backdoors with the ms office file encryption master key and a proposal for a reliable file format
Post on 16-Apr-2017
5.956 Views
Preview:
TRANSCRIPT
Backdoors with the MS Office file encryption master key
and a proposal for a reliable file format
2015/10/28, 29 CODE BLUE
Mitsunari Shigeo(@herumi)
• Attacking Excel files without a password
• This bug is fixed at 2015/Oct/13 (MS15-110)
• Comparison of password encrypted file formats
• How I found this bug
• Proposal for a backdoor-resistant format
Abstract
2/54
• R&D for cloud security and infrastructure at Cybozu Labs, Inc.
• Author of “Applied Cryptography for the Cloud“ (in Japanese)
• about PFS, ECC, IBE, ABE, FE, HE, ZKP,...
• http://herumi.github.io/ango/
• Microsoft MVP Developer Security (2015)
• Author of the fastest implementation of pairing
• https://github.com/herumi/ate-pairing
• Software implementation of an Attribute-Based Encryption Scheme, IEEE trans on computers, 2014
Mitsunari Shigeo(@herumi)
3/54
• Technical Fellow at Recruit Marketing Partners
• Visiting associate professor at Kochi National College of Technology
• Review board for CODE BLUE
• OWASP Japan advisory board
• Chairperson of SECCON CTF
• Leader of Shibuya Perl Mongers
• Microsoft MVP Developer Security in 2008
• Author of "How to Execute Arbitrary Code on x86 JIT Compliers"
• Translator of "Reading ECMA-262 Edition 5.1" (2013)
• Best award of CSSx2.0 at "Computer Security Symposium 2013"
Takesako Yoshinori (@takesako)
4/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
5/54
• Comparison of password encrypted file formats
• Password encryption
• Introduction to attack tools
• Comparison of attack time
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
6/54
• The very basic way
• input : 𝑝𝑎𝑠𝑠 : password, 𝑚 : message
1. 𝑆𝐾 = 𝐻𝑎𝑠ℎ 𝑝𝑎𝑠𝑠
2. 𝑐 = 𝐸𝑛𝑐 𝑆𝐾 , 𝑚
3. output : 𝑐
• Vulnerable
• The same password always generates the same 𝑆𝐾.
Encrypted file with password
𝑚
𝑝𝑎𝑠𝑠
𝑆𝐾
𝐻𝑎𝑠ℎ
𝐸𝑛𝑐
𝑚 depends on only 𝑝𝑎𝑠𝑠
7/54
• Password attack tool
• http://hashcat.net/oclhashcat/
• GPGPU based very fast engine
hashcat
8/54
• Number of attempts per second
• SHA1 : 4.2 × 1010times/sec on 8x NVidia Titan X
• SHA512 : 5.2 × 109 times/sec
• Time to detect password from 𝐻𝑎𝑠ℎ value
• 𝑝𝑎𝑠𝑠 ∶ assume [a-zA-Z0-9]; 62 letters
• 628 4.2 × 1010 = 1h27m to try all patterns for SHA1
Performance of hashcat
9/54
• Add salt
1. generate 𝑠𝑎𝑙𝑡 randomly
2. 𝑆𝐾 = 𝐻𝑎𝑠ℎ 𝑠𝑎𝑙𝑡, 𝑝𝑎𝑠𝑠
3. 𝑖𝑣 : Initialization Vector
4. c = 𝐸𝑛𝑐(𝑖𝑣, 𝑆𝐾 , 𝑚)
• Even the same password generates different 𝑆𝐾
• 𝐻𝑎𝑠ℎ 𝑠𝑎𝑙𝑡1 + ′abc′ ≠ 𝐻𝑎𝑠ℎ(𝑠𝑎𝑙𝑡2 + ′abc′)
• Stronger against rainbow tables attacks
More secure file formats
𝑝𝑎𝑠𝑠
𝐻𝑎𝑠ℎ
𝑠𝑎𝑙𝑡
𝑆𝐾 𝑚
𝐸𝑛𝑐
𝑚
𝑖𝑣
10/54
• Iterate the hash function many times
• 𝑑1 = 𝐻𝑀𝐴𝐶(𝑝𝑎𝑠𝑠, 𝑠𝑎𝑙𝑡)
• 𝑛 is iteration count
• for 𝑖 = 1 to 𝑛 − 1:
• 𝑑𝑖+1 = 𝐻𝑀𝐴𝐶(𝑑𝑖 , 𝑠𝑎𝑙𝑡)
• Decrease attack ability to 1/𝑛
• PKCS#5(RFC 2898)
• Password-Based Cryptography Specification
• PBKDF2(password based key derivation functions)
• used by ZIP format, etc.
