Loading presentation...

Present Remotely

Send the link below via email or IM


Present to your audience

Start remote presentation

  • Invited audience members will follow you as you navigate and present
  • People invited to a presentation do not need a Prezi account
  • This link expires 10 minutes after you close the presentation
  • A maximum of 30 users can follow your presentation
  • Learn more about this feature in our knowledge base article

Do you really want to delete this prezi?

Neither you, nor the coeditors you shared it with will be able to recover it again.


Make your likes visible on Facebook?

Connect your Facebook account to Prezi and let your likes appear on your timeline.
You can change this under Settings & Account at any time.

No, thanks


No description

flx flx

on 16 January 2014

Comments (0)

Please log in to add your comment.

Report abuse

Transcript of HGI Chm

Reverse Engineering of Chiasmus

Felix Schuster
HGI-Kolloquium, 16th January 2014, Bochum
1st - Reverse Engineering
2nd - Cryptanalysis
13MB behemoth
Visual Basic 6
10.000+ functions
Initial IDA Pro output is a mess
Wasted hours/days trying to locate the crypto-algo.
My faults:
Didn't do any high-level analysis up-front (e.g., look for suspicious strings)
Didn't think of COM...
What is Chiasmus?
124KB lightweight
Visual C++ 6.0
809 functions
Some suspicious strings...
... but no smoking-gun-exports
Main purpos
e is management and risk assessment of IT landscapes according to "IT-Grundschutz"
Cryptographic functionality is just a bonus (Extras -> Verschlüsselung...)
key-store (including key generator)
encryption of files
decryption of files
"COM is a platform-independent, distributed, object-oriented system for creating binary software components that can interact. COM is the foundation technology for Microsoft's OLE and ActiveX technologies." - MSDN

A COM server provides certain classes to other applications in a programming-language agnostic way.
Normally a COM server registers itself under a unique CLSID in the registry:
Windows (Phone) 8 apps are COM servers.
We can easily interact with COM servers using a variety of ways:
The Component Object Model (COM)
=> COM in-process server (defines and implements the GSTOOL's custom ICrypt interface)
The ICrypt Interface
Chiasmus encryption
12 full rounds + prologue and epilogue
26 round keys of 32 bits each
64 bits block size
Substitution and permutation network (SPN)?
like AES
unlike DES (Feistel network)
2 bijective and inverse s-boxes GF(2)^8 -> GF(2)^8
2 mappings GF(2)^32 x GF(2)^32 -> GF(2)^32
multiplication and addition modulo 2^32
=> 2x2 Matrix multiplication in GF(2^32)
The Chiasmus key-schedule
Derives 26 round keys of 32 bits each from 160 bits input key.
First 5 round keys (5*32 bits = 160 bits) are equal to the input key.
Last 21 round keys are calculated from the first for round keys:
Chiasmus In GSTOOL
Chiasmus In General
... and ECB mode is used.
Key generation
Each of the 20 key bytes is generated by a simple call to
Seed is set once through
Key complexity
rand() taken for itself:
32 bits
rand() with srand(time()):
~24.91 bits
for 1 year period,
~28.23 bits
for 10 year period
Already easily brute-forcable within seconds/minutes but can be reduced further...
Visual C's rand() implementation (linear congruential generator):
GSTOOL's key generation only uses the 8 lsbits and throws away the 8 msbits of each rand() invocation.
The upper 8 bits of the LCG's internal state do not need to be taken into account.
=> Complexity can be reduced to 24 bits from initially 160 bits.
=> Overall key space consists of only roughly 17 million keys!
=> Every encrypted file can be decrypted in 2-3 seconds on this laptop.
Differential Cryptanalysis
Difference Distribution Table AES s-box
Difference Distribution Table Chiasmus s-box
Difference Distribution Table randomly chosen s-box
Quality measure for sboxes: How big is the chance that a certain difference
of two input bytes X' and X'' results in a certain difference
of the two corresponding output bytes Y' and Y''.
dX = X' xor X''
dY = Y' xor Y''
To my knowledge both the AES and Chiasmus s-boxes are optimally strong.
Linear Cryptanalysis
Walsh Coefficients AES s-box
Walsh Coefficients Chiasmus s-box
Walsh Coefficients randomly chosen sbox
Quality measure for s-boxes: How big is the chance that the sum of certain input bits is equal to the sum of certain output bits in GF(2)?
The maximum "Walsh Coefficient" is measure of quality
AES and Chiasmus sboxes both have a
maximum Walsh Coefficient of
, whereas the random sbox has maximum Walsh Coefficient of
The AES s-box represents an inversion in GF(2^8) and a subsequent affine mapping in GF(2)^8.

Currently this is apparently the only known way to construct an sbox with optimal properties.

It can be shown that the Chiasmus s-boxes are constructed differently than the AES s-boxes.
I.e. there exists no combination of any inversion in GF(2^8) that in combination with any affine mapping in GF(2)^8 constructs the Chiasmus s-boxes.
This does not mean though that the BSI knows a secret way to construct optimal s-boxes.
Probably there is just another affine mapping before the inversion applied.
Chiasmus appears to be well constructed and modern.
Its implementation in GSTOOL is broken.
Thanks! Questions?
AES is 4-5 times faster
(on my old laptop,
no loop-unroll)
Related Work
Jan Schejbal recently a similar talk at 30C3 last year.
Acknowledged that I was first ;-)
Heard of other people who did similar work privately.
Full transcript