
Storing Secrets Securely

In document Signatures January 11 (Pages 95-98)

-LARS

In an effort to comply with the European cybercrime directive, Article 8[313], potentially harmful data must be kept in a state where it is unable to interfere with or disrupt telecommunication infrastructure. If the data would in any way incite or aid an attempt at “seriously hindering or interrupting the functioning of an information system by ... altering ... data”[314] (Article 4), it would be a criminal act.

15.1.1 Shamir Secret Sharing

-LARS

Shamir secret sharing is a way of splitting a secret into multiple pieces (shards) so that more than one shard must be combined in order to extract the secret[315]. This is done by transforming the data into multidimensional planes that intersect at specific points; only when enough of these planes are available can the right intersection points, and thereby the original data, be found.

The drawback is that each shard is almost as large as the secret, but on its own a shard is just random data.

In order to comply with the law and limit the probability of misuse, the RSA key for the forged European Commission certificate (see appendix 20.1.1, page 115) was split into 5 shards, of which at least 3 must be combined to extract the key again.

This means that, had there been a 2nd pre-image collision, no single person could use the key to sign documents on behalf of the European Commission with the forged certificate; 3 people would need to be present.

In the case of illness or death of an author, 2 shard holders could be summoned and, together with the remaining author, would be able to re-create the key if needed, with the shards acting as safe backups distributed throughout the Nordic countries.

15.1.2 Setup

-LARS

The chosen field and software are GF(2^8)[316] and libgfshare[317].

The software was run in a Virtual Machine on a freshly formatted air-gapped computer running ESXi 6.

The client computers were also freshly formatted and air-gapped, running Kali Linux, with the dependencies installed from USB pen or DVD.

The setup script was written, tested and run in this environment and did the following:

1) Install the dependencies from local storage (with the GitHub links available, but commented out)

2) Generate the certificate key and save it in a file

3) Sign the original European Commission certificate with the key, verifying existence and ownership of the private key by signing a "Nothing up my sleeve"[318] value

4) Split the key into 5 shards

5) Test that permutations of 3 shards can recreate the key, but that 2 or a single one cannot

6) Securely delete the key (200 passes, ending with a 201st pass consisting of zeros)

7) Encrypt each shard with the public OpenPGP key of the recipients

8) Securely delete each shard once encrypted (200 passes, ending with a 201st pass consisting of zeros)

9) Sign each shard to verify integrity and sender

[312] “Terms of Service - HackerOne.”

[313] The European Parliament and Council, Directive 2013/40/EU (Cybercrime).

[314] Ibid.

[315] McVittie, “Theory Used by Libgfshare.”

[316] Ibid.

[317] “Djpohly/libgfshare.”
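As an added illustration of the 3-of-5 scheme described in 15.1.1 and of the threshold check in step 5 (example code written for this page, not the report's setup script and not libgfshare): a byte-wise Shamir split over GF(2^8). The reduction polynomial (AES's), the shard x-coordinates 1..5 and the 32-byte test key are this example's own choices, so its shards are not interchangeable with libgfshare's.

```python
import secrets
from functools import reduce
from itertools import combinations

THRESHOLD, SHARDS = 3, 5  # k-of-n as chosen in the report
POLY = 0x11B              # GF(2^8) reduction polynomial (AES's; chosen for this example)

def gf_mul(a, b):
    """Shift-and-add multiplication in GF(2^8), reducing by POLY when bit 8 would be set."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = (a << 1) ^ (POLY if a & 0x80 else 0), b >> 1
    return r

def gf_inv(a):
    return reduce(gf_mul, [a] * 254, 1)  # a^254 == a^-1 for a != 0 (Fermat)

def split(secret, k=THRESHOLD, n=SHARDS):
    """Per byte: random degree-(k-1) polynomial with the byte as constant term, evaluated at x = 1..n."""
    shards = {x: bytearray() for x in range(1, n + 1)}
    for s in secret:
        coeffs = [s] + [secrets.randbelow(256) for _ in range(k - 1)]
        for x in shards:
            y = 0
            for c in reversed(coeffs):  # Horner: y = ((c2*x) ^ c1)*x ^ c0
                y = gf_mul(y, x) ^ c
            shards[x].append(y)
    return {x: bytes(v) for x, v in shards.items()}

def combine(shards):
    """Lagrange interpolation at x = 0; subtraction is XOR, so L_i(0) = prod_{j!=i} x_j / (x_j ^ x_i)."""
    out = bytearray()
    for pos in range(len(next(iter(shards.values())))):
        s = 0
        for xi in shards:
            num = den = 1
            for xj in shards:
                if xj != xi:
                    num, den = gf_mul(num, xj), gf_mul(den, xj ^ xi)
            s ^= gf_mul(shards[xi][pos], gf_mul(num, gf_inv(den)))
        out.append(s)
    return bytes(out)

def check_threshold(secret):
    """Step 5 of the report: every 3-subset recovers the key, no 2-subset does (chance match: 256**-len)."""
    sh = split(secret)
    ok3 = all(combine({x: sh[x] for x in c}) == secret for c in combinations(sh, THRESHOLD))
    leak2 = any(combine({x: sh[x] for x in c}) == secret for c in combinations(sh, THRESHOLD - 1))
    return ok3, not leak2
```

Any two shards fix only a line through the degree-2 polynomial, so their interpolation at x = 0 reveals the key byte only when the random x^2 coefficient happens to be zero.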

Each shard was then loaded onto an individual USB pen (bought from a physical shop using cash and freshly formatted on one of the air-gapped computers) and immediately hand delivered to the recipients, making sure that at least 2 people supervised whenever 3 or more shards were in the same place (even though the contents were encrypted).

15.1.3 Other usage

-LARS

It is somewhat over-cautious to use Shamir secret sharing to store the key of a forged certificate whose complete ASN.1 code is in several countries’ TSL; on the other hand, it is a practical exercise in good security.

Instances where it could be of use are where a high-value key is used sparingly. An example could be the major updates of an OS like OS X and iOS, where a key could be generated for signing and then deleted or split, ensuring that no one else could generate that signature, while relying on less critical keys for intermediate updates.

16 Summary of Part 3

-LARS

As has been shown, there are several instances of older hashing algorithms still being used.

It has also been shown that searching for bugs and managing vulnerabilities is a complex problem, even for the largest companies on the planet.

One mitigation appears to be crowdsourcing vulnerability reports through in-house or 3rd party bug bounty systems.

While companies still have a legal responsibility to keep their services secure, bug bounty systems provide an opportunity to learn of previously unknown vulnerabilities.

For government entities and pan-national standards, an open-proof approach can ease the understanding and third-party testing of security, along with a culture that welcomes incident reports from 3rd parties interested in security.

[318] “Sha 1 - Why Initialize SHA1 with Specific Buffer?”

Part 4 Conclusion

17 Conclusion

A HPC application was developed and tested, and while it was not capable of generating a valid forged certificate, it successfully provided a benchmark of the brute-force generation rates attainable by the ABACUS 2.0 GPU Nodes, and by extension what is possible with current hardware.

An estimate of the efficiency of known SHA-1 optimization techniques and cryptographic attacks has also been performed using this HPC.

With the overarching goal of updating the price estimates of Schneier[319], this report has produced a figure comparable in CPU price to the Stevens[320] estimate for a general collision with 60 secure bits, but also a new figure: the lower bound for the price of a 50% chance of a 2nd pre-image (specific on specific), which is 1.488×10^34 USD, or 10’000’000’000’000’000’000’000 times more than the amount of USD in the world.

Secondly, it has been established that precautionary measures in the order of SIL 4 should be taken regarding equipment that uses SHA-1 (or low-entropy authentication messages below the NIST SP 800-57[321] recommendations) for safety-related tasks, as the consequences are catastrophic. Though experts disagree on the specific timeframe, they all caution a move away from SHA-1 as the first hints of a broken algorithm appear, and better alternatives are tested and available in the form of SHA-3.

Thirdly, the method of forging an X.509 certificate has been reproduced and verified, as done by Stevens in 2009[322].

This was a blind test, as the method was devised and tested before the article by Stevens came to light, further strengthening it as a good target for 2nd pre-image attacks and illustrating the current reliability of hashing for security.

Finally, while the BitTorrent application did prove successful in gathering and analysing a significant amount of torrent metadata files, the results were clear: the amount of SHA-1 data available in the entire BitTorrent network is simply not enough to be useful as a rainbow table, and the BitTorrent network as such has no impact on the security of the SHA-1 function. Furthermore, the BitTorrent protocol is not at any specific risk of collision attacks, since the piece sizes are spread across a large set of values and the number of pieces in each piece-size group is insignificant.

[319] Schneier, “When Will We See Collisions for SHA-1? - Schneier on Security.”

[320] Stevens, Karpman, and Peyrin, “Freestart Collision on Full SHA-1.”

[321] Barker, “Recommendation for Key Management: Part 1: General (Revision 4) DRAFT SP800-57.”

[322] Stevens et al., “Short Chosen-Prefix Collisions for MD5 and the Creation of a Rogue CA Certificate.”