Key stretching
𝑝𝑎𝑠𝑠
𝐻𝑀𝐴𝐶
𝑑𝑖
𝑆𝐾 = 𝑑1 ⊕𝑑2 ⊕⋯
𝑛
𝑠𝑎𝑙𝑡
𝑝𝑎𝑠𝑠
𝐻𝑀𝐴𝐶
𝑑𝑖+1
11/54
• Brute-force attack time against 8-byte password
• by Passcovery on GeForce GTX860M 1019MHz
• Office 2013 docx format is strong
• Recently, a memory-hard function is recommended
• Argon2 is the winner of Password Hashing Competition at 2015/Jul/20
Compare attack time
File format # of tries/sec hash stretching days
ZIP(96-bit) 230000000 none 10 days
Office2003 doc 11000000 ? 220 days
ZIP(256-bit AES) 370000 1000 x HMAC SHA1 18 years
Office2007 docx 16000 50000 x SHA1 430 years
Office2010 docx 8100 100000 x SHA1 854 years
Office2013 docx 337 100000 x SHA512 20000 years
13/54
• Comparison of password encrypted file formats
• Demo
• MS Office file format
• Secret key generator of the MS Office file format
• Introduction of my tool
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
14/54
• [MS-OFFCRYPTO]
• Office Document Cryptography Structure
• [MS-CFB]
• Compound File Binary - file format
MS Office documents
15/54
• Hashing algorithm 𝐻(𝑝𝑎𝑠𝑠, 𝑠𝑎𝑙𝑡)
• ℎ0 = 𝐻𝑎𝑠ℎ(𝑠𝑎𝑙𝑡, 𝑝𝑎𝑠𝑠)
• 𝑛 : iteration count
• for 𝑖 = 1 to 𝑛: ℎ𝑖 = 𝐻𝑎𝑠ℎ < 𝑖 > +ℎ𝑖−1
• < 𝑖 > : 4-byte little endian
Secret key generator of MS Office
𝑝𝑎𝑠𝑠
ℎ𝑜
𝐻𝑎𝑠ℎ
𝑠𝑎𝑙𝑡
ℎ𝑖−1 𝑖
𝐻𝑎𝑠ℎ
ℎ𝑖 𝑛
𝑆𝐾 ≔ ℎ𝑛
16/54
• Use two kinds of secret key
• 𝐻 : the above iterated hash function
1. generate 𝑠 from 𝑝𝑎𝑠𝑠 and 𝑠𝑎𝑙𝑡
2. generate 𝑆𝐾 and encrypt it by 𝑠
3. encrypt 𝑚 by 𝑆𝐾
• I will explain latter
• two keys for key escrow
• Administrator can decrypt if password is lost
• encrypt 𝑆𝐾 with public key of Administrator in advance
• desabled (default)
MS Office Agile format
𝑚
𝑝𝑎𝑠𝑠
𝑆𝐾
Enc by 𝑆𝐾
𝑆𝐾
𝑚
Enc by 𝑠
𝑠
𝐻
𝑠𝑎𝑙𝑡
17/54
• https://github.com/herumi/msoffice/
• My tool to encrypt/decrypt MS Office files
• Supports Windows/Linux
• Supports OpenXML of Office 2007~
• Support Agile format of Office 2010~
• LibreOffice does not support the format yet
• Configurable secret key for Agile format
• Configurable iteration count for stretching
msoffice-crypt
18/54
demo
• encrypt with password "test"
• decrypt with password "test"
• attack without password
Usage
decrypt easy.xlsx with "test" and get 𝑆𝐾
attack complex.xlsx by 𝑆𝐾 without password
msoffice-crypt -d complex.xlsx -by easy.xlsx -p test
msoffice-crypt -e plain.xlsx enc.xlsx –p test
msoffice-crypt -d enc.xlsx dec.xlsx –p test
20/54
• Comparison of password encrypted file formats
• Demo
• Situations
• What happened?
• Some scenarios
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
21/54
• Excel 2010/2013 does not update the secret key in the file when password is changed (Bug).
What happened?
