Sunday, May 18, 2008

Debian OpenSSL bug

A huge security hole has been discovered in the Debian OpenSSL and OpenSSH packages:
Modern-day cryptography relies on computer-generated, random encryption keys. Random keys are used everywhere - from generation of public/private key pairs, signatures and certificates, all way to basic login onto ssl or ssh server, when you enter password - the Diffie-Hellman key exchange is used to negotiate random encryption key.

It is absolutely crucial that the "random numbers" are hard for attacker to guess. Normally, the keys have insanely high number of possibilities, in the billion billion billion billion billion billion possibilities range. But in Debian Linux (and anything Debian-based, e.g. Ubuntu), for almost *2 years*, it had only 32 thousands possible keys (per every architecture). That could be cracked with WW2-era hardware. Enigma machine was more secure than that!

Now, how and why this happened?

Theres original conversation from when the bug was introduced:

There was 2 "MD_Update(&m,buf,j);" lines commented out in 2 functions.

static void ssleay_rand_add(const void *buf, int num, double add)
(which was the only place in the function that made use of "buf")


static int ssleay_rand_bytes(unsigned char *buf, int num)
#ifndef PURIFY
MD_Update(&m,buf,j); /* purify complains */

The first function, ssleay_rand_add, adds the input data into the "entropy pool". It is used to add bytes from /dev/[u]random and from various events such as mouse motion etc. The buff parameter is input-only, named "const void *buf" . And this MD_Update is the only place where it reads from buff. So commenting out almost entirely disabled the random number genration.

Second function outputs random numbers into buff (its output parameter); nonetheless, it does read content of the buff to enhance randomness. This is not very good thing to do as it confuses some debuggers.
Hence, there is
#ifndef PURIFY
block around it, allowing you to use -DPURIFY if you want to improve debugging.

Rather than using common sense, "dont mess with other people's code unless you have to" and using -DPURIFY , which is *the official way of dealing with problem* , Kurt comments out that line. And more, he searches for anything similar and comments the other one out too!

He does take the time to ask the SSL team about the change, just posting the line numbers, no context, no even function declarations. Just an overly long blabla text. What kind of manners is that? Developer is supposed to open files, go to those lines, and look? Note that he's *not* submitting proper patch asking for it to be accepted. Keep in mind that Debian is just one distribution out of many.
He doesnt take the time to look at the code (and is not a competent programmer); the const in "const void *buf" means that buf is input, "read-only" parameter, and is obviously here for something useful.

Now the fix. It is still very moronic: rather than simply removing the breaking patch and sticking to official openssl without custom changes (maybe using -DPURIFY when compiling) , only the first line is uncommented. WTF. The original break was moronic, the solution was moronic too.

This is just tip of big iceberg. Linux distro maintainers (read: largely, incompetent programmers and n00bs, wannabe elite hackers) do "fixes" in the code that they absolutely do not understand. Being n00bs, they don't properly submit patches to real developers (not that it would help for those "fixes" which are crap and are not accepted anyway). It also highlights the possibility of planting backdoors into open source code. When simple comment out like this remains undetected for almost 2 years, a cleverly hidden backdoor may remain undetected forever.

The advice is: If security is important to you, *stay away from distro packages*. The OpenSSL package in your distro is not OpenSSL. It is a fork of OpenSSL. Which may contain ANY sort of shit, all way from idiocy to clever, deliberate backdoors.

Also, general comment on OpenSSL code. It is over-complicated, and code quality looks bad. There is a lot of room for hidden backdoors.

Wednesday, April 16, 2008

Skype times again

(follow up on previous post about skype.)

So, i'm getting asked to explain the calculations for skype timer overflow date.
Note: to understand this post, you need to know some mathematics, especially different bases numbers (such as binary (base 2) and hexadecimal (base 16))

There you can find sample data (in hex) from skype log:

To get nice data to analyze, you can send messages to echo123 (aka "Echo / Sound Test Service") with text ` (backward quote, the key left of 1).
If you're lucky, echo123 will reply to you with something like this:
Echo / Sound Test Service : yournickname 2008.04.12 12:42:22
so that in chatmsg256.dbb you have both skype's binary timestamp, and human readable time in message text. (Note, this time is in GMT+1 now, not GMT, dunno why.)

The binary timestamp in that sample message is 0x85 0xA4 0x82 0xC0 . I located timestamp by comparing multiple messages in the log and looking what is different between those.

As you can see all bytes are bigger than 0x80 . That means first bits of those bytes are 1. As i found out (again, by looking at many messages in the log), them are always set to 1, for all times, and whole thing increments as if those bits are not present here at all. So, these bits have to be ignored to get the number that skype actually stores there. In whole number, we get only 28 bits (4 bytes, each has one bit that is ignored and 7 data bits. Total 28 data bits).

