How to (not) do Crypto — Episode #962

/via /via http://speakgeek.isovitis.com/
Matthew Green has a nice writeup on the whole MedSec / St. Jude entertainment, specifically, on the underlying vulnerabilities that were the proximate cause for the whole (admittedly serious!) kerfuffle.
It’s worth reading the whole thing in full, but one particularly egregious part is worth explicating, the role of security through obscurity.
(
Note: If you ever, ever, EVER, think it’s a good idea, go take a nap)
I’ll just copy the relevant part below — it says everything that needs to be said…
Programmer commands are authenticated through the inclusion of a three-byte (24 bit) “authentication tag” that must be present and correct within each command message received by the implantable device. If this tag is not correct, the device will refuse to accept the command.
To our surprise, SJM does not appear to use a standard cryptographic function to compute this tag. Instead, they use an unusual and apparently “homebrewed” cryptographic algorithm for the purpose. [Ed: emphasis mine]
Specifically, the PCS Programmer Java code contains a series of hard-coded 32-bit RSA public keys. To issue a command, the implantable device sends a value to the Programmer. This value is then “encrypted” by the Programmer using one of the RSA public keys, and the resulting output is truncated to produce a 24-bit output tag.
The above is not a standard cryptographic protocol, and quite frankly it is difficult to see what St. Jude Medical is trying to accomplish using this technique. From a cryptographic perspective it has several problems:
The RSA public keys used by the PCS Programmers are 32 bits long. Normal RSA keys are expected to be a minimum of 1024 bits in length. Some estimates predictthat a 1024-bit RSA key can be factored (and thus rendered insecure) in approximately one year using a powerful network of supercomputers. Based on experimentation, we were able to factor the SJM public keys in less than one second on a laptop computer.
Even if the RSA keys were of an appropriate length, the SJM protocol does not make use of the corresponding RSA secret keys. Thus the authentication tag is not an RSA signature, nor does it use RSA in any way that we are familiar with.
As noted above, since there is no shared session key established between the specific implantable device and the Programmer, the only shared secret available to both parties is contained within the Programmer’s Java code. Thus any party who extracts the Java code from a PCS Programmer will be able to transmit valid commands to any SJM implantable device.
So yeah, I lied, it was both Security through Obscurity and Roll Your Own Crypto.Yikes!

Comments

Popular posts from this blog

Cannonball Tree!