We can attack them with this one secret key.
master file with pass
with pass1
with pass2
with pass3
save as...
have same secret key
22/54
• At HR
• prepares a master Excel file
• write pay slip into the file, change password, send to staff
Scenario 1(pay slip delivery)
master file with pass HR
can attack other files
23/54
• Owner
• A master Excel file encrypted with an easy pass
• Modify it and make an important file with strong pass
• Attacker
• Brute-force attack against easy pass and attack important file
Scenario 2(lost PC)
Brute-force attack to easy pass
save it with strong pass
write secret info.
can attack this
PC
24/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• Detail of MS Office file encryption structure
• Relation between password and secret key
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
25/54
• Old format and new format
• MS OLE2のヘッダは"D0 CF 11 E0"
MS Office file encryption details
Office file type Format
doc, ppt, xls (old Office files) MS OLE2
plain docx, pptx, xlsx ZIP file of Open XML files
encrypted docx, pptx, xlsx MS OLE2 including a header and an encrypted ZIP file
ZIP files (Open XML)
Enc(ZIP files)
encrypted with AES
header
not encrypted
encrypted
26/54
• There is a directory structure in one file
Layout of encrypted docx
root/
EncryptionPackage
EncryptionInfo
DataSpaces/
Version
DataSpaceMap
Transformation/
StrongEncryption
Transform/ Primary
DataSpaceInfo/ StrongEncryption
DataSpace
not used
encrypted main ZIP file
encryption information
27/54
• Standard encryption (~Office 2007)
• binary format
• supports only SHA-1
• spinCount(=# of iteration) is fixed to 50000
• Agile encryption (Office 2010~)
• XmlEncryptionDescriptor
• supports SHA-1, SHA256, etc.
• variable spinCount
Version of EncryptionInfo
28/54
XmlEncryptionDescriptor <encryption>
<keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64"
cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
hashAlgorithm="SHA512" saltValue="..."/>
<dataIntegrity encryptedHmacKey="..." encryptedHmacValue="..."/>
<keyEncryptors><keyEncryptor
uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
<p:encryptedKey spinCount="100000"
saltSize="16" blockSize="16" keyBits="256" hashSize="64" cipherAlgorithm="AES"
cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512" saltValue="..."
encryptedVerifierHashInput="..."
encryptedVerifierHashValue="..."
encryptedKeyValue="..."/>
</keyEncryptor></keyEncryptors>
</encryption>
29/54
Dependency of variables in encryption
generate encryptedKey.saltValue
encryptedVerifierHashValue
encryptedVerifierHashInput
encryptedKeyValue
encryptedHmacKey
encryptedHmacValue
password
gen. secretKey
hash
EncryptionPackage Enc(ZIP file)
ZIP file gen.
keyData.saltValue
gen. verifierHashInput
verifierHashValue
gen. HmacKey
hash 30/54
Check password integrity
generate encryptedKey.saltValue
encryptedVerifierHashValue
encryptedVerifierHashInput
encryptedKeyValue
encryptedHmacKey
encryptedHmacValue
password
gen. secretKey
hash
EncryptionPackage Enc(ZIP file)
ZIP file gen.
keyData.saltValue
gen. verifierHashInput
verifierHashValue
gen. HmacKey
hash 31/54
Check data integrity
generate encryptedKey.saltValue
encryptedVerifierHashValue
encryptedVerifierHashInput
encryptedKeyValue
encryptedHmacKey
encryptedHmacValue
password
gen. secretKey
hash
EncryptionPackage Enc(ZIP file)
ZIP file gen.
keyData.saltValue
gen. verifierHashInput
verifierHashValue
gen. HmacKey
hash 32/54
Dependency of encryption
generate encryptedKey.saltValue
encryptedVerifierHashValue
encryptedVerifierHashInput
encryptedKeyValue
encryptedHmacKey
encryptedHmacValue
password
gen. secretKey
hash
EncryptionPackage Enc(ZIP file)
ZIP file gen.
keyData.saltValue
gen. verifierHashInput
verifierHashValue
gen. HmacKey
hash
irrelevant to pass 𝑐 = 𝐸𝑛𝑐(𝑆𝐾 , 𝑠𝑎𝑙𝑡,𝑚)
33/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Motivation
• CSPRG
• Example of known backdoor
• Hooking into MS Office's secret key generator
• Proposal for a backdoor-resistant format
Agenda
34/54
• Normal encryptor
• main part to encrypt 𝑚
• You can not decrypt (𝑠𝑎𝑙𝑡, 𝑐) without 𝑆𝐾
• We can make a backdoor if the generator of 𝑆𝐾 is controlled.
