The Owncloud web application has an encryption module. I first became aware of it when a press release was published advertising this encryption module, containing this:
Imagine you’re an IT organization using industry standard AES 256 encryption keys. Let’s say that a vulnerability is found in the algorithm, and you now need to improve your overall security by switching over to RSA-2048, a completely different algorithm and key set. Now, with ownCloud’s modular encryption approach, you can swap out the existing AES 256 encryption with the new RSA algorithm, giving you added security while still enabling seamless access to enterprise-class file sharing and collaboration for all your end-users.
To anybody who knows anything about crypto this sounds pretty weird. AES and RSA are very different algorithms: AES is a symmetric algorithm and RSA is a public key algorithm, and it makes no sense to replace one with the other. Also, RSA is much older than AES. This press release has since been removed from the Owncloud webpage, but its content can still be found in this Reuters news article. This and some conversations with Owncloud developers prompted me to take a look at this encryption module.
When one uploads a file with the encryption module enabled it ends up under the same filename in the user’s directory on the file storage. Now here is a first, pretty obvious problem: The filename itself is not protected, so an attacker who is assumed to be able to see the storage space can already learn something about the supposedly encrypted data.
The content material of the file begins with this:
It is then padded with further dashes until position 0x2000, and then the encrypted content follows, Base64-encoded in blocks of 8192 bytes. The header tells us which encryption algorithm and mode are used: AES-256 in CFB mode. CFB stands for Cipher Feedback.
Authenticated and unauthenticated encryption modes
In order to proceed we need some basic understanding of encryption modes. AES is a block cipher with a block size of 128 bits. That means we can’t just encrypt arbitrary input with it; the algorithm itself only encrypts blocks of 128 bits (or 16 bytes) at a time. The naive approach to encrypting more data is to split it into 16-byte blocks and encrypt each block. This is called Electronic Codebook mode, or ECB, and it should never be used, because it is completely insecure.
Common modes for encryption are Cipher Block Chaining (CBC) and Counter mode (CTR). These modes are unauthenticated and have a property called malleability. This means an attacker who is able to manipulate encrypted data can manipulate it in a way that will cause a certain defined behavior in the output. Often this simply means an attacker can flip bits in the ciphertext and the same bits will be flipped in the decrypted data.
To counter this, these modes are usually combined with some authentication mechanism; a common one is called HMAC. However, experience has shown that this combining of encryption and authentication can go wrong. Many vulnerabilities in both TLS and SSH were due to bad combinations of these two mechanisms. Therefore modern protocols usually use dedicated authenticated encryption modes (AEADs); popular ones include Galois/Counter Mode (GCM), Poly1305 and OCB.
Cipher Feedback (CFB) mode is a self-correcting mode. When an error happens, which can be a simple data transmission error or a hard disk failure, two blocks later the decryption will be correct again. This also allows decrypting parts of an encrypted data stream. But the important thing for our attack is that CFB is not authenticated and is malleable. And Owncloud did not use any authentication mechanism at all.
Therefore the data is encrypted and an attacker can’t see the content of a file (but he learns some metadata: the size and the filename), but an Owncloud user can’t be sure that the downloaded data is really the data that was uploaded in the first place. The malleability of CFB mode works like this: An attacker can flip arbitrary bits in the ciphertext, and the same bits will be flipped in the decrypted data. However, if he flips a bit in any block then the following block will contain unpredictable garbage.
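As an added example (my own code, not from the original post and not Owncloud’s), this Go program with a constructed key, IV and nonce shows the CFB property just described: flipping one ciphertext bit flips the same plaintext bit, garbles only the following 16-byte block, and decrypts without any error. The same flip against AES-256-GCM, an authenticated mode, is rejected at decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
)

// Constructed key, IV and nonce for this demonstration only; a real system derives fresh values per file.
var (
	key    = bytes.Repeat([]byte{0x42}, 32)            // AES-256 key
	iv     = bytes.Repeat([]byte{0x01}, aes.BlockSize) // CFB IV
	nonce  = bytes.Repeat([]byte{0x02}, 12)            // GCM nonce
	blk, _ = aes.NewCipher(key)                        // key is 32 bytes, so no error possible
)

// cfbXOR runs AES-256-CFB (128-bit feedback, the mode named in the Owncloud file header).
func cfbXOR(in []byte, encrypt bool) []byte {
	s := cipher.NewCFBDecrypter(blk, iv)
	if encrypt {
		s = cipher.NewCFBEncrypter(blk, iv)
	}
	out := make([]byte, len(in))
	s.XORKeyStream(out, in)
	return out
}

// FlipAndDecrypt encrypts pt, XORs mask into ciphertext byte pos and decrypts; nothing rejects the change.
func FlipAndDecrypt(pt []byte, pos int, mask byte) []byte {
	ct := cfbXOR(pt, true)
	ct[pos] ^= mask
	return cfbXOR(ct, false)
}

// GCMDetectsTamper seals pt with AES-256-GCM, applies the same flip and reports whether Open rejects it.
func GCMDetectsTamper(pt []byte, pos int, mask byte) bool {
	gcm, err := cipher.NewGCM(blk)
	if err != nil { panic(err) }
	ct := gcm.Seal(nil, nonce, pt, nil)
	ct[pos] ^= mask
	_, err = gcm.Open(nil, nonce, ct, nil)
	return err != nil // the authentication tag no longer verifies
}

func main() {
	pt := []byte("0123456789abcdef0123456789abcdef0123456789abcdef") // three constructed 16-byte blocks
	out := FlipAndDecrypt(pt, 5, 0x01) // same bit flips in block 1, block 2 is garbage, block 3 intact
	fmt.Printf("%q | %x | %q\nGCM rejects the same flip: %v\n", out[:16], out[16:32], out[32:], GCMDetectsTamper(pt, 5, 0x01))
}
```

The garbage in block 2 is guaranteed, not just likely: the CFB keystream for block 2 is the block cipher applied to ciphertext block 1, and a block cipher maps distinct inputs to distinct outputs.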
Backdooring an EXE file
How does that matter in practice? Let’s assume we have a group of people who share a software package over Owncloud. One user uploads a Windows EXE installer and the others download it from there and install it. Let’s further assume that the attacker does not know the content of the EXE file (this is a generous assumption; in many cases he will know, as he knows the filename).
EXE files begin with a so-called MZ header, which is the old DOS EXE header that usually gets ignored. At a certain offset (0x3C), which is at the end of the fourth 16-byte block, there is the address of the PE header, which on Windows systems is the real EXE header. After the MZ header, even on modern executables, there is still a small DOS program. This begins with the fifth 16-byte block. This DOS program usually only shows the message "This program cannot be run in DOS mode". And this DOS stub program is almost always exactly the same.
Therefore our attacker can do the following: First flip any non-relevant bit in the third 16-byte block. This will cause the fourth block to contain garbage. The fourth block contains the offset of the PE header. As this is now garbled, Windows will not consider this executable to be a Windows application and will therefore execute the DOS stub.
The attacker can then XOR 16 bytes of his own code with the first 16 bytes of the standard DOS stub code. He then XORs the result with the fifth block of the EXE file, where he expects the DOS stub to be. Voila: The resulting decrypted EXE file will contain 16 bytes of code controlled by the attacker.
I created a proof of concept of this attack. This is not enough to launch a real attack, because an attacker only has 16 bytes of DOS assembler code, which is very little. For a real attack an attacker would have to identify further pieces of the executable that are predictable and jump through the code segments.
The first fix
I reported this to Owncloud via Hacker One in January. The first fix they proposed was a change where they used Counter mode (CTR) together with HMAC. They still encrypt the file in blocks of 8192 bytes. While this is certainly less problematic than the original construction, it still had an obvious problem: All the 8192-byte file blocks were encrypted the same way. Therefore an attacker can swap or remove chunks of a file. The encryption is still malleable.
The second fix then included a counter of the file and also avoided attacks where an attacker can go back to an earlier version of a file. This solution is shipped in Owncloud 9.0, which has recently been released.
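To make the difference between the first and the second fix concrete, here is an added Go sketch of the chunk authentication (my own construction with a constructed HMAC key, not Owncloud’s code): a per-chunk HMAC that covers only the chunk data still verifies after chunks are reordered or dropped, while a tag that also covers the chunk index and the total chunk count rejects both.

```go
package main

import (
	"bytes"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/binary"
)

var macKey = bytes.Repeat([]byte{0x07}, 32) // constructed MAC key for the demonstration

// Chunk is one encrypted file chunk (8192 bytes in Owncloud; shortened here) with its HMAC tag.
type Chunk struct {
	Data []byte
	Tag  []byte
}

// tag is HMAC-SHA256 over the chunk. With bindPosition the chunk index and the total chunk count
// are authenticated too, so a chunk only verifies at its original place in a file of the original length.
func tag(data []byte, index, total uint64, bindPosition bool) []byte {
	m := hmac.New(sha256.New, macKey)
	if bindPosition {
		var hdr [16]byte
		binary.BigEndian.PutUint64(hdr[:8], index)
		binary.BigEndian.PutUint64(hdr[8:], total)
		m.Write(hdr[:])
	}
	m.Write(data)
	return m.Sum(nil)
}

// Seal tags every chunk of a file.
func Seal(chunks [][]byte, bindPosition bool) []Chunk {
	file := make([]Chunk, len(chunks))
	for i, d := range chunks {
		file[i] = Chunk{Data: d, Tag: tag(d, uint64(i), uint64(len(chunks)), bindPosition)}
	}
	return file
}

// Verify recomputes each tag for the position the chunk is actually read from.
func Verify(file []Chunk, bindPosition bool) bool {
	for i, c := range file {
		if !hmac.Equal(c.Tag, tag(c.Data, uint64(i), uint64(len(file)), bindPosition)) {
			return false
		}
	}
	return true
}
```

Swapping two chunks of a file sealed without position binding, or slicing off its last chunk, still passes Verify; the same edits on the position-bound file fail.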
Is this new construction secure? I honestly don’t know. It’s secure enough that I didn’t find another obvious flaw in it, but that doesn’t mean a whole lot.
You may wonder at this point why they didn’t switch to an authenticated encryption mode like GCM. The reason for that is that PHP doesn’t support any authenticated encryption modes. There is a proposal, and most likely support for authenticated encryption will land in PHP 7.1. However, given that using old PHP versions is a very common practice, it will probably take another decade until anyone can use that in mainstream web applications.
Don’t invent your own crypto protocols
The practical relevance of this vulnerability is probably limited, because the scenario that it protects from is relatively obscure. But I think there’s a lesson to learn here. When people without a strong cryptographic background create ad-hoc designs of cryptographic protocols it will almost always go wrong.
It is widely known that designing your own crypto algorithms is a bad idea and that it is best to use standardized and well tested algorithms like AES. But using secure algorithms doesn’t automatically create a secure protocol. One has to know the interactions and limitations of crypto primitives, and that is far from trivial. There is a worrying trend, especially since the Snowden revelations, that new crypto products that never saw any professional review get developed and marketed in large numbers. A lot of these products are probably extremely insecure and shouldn’t be trusted at all.
If you do crypto it is best to either do it right (which might mean paying someone to review your design or to create it in the first place) or not to do it at all. People trust your crypto, and if that trust isn’t justified you shouldn’t ship a product that creates the impression it contains secure cryptography.
There’s another thing that bothers me about this. Although this seems to be a pretty standard use case of crypto, where you have a symmetric key and you want to encrypt some data, there is no simple and widely available standard solution for it. Using authenticated encryption solves a lot of issues, but not all of them (this talk by Adam Langley covers some interesting issues and caveats with authenticated encryption).
The proof of concept can be found on Github. I presented this vulnerability in a talk at the Easterhegg conference; a video recording is available.