The skype's time number can be obtained as
(0x85-0x80) + (0xA4-0x80)*27 + (0x82-0x80)*214+ (0xC0-0x80)*221 = 134 255 109
The subtraction of 0x80 is to compensate for those first bits being always set to 1 . Multiplications by power of two are to get those 4x7 bits together into single 28 bit number.

Sample message, for which we got the skype's timestamp number, was sent on 2008.04.12 12:42:22 as we can see in the message itself (the message was automated reply from echo123 with current time), and GMT+1 , not GMT . so thats 11:42:22 GMT

The time overflow date is
T = [2008.04.12 11:42:22] - 134255109 seconds + 228 seconds
where first part is the date of message, second part is skype's timestamp value (we subtract timestamp value from date to find from which date the skype counts seconds), and 228-1 is maximal number that can be storen in 28 bits, next number causing overflow.

It is bit difficult to add and subtract large numers of seconds from datetimes. As far as i know, Google calculator does not support datetime values.
Fortunately, theres tools on the web which can do that. You can simply convert date to standard unix timestamp (seconds elapsed since 1970), then add your seconds, then convert back to year/month/day etc
to convert [2008.04.12 12:42:22] we get Epoch timestamp: 1208000542
Using google calculator again, we get
1208000542 - 134255109 + 2^28 = 1342180889
and last step, converting it to human readable date using
we get Fri, 13 Jul 2012 12:01:29 GMT

I think it came out 1 and half minute off because skype used one clocks to set timestamp, and another clocks were used by echo123 when replying; also echo123 replies with large delay. In the converter program, i use 12:00:00 GMT exactly.

numbers like 0x1ABCD2 and so on are in hexadecimal, i.e. base-16 notation. 0x is standard prefix for hexadecimal numbers, used to tell those apart from decimal. the rest is number itself. For digits past 9, alphabet is used. A=10 , B=11 , C=12 and so on.

The echo123 bot does not always reply, you can check without echo123 but then you need to yourself get date and time as skype shows them to you.

Sunday, April 13, 2008

Friday, 13th July 2012, 12:00 GMT - the apocalypse is about 5 months closer than mayans believed

Maya were possibly the first to have their calendar end in 2012 , but sure they weren't last.
Today i found that popular internet telephony program Skype followed the trend.
On Friday, 13th July 2012, 12:00 GMT , the skype's time counter gonna overflow ! Or at least its gonna enter the New Byte Epoch, or how skype developers call their equivalent of mayan "Galactic Day".
(Unfortunately, skype seem to use server time to store timestamps, rather than client computer's own clock time. I tried setting time to past 13th July 2012, 12:00 GMT, but the times in the log were correct times of today. We'll either have to wait till 2012 to see what happens, or reverse engineer skype's binaries, or set up some fake server, or something like that.)
More on this:

There wasnt any good tools avaliable for converting skype logs (which are binary) to text, and i needed to convert a few logs, so i had to write tool myself.

On my website, you can get more information about skype chat log format.
Development of tool:
Extracting sender and messages themselves from logs was easy, the harder part was decoding message timestamps.
I found that timestamp is stored in 4 bytes, and all bytes have their first (sign) bit set, which looked quite weird. Ignoring first bits and interpreting it as 28-bit number, i got some number that looked like number of seconds since some date.
Then, comparing time to skype timestamp, i found that e.g. 2008-04-12 17:33:43 corresponds to skype timestamp 134276281
From now on finding times was easy job :-)
Standard unix epoch time (seconds since 1970) for [2008-04-12 17:33:43] is 1208021623, and the difference between standard and skype's timestamps is about 1073745342 . In other words, skype's timestamp is number of seconds since approximately Sat 10 Jan 2004 14:35:42 (the difference converted to human readable format).
That date and time looks like pretty strange choice of time to count seconds from. Not a midnight or midday...
I got curious, when does it overflow? As quick calculation showed, it overflows on friday 13th july 2012 , 12:00 GMT (my time was few seconds off, but thats allright). Which is obviously by design.
So, i thought, wow, thats first class blogging material! So there we go :)

This also explained weird thing about first bits of all bytes being set. If you interpret the bytes as signed 8 bit numbers, they're all negative. So if you add them like first byte + second byte*27 + third byte*214+fourth byte*221, you get negative number which is number of seconds to friday 13th july 2012 , 12:00 GMT

This also means that skype timestamps will probably continue working after friday 13th july 2012 , 12:00 GMT , just they wont have first bits set anymore.

For geek readers, in skype (version for linux, at least) the timestamps in skype .dbb files are fairy easy to spot in hex viewer. Them are placed between list of people in the "chatroom", and the sender's skype name. The timestamp is prefixed with E5 03 . It is 4(?) bytes long. The fifth byte after those four is always equal to 4 so i dont know if fifth is part of timestamp and timestamp is actually 5 bytes long, or fifth byte is just some sort of delimeter or control character. It is followed by 03 , like all other skype's delimiters, so i think it probably is just a delimiter.

p.s. i used to convert seconds to time and back during testing.

p.p.s if you found this interesting, visit my website on