Backdoors with the MS Office file
encryption master key
and a proposal for a reliable file format
2015/10/28, 29 CODE BLUE
Mitsunari Shigeo(@herumi)
• Attacking Excel files without a password
• This bug was fixed on 2015/Oct/13 (MS15-110)
• Comparison of password encrypted file formats
• How I found this bug
• Proposal for a backdoor-resistant format
Abstract
2/54
• R&D for cloud security and
infrastructure at Cybozu Labs, Inc.
• Author of “Applied Cryptography for
the Cloud” (in Japanese)
• about PFS, ECC, IBE, ABE, FE, HE, ZKP,...
• http://herumi.github.io/ango/
• Microsoft MVP Developer Security (2015)
• Author of the fastest implementation of pairing
• https://github.com/herumi/ate-pairing
• Software implementation of an Attribute-Based
Encryption Scheme, IEEE trans on computers, 2014
Mitsunari Shigeo(@herumi)
3/54
• Technical Fellow at Recruit Marketing Partners
• Visiting associate professor at Kochi National
College of Technology
• Review board for CODE BLUE
• OWASP Japan advisory board
• Chairperson of SECCON CTF
• Leader of Shibuya Perl Mongers
• Microsoft MVP Developer Security in 2008
• Author of "How to Execute Arbitrary Code on x86 JIT Compilers"
• Translator of "Reading ECMA-262 Edition 5.1" (2013)
• Best award of CSSx2.0 at "Computer Security Symposium 2013"
Takesako Yoshinori (@takesako)
4/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
5/54
• Comparison of password encrypted file formats
• Password encryption
• Introduction to attack tools
• Comparison of attack time
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
6/54
• The very basic way
• input : $pass$ : password, $m$ : message
1. $SK = \mathrm{Hash}(pass)$
2. $c = \mathrm{Enc}(SK, m)$
3. output : $c$
• Vulnerable
• The same password always generates
the same $SK$.
Encrypted file with password
[Diagram: $pass \xrightarrow{\mathrm{Hash}} SK$, then $(SK, m) \xrightarrow{\mathrm{Enc}} c$; $SK$ depends only on $pass$]
7/54
• Password attack tool
• http://hashcat.net/oclhashcat/
• GPGPU-based, very fast cracking engine
hashcat
8/54
• Number of attempts per second
• SHA1 : $4.2 \times 10^{10}$ times/sec on 8x NVidia Titan X
• SHA512 : $5.2 \times 10^{9}$ times/sec
• Time to recover a password from its $\mathrm{Hash}$ value
• $pass$ : assume [a-zA-Z0-9]; 62 letters
• $\dfrac{62^8}{4.2 \times 10^{10}}$ sec = 1h27m to try all patterns for SHA1
Performance of hashcat
9/54
• Add salt
1. generate $salt$ randomly
2. $SK = \mathrm{Hash}(salt, pass)$
3. $iv$ : Initialization Vector
4. $c = \mathrm{Enc}(iv, SK, m)$
• Even the same password generates
a different $SK$
• $\mathrm{Hash}(salt_1 + \text{'abc'}) \neq \mathrm{Hash}(salt_2 + \text{'abc'})$
• Stronger against rainbow table attacks
More secure file formats
[Diagram: $(salt, pass) \xrightarrow{\mathrm{Hash}} SK$; $(iv, SK, m) \xrightarrow{\mathrm{Enc}} c$]
10/54
• Iterate the hash function many times
• $d_1 = \mathrm{HMAC}(pass, salt)$
• $n$ is the iteration count
• for $i = 1$ to $n - 1$:
• $d_{i+1} = \mathrm{HMAC}(d_i, salt)$
• Reduces the attacker's throughput to $1/n$
• PKCS#5 (RFC 2898)
• Password-Based Cryptography
Specification
• PBKDF2 (password-based key
derivation function)
• used by the ZIP format, etc.
Key stretching
[Diagram: $(pass, salt) \xrightarrow{\mathrm{HMAC}} d_i \xrightarrow{\mathrm{HMAC}} d_{i+1}$, repeated $n$ times; $SK = d_1 \oplus d_2 \oplus \cdots \oplus d_n$]
11/54
• Another password recovery tool
• http://passcovery.com/
Passcovery
12/54
• Brute-force attack time against an 8-byte password
• measured with Passcovery on a GeForce GTX 860M at 1019MHz
• The Office 2013 docx format is strong
• Recently, memory-hard functions are recommended
• Argon2 won the Password Hashing Competition
on 2015/Jul/20
Compare attack time
File format        | # of tries/sec | hash stretching    | time to try all
ZIP (96-bit)       | 230000000      | none               | 10 days
Office2003 doc     | 11000000       | ?                  | 220 days
ZIP (256-bit AES)  | 370000         | 1000 x HMAC-SHA1   | 18 years
Office2007 docx    | 16000          | 50000 x SHA1       | 430 years
Office2010 docx    | 8100           | 100000 x SHA1      | 854 years
Office2013 docx    | 337            | 100000 x SHA512    | 20000 years
13/54
• Comparison of password encrypted file formats
• Demo
• MS Office file format
• Secret key generator of the MS Office file format
• Introduction of my tool
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
14/54
• [MS-OFFCRYPTO]
• Office Document Cryptography Structure
• [MS-CFB]
• Compound File Binary - file format
MS Office documents
15/54
• Hashing algorithm $H(pass, salt)$
• $h_0 = \mathrm{Hash}(salt, pass)$
• $n$ : iteration count
• for $i = 1$ to $n$:
$h_i = \mathrm{Hash}(\langle i \rangle + h_{i-1})$
• $\langle i \rangle$ : 4-byte little endian
Secret key generator of MS Office
[Diagram: $(salt, pass) \xrightarrow{\mathrm{Hash}} h_0$; $(\langle i \rangle, h_{i-1}) \xrightarrow{\mathrm{Hash}} h_i$, repeated $n$ times; $SK := h_n$]
16/54
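The iterated hash above, written out as an added example (my code, not the talk's and not msoffice-crypt). It follows [MS-OFFCRYPTO]: the password is UTF-16LE encoded, $h_0 = \mathrm{Hash}(salt + pass)$, and the loop prepends a 4-byte little-endian counter that starts at 0, so `spin_count` iterations run in total. The Agile per-purpose block keys and the 0x36 padding rule are taken from the spec rather than from the slides; `iterated_hash`, `derive_key` and `attack_cost_seconds` are names of my own. The last function ties slide 9 and slide 13 together: each password guess costs `spin_count + 1` hash calls.

```python
import hashlib
import struct

# Added example, not code from the talk or from msoffice-crypt: the iterated
# password hash of slide 16 as [MS-OFFCRYPTO] specifies it for Standard and
# Agile encryption. The password is UTF-16LE encoded, h0 = Hash(salt + pass),
# and the loop prepends a 4-byte little-endian counter that starts at 0
# (the spec's "iterator"), so spin_count iterations are performed in total.


def iterated_hash(hash_name: str, salt: bytes, password: str, spin_count: int) -> bytes:
    """h0 = Hash(salt + pass); h_i = Hash(<i> + h_{i-1}); returns h_n."""
    h = hashlib.new(hash_name, salt + password.encode("utf-16-le")).digest()
    for i in range(spin_count):
        h = hashlib.new(hash_name, struct.pack("<I", i) + h).digest()
    return h


# Agile encryption derives one key per purpose from h_n by appending a fixed
# 8-byte "block key" ([MS-OFFCRYPTO] 2.3.4.13; the constants come from the
# spec, not from the slides) and hashing once more.
BLOCK_KEYS = {
    "encryptedVerifierHashInput": bytes.fromhex("fea7d2763b4b9e79"),
    "encryptedVerifierHashValue": bytes.fromhex("d7aa0f6d3061344e"),
    "encryptedKeyValue":          bytes.fromhex("146e0be7abacd0d6"),
}


def derive_key(hash_name: str, h_final: bytes, block_key: bytes, key_bits: int) -> bytes:
    """Key that decrypts one encrypted* field of the password keyEncryptor:
    Hash(h_n + blockKey), truncated to keyBits/8, or padded with 0x36 if shorter."""
    k = hashlib.new(hash_name, h_final + block_key).digest()
    n = key_bits // 8
    return k[:n] if len(k) >= n else k + b"\x36" * (n - len(k))


def attack_cost_seconds(length: int, alphabet: int, hashes_per_sec: float, spin_count: int) -> float:
    """Seconds to try every password of the given length when each guess costs
    spin_count + 1 hash calls (slide 9 is the spin_count = 0 case)."""
    return (alphabet ** length) * (spin_count + 1) / hashes_per_sec


if __name__ == "__main__":
    salt_a, salt_b = b"\x01" * 16, b"\x02" * 16              # constructed salts
    k_a = iterated_hash("sha512", salt_a, "test", 100_000)   # Office 2013 parameters
    k_b = iterated_hash("sha512", salt_b, "test", 100_000)
    print("same password, different salt, different h_n:", k_a != k_b)
    key = derive_key("sha512", k_a, BLOCK_KEYS["encryptedKeyValue"], 256)
    print("key for encryptedKeyValue:", key.hex())
    # slide 9: [a-zA-Z0-9]^8 at 4.2e10 SHA-1/s, then the same with Office 2007's spinCount
    print("plain SHA-1, 8 chars: %.0f s" % attack_cost_seconds(8, 62, 4.2e10, 0))
    years = attack_cost_seconds(8, 62, 4.2e10, 50_000) / 31_536_000
    print("50000 x SHA-1, 8 chars: %.0f years" % years)
```

With `spin_count = 0` and an empty password the function reduces to a plain hash of the salt, which gives a cheap way to check the implementation against published SHA-1/SHA-256 test vectors before trusting it on a real EncryptionInfo.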
• Uses two kinds of secret key
• $H$ : the iterated hash function above
1. generate $s$ from $pass$ and $salt$
2. generate $SK$ and encrypt it with $s$
3. encrypt $m$ with $SK$
• I will explain later
• two keys allow key escrow
• The administrator can decrypt
if the password is lost
• encrypt $SK$ with the administrator's public key in advance
• disabled (default)
MS Office Agile format
[Diagram: $(pass, salt) \xrightarrow{H} s$; $SK$ is stored as "Enc by $s$"; $m$ is stored as "Enc by $SK$"]
17/54
• https://github.com/herumi/msoffice/
• My tool to encrypt/decrypt MS Office files
• Supports Windows/Linux
• Supports the OpenXML formats of Office 2007~
• Supports the Agile format of Office 2010~
• LibreOffice does not support that format yet
• Configurable secret key for the Agile format
• Configurable iteration count for stretching
msoffice-crypt
18/54
demo
• encrypt with password "test"
msoffice-crypt -e plain.xlsx enc.xlsx -p test
• decrypt with password "test"
msoffice-crypt -d enc.xlsx dec.xlsx -p test
• attack without password: decrypt easy.xlsx
with "test" to get its $SK$, then decrypt
complex.xlsx with that $SK$ without its password
msoffice-crypt -d complex.xlsx -by easy.xlsx -p test
Usage
20/54
• Comparison of password encrypted file formats
• Demo
• Situations
• What happened?
• Some scenarios
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
21/54
• Excel 2010/2013 does not update the secret key
in the file when the password is changed (bug).
What happened?
All of them can be attacked with this one secret key.
[Diagram: a master file saved with pass; after "save as..." with pass1, pass2 and pass3, every copy has the same secret key]
22/54
• At HR
• prepare a master Excel file
• write a pay slip into the file, change the password, send it to
each staff member
Scenario 1 (pay slip delivery)
[Diagram: master file with pass HR; every delivered file shares its secret key, so one recipient can attack the other files]
23/54
• Owner
• A master Excel file encrypted with an easy pass
• Modifies it and makes an important file with a strong pass
• Attacker
• Brute-force attack against the easy pass,
then attack the important file
Scenario 2 (lost PC)
[Diagram: on the lost PC, the master file is brute-forced through its easy pass; the copy saved with a strong pass after secret info was written in can be attacked with the same secret key]
24/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• Detail of MS Office file encryption structure
• Relation between password and secret key
• How I found this bug
• Proposal for a backdoor-resistant format
Agenda
25/54
• Old format and new format
• The MS OLE2 header is "D0 CF 11 E0"
MS Office file encryption details
Office file type                   | Format
doc, ppt, xls (old Office files)   | MS OLE2
plain docx, pptx, xlsx             | ZIP file of Open XML files
encrypted docx, pptx, xlsx         | MS OLE2 including a header and an encrypted ZIP file
[Diagram: header (not encrypted) followed by Enc(ZIP files) (the Open XML ZIP, encrypted with AES)]
26/54
• There is a directory structure in one file
Layout of encrypted docx
root/
  EncryptionPackage              encrypted main ZIP file
  EncryptionInfo                 encryption information
  DataSpaces/                    not used
    Version
    DataSpaceMap
    Transformation/
      StrongEncryptionTransform/
        Primary
    DataSpaceInfo/
      StrongEncryptionDataSpace
27/54
• Standard encryption (~Office 2007)
• binary format
• supports only SHA-1
• spinCount (= number of iterations) is fixed to 50000
• Agile encryption (Office 2010~)
• XmlEncryptionDescriptor
• supports SHA-1, SHA-256, etc.
• variable spinCount
Version of EncryptionInfo
28/54
XmlEncryptionDescriptor
<encryption xmlns="http://schemas.microsoft.com/office/2006/encryption"
            xmlns:p="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
  <keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64"
           cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
           hashAlgorithm="SHA512" saltValue="..."/>
  <dataIntegrity encryptedHmacKey="..." encryptedHmacValue="..."/>
  <keyEncryptors>
    <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
      <p:encryptedKey spinCount="100000"
                      saltSize="16" blockSize="16" keyBits="256" hashSize="64" cipherAlgorithm="AES"
                      cipherChaining="ChainingModeCBC" hashAlgorithm="SHA512" saltValue="..."
                      encryptedVerifierHashInput="..."
                      encryptedVerifierHashValue="..."
                      encryptedKeyValue="..."/>
    </keyEncryptor>
  </keyEncryptors>
</encryption>
29/54
Dependency of variables in encryption
[Diagram: password and the generated encryptedKey.saltValue feed the hash that protects encryptedVerifierHashInput, encryptedVerifierHashValue and encryptedKeyValue; verifierHashInput is generated and hashed to verifierHashValue; secretKey is generated (stored as encryptedKeyValue) and, with the generated keyData.saltValue, turns the ZIP file into Enc(ZIP file) = EncryptionPackage; HmacKey is generated (stored as encryptedHmacKey) and the hash of EncryptionPackage under it is stored as encryptedHmacValue]
30/54
Check password integrity
[Diagram: the same dependency graph, highlighting the password check: password and encryptedKey.saltValue are hashed, the result decrypts encryptedVerifierHashInput and encryptedVerifierHashValue, and the hash of verifierHashInput is compared with verifierHashValue]
31/54
Check data integrity
[Diagram: the same dependency graph, highlighting the data check: secretKey decrypts encryptedHmacKey to HmacKey, the hash of EncryptionPackage (Enc(ZIP file)) under HmacKey is compared with the decrypted encryptedHmacValue]
32/54
Dependency of encryption
[Diagram: the same dependency graph; the part that is irrelevant to $pass$ is the package encryption itself, $c = \mathrm{Enc}(SK, salt, m)$ with the generated secretKey and keyData.saltValue, since the password only protects encryptedKeyValue and the verifier fields]
33/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Motivation
• CSPRG
• Example of known backdoor
• Hooking into MS Office's secret key generator
• Proposal for a backdoor-resistant format
Agenda
34/54
• Normal encryptor
• the main part that encrypts $m$
• You cannot decrypt $(salt, c)$ without $SK$
• We can make a backdoor
if the generator of $SK$ is controlled.
Motivation
[Diagram: the encryptor takes $m$, generates $salt$ randomly, generates $SK$ randomly, and outputs $(salt, c)$ with $c = \mathrm{Enc}(SK, salt, m)$]
35/54
• Malicious (backdoored) encryptor
• Malicious Eve prepares a master secret key $X$
• Eve embeds $X$ into the encryptor
• Eve can recompute $SK = H(X, salt)$ from $X$ and $salt$, then decrypt $c$
• You cannot notice that $(salt, c)$ has a backdoor
An example of controlled $SK$
[Diagram: the encryptor holding Eve's $X$ takes $m$, generates $salt$ randomly, sets $SK = H(X, salt)$, and outputs $(salt, c)$ with $c = \mathrm{Enc}(m)$ by $(salt, SK)$; Eve recovers $SK$ from $X$ and $salt$]
36/54
• 5 p.m. on Friday,
Make a proof of concept for MS Office
"Hi Mitsunari, could you hook into the random generator of MS Office?"
"I'll try it. By when do you need it?"
"Coming Monday."
...
37/54
• PRG (Pseudo Random Generator)
• used for games and simulation
• MT (Mersenne Twister) is popular
• CSPRG (Cryptographically Secure PRG)
• Nobody should be able to predict the next bit
from the previous bits
• used for secret key generation
• MT is not a CSPRG
• its inner state is determined by 624 x 4-byte outputs
CSPRG
[Diagram: known previous bits 0 1 0 0 1 1 1 0 1 enter the CSPRG; the next bit "?" must be unpredictable]
38/54
• I strongly discourage you from implementing
your own CSPRG
• Use the CSPRG provided by the system vendor instead
• /dev/urandom on Linux
• non-blocking CSPRG device
• entropy from mouse, keyboard, disk I/O and interrupts
Example of CSPRG
39/54
• Intel hardware CSPRG instruction
• Meets the NIST SP 800-90A standard
• Uses an on-chip non-deterministic entropy source
• Easy to use
• Difficult to use safely
• A retry limit should be employed to prevent a busy loop
(failure is extremely rare)
rdrand
; uint64_t getRand();
getRand:
.lp:
    rdrand rax      ; store a random number in rax (CF = 1 on success)
    jnc .lp         ; retry if it failed (rare)
    ret
40/54
• The output of /dev/urandom was made constant by modifying
only rdrand (kernel 3.8.13, demonstrated by Taylor Hornby)
• rdrand() { return [edx] ^ 0x41414141; }
• Combine other entropy sources to avoid a
single point of failure
If rdrand has a backdoor?
41/54
• CSPRG of the Microsoft CryptoAPI
• Used to generate salt and secret key
• Hook this function
• I expected that MS Office calls this to make a secret key
• If my hooked CryptGenRandom always returns fixed
bytes, then the secret key may be fixed.
• First, I tried my (very old) DLL injection library
• It did not work as expected due to ASLR
CryptGenRandom()
42/54
• A library to hook Win32 APIs, by MS Research
• http://research.microsoft.com/en-us/projects/detours/
• The 64-bit version costs $9,999.95 (the 32-bit version is free)
• Usage
• Source code of the hooking DLL
Detours library (1/2)
#include <windows.h>
#include <wincrypt.h>
#include <detours.h>
// pointer to the original CryptGenRandom, filled in by DetourFindFunction
static BOOL (WINAPI *orgFunc)(HCRYPTPROV, DWORD, BYTE *) = NULL;
// replacement: fill the caller's buffer with 'a' instead of random bytes
BOOL WINAPI HookCryptGenRandom(HCRYPTPROV, DWORD len, BYTE *p) {
    memset(p, 'a', len);
    return TRUE;
}
BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID) {
    if (reason == DLL_PROCESS_ATTACH) {
        orgFunc = (BOOL (WINAPI *)(HCRYPTPROV, DWORD, BYTE *))
            DetourFindFunction("advapi32.dll", "CryptGenRandom");
        DetourTransactionBegin();                 // DetourAttach only works inside a transaction
        DetourUpdateThread(GetCurrentThread());
        DetourAttach(&(PVOID&)orgFunc, HookCryptGenRandom);
        ...
43/54
• test.exe
• Run test.exe under withdll.exe from Detours
• CryptGenRandom is now hooked!
• But the function is not called by MS Office...
Detours library (2/2)
#include <stdio.h>
int main() {
    RandomGenerator rg; // wrapper of CryptGenRandom()
    for (int i = 0; i < 3; i++) printf("%08x\n", rg.get32());
}
>test.exe
812e1af0 // random
ad990e76
865cb964
>withdll.exe /d:hook.dll test.exe
61616161 // "aaaa"
61616161
61616161
44/54
• Run Excel under a debugger and look at the loaded DLLs
• I found rsaenh.dll
Trial and error (1/3)
45/54
• Extract the exported symbols of rsaenh.dll
• dumpbin /exports rsaenh.dll
• What is CPGenRandom?
Trial and error (2/3)
ordinal hint RVA name
1 0 0000230C CPAcquireContext
2 1 00003A80 CPCreateHash
3 2 0001CC1C CPDecrypt
4 3 0001DBC8 CPDeriveKey
...
11 A 00009A80 CPGenKey
12 B 00001D3C CPGenRandom
46/54
• The CPxxx functions are obsolete
• CPxxx was renamed to Cryptxxx
• CPxxx is called from Cryptxxx
• Cryptxxx is hooked automatically if CPxxx is hooked
• Excel calls CPGenRandom
• So Excel does seem to generate the secret key there!
• However,
Trial and error (3/3)
>msoffice-crypt -psk easy.xlsx -p test
...
secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
>msoffice-crypt -psk complex.xlsx -p testtest
...
secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
47/54
• Excel generates the same secret key even without the hook
• MS Office Word and PowerPoint generate different keys
• Only Excel has the bug
• About hooking CPGenRandom
• This hook was not enough to take control of the
generator
• Hooking the timer functions was not enough either
• Details unknown because no further investigation was made
It is a bug of Excel
48/54
• Comparison of password encrypted file formats
• Demo
• Situations
• MS Office file format
• How I found this bug
• Proposal for a backdoor-resistant format
• Check your Excel files
• Improved format
Agenda
49/54
• This bug was fixed on 2015/Oct/13 (MS15-110)
• But files generated before the fix stay as they are
• Verify the secret keys in your files with msoffice-crypt
• Re-encrypt the files if you find the same secret key in more than one of them
Check your Excel files
50/54
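One way to run the check above over a folder of files, as an added example (my script, not part of the talk or of msoffice-crypt). It assumes the files were processed by a shell loop such as `for f in *.xlsx; do echo "file = $f"; msoffice-crypt -psk "$f" -p "$PASS"; done`, so that each `secretKey = <hex>` line (the format shown on slide 47) is preceded by a `file = <name>` line of my own; the transcript and the keys below are constructed.

```python
import re
from collections import defaultdict

# Added example, not part of the talk or of msoffice-crypt: group files that
# report the same secret key in the output of "msoffice-crypt -psk". The
# "file = <name>" lines come from the shell loop that ran the tool (my own
# convention); "secretKey = <hex>" is the tool's line shown on slide 47.
# The transcript below is constructed; the keys are made-up 256-bit values.

SAMPLE_OUTPUT = """\
file = payslip_01.xlsx
...
secretKey = 8BBE31319EA4CAB900112233445566778899AABBCCDDEEFF33013EB8853F8C6A
file = payslip_02.xlsx
...
secretKey = 8BBE31319EA4CAB900112233445566778899AABBCCDDEEFF33013EB8853F8C6A
file = budget_2015.xlsx
...
secretKey = 1F2E3D4C5B6A79880123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

FILE_RE = re.compile(r"^file = (\S+)$")
KEY_RE = re.compile(r"^secretKey = ([0-9A-Fa-f]+)$")


def parse_psk_output(text: str) -> dict:
    """Map file name -> secret key (upper-case hex) from the loop's transcript."""
    keys, current = {}, None
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            current = m.group(1)
            continue
        m = KEY_RE.match(line)
        if m and current:
            if len(m.group(1)) != 64:  # a 256-bit AES key is expected for Agile files
                raise ValueError(f"{current}: unexpected key length {len(m.group(1))}")
            keys[current] = m.group(1).upper()
            current = None
    return keys


def find_shared_keys(keys: dict) -> dict:
    """Secret keys that occur in more than one file -> sorted list of those files."""
    by_key = defaultdict(list)
    for name, key in keys.items():
        by_key[key].append(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


if __name__ == "__main__":
    shared = find_shared_keys(parse_psk_output(SAMPLE_OUTPUT))
    for key, files in shared.items():
        print(f"secret key {key[:8]}... is shared by {', '.join(files)}: re-encrypt them")
    if not shared:
        print("no shared secret keys found")
```

Two files with the same key but different passwords are exactly the situation of slide 22: whoever knows the password of either file can open the other, so both should be re-saved with a fixed Excel.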
• What is a reliable format?
• The MS Office format is secure enough,
but it is difficult to prove that no backdoor exists in a file
• The problem exists in general for tools provided only in binary form
• (again) a malicious encryptor
• We want a format that is provably secure against
such a backdoor
Future work
[Diagram: a black-box encryptor takes $m$ and outputs $(salt, c)$ while holding $SK$; $salt$ : random number; $X$ : master secret key in the encryptor; $SK = H(salt, X)$; Eve gets $SK$ from $(salt, X)$]
51/54
• Generate $SK$ with a KDF (Key Derivation Function)
1. generate $r_0, r_1$ randomly
2. $salt = H(pass, r_0)$, $H$ : KDF
3. $SK = H(pass, r_1)$
4. $c = \mathrm{Enc}(r_0, r_1, m)$ by $salt, SK$
5. output: $c, salt$
• Format validation
• Verify that the output follows the correct steps
1. $r_0, r_1, m := \mathrm{Dec}(c)$
2. $salt \stackrel{?}{=} H(pass, r_0)$
3. $SK \stackrel{?}{=} H(pass, r_1)$
A backdoor-resistant format
[Diagram: $(pass, r_0) \xrightarrow{H} salt$; $(pass, r_1) \xrightarrow{H} SK$; $(r_0, r_1, m) \xrightarrow{\mathrm{Enc}} c$ under $(salt, SK)$]
52/54
• For a person who knows only $(salt, c)$
• same difficulty as the previous formats
• For Eve
• same difficulty as an attack on the
KDF to get $pass$ from $salt$
when $r_0$ is known
• Detecting maliciousness is easy
if $r_0$ is fixed
• it seems safe if all $r_0$ are
different from each other over
10000 encryptions
• then the attack is 10000 times harder for Eve
Difficulty of the proposed format
[Diagram: same as the previous slide]
53/54
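The proposal of slide 52 and the $r_0$ audit of slide 53, carried through in code as an added example (mine, not the talk's). The slides leave several choices open, and the assumptions made here are: $H$ is PBKDF2-HMAC-SHA256; $\mathrm{Enc}$ is a keystream from HMAC-SHA256 in counter mode plus an HMAC tag (a standard-library stand-in for an AEAD cipher); and $r_1$ is stored in the clear at the front of $c$ so that an honest decryptor can rebuild $SK = H(pass, r_1)$. `encrypt_unbound_salt` is a test double standing in for a black-box encryptor that chooses the salt itself, the free channel of slide 36; all names and sample inputs are my own.

```python
import hashlib
import hmac
import os
import struct

# Added example, mine rather than the talk's: the backdoor-resistant format of
# slide 52 (salt = H(pass, r0), SK = H(pass, r1)) with the validator that
# re-derives both values, plus the r0-uniqueness audit of slide 53.
# Assumptions (the slides do not fix them): H is PBKDF2-HMAC-SHA256; Enc is an
# HMAC-SHA256 counter-mode keystream plus an HMAC tag; r1 is stored in the
# clear at the front of c so an honest decryptor can rebuild SK = H(pass, r1).

ITER, R_LEN, TAG_LEN = 10_000, 16, 32


def kdf(password: str, r: bytes) -> bytes:
    """H(pass, r) of the proposal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-16-le"), r, ITER, dklen=32)


def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    out = bytearray()
    for n, pos in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack("<I", n), "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[pos:pos + 32], block))
    return bytes(out)


def _assemble(password: str, salt: bytes, r0: bytes, r1: bytes, m: bytes) -> bytes:
    """c = r1 || Enc_SK(r0 || m) || tag, with SK = H(pass, r1) and the salt as nonce."""
    sk = kdf(password, r1)
    body = _xor_stream(sk, salt[:16], r0 + m)
    tag = hmac.new(sk, salt + r1 + body, "sha256").digest()
    return r1 + body + tag


def encrypt(password: str, m: bytes, rng=os.urandom):
    """Honest encryptor, steps 1-5 of slide 52: returns (salt, c)."""
    r0, r1 = rng(R_LEN), rng(R_LEN)
    salt = kdf(password, r0)                       # step 2: salt is bound to pass and r0
    return salt, _assemble(password, salt, r0, r1, m)


def encrypt_unbound_salt(password: str, m: bytes):
    """Test double (constructed): a black-box encryptor that picks the salt itself
    instead of deriving it from (pass, r0), i.e. the free channel of slide 36."""
    r0, r1 = os.urandom(R_LEN), os.urandom(R_LEN)
    salt = os.urandom(32)
    return salt, _assemble(password, salt, r0, r1, m)


def decrypt_and_validate(password: str, salt: bytes, c: bytes):
    """Format validation of slide 52. Returns (ok, m, r0)."""
    r1, body, tag = c[:R_LEN], c[R_LEN:-TAG_LEN], c[-TAG_LEN:]
    sk = kdf(password, r1)                         # step 3: SK must be H(pass, r1), else the tag fails
    if not hmac.compare_digest(tag, hmac.new(sk, salt + r1 + body, "sha256").digest()):
        return False, b"", b""
    plain = _xor_stream(sk, salt[:16], body)       # step 1: r0, m := Dec(c)
    r0, m = plain[:R_LEN], plain[R_LEN:]
    if not hmac.compare_digest(salt, kdf(password, r0)):   # step 2: salt =? H(pass, r0)
        return False, b"", r0
    return True, m, r0


def audit_r0(r0_values) -> bool:
    """Slide 53: every r0 recovered from a batch of files must differ; a repeated r0
    is the fingerprint of an encryptor that fixed it."""
    return len(set(r0_values)) == len(r0_values)


if __name__ == "__main__":
    pw, msg = "correct horse", b"pay slip 2015-10"        # constructed inputs
    salt, c = encrypt(pw, msg)
    print("honest encryptor   :", decrypt_and_validate(pw, salt, c)[0])
    salt, c = encrypt_unbound_salt(pw, msg)
    print("salt not from pass :", decrypt_and_validate(pw, salt, c)[0])
    fixed = lambda n: b"\x07" * n                         # encryptor with a fixed r0
    r0s = [decrypt_and_validate(pw, *encrypt(pw, msg, rng=fixed))[2] for _ in range(3)]
    print("r0 audit, fixed r0 :", audit_r0(r0s))
```

The validator catches a salt that was not derived from the password (check 2) and, through the tag, a key that was not derived from $(pass, r_1)$ (check 3); what it cannot catch on a single file is a fixed $r_0$, which passes both checks, and that is why the audit over many outputs of the same encryptor is the second half of the proposal.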
• Excel files can be attacked through their secret
key without knowing the password
• It is a bug of Excel and it has been fixed
• Proposal for a backdoor-resistant format
• It can be applied to password-based encrypted
file formats in general
Conclusion
54/54

Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130Suhani Kapoor
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...Call Girls in Nagpur High Profile
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )Tsuyoshi Horigome
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSRajkumarAkumalla
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performancesivaprakash250
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Serviceranjana rawat
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations120cr0395
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).pptssuser5c9d4b1
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingrknatarajan
 

Dernier (20)

CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Introduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptxIntroduction to IEEE STANDARDS and its different types.pptx
Introduction to IEEE STANDARDS and its different types.pptx
 
Microscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptxMicroscopic Analysis of Ceramic Materials.pptx
Microscopic Analysis of Ceramic Materials.pptx
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service NashikCall Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
Call Girls Service Nashik Vaishnavi 7001305949 Independent Escort Service Nashik
 
KubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghlyKubeKraft presentation @CloudNativeHooghly
KubeKraft presentation @CloudNativeHooghly
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated  Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur EscortsCall Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
Call Girls Service Nagpur Tanvi Call 7001035870 Meet With Nagpur Escorts
 
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
VIP Call Girls Service Hitech City Hyderabad Call +91-8250192130
 
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...Booking open Available Pune Call Girls Koregaon Park  6297143586 Call Hot Ind...
Booking open Available Pune Call Girls Koregaon Park 6297143586 Call Hot Ind...
 
SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )SPICE PARK APR2024 ( 6,793 SPICE Models )
SPICE PARK APR2024 ( 6,793 SPICE Models )
 
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICSHARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
HARDNESS, FRACTURE TOUGHNESS AND STRENGTH OF CERAMICS
 
UNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its PerformanceUNIT - IV - Air Compressors and its Performance
UNIT - IV - Air Compressors and its Performance
 
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANJALI) Dange Chowk Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
(RIA) Call Girls Bhosari ( 7001035870 ) HI-Fi Pune Escorts Service
 
Extrusion Processes and Their Limitations
Extrusion Processes and Their LimitationsExtrusion Processes and Their Limitations
Extrusion Processes and Their Limitations
 
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
247267395-1-Symmetric-and-distributed-shared-memory-architectures-ppt (1).ppt
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and workingUNIT-V FMM.HYDRAULIC TURBINE - Construction and working
UNIT-V FMM.HYDRAULIC TURBINE - Construction and working
 

Backdoors with the MS Office file encryption master key and a proposal for a reliable file format

  • 1. Backdoors with the MS Office file encryption master key and a proposal for a reliable file format
    2015/10/28, 29 CODE BLUE
    Mitsunari Shigeo (@herumi)
  • 2. Abstract
    • Attacking Excel files without a password
    • This bug was fixed on 2015/Oct/13 (MS15-110)
    • Comparison of password encrypted file formats
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 3. Mitsunari Shigeo (@herumi)
    • R&D for cloud security and infrastructure at Cybozu Labs, Inc.
    • Author of "Applied Cryptography for the Cloud" (in Japanese)
      • about PFS, ECC, IBE, ABE, FE, HE, ZKP, ...
      • http://herumi.github.io/ango/
    • Microsoft MVP Developer Security (2015)
    • Author of the fastest implementation of pairing
      • https://github.com/herumi/ate-pairing
      • Software implementation of an Attribute-Based Encryption Scheme, IEEE Trans. on Computers, 2014
  • 4. Takesako Yoshinori (@takesako)
    • Technical Fellow at Recruit Marketing Partners
    • Visiting associate professor at Kochi National College of Technology
    • Review board for CODE BLUE
    • OWASP Japan advisory board
    • Chairperson of SECCON CTF
    • Leader of Shibuya Perl Mongers
    • Microsoft MVP Developer Security in 2008
    • Author of "How to Execute Arbitrary Code on x86 JIT Compilers"
    • Translator of "Reading ECMA-262 Edition 5.1" (2013)
    • Best award of CSSx2.0 at "Computer Security Symposium 2013"
  • 5. Agenda
    • Comparison of password encrypted file formats
    • Demo
    • Situations
    • MS Office file format
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 6. Agenda
    • Comparison of password encrypted file formats
      • Password encryption
      • Introduction to attack tools
      • Comparison of attack time
    • Demo
    • Situations
    • MS Office file format
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 7. Encrypted file with password
    • The very basic way
      • input: pass (password), m (message)
      1. SK = Hash(pass)
      2. c = Enc(SK, m)
      3. output: c
    • Vulnerable
      • The same password always generates the same SK.
    (diagram: pass → Hash → SK → Enc(m); SK depends only on pass)
  • 8. hashcat
    • Password attack tool
      • http://hashcat.net/oclhashcat/
    • GPGPU based, very fast engine
  • 9. Performance of hashcat
    • Number of attempts per second
      • SHA1: 4.2 × 10^10 times/sec on 8x NVidia Titan X
      • SHA512: 5.2 × 10^9 times/sec
    • Time to recover the password from its Hash value
      • pass: assume [a-zA-Z0-9]; 62 letters
      • 62^8 / (4.2 × 10^10) sec ≈ 1h27m to try all patterns for SHA1
  • 10. More secure file formats
    • Add salt
      1. generate salt randomly
      2. SK = Hash(salt, pass)
      3. iv: Initialization Vector
      4. c = Enc(iv, SK, m)
    • Even the same password generates a different SK
      • Hash(salt1 + 'abc') ≠ Hash(salt2 + 'abc')
    • Stronger against rainbow table attacks
    (diagram: pass and salt → Hash → SK; m, iv and SK → Enc)
  • 11. Key stretching
    • Iterate the hash function many times
      • d_1 = HMAC(pass, salt)
      • n is the iteration count
      • for i = 1 to n − 1:
        • d_{i+1} = HMAC(d_i, salt)
    • Reduces the attacker's throughput to 1/n
    • PKCS#5 (RFC 2898)
      • Password-Based Cryptography Specification
      • PBKDF2 (Password-Based Key Derivation Function 2)
      • used by the ZIP format, etc.
    (diagram: pass and d_i → HMAC → d_{i+1}, repeated n times; SK = d_1 ⊕ d_2 ⊕ ⋯)
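The three constructions of slides 7, 10 and 11 side by side, as an added example that is not part of the deck: an unsalted hash, a salted hash, and PBKDF2 written out from RFC 2898 (the HMAC chain with the XOR accumulator the slide sketches) and cross-checked against the standard library. The salts and passwords are constructed inputs; SHA-1 is used only because the slides quote SHA-1 figures.

```python
import hashlib
import hmac
import struct


def naive_key(password: bytes) -> bytes:
    """The 'very basic way': SK = Hash(pass).

    The same password always gives the same SK, so one table of
    precomputed hashes (a rainbow table) breaks every file at once.
    """
    return hashlib.sha1(password).digest()


def salted_key(password: bytes, salt: bytes) -> bytes:
    """Add a salt: SK = Hash(salt, pass).

    With a fresh random salt per file, the same password yields a
    different SK in every file, so precomputed tables stop working.
    """
    return hashlib.sha1(salt + password).digest()


def pbkdf2(hash_name: str, password: bytes, salt: bytes,
           iterations: int, dk_len: int) -> bytes:
    """Key stretching with PBKDF2 as specified in RFC 2898 (PKCS#5).

    For each output block i:
        U_1 = HMAC(pass, salt || INT_BE(i))
        U_j = HMAC(pass, U_{j-1})          for j = 2..n
        T_i = U_1 xor U_2 xor ... xor U_n
    The derived key is T_1 || T_2 || ... truncated to dk_len bytes.
    Every password guess now costs n HMAC calls instead of one hash,
    which is the 1/n slowdown of the attacker the slide describes.
    """
    if iterations < 1:
        raise ValueError("iterations must be >= 1")
    h_len = hashlib.new(hash_name).digest_size
    derived = b""
    block = 1
    while len(derived) < dk_len:
        u = hmac.new(password, salt + struct.pack(">I", block), hash_name).digest()
        t = bytearray(u)
        for _ in range(iterations - 1):
            u = hmac.new(password, u, hash_name).digest()
            for k in range(h_len):
                t[k] ^= u[k]
        derived += bytes(t)
        block += 1
    return derived[:dk_len]


def matches_stdlib(hash_name: str, password: bytes, salt: bytes,
                   iterations: int, dk_len: int) -> bool:
    """Cross-check the hand-written PBKDF2 against hashlib.pbkdf2_hmac."""
    expected = hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dk_len)
    return hmac.compare_digest(pbkdf2(hash_name, password, salt, iterations, dk_len), expected)


if __name__ == "__main__":
    pw = b"abc"
    # Constructed salts for the demonstration.
    s1, s2 = bytes(range(16)), bytes(range(16, 32))
    print("naive  :", naive_key(pw).hex(), "(identical for every file)")
    print("salted1:", salted_key(pw, s1).hex())
    print("salted2:", salted_key(pw, s2).hex())
    print("pbkdf2 :", pbkdf2("sha1", pw, s1, 1000, 20).hex(),
          "matches hashlib:", matches_stdlib("sha1", pw, s1, 1000, 20))
```

The iteration count is the only knob an attacker cannot remove: the per-guess cost of the loop in `pbkdf2` is exactly what turns the "tries/sec" column of the comparison table from hundreds of millions into thousands.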
  • 12. Passcovery
    • Another password recovery tool
      • http://passcovery.com/
  • 13. Compare attack time
    • Brute-force attack time against an 8-byte password
      • by Passcovery on GeForce GTX860M 1019MHz
    • Office 2013 docx format is strong
    • Recently, a memory-hard function is recommended
      • Argon2 is the winner of the Password Hashing Competition (2015/Jul/20)

    File format        # of tries/sec   hash stretching      time to try all
    ZIP (96-bit)       230000000        none                 10 days
    Office2003 doc     11000000         ?                    220 days
    ZIP (256-bit AES)  370000           1000 x HMAC SHA1     18 years
    Office2007 docx    16000            50000 x SHA1         430 years
    Office2010 docx    8100             100000 x SHA1        854 years
    Office2013 docx    337              100000 x SHA512      20000 years
  • 14. Agenda
    • Comparison of password encrypted file formats
    • Demo
      • MS Office file format
      • Secret key generator of the MS Office file format
      • Introduction of my tool
      • Demo
    • Situations
    • MS Office file format
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 15. MS Office documents
    • [MS-OFFCRYPTO]
      • Office Document Cryptography Structure
    • [MS-CFB]
      • Compound File Binary file format
  • 16. Secret key generator of MS Office
    • Hashing algorithm H(pass, salt)
      • h_0 = Hash(salt, pass)
      • n: iteration count
      • for i = 1 to n: h_i = Hash(<i> + h_{i−1})
      • <i>: 4-byte little endian
    (diagram: pass and salt → Hash → h_0; i and h_{i−1} → Hash → h_i, repeated n times; SK := h_n)
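The iterated hash of slide 16 in runnable form, as an added example that is not code from the deck or from msoffice-crypt. It follows the slide's description exactly (h_0 = Hash(salt + pass), then h_i = Hash(<i> + h_{i-1}) with a 4-byte little-endian counter); the UTF-16LE encoding of the password is taken from [MS-OFFCRYPTO] rather than from the slide, and the real Agile format applies one more hash with a block key before using the result, which is omitted here. The salt is a constructed value. Note that this password-derived key does change with the password; the bug described later is in the randomly generated SK that this key wraps, not in this derivation.

```python
import hashlib
import struct


def office_password_hash(password: str, salt: bytes, spin_count: int,
                         hash_name: str = "sha512") -> bytes:
    """Iterated password hash H(pass, salt) of [MS-OFFCRYPTO], per slide 16:

        h_0 = Hash(salt + pass)
        h_i = Hash(<i> + h_{i-1})   for i = 1..n, <i> = 4-byte little endian

    The password is encoded as UTF-16LE, as the Office formats do
    (assumption taken from [MS-OFFCRYPTO], not stated on the slide).
    spin_count is n, the iteration count stored in EncryptionInfo.
    """
    if spin_count < 0:
        raise ValueError("spin_count must be non-negative")
    h = hashlib.new(hash_name, salt + password.encode("utf-16-le")).digest()
    for i in range(1, spin_count + 1):
        h = hashlib.new(hash_name, struct.pack("<I", i) + h).digest()
    return h


def verify_iteration_step(password: str, salt: bytes, spin_count: int,
                          hash_name: str = "sha512") -> bool:
    """Self-check of the chain: h_n must equal Hash(<n> + h_{n-1})."""
    if spin_count < 1:
        raise ValueError("need at least one iteration to check a step")
    prev = office_password_hash(password, salt, spin_count - 1, hash_name)
    expect = hashlib.new(hash_name, struct.pack("<I", spin_count) + prev).digest()
    return office_password_hash(password, salt, spin_count, hash_name) == expect


def hash_for_format(password: str, salt: bytes, office_format: str) -> bytes:
    """Apply the parameters the deck lists per format: Standard encryption
    (Office 2007) is SHA-1 with spinCount fixed to 50000; the Office 2013
    Agile default is SHA-512 with spinCount 100000."""
    params = {"standard2007": ("sha1", 50000), "agile2013": ("sha512", 100000)}
    hash_name, spin = params[office_format]
    return office_password_hash(password, salt, spin, hash_name)


if __name__ == "__main__":
    salt = bytes(range(16))   # constructed 16-byte salt (saltSize="16")
    for fmt in ("standard2007", "agile2013"):
        print(fmt, hash_for_format("test", salt, fmt).hex())
```

Because every step feeds the whole previous digest back in, the loop cannot be parallelised within one guess; an attacker's only option is to run many guesses side by side, which is why the table on slide 13 scales with spinCount.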
  • 17. MS Office Agile format
    • Uses two kinds of secret key
      • H: the iterated hash function above
      1. generate s from pass and salt
      2. generate SK and encrypt it by s
      3. encrypt m by SK
      • I will explain this later
    • two keys for key escrow
      • Administrator can decrypt if the password is lost
      • encrypt SK with the public key of the Administrator in advance
      • disabled (default)
    (diagram: pass and salt → H → s; SK encrypted by s; m encrypted by SK)
  • 18. msoffice-crypt
    • https://github.com/herumi/msoffice/
    • My tool to encrypt/decrypt MS Office files
    • Supports Windows/Linux
    • Supports OpenXML of Office 2007~
    • Supports the Agile format of Office 2010~
      • LibreOffice does not support the format yet
    • Configurable secret key for the Agile format
    • Configurable iteration count for stretching
  • 19. demo
  • 20. Usage
    • encrypt with password "test"
      msoffice-crypt -e plain.xlsx enc.xlsx -p test
    • decrypt with password "test"
      msoffice-crypt -d enc.xlsx dec.xlsx -p test
    • attack without password
      msoffice-crypt -d complex.xlsx -by easy.xlsx -p test
      (decrypt easy.xlsx with "test" and get SK, then attack complex.xlsx by SK without its password)
  • 21. Agenda
    • Comparison of password encrypted file formats
    • Demo
    • Situations
      • What happened?
      • Some scenarios
    • MS Office file format
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 22. What happened?
    • Excel 2010/2013 does not update the secret key in the file when the password is changed (bug).
    • We can attack them with this one secret key.
    (diagram: a master file with pass, saved as ... with pass1, pass2, pass3; all have the same secret key)
  • 23. Scenario 1 (pay slip delivery)
    • At HR
      • prepares a master Excel file
      • writes a pay slip into the file, changes the password, sends it to staff
    (diagram: master file with pass; HR can attack the other files)
  • 24. Scenario 2 (lost PC)
    • Owner
      • A master Excel file encrypted with an easy pass
      • Modifies it and makes an important file with a strong pass
    • Attacker
      • Brute-force attack against the easy pass, then attack the important file
    (diagram: brute-force attack on the easy pass; the file saved with the strong pass and secret info. can be attacked on this PC)
  • 25. Agenda
    • Comparison of password encrypted file formats
    • Demo
    • Situations
    • MS Office file format
      • Detail of the MS Office file encryption structure
      • Relation between password and secret key
    • How I found this bug
    • Proposal for a backdoor-resistant format
  • 26. MS Office file encryption details
    • Old format and new format
    • The MS OLE2 header is "D0 CF 11 E0"

    Office file type                    Format
    doc, ppt, xls (old Office files)    MS OLE2
    plain docx, pptx, xlsx              ZIP file of Open XML files
    encrypted docx, pptx, xlsx          MS OLE2 including a header and an encrypted ZIP file

    (diagram: an encrypted file is a header, not encrypted, followed by Enc(ZIP files of Open XML), encrypted with AES)
  • 27. Layout of encrypted docx
    • There is a directory structure in one file

    root/
      EncryptionPackage               encrypted main ZIP file
      EncryptionInfo                  encryption information
      DataSpaces/                     not used
        Version
        DataSpaceMap
        Transformation/
          StrongEncryption Transform/
            Primary
        DataSpaceInfo/
          StrongEncryption DataSpace
  • 28. Version of EncryptionInfo
    • Standard encryption (~Office 2007)
      • binary format
      • supports only SHA-1
      • spinCount (= # of iterations) is fixed to 50000
    • Agile encryption (Office 2010~)
      • XmlEncryptionDescriptor
      • supports SHA-1, SHA256, etc.
      • variable spinCount
  • 29. XmlEncryptionDescriptor

    <encryption>
      <keyData saltSize="16" blockSize="16" keyBits="256" hashSize="64"
        cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
        hashAlgorithm="SHA512" saltValue="..."/>
      <dataIntegrity encryptedHmacKey="..." encryptedHmacValue="..."/>
      <keyEncryptors>
        <keyEncryptor uri="http://schemas.microsoft.com/office/2006/keyEncryptor/password">
          <p:encryptedKey spinCount="100000" saltSize="16" blockSize="16" keyBits="256"
            hashSize="64" cipherAlgorithm="AES" cipherChaining="ChainingModeCBC"
            hashAlgorithm="SHA512" saltValue="..."
            encryptedVerifierHashInput="..." encryptedVerifierHashValue="..."
            encryptedKeyValue="..."/>
        </keyEncryptor>
      </keyEncryptors>
    </encryption>
  • 30. Dependency of variables in encryption
    (diagram: the encryption variables and their dependencies, with "gen." marking randomly generated values and "hash" marking hashed ones: password, encryptedKey.saltValue, gen. secretKey, hash, verifierHashInput (gen.), verifierHashValue, encryptedVerifierHashInput, encryptedVerifierHashValue, encryptedKeyValue, HmacKey (gen., hash), encryptedHmacKey, encryptedHmacValue, keyData.saltValue (gen.), ZIP file, Enc(ZIP file), EncryptionPackage)
  • 31. Check password integrity
    (same dependency diagram as slide 30, with the values used for the password integrity check highlighted)
  • 32. Check data integrity
    (same dependency diagram as slide 30, with the values used for the data integrity check highlighted)
  • 33. Dependency of encryption
    (same dependency diagram as slide 30; the part irrelevant to pass is marked: c = Enc(SK, salt, m))
  • 34. Agenda
    • Comparison of password encrypted file formats
    • Demo
    • Situations
    • MS Office file format
    • How I found this bug
      • Motivation
      • CSPRG
      • Example of a known backdoor
      • Hooking into MS Office's secret key generator
    • Proposal for a backdoor-resistant format
  • 35. Motivation
    • Normal encryptor
      • main part to encrypt m
      • You can not decrypt (salt, c) without SK
    • We can make a backdoor if the generator of SK is controlled.
    (diagram: m → [generate salt randomly; generate SK randomly; c = Enc(SK, salt, m)] → (salt, c))
  • 36. An example of controlled SK
    • Malicious (backdoored) encryptor
      • Malicious Eve prepares a master secret key X
      • Eve embeds X into an encryptor
      • Eve can get SK = H(X, salt) by X, then decrypt it
      • You can not notice that (salt, c) has a backdoor
    (diagram: m → [generate salt randomly; SK = H(X, salt); c = Enc m by (salt, SK)] → (salt, c); Eve holds X and obtains SK)
  • 37. Make a proof of concept for MS Office
    • 5 p.m. on Friday
      "Hi Mitsunari, could you hook into the random generator of MS Office?"
      "I'll try it. By when do you need it?"
      "Coming Monday."
      ...
  • 38. CSPRG
    • PRG (Pseudo Random Generator)
      • used for games and simulation
      • MT (Mersenne Twister) is popular
    • CSPRG (Cryptographically Secure PRG)
      • Nobody should be able to predict the next bit from previous bits
      • used for secret key generation
    • MT is not a CSPRG
      • its inner state is determined by 624 x 4-byte outputs
    (diagram: known previous bits 0 1 0 0 1 1 1 0 1 → CSPRG → next bit ?)
  • 39. Example of CSPRG
    • I strongly discourage you from implementing your own CSPRG
    • Use the CSPRG provided by the system vendor instead
      • /dev/urandom on Linux
        • non-blocking device for CSPRG
        • entropy from mouse, keyboard, disk I/O and interrupts
  • 40. rdrand
    • Intel hardware CSPRG instruction
      • Meets the NIST SP 800-90A standard
      • Uses an on-chip non-deterministic entropy source
    • Easy to use
    • Difficult to use safely
      • A retry limit should be employed to prevent a busy loop (extremely rare)

    // uint64_t getRand();
    getRand:
    .lp:
      rdrand rax   // store a random number in rax; CF=0 means no value was available
      jnc .lp      // retry if failure (rare)
      ret
  • 41. If rdrand has a backdoor?
    • The output of /dev/urandom became fixed just by modifying rdrand (kernel 3.8.13, by Taylor Hornby)
      • rdrand() { return [edx] ^ 0x41414141; }
    • Combine other entropy sources to avoid having a single point of failure
  • 42. CryptGenRandom()
    • CSPRG of Microsoft CryptoAPI
    • Used to generate salt and secret key
    • Hook this function
      • I expected that MS Office calls this to make a secret key
      • If my hooked CryptGenRandom always returns fixed bytes, then the secret key may be fixed.
    • First, I tried my (very old) DLL injection library
      • Did not work as expected due to ASLR
  • 43. Detours library (1/2)
    • A library to hook Win32 APIs by MS Research
      • http://research.microsoft.com/en-us/projects/detours/
      • 64-bit version costs $9,999.95 (32-bit version is free)
    • Usage
      • Source code of the DLL to hook

    #include <windows.h>
    #include <detours.h>
    #include <string.h>

    static PVOID orgFunc; // original CryptGenRandom, found by DetourFindFunction

    // Replacement for CryptGenRandom: fills the buffer with 'a' instead of random bytes
    BOOL WINAPI HookCryptGenRandom(HCRYPTPROV, DWORD len, BYTE *p)
    {
        memset(p, 'a', len);
        return TRUE;
    }

    BOOL WINAPI DllMain(HINSTANCE, DWORD reason, LPVOID)
    {
        if (reason == DLL_PROCESS_ATTACH) {
            orgFunc = DetourFindFunction("advapi32.dll", "CryptGenRandom");
            DetourAttach(&orgFunc, HookCryptGenRandom);
            ...
  • 44. Detours library (2/2)
    • test.exe
    • Run test.exe with withdll.exe in Detours
    • CryptGenRandom is now hooked!
    • But, the function is not called by MS Office...

    #include <stdio.h>

    int main()
    {
        RandomGenerator rg; // wrapper of CryptGenRandom()
        for (int i = 0; i < 3; i++) printf("%08x\n", rg.get32());
    }

    >test.exe
    812e1af0 // random
    ad990e76
    865cb964
    >withdll.exe /d:hook.dll test.exe
    61616161 // "aaaa"
    61616161
    61616161
  • 45. Trial and error (1/3)
    • Run Excel under a debugger and see the loaded DLLs
    • I found rsaenh.dll
  • 46. Trial and error (2/3)
    • Extract the exported symbols of rsaenh.dll
      • dumpbin /exports rsaenh.dll
    • What is CPGenRandom?

    ordinal hint RVA      name
          1    0 0000230C CPAcquireContext
          2    1 00003A80 CPCreateHash
          3    2 0001CC1C CPDecrypt
          4    3 0001DBC8 CPDeriveKey
        ...
         11    A 00009A80 CPGenKey
         12    B 00001D3C CPGenRandom
  • 47. Trial and error (3/3)
    • CPxxx functions are obsolete
      • CPxxx was renamed to Cryptxxx
      • CPxxx is called from Cryptxxx
      • Cryptxxx is hooked automatically if CPxxx is hooked
    • Excel calls CPGenRandom
      • Excel seems to generate the secret key!
    • However,

    >msoffice-crypt -psk easy.xlsx -p test
    ...
    secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
    >msoffice-crypt -psk complex.xlsx -p testtest
    ...
    secretKey = 8BBE31319EA4CAB9F...33013EB8853F8C6A7F5
  • 48. It is a bug of Excel
    • Excel generates the same secret key even without the hook
    • MS Office Word and PowerPoint generate different keys
    • Only Excel has the bug
    • About hooking CPGenRandom
      • This hook was not enough to take control of the generator
      • Hooking timer functions was not enough either
      • Details unknown because no further investigation was made
  • 49. Agenda
    • Comparison of password encrypted file formats
    • Demo
    • Situations
    • MS Office file format
    • How I found this bug
    • Proposal for a backdoor-resistant format
      • Check your Excel files
      • Improved format
  • 50. Check your Excel files
    • This bug was fixed on 2015/Oct/13 (MS15-110)
    • But already generated files won't be fixed
    • Verify the secret keys in your files with msoffice-crypt
    • Re-encrypt the files if you find the same secret keys
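One way to carry out the check on slide 50 across many files, as an added example that is not part of the deck or of msoffice-crypt: collect the `secretKey = ...` line that `msoffice-crypt -psk <file> -p <pass>` prints (the output format shown on slide 47) for each file and flag every group of files sharing one key. The sample outputs below are constructed; only the `secretKey` line mirrors the tool, the other lines and the key values are made up, and `collect_outputs` assumes the tool is on PATH.

```python
import re
import subprocess
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed sample output for three files. Only the "secretKey = <hex>"
# line follows the format the deck shows for `msoffice-crypt -psk`; the other
# line is assumed filler and the key values are made up for this example.
SAMPLE_OUTPUTS: Dict[str, str] = {
    "payslip_alice.xlsx": (
        "spinCount = 100000\n"
        "secretKey = 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF\n"
    ),
    "payslip_bob.xlsx": (
        "spinCount = 100000\n"
        "secretKey = 00112233445566778899AABBCCDDEEFF00112233445566778899AABBCCDDEEFF\n"
    ),
    "budget.xlsx": (
        "spinCount = 100000\n"
        "secretKey = FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100\n"
    ),
}

SECRET_KEY_RE = re.compile(r"^\s*secretKey\s*=\s*([0-9A-Fa-f]+)\s*$", re.MULTILINE)


def extract_secret_key(tool_output: str) -> Optional[str]:
    """Pull the secretKey line out of one run of msoffice-crypt -psk."""
    m = SECRET_KEY_RE.search(tool_output)
    return m.group(1).upper() if m else None


def find_shared_secret_keys(outputs: Dict[str, str]) -> Dict[str, List[str]]:
    """Group files by secret key. Any group with more than one member means
    those files open with one SK regardless of their individual passwords,
    which is the Excel bug; every such file should be re-encrypted."""
    by_key: Dict[str, List[str]] = defaultdict(list)
    for name, text in outputs.items():
        key = extract_secret_key(text)
        if key is not None:
            by_key[key].append(name)
    return {k: sorted(v) for k, v in by_key.items() if len(v) > 1}


def collect_outputs(files_and_passwords: Dict[str, str],
                    tool: str = "msoffice-crypt") -> Dict[str, str]:
    """Run the tool with the -psk option shown on slide 47 for each file and
    keep its stdout (assumes the tool is on PATH; not exercised offline)."""
    results: Dict[str, str] = {}
    for path, password in files_and_passwords.items():
        proc = subprocess.run([tool, "-psk", path, "-p", password],
                              capture_output=True, text=True)
        results[path] = proc.stdout
    return results


if __name__ == "__main__":
    for key, files in find_shared_secret_keys(SAMPLE_OUTPUTS).items():
        print("same secret key", key[:16] + "...", "in:", ", ".join(files), "-> re-encrypt")
```

Re-encrypting from a freshly created workbook, not by changing the password of the affected file, is what replaces the shared SK; the deck's point is that the key is reused precisely when the password is changed in place.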
  • 51. Future work
    • What is a reliable format?
      • The MS Office format is secure enough, but it is difficult to prove that no backdoor exists in a file
      • The problem generally exists for tools provided in binary form
    • (again) malicious encryptor
    • We want a format that is provably secure against the backdoor
    (diagram: m → blackbox encryptor → (salt, c), SK; salt: random number; X: master secret key in the encryptor; SK: H(salt, X); Eve gets SK by (salt, X))
  • 52. A backdoor-resistant format
    • Generate SK with a KDF (Key Derivation Function)
      1. generate r0, r1 randomly
      2. salt = H(pass, r0), H: KDF
      3. SK = H(pass, r1)
      4. c = Enc(r0, r1, m) by (salt, SK)
      5. output: c, salt
    • Format validation
      • Verify that the output follows the correct steps
      1. r0, r1, m := Dec(c)
      2. salt =? H(pass, r0)
      3. SK =? H(pass, r1)
    (diagram: pass and r0 → H → salt; pass and r1 → H → SK; m → Enc → c)
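The proposal of slide 52 carried through end to end, as an added example that is not code from the deck: an honest encryptor that follows steps 1 to 5, the format validation that checks salt = H(pass, r0) and SK = H(pass, r1), and, to show what the validation buys, a test double that reproduces the slide-36 backdoor (SK = H(X, salt)) and is rejected by it. Assumptions: PBKDF2-HMAC-SHA256 stands in for the KDF H, a SHA-256 counter keystream with an HMAC tag stands in for the cipher Enc (a real format would use AES with a MAC), and, as in the black-box encryptor of slide 51, the encryptor hands SK back together with (salt, c) so that the validator can run Dec. Passwords and messages are constructed inputs.

```python
import hashlib
import hmac
import os
from typing import Tuple

R_LEN = 16      # size of the random values r0, r1
KEY_LEN = 32    # size of salt and SK
TAG_LEN = 32


def kdf(password: bytes, r: bytes) -> bytes:
    """H(pass, r) of the proposal. PBKDF2-HMAC-SHA256 is the stand-in KDF;
    any password-based KDF works as long as encryptor and validator agree."""
    return hashlib.pbkdf2_hmac("sha256", password, r, 10_000, KEY_LEN)


def _keystream(sk: bytes, salt: bytes, length: int) -> bytes:
    enc_key = hashlib.sha256(b"enc" + sk).digest()
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + salt + counter.to_bytes(4, "little")).digest()
        counter += 1
    return out[:length]


def _tag(sk: bytes, salt: bytes, ct: bytes) -> bytes:
    mac_key = hashlib.sha256(b"mac" + sk).digest()
    return hmac.new(mac_key, salt + ct, "sha256").digest()


def enc(sk: bytes, salt: bytes, data: bytes) -> bytes:
    """Toy authenticated Enc(data) by (salt, SK): counter keystream + HMAC tag."""
    ct = bytes(a ^ b for a, b in zip(data, _keystream(sk, salt, len(data))))
    return ct + _tag(sk, salt, ct)


def dec(sk: bytes, salt: bytes, blob: bytes) -> bytes:
    if len(blob) < TAG_LEN:
        raise ValueError("truncated ciphertext")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(sk, salt, ct)):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(sk, salt, len(ct))))


def honest_encrypt(password: bytes, m: bytes) -> Tuple[bytes, bytes, bytes]:
    """Steps 1-5 of the proposal. Returns (salt, c, SK); as the black-box
    encryptor on slide 51 does, SK is handed back for validation."""
    r0, r1 = os.urandom(R_LEN), os.urandom(R_LEN)
    salt = kdf(password, r0)
    sk = kdf(password, r1)
    c = enc(sk, salt, r0 + r1 + m)
    return salt, c, sk


def backdoored_encrypt(password: bytes, m: bytes,
                       master_secret: bytes) -> Tuple[bytes, bytes, bytes]:
    """Test double reproducing the slide-36 backdoor: SK = H(X, salt), so the
    holder of X recomputes SK from the public salt. Used only to show that
    validate() rejects such output."""
    r0, r1 = os.urandom(R_LEN), os.urandom(R_LEN)
    salt = kdf(password, r0)
    sk = kdf(master_secret, salt)   # ignores r1: SK no longer depends on pass
    c = enc(sk, salt, r0 + r1 + m)
    return salt, c, sk


def validate(password: bytes, salt: bytes, c: bytes, sk: bytes) -> bool:
    """Format validation: Dec(c), then salt =? H(pass, r0) and SK =? H(pass, r1).
    An encryptor that chose salt or SK any other way cannot pass both checks
    without finding a preimage of the KDF."""
    try:
        data = dec(sk, salt, c)
    except ValueError:
        return False
    r0, r1 = data[:R_LEN], data[R_LEN:2 * R_LEN]
    ok_salt = hmac.compare_digest(salt, kdf(password, r0))
    ok_sk = hmac.compare_digest(sk, kdf(password, r1))
    return ok_salt and ok_sk


def open_message(password: bytes, salt: bytes, c: bytes, sk: bytes) -> bytes:
    """Accept the file only when it validates; return m."""
    if not validate(password, salt, c, sk):
        raise ValueError("file does not follow the format: possible backdoor")
    return dec(sk, salt, c)[2 * R_LEN:]


if __name__ == "__main__":
    pw, msg = b"correct horse", b"quarterly numbers"   # constructed inputs
    print("honest     :", validate(pw, *honest_encrypt(pw, msg)))
    eve_x = os.urandom(32)                            # Eve's master secret X
    print("backdoored :", validate(pw, *backdoored_encrypt(pw, msg, eve_x)))
```

The check works because the only freedom the encryptor keeps is the choice of r0 and r1, and both are disclosed inside c: whatever r1 a backdoored encryptor stores, H(pass, r1) will not equal the SK it actually used, so the mismatch is visible to anyone who knows pass.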
  • 53. Difficulty of the proposed format
    • For a person who knows only (salt, c)
      • same difficulty as previous formats
    • For Eve
      • same difficulty as the attack against the KDF to get pass from salt when r0 is known
      • Detection of maliciousness is easy if r0 is fixed
      • seems to be safe if all r0 are different from each other when encrypted 10000 times
        • then the attack is 10000 times harder for Eve
    (diagram: same as slide 52)
  • 54. Conclusion
    • Excel files can be attacked through their secret key without knowing the pass
    • It is a bug of Excel and has been fixed
    • Proposal for a backdoor-resistant format
      • It can be applied to general password-based encrypted file formats