Jenkins is a popular tool for managing continuous integration (CI), i.e. coordinating builds, tests and deployment of a software project in an automated way.

In an enterprise context Jenkins has some security requirements, like ensuring that only users with the right permissions can access certain projects and carry out certain tasks, protecting sensitive data such as tokens for access to APIs, etc.
Continue reading

March 28, 2018

Cloud Crypto Providers Part III – Logging Crypto Operations

compare cloud crypto providers

This is the third post in a series about cloud crypto functionality provided by the “big three” cloud providers – Amazon Web Services, Microsoft Azure, and Google Cloud Platform (you can find parts one and two here).

Having set up an application and protected its keys with the cloud provider’s crypto API, we’d like to be able to monitor usage of these keys and any key management operations that take place, to be sure all is well and to meet audit requirements. What facilities do the big three providers offer for this?

Continue reading

February 22, 2018

Testing Java Crypto Provider Vulnerabilities in Cryptosense Analyzer

Java Crypto Provider Vulnerabilities

In a 2014 article “Why does cryptographic software fail?”, Lazar et al. took the most recent 269 CVEs marked as “cryptographic issues” and classified the site of the failure. While 17% of the failures were in crypto libraries, 83% were in the way the applications use the libraries. Up until now, Cryptosense Analyzer for Java applications only treated the 83%. Today that’s changing as we’ve added provider vulnerability testing.

Continue reading

Try a Free 14-day Trial

Cryptosense Analyzer audits your applications and infrastructure to find vulnerabilities and understand your crypto landscape. Use it to optimise bug-fix resources and demonstrate compliance.
Start free trial