Send the link below via email or IMCopy
Present to your audienceStart remote presentation
- Invited audience members will follow you as you navigate and present
- People invited to a presentation do not need a Prezi account
- This link expires 10 minutes after you close the presentation
- A maximum of 30 users can follow your presentation
- Learn more about this feature in our knowledge base article
Do you really want to delete this prezi?
Neither you, nor the coeditors you shared it with will be able to recover it again.
Make your likes visible on Facebook?
You can change this under Settings & Account at any time.
Transcript of HGI Chm
HGI-Kolloquium, 16th January 2014, Bochum
1st - Reverse Engineering
2nd - Cryptanalysis
Visual Basic 6
Initial IDA Pro output is a mess
Wasted hours/days trying to locate the crypto-algo.
Didn't do any high-level analysis up-front (e.g., look for suspicious strings)
Didn't think of COM...
What is Chiasmus?
Visual C++ 6.0
Some suspicious strings...
... but no smoking-gun-exports
e is management and risk assessment of IT landscapes according to "IT-Grundschutz"
Cryptographic functionality is just a bonus (Extras -> Verschlüsselung...)
key-store (including key generator)
encryption of files
decryption of files
"COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE and ActiveX technologies." - MSDN
A COM server provides certain classes to other applications in a programming-language agnostic way.
Normally a COM server registers itself under a unique CLSID in the registry:
Windows (Phone) 8 apps are COM servers.
We can easily interact with COM servers using a variety of ways:
The Component Object Model (COM)
=> COM in-process server (defines and implements the GSTOOL's custom ICrypt interface)
The ICrypt Interface
12 full rounds + prologue and epilogue
26 round keys of 32 bits each
64 bits block size
Substitution and permutation network (SPN)?
unlike DES (Feistel network)
2 bijective and inverse s-boxes GF(2)^8 -> GF(2)^8
2 mappings GF(2)^32 x GF(2)^32 -> GF(2)^32
multiplication and addition modulo 2^32
=> 2x2 Matrix multiplication in GF(2^32)
The Chiasmus key-schedule
Derives 26 round keys of 32 bits each from 160 bits input key.
First 5 round keys (5*32 bits = 160 bits) are equal to the input key.
Last 21 round keys are calculated from the first for round keys:
Chiasmus In GSTOOL
Chiasmus In General
... and ECB mode is used.
Each of the 20 key bytes is generated by a simple call to
Seed is set once through
rand() taken for itself:
rand() with srand(time()):
for 1 year period,
for 10 year period
Already easily brute-forcable within seconds/minutes but can be reduced further...
Visual C's rand() implementation (linear congruential generator):
GSTOOL's key generation only uses the 8 lsbits and throws away the 8 msbits of each rand() invocation.
The upper 8 bits of the LCG's internal state do not need to be taken into account.
=> Complexity can be reduced to 24 bits from initially 160 bits.
=> Overall key space consists of only roughly 17 million keys!
=> Every encrypted file can be decrypted in 2-3 seconds on this laptop.
Difference Distribution Table AES s-box
Difference Distribution Table Chiasmus s-box
Difference Distribution Table randomly chosen s-box
Quality measure for sboxes: How big is the chance that a certain difference
of two input bytes X' and X'' results in a certain difference
of the two corresponding output bytes Y' and Y''.
dX = X' xor X''
dY = Y' xor Y''
To my knowledge both the AES and Chiasmus s-boxes are optimally strong.
Walsh Coefficients AES s-box
Walsh Coefficients Chiasmus s-box
Walsh Coefficients randomly chosen sbox
Quality measure for s-boxes: How big is the chance that the sum of certain input bits is equal to the sum of certain output bits in GF(2)?
The maximum "Walsh Coefficient" is measure of quality
AES and Chiasmus sboxes both have a
maximum Walsh Coefficient of
, whereas the random sbox has maximum Walsh Coefficient of
The AES s-box represents an inversion in GF(2^8) and a subsequent affine mapping in GF(2)^8.
Currently this is apparently the only known way to construct an sbox with optimal properties.
It can be shown that the Chiasmus s-boxes are constructed differently than the AES s-boxes.
I.e. there exists no combination of any inversion in GF(2^8) that in combination with any affine mapping in GF(2)^8 constructs the Chiasmus s-boxes.
This does not mean though that the BSI knows a secret way to construct optimal s-boxes.
Probably there is just another affine mapping before the inversion applied.
Chiasmus appears to be well constructed and modern.
Its implementation in GSTOOL is broken.
AES is 4-5 times faster
(on my old laptop,
Jan Schejbal recently a similar talk at 30C3 last year.
Acknowledged that I was first ;-)
Heard of other people who did similar work privately.