generate 𝑠𝑎𝑙𝑡 randomly generate 𝑆𝐾 randomly
𝑐 = 𝐸𝑛𝑐 𝑆𝐾 , 𝑠𝑎𝑙𝑡,𝑚
Motivation
𝑚 (𝑠𝑎𝑙𝑡, 𝑐)
35/54
• Malicious (having backdoor)encryptor
• Malicious Eve prepares a master secret key 𝑋
• Eve embeds 𝑋 into an encryptor
• Eve can get 𝑆𝐾 = 𝐻 𝑋, 𝑠𝑎𝑙𝑡 by 𝑋 then decrypt it
• You can not notice that (𝑠𝑎𝑙𝑡, 𝑐) has a backdoor
An example of controlled 𝑆𝐾
𝑚 (𝑠𝑎𝑙𝑡, 𝑐) generate 𝑠𝑎𝑙𝑡 randomly
𝑆𝐾 = 𝐻 𝑋, 𝑠𝑎𝑙𝑡 𝑐 = 𝐸𝑛𝑐 𝑚 by (𝑠𝑎𝑙𝑡, 𝑆𝐾)
Eve 𝑋
𝑆𝐾
36/54
• 5 p.m. on Friday,
Make a proof of concept for MS Office
Hi Mitsunari, could you hook into the random
generator of MS Office?
I'll try it. By when do you need it?
Coming Monday.
...
37/54
• PRG(Pseudo Random Generator)
• used for game and simulation
• MT(Mersenne Twister) is popular
• CSPRG(Cryptographically Secure PRG)
• Nobody should be able to predict next bit from previous bits
• used for secret key generator
• MT is not CSPRG
• inner status is determined by 624x4-byte output
CSPRG
0 1 0 0 1 1 1 0 1 ?
known previous bits
CSPRG
next bit
38/54
• I strongly discourage you from implementing your own CSPRG
• Use CSPRG provided by system vendor instead
• /dev/urandom on Linux
• non blocking device for CSPRG
• entropy from mouse, keyboard, disk I/O and interrupts
Example of CSPRG
39/54
• Intel hardware CSPRG instruction
• Meets the NIST SP 800-90A standard
• Uses an on-chip non-deterministic entropy source
• Easy to use
• Difficult to use it safely
• Retry limit should be employed to prevent a busy loop (extremely rare)
rdrand
// uint64_t getRand(); getRand: .lp: rdrand rax // store random number in rax jnc .lp // retry if failure (rare) ret
40/54
• Output of /dev/urandom is fixed by only modified rdrand (kernel 3.8.13 by Taylor Hornby)
• rdrand() { return [edx] ^ 0x41414141; }
• Combine other entropy sources to avoid having a single point of failure
If rdrand has a backdoor?
41/54
• CSPRG of Microsoft CryptoAPI
• Used to generate salt and secret key
• Hook this function
• I expected that MS Office calls this to make a secret key
• If my hooked CryptGenRandom always return fixed bytes, then a secret key may be fixed.
• First, I tried to my (very old) DLL injection library
• Did not work as expected due to ASLR
CryptGenRandom()
42/54
• A library to hook Win32 APIs by MS Research
• http://research.microsoft.com/en-us/projects/detours/
• 64-bit version costs $9,999.95 (32-bit version is free)
• Usage
• Source code of dll to hook
Detours library (1/2)
BOOL HookCryptGenRandom(HCRYPTPROV, DWORD len, BYTE *p) { memset(p, 'a', len); return TRUE; } BOOL DllMain(HINSTANCE, DWORD reason, LPVOID) { if (reason == DLL_PROCESS_ATTACH) { orgFunc = DetourFindFunction("adapi32.dll", "CryptGenRandom"); DetourAttach(&orgFunc, HookCryptGenRandom); ...
43/54
• test.exe
• Run test.exe with withdll.exe in Detours
• CryptGenRandom is now hooked!
• But, the function is not called by MS Office...
Detours library (2/2)
int main() { RandomGenerator rg; // wrapper of CryptGenRandom() for (int i = 0; i < 3; i++) printf("%08x¥n", rg.get32()); }
>test.exe 812e1af0 // random ad990e76 865cb964
>withdll.exe /d:hook.dll test.exe 61616161 // "aaaa" 61616161 61616161
44/54
• Run Excel on debugger, see loaded DLLs
• I found rsaenh.dll
Trial and error (1/3)
45/54
• Extract symbols of rsaenh.dll
• dumpbin /exports rsaenh.dll
• What is CPGenRandom?
