EDIT: Number two in the ranking, Jan, shares how he approached the challenge in a posting on the DCSec website. Also, Michael Oglesby, the first-place winner, has blogged about his way to the solution.
In a previous blog post, I had written about a couple of ideas for the DBIR cover challenge. Jan (a colleague from the DCSEC group of University of Hanover) and I finally solved the challenge today and I found out I HAD THE CORRECT SOLUTION FOR OVER A WEEK!
Unfortunately, my methodology seems to have been flawed.
There were a couple of hints for the challenge (much to the organizers’ mock dismay), all pointing in the same direction:
- All we need is there in print (FINGERprint! First page!)
- The F+ is something that looks important at first... a false positive
- Put it together and google!
Shortly after the F+ hint came out, we already found the notion of the solution being something about the probability of a false positive and combed the report from end to end for anything even remotely resembling a false positive, an error in methodology, an unsolvable case or whatever. Nothing.
Then we thought, hey, wait... A false positive regarding a fingerprint? That might have to do with detection and those circles look like minutiae, too. So, are we looking for fingerprint detection rates? A quick google found us a Wikipedia article stating that the error rate is 1 in 64 billion.
I tried this passphrase and it didn’t work. So we abandoned that train of thought until yesterday and today, when the hints got more and more urgent. It was not until Jan solved the riddle today that I re-examined my methodology and found out that I had been using a broken tool.
I, being somewhat PHP-centric, had written a script that used the PHP-OpenSSL extension (from what I know, a fairly straightforward OpenSSL API implementation), took a pass phrase candidate and put decryptions into text files. It iterated through every cipher in PHP-OpenSSL’s list and took string reversal, concatenation, uppercase, lowercase, mixed case and a couple other combinations into account. It could also take word lists and combine them to 1 to 4 word pass phrases.
I thought it was neat. But it doesn’t decrypt properly. Feeding it the base64 encoded ciphertext, the correct passphrase and the correct algorithm yields this result:
absynth@irc:~/public_html/breach$ php -r 'var_dump(
    openssl_decrypt(
        file_get_contents("./base64.txt"),
        "aes-256-cbc",
        "1in64billion"));'
bool(false)
Huh? This should work, shouldn’t it? It doesn’t work with AES-256-CBC (in caps, both are in openssl’s cipher list) either.
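Why the two tools disagree, as an added illustration that is not part of the original post: openssl enc -k never uses the passphrase itself as the key; it writes a "Salted__" header plus an 8-byte salt and derives key and IV from passphrase and salt with EVP_BytesToKey (one MD5 round in the OpenSSL of 2010; 1.1.0 and later default that digest to SHA-256), whereas PHP's openssl_decrypt() feeds the NUL-padded passphrase straight to the cipher with a zero IV and treats the header as ciphertext, so the CBC padding check fails and it returns false. The script below uses only hashlib and a constructed sample blob (the salt and ciphertext bytes are made up) to derive both keys and show that they differ.

```python
import base64
import hashlib

# Constructed sample of what `openssl enc -base64 -salt -k ... -aes-256-cbc`
# emits: base64("Salted__" + 8-byte salt + ciphertext). Bytes are made up.
SAMPLE_SALT = bytes.fromhex("0011223344556677")
SAMPLE_B64 = base64.b64encode(b"Salted__" + SAMPLE_SALT + bytes(32)).decode()


def split_openssl_blob(b64_text):
    """Return (salt, ciphertext) from `openssl enc -salt` output, or raise."""
    raw = base64.b64decode(b64_text)
    if raw[:8] != b"Salted__":
        raise ValueError("no Salted__ header: not produced by `openssl enc -salt`")
    return raw[8:16], raw[16:]


def evp_bytes_to_key(password, salt, key_len, iv_len, digest="md5"):
    """OpenSSL's legacy EVP_BytesToKey, one iteration: D_i = H(D_{i-1} || pw || salt),
    concatenated until key_len + iv_len bytes are available."""
    out = b""
    prev = b""
    while len(out) < key_len + iv_len:
        prev = hashlib.new(digest, prev + password + salt).digest()
        out += prev
    return out[:key_len], out[key_len:key_len + iv_len]


def php_openssl_key(password, key_len):
    """Key PHP's openssl_decrypt() hands to the cipher for a 'passphrase':
    raw bytes, NUL-padded or truncated to the key size, no salt, no KDF
    (per the PHP manual; the zero IV it warns about is omitted here)."""
    return password.ljust(key_len, b"\0")[:key_len]


def compare_keys(b64_text, password):
    """Derive the key/IV `openssl enc` uses for this blob and the key PHP would use."""
    salt, _ciphertext = split_openssl_blob(b64_text)
    enc_key, enc_iv = evp_bytes_to_key(password, salt, 32, 16)  # AES-256-CBC sizes
    php_key = php_openssl_key(password, 32)
    return {"salt": salt, "openssl_key": enc_key, "openssl_iv": enc_iv,
            "php_key": php_key, "same_key": enc_key == php_key}


if __name__ == "__main__":
    for name, value in compare_keys(SAMPLE_B64, b"1in64billion").items():
        print(name, value.hex() if isinstance(value, bytes) else value)
```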
The bash equivalent works (with an iteration over all ciphers):
for i in `cat ciphers.txt`;
do
  openssl enc \
    -in base64.txt \
    -base64 \
    -d \
    -k 1in64billion \
    -out candidates/dec$i.txt \
    $i;
done
This gives us this result:
absynth@irc:~/public_html/breach$ cat candidates/dec-aes-256-cbc.txt
Congratulations! You’ve solved the 2010 DBIR Cover Challenge. If you happen
to be the among the first three people to see this message and email us the
correct answer to the question below, you will receive a prize.
Who calculated the probability of a false positive in using fingerprint
analysis for identification?
Email your answer to dbir@lists.verizonbusiness.com.
It’s annoying: I sat on the solution for over a week and I didn’t once doubt my methodology.
So, this event teaches us two things:
- Don’t use PHP for security purposes (Duh, I should have known)
- Always triple-check your methodology.
However, it was great fun, from the start through the “I’m stumped” periods, anxiously awaiting new hints and leads on Twitter, up to the weak attempt to drown everything in alcohol (that gave all participants a HUGE hangover).
And, as Jan stated in his Twitter feed, the challenge was an awesome bait by the Verizon guys - I have rarely read a publication as thoroughly as this one.
We arrived at our solutions and turned them in independently today, since I was at home (supposed to be working on my PhD thesis) and he was at work. We turned out second and third; the first place had gone to Michael Oglesby on Saturday.
Thanks to all at DCSEC, to Ryan at ZDNet and the folks at Verizon. See you on Twitter 