Trial and error (2/3)
ordinal hint RVA name 1 0 0000230C CPAcquireContext 2 1 00003A80 CPCreateHash 3 2 0001CC1C CPDecrypt 4 3 0001DBC8 CPDeriveKey ... 11 A 00009A80 CPGenKey 12 B 00001D3C CPGenRandom
46/54
• CPxxx functions are obsolete
• CPxxx is renamed to Cryptxxx
• CPxxx is called from Cryptxxx
• Cryptxxx is hooked automatically if CPxxx is hooked
• Excel calls CPGenRandom
• Excel seems to generate secret key!
• However,
Trial and error (3/3)
>msoffice-crypt –psk easy.xlsx –p test ... secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
>msoffice-crypt –psk complex.xlsx –p testtest ... secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
47/54
• Excel generates same secret key without hook
• MS Office Word, PowerPoint generate different key
• Only Excel has a bug
• About hooking CPGenRandom
• This hook was not enough to take control over the generator
• Hooking timer functions were not enough yet
• Details unknown because of no investigation made
It is a bug of Excel
48/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
• Check your Excel files
• Improved format
Agenda
49/54
• This bug is fixed at 2015/Oct/13 (MS15-110)
• But, the generated files won't be fixed
• Verify secret keys in your files by msoffice-crypt
• Re-encrypt files if you find the same secret keys
Check your Excel files
50/54
• What is a reliable format?
• MS Office format is secure enough, but it is difficult to prove no backdoor exists in the file
• The problem generally exists for tools provided in binary
• (again) malicious encryptor
• We want a format that is provably secure against the backdoor
Future work
𝑚 𝑠𝑎𝑙𝑡, 𝑐 , 𝑆𝐾 blackbox encryptor
𝑠𝑎𝑙𝑡 : random number 𝑋 : master secret key in the encryptor 𝑆𝐾 : 𝐻(𝑠𝑎𝑙𝑡, 𝑋) Eve gets 𝑆𝐾 by (𝑠𝑎𝑙𝑡, 𝑋)
51/54
• Generate 𝑆𝐾 with KDF(Key Derivation Function)
1. generate 𝑟0, 𝑟1 randomly
2. 𝑠𝑎𝑙𝑡 = 𝐻 𝑝𝑎𝑠𝑠, 𝑟0 , 𝐻 : KDF
3. 𝑆𝐾 = 𝐻(𝑝𝑎𝑠𝑠, 𝑟1)
4. 𝑐 = 𝐸𝑛𝑐 𝑟0, 𝑟1, 𝑚 by 𝑠𝑎𝑙𝑡, 𝑆𝐾
5. output: 𝑐, 𝑠𝑎𝑙𝑡
• Format validation
• Verify the output follows the correct steps
1. 𝑟0, 𝑟1, 𝑚 ≔ 𝐷𝑒𝑐 𝑐
2. 𝑠𝑎𝑙𝑡 =?𝐻(𝑝𝑎𝑠𝑠, 𝑟0)
3. 𝑆𝐾 =?𝐻(𝑝𝑎𝑠𝑠, 𝑟1)
A backdoor-resistant format
𝑆𝐾 𝑚
𝑚
𝑟0 𝑟1 𝑝𝑎𝑠𝑠
𝐻 𝐻
𝑠𝑎𝑙𝑡
𝐸𝑛𝑐
52/54
• For a person who knows only (𝑠𝑎𝑙𝑡, 𝑐)
• same difficulty as previous formats
• For Eve
• same difficulty of the attack against KDF to get 𝑝𝑎𝑠𝑠 from 𝑠𝑎𝑙𝑡 when 𝑟0 is known
• Detection of maliciousness is easy if 𝑟0 is fixed
• seems to be safe if all 𝑟0 are different from each other when 10000 times encrypted
• then, the attack is 10000 times harder for Eve
Difficutly of the proposed format
𝑆𝐾 𝑚
𝑚
𝑟0 𝑟1 𝑝𝑎𝑠𝑠
𝐻 𝐻
𝑠𝑎𝑙𝑡
𝐸𝑛𝑐
53/54
• Excel files can be attacked through their secret key without knowing the pass
• It is a bug of Excel and is fixed
• Proposal for a backdoor-resistant format
• It can be applied to general password based encrypted file formats
Conclusion
54/54
top related