Vulnerability in the Kaspersky Password Manager

A vulnerability (just patched) in the random number generator used in the Kaspersky Password Manager resulted in easily guessable passwords:

The password generator included in Kaspersky Password Manager had several problems. The most critical one is that it used a PRNG not suited for cryptographic purposes. Its single source of entropy was the current time. All the passwords it created could be bruteforced in seconds. This article explains how to securely generate passwords, why Kaspersky Password Manager failed, and how to exploit this flaw. It also provides a proof of concept to test if your version is vulnerable.

The product has been updated and its newest versions aren’t affected by this issue.

Stupid programming mistake, or intentional backdoor? We don’t know.

More generally: generating random numbers is hard. I recommend my own algorithm: Fortuna. I also recommend my own password manager: Password Safe.

EDITED TO ADD: Commentary from Matthew Green.

Posted on July 6, 2021 at 9:27 AM

Comments

Tatütata July 6, 2021 10:30 AM

Time-of-day as RNG seed? From a “cyber security” company? The mind boggles…

Denton Scratch July 6, 2021 10:39 AM

I rely on PasswordSafe.

I have accumulated a lot of passwords. I wish there was a version that would scroll properly on scrollwheel in Windows (muscle memory, dontcha know). And it says in Help/About “Copyright Rony Shapiro”. I have no idea who that is; do you have a pseudonym, Bruce?

I’ve been thinking of switching to pass for several years. I like the idea of a super-lightweight console PM. I expect it’ll be another several years before I pick up my skirts and run with it.

No way would I use an online or browser-based PM. I’m neither competent nor willing to validate the source.

Rob July 6, 2021 10:48 AM

I’m going to go with “backdoor”. If you’re dealing with generating passwords knowing to use secure stuff is rule 1.

But then again, I still wonder how the heck SQL Injection is a thing, so who knows.

Joe D July 6, 2021 11:04 AM

I am reminded of that online casino whose blackjack implementation used the 16-bit PRNG from Microsoft C.

So instead of 52! possible shuffles of the deck, there were only 65536.

The guy that realized this wrote an app that would display the hole cards, and the upcoming cards in the deck.

James July 6, 2021 11:28 AM

@Denton Scratch – Bruce created Password Safe but Rony Shapiro is the developer now.

Etienne July 6, 2021 11:51 AM

I’ve been using Chrome, because it syncs to my smartphone and desktop. It generates good passwords, and I never have to remember them. It auto-pastes them in. I’m an old man…

I back-up the CSV export file in my Google Drive after encrypting with openssl.

lurker July 6, 2021 1:23 PM

Kaspersky? Time in seconds? It’s gotta be a backdoor…

Thirty years ago on a device with no /dev/random I used the 6 digits of the microseconds fraction of time. But this was an educational toy, no pretensions to crypto security.

SpaceLifeForm July 6, 2021 2:38 PM

Kaspersky felt this analysis by Matthew Green was worthy, so they passed it on to their developers

hxtps://threadreaderapp.com/thread/1412411435842519049.html

I was going to laugh off this Kaspersky password manager bug, but it is *amazing*. In the sense that I’ve never seen so many broken things in one simple piece of code.

Clive Robinson July 6, 2021 2:46 PM

@ ALL,

Funny that @Bruce would post this today, over on the current Friday Squid page @Freezing_in_Brazil asked about a “shell script” to generate passwords, and what Freezing had found that too recommended “Date” as an entropy source…

Anyway I’m of the opinion that for “Master Secrets” especially “software is not the way to go”.

So I described a workable “manual method”,

https://www.schneier.com/blog/archives/2021/07/friday-squid-blogging-best-squid-related-headline.html/#comment-383190

Nothing particularly new in it.

However it is aimed at a 36-character alphabet A{a…z,0…9}

If you want only “32bit” then use an appropriate alphabet in the grid and leave four of the squares blank. If the dice give you a blank square just “throw again” –ie don’t reverse the order of the dice– and the maths will work out properly.

Have fun.

Tatütata July 6, 2021 2:50 PM

Re: backdoor vs. incompetence

Applying Hanlon’s razor (“never attribute to malice that which is adequately explained by stupidity”), I would rule out a backdoor, as identical passwords would be generated for different users.

A properly implemented backdoor wouldn’t be as obvious and weak as this one. I would have added a few bits of “entropy” to the seed (which would only have to be guessed once for a given user), increasing the search space, while still making an informed brute-force approach entirely manageable.

All major OSes provide (semi-)decent RNGs (*nix: /dev/random; Win: CryptGenRandom , Android: SecureRandom , etc., etc.), which even though they require some leap of faith in trusting their suppliers, are certainly a far cry from using TOD in seconds as a seed.

I recently tried to register for a certain site, and was appalled to discover that some wise-ass programmer managed to disable copy-and-paste and browser-supplied password managers, while still insisting on “complicated” patterns, which must therefore be entered by hand. (lower and upper case, number, special character, a rune, and two symbols from the Cabal). WTF?

Of course, not all sites have identical password requirements, and a password generated for one may not work for the other. I must occasionally patch-up my PW generating script for the silliness du jour…

SpaceLifeForm July 6, 2021 3:26 PM

@ Joe D

Take a 52 card deck. Order it by suit and level. This is just so that you know your exact starting point.

Then, do 7 perfect shuffles. Exactly 26 on each side, then exactly alternate the cards by hand.

Make sure you always split the deck exactly, and always put the top 26 to the same side and put the first new bottom card down from the same pile of 26 on either side. Be consistent.

Do this 7 times. 7 perfect shuffles.

Compare to your original card order.

Rombobjörn July 6, 2021 4:19 PM

This is a funny coincidence. Just hours apart, I find out about similar defects in two different passcode generators.

I was looking at Qtpass today. Before 2018 it used a non-cryptographic pseudo-random number generator, seeded with the time, and also had modulo bias. And now I read about how Kaspersky Password Manager did essentially the same.

Clive Robinson July 6, 2021 5:16 PM

@ Rombobjörn, ALL,

This is a funny coincidence. Just hours apart, I find out about similar defects in two different passcode generators.

Oh if it were only two…

Have a look at this,

https://www.howtogeek.com/howto/30184/10-ways-to-generate-a-random-password-from-the-command-line/

It’s only a little over a year and a half old so you would think it should be fairly up to date security wise, and know about “known security faults” going back to the late 1970’s if not further right?…

Now look and see how many of the examples use “Date”?

Any warnings about its lack of entropy?

See the fatal assumption with the last one using MD5?[1]

The internet is full of such “pearls of wisdom”, and if you do not know any better, which obviously many don’t… You end up with “Blame the Intern Syndrome”, where someone who should know better but obviously does not gives what they think is a simple task to the “summer intern”. The intern not having a clue looks up the problem on the Internet and “Cuts-n-Pastes” some example from someone who is equally as clueless. Nobody then actually checks and several years later…

Call it a failure of the “creative commons” or “Cut-n-Paste coding”…

I’ve seen so much of this nonsense I actually think that the ICTsec industry is facing an existential threat, because it does not learn from past mistakes, just relives them over and over and over.

[1] For some reason I’ve never been able to get to the bottom of there is “magic thinking” about hash/crypto algorithms somehow generating “entropy”; they don’t and can not by definition even though they can up complexity.

The way most hashes and crypto functions used to do a similar job are used they are in fact nothing more than “simple substitution ciphers”…

So imagine your input is one of the first eight letters of the alphabet or digits. The hash might give you a 256bit string output… But you are only ever going to get the same eight 256bit strings… So no more secure at the output than at the input at all. I call it “magic pixie dust thinking” and you would be surprised just how much of it there is. Even Intel, who should know a lot lot better, built such nonsense into their on-chip hardware supposedly “True Random Number Generators”.

Technotron July 6, 2021 5:19 PM

Time of day!! Why? Was getCurrentMillennium() taken? They should be banned from selling security software. I wonder if their encryption software uses a Caesar cipher.

SpaceLifeForm July 6, 2021 5:21 PM

@ Tatütata, Clive

I recently tried to register for a certain site, and was appalled to discover that some wise-ass programmer managed to disable copy-and-paste and browser-supplied password managers, while still insisting on “complicated” patterns, which must therefore be entered by hand. (lower and upper case, number, special character, a rune, and two symbols from the Cabal). WTF?

That ‘wise-ass programmer’ is actually thinking and deserves a raise.

When it comes to security, you must look at the attack angles.

No cut-and-paste? This is good. The password will not be in the C+P buffer where other software may be able to grab.

No browser based password manager? This is good. No rogue javascript to deal with.

This is not to say that you can trust all of the other software involved. Kernel, leaky keyboard, firmware, etc.

But it is actually logical to try and trim the low-hanging fruit.

Ultimately, the crypto must be separate from the comms. There is no other choice.

Tatütata July 6, 2021 7:43 PM

When it comes to security, you must look at the attack angles.

Yeah, sure. This isn’t a life-and-death facility, just some sort of document drop-box which was imposed to me by a service provider.

If I can’t access the site with a strong stored password protected by a master password, then I’ll have to settle for a weaker password, as “#Bunn1es” is easier to remember and type on a real keyboard (or a smartphone) than “1eOg,QB5a&Q~p”…

Martin July 6, 2021 7:56 PM

Multiple xoroshiro128+ PRNGs each seeded once, their outputs all XOR’d together is much faster and stronger than constantly reseeding the same PRNG from some pool you have to maintain, then trying to make up for it with a block cipher. Are you really worried about the binary being compromised, for something like that?

Fake July 6, 2021 9:20 PM

Since I haven’t seen anyone say this,

IF YOU USE KASPERSKY FOR PASSWORDS, ESPECIALLY FORUMS WHERE PEOPLE CAN SEE WHEN YOU REGISTERED OR FIRST POSTED: change your passwords.

Who would be using KASPERSKY?

😁

Both articles are worth reading, do not limit yourself to only the last one there is apparently a methodology to some of the decisions made.

For a few moments the way things were phrased I thought this was an added-in feature, it is not. It goes all the way back to version 1.0.

I’m still not sure this could be considered an absolute mistake, KAV lost a couple higher ups last year and it looks like this may have only ever had a single set of eyes. If a second set was there we cannot see tweaks in final products only revisions and source.

The first link says the product was reviewed 2 years prior, obviously only a product review not a coffee review.

Eh? Google interdictinarying again?
Makes for good sport.

echo July 6, 2021 9:35 PM

The problem with these “mostly male dominated” industries and technical “boys toys” discussions is the discussion is so technical and narrow it constrains thinking to the point where the basic principles become non-transferable behind a wall of fist bumping technobabble.

Taking a step back you need to look at the organisation in the round and understand how organisations and people and lower level decisions are made. This brings in recklessness, inadequacy, and negligence.

Anyway, before anyone kills me for being mean to developers doing the best they can… The real takeaway here is that (obviously) nobody with even modest cryptographic knowledge ever audited, thought about, or came near this product.

[…]

And please, get someone to look at your code. Especially if it’s going to be in a mainstream product. You cannot ever ship anything bespoke like this without having an expert glance it over. Even an hour would have flagged all this stuff.

Life doesn’t always work like that for the reasons previously stated. You really would not believe the stuff “experts” miss. “Experts” are human too and this is missing from the analysis.

Algorithms and theories can appear to be very “hard science” and confer great status on those who invent them and great status on those who roll up and discover flaws after the event but this “expertise” is itself subject to human nature and social structures and belief systems. But, oh yes, the certainty, the POWER of expertise. Tremble ye all.

At the same time experts have come under assault from the libertarian right and others they take advantage of. They scoff and mock for ideological or emotional reasons but then they are “experts” in acquiring power and “experts” in persuasion.

Would a real “expert” use or endorse a password manager at all? Perhaps those ideologues and the emotionally reactive have their reasons to promote password managers because the illusion of expertise aligns with their interests elsewhere?

So “expert” becomes a somewhat liquid definition.

@Spacelifeform

That ‘wise-ass programmer’ is actually thinking and deserves a raise.

When it comes to security, you must look at the attack angles.

No cut-and-paste? This is good. The password will not be in the C+P buffer where other software may be able to grab.

No browser based password manager? This is good. No rogue javascript to deal with.

This is not to say that you can trust all of the other software involved. Kernel, leaky keyboard, firmware, etc.

But it is actually logical to try and trim the low-hanging fruit.

Ultimately, the crypto must be separate from the comms. There is no other choice.

I came across this cut-and-paste block yesterday where the “expert” had slipped in some sneaky GDPR busting options into other parts of the web interface. Logical to trim the low hanging fruit? Perhaps in a very narrow cherry picking theoretical way but not in others so maybe not an “expert” at all.

Oh Lord protect me from “experts” with the arrogance of certainty who try to be clever and follow fashion and bandwagon with the emotional maturity of a teenager.

Only the other week I had a shop substitute sea bream instead of mackerel. Some “expert” had decided and implemented this algorithmically, I’m sure. So now instead of doing a mackerel recipe I had to find a sea bream recipe. The “expert” whose recipe I used did not dress or debone the fish. Never having had whole sea bream before I ended up with a mouth full of fish bones. Cue finding another “expert” who did dress the fish properly. Their recipe is okay but I wouldn’t recommend it myself.

Overall I think a real expert is someone who has expertise in expertise. One is then less bound by take a perfect sphere and roll it in a straight line kind of institutionalised stupidity and flummery and fist bumping, and less prone to prevailing fashion and emotional attachments and lazy short cuts. One sees the whole problem from beginning to end and the multiple domains and layers within. One also recognises that the “expert view” and even “critique” is simply a perspective. The expertise can be here or can be there, reside in one thing or reside in many things. The scene or framing, the emotion or attitude, the plating or presentation.

I think security like chefing has a bit of a “man” problem. Men tend to rely too much on expertise being a pillar of “stuff” propped up by status and emotional attachment. Often security is an issue of men fighting other men in increasingly complex and reductive ways much like the shouty chef who becomes overly fussy. But then nod along follow the herd women are their own form of security nightmare with their own form of inward looking subjectivity as evidenced by some of the fence sitting and rah rah papers and comment referenced by the blog author.

In a long and roundabout way we come back to the beginning of the topic and the question “What has been overlooked?” It is a mistake to be blinded by your own expertise and subjectivity. It is sometimes wise to doubt the formula in your own mind and to be aware the problem may be elsewhere. Sometimes the authority is not the authority. Sometimes the concern is not the concern. Perhaps the cake you bake is a fabulous thing or has gone horribly wrong for reasons you cannot fathom. Sometimes you may have a happy accident. Sometimes you may have baked a fabulous cake but the wrong cake for the occasion. This is something the expert but not the “expert” will be concerned with.

Fake July 6, 2021 9:35 PM

I’m curious to see what was uploaded when to virustotal.

Who has one of their user databases and checksum history to play with?

Fake July 6, 2021 9:53 PM

@echo, disregard

@mod, am I hallucinating?

Or Is there a bug with block quotes on the bottom of the forum?

Denton Scratch July 6, 2021 10:13 PM

@Clive

You chucked a hand-grenade at the Intel hardware TRNG, implying that it outputs a hash of a small range of ‘entropic’ inputs.

AIUI the output is not a hash of the input; the whitening function is AES.

Now, I think I know how the entropic input is supposedly generated – from a pair of free-running ring oscillators. But Intel hasn’t made it possible to inspect the raw output from that entropy source. So I would be very interested to learn how you know that the whitening function is being performed on a small range of possible inputs. Do you have a source?

I don’t trust Intel’s TRNG, because I don’t have any reason to trust a black box; if I can’t see the input to the whitening function, then the output is no more use than a hash of the time-of-day clock. But if the Intel TRNG is really just mashing up a low-quality entropy source, that would be pretty scandalous, and would presumably hurt Intel’s bottom line quite badly.

So can you substantiate that claim?

I’m not meaning to challenge you, it’s just that you made that claim rather confidently, and I’d like to know what you know.

Weather July 6, 2021 11:37 PM

@denton
The program can work out whether it’s 1-10, 11-20, 21-31 but you need human intervention for the last part; it’s broken, should not be used.

Dave July 7, 2021 1:47 AM

@Tatütata: Yup. It’s someone trying to be excessively clever, as shown by the password-cracker-defeating generation method. My guess is a mathematician, knows all the theory behind how to do it but couldn’t engineer their way out of a wet paper bag.

Uh, yeah, I’ve been exposed to way too much code written by mathematicians and physicists…

Clive Robinson July 7, 2021 2:20 AM

@ SpaceLifeForm, Tatütata, ALL,

When it comes to security, you must look at the attack angles.

Sometimes folks never find out things even though they are ages old known attacks…

Try asking “is generating a password in a script a good idea or not?”

Well the answer is very much “depends”, because very many these days will not know about how data gets transferred from one utility to the next.

Standard “shell scripts” from the *nix Command Line Interface(CLI) are often seen as very different to scripting languages like Perl or Python but are they? How about C or other high level programs like say an editor or Email client?

Well in some circumstances no they are all alike. Because they may not have support for certain functions (say crypto / hashes) but there are Command Line Interface(CLI) utilities that do these functions, many programs can “shell out to” use via the standard interfaces provided by the OS…

Thus whilst they may or may not be aware of the “process status” (ps) CLI utility in its “all” and “long” modes showing up the other users’ command lines. Even those who are aware at the back of their minds may not realise that what they thought was a standard program/executable may “shell out” from within itself to use another program.

But… even those who do know about the “ps” command are often not aware that it is really just a front end to the process tables tucked away under /proc/xxxx (where xxxx is the process ID).

So the first instinct of many looking to limit a security risk would be to hide “ps” from users, but… It’s not really the “ps” command you need to take care of, it’s just a front end for information found in the /proc filesystem.

So you can do similar to the “ps” command to see the command line of another process say 4321 with,

cat /proc/4321/cmdline

Or any other of very many CLI utilities to print out text…

Thus your real problem is to fix access to the /proc file system and that can be very unwise to play with as it can bring down the whole OS if you get it wrong.

Yes I’ve deliberately used an example that has a long white beard Gandalf would be proud of, but surprisingly few know about the “ps” CLI or the underlying /proc file system. But importantly this is just one of many little issues that can cause security failings for even quite experienced people.

And I’m fairly sure there are some I don’t know about tucked away somewhere especially in MS OS’s that appear to delight in obfuscating what actually goes on at the lower levels.
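An added check of the exposure described in the comment above (example code, not the commenter’s): a secret passed as a command-line argument is readable through /proc/<pid>/cmdline by any local user, while handing it over stdin keeps it out of argv. The function names are this example’s own; it needs Linux and starts a throwaway Python child process.

```python
import subprocess
import sys


def read_cmdline(pid):
    """Exactly what `cat /proc/<pid>/cmdline` prints: the argv, NUL-separated."""
    with open(f"/proc/{pid}/cmdline", "rb") as handle:
        return handle.read().split(b"\0")


def secret_visible_as_argument(secret):
    """The pattern to avoid: the secret travels in argv, so the running
    child's /proc entry shows it to anyone on the box who looks."""
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(10)", secret])
    try:
        # Popen returns after the exec succeeded, so cmdline is the child's argv.
        return secret.encode() in read_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


def secret_hidden_via_stdin(secret):
    """Mitigation: pass the secret over a pipe. argv no longer carries it,
    and the child echoes the value back to prove it still received it."""
    child = subprocess.Popen(
        [sys.executable, "-c",
         "import sys; sys.stdout.write(sys.stdin.readline().strip())"],
        stdin=subprocess.PIPE, stdout=subprocess.PIPE, text=True)
    argv = read_cmdline(child.pid)          # child is alive, blocked reading stdin
    received, _ = child.communicate(secret + "\n", timeout=10)
    return secret.encode() not in argv and received == secret


if __name__ == "__main__":
    # Constructed value; never a real credential.
    demo = "constructed-secret-42"
    print("visible in /proc when passed as argv:", secret_visible_as_argument(demo))
    print("hidden from /proc when passed via stdin:", secret_hidden_via_stdin(demo))
```

The same applies to any utility a script "shells out" to with the password on its command line; environment variables are a separate exposure (/proc/<pid>/environ) and not a fix.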

Clive Robinson July 7, 2021 2:44 AM

@ Martin,

Multiple xoroshiro128+ PRNGs each seeded once, their outputs all XOR’d together is much faster and stronger than constantly reseeding the same PRNG from some pool you have to maintain, then trying to make up for it with a block cipher.

Is not in any way secure.

Xoroshiro128+ has significant linear issues in the lower four bits, and statistical problems extend far beyond the bottom few bits upwards. It actually fails the PractRand test even when the low bits are truncated. Likewise it fails multiple tests in BigCrush even when the bits are reversed.

It is in no way a CS-PRNG.

But worse your suggestion of,

“their outputs all XOR’d together is much faster and stronger”

Is most definitely not going to be stronger or improve things, it’s going to make them worse. The XOR function is the equivalent of “vector addition over GF(2)” which is very much a linear operation.

Xoroshiro128+ was designed to be fast on modern CPUs for the likes of “statistical packages” in engineering and simulations where its failings are less noticeable.

But it is entirely unsuitable for any Computer Security related activities, and the authors/designers have said as much.

Clive Robinson July 7, 2021 2:57 AM

@ Denton Scratch,

You chucked a hand-grenade at the Intel hardware TRNG, implying that it outputs a hash of a small range of ‘entropic’ inputs.

It would not be the first and it won’t be the last; search this blog for “pixie dust” if you want to read through it.

But Intel hasn’t made it possible to inspect the raw output from that entropy source. So I would be very interested to learn how you know that the whitening function is being performed on a small range of possible inputs.

Intel never have “made it possible to inspect the raw output from that entropy source.” and nor are they ever likely to because it is very poor quality when it comes to “entropy” but it is good on “chaos” which is not the same thing.

Other researchers have come to the same conclusions having made their own “ring oscillators”.

If you want me to go through it, wait a few days for this thread to quieten down and I’ll go through it with you.

Ollie Jones July 7, 2021 6:29 AM

Back in earlier days of the ‘toobz (a quarter century ago) I wrote a web app which used a “random” 32-bit number as the session key. Naive? yeah. Released into the wild? No.

Good thing I’m “trust but verify” suspicious. I did one of those little x/y plots of sequences of numbers from that PRNG and found lots of little stripes and squares.

I fixed the session keys before the product made it to the wild (using /dev/random). In 1998.

There is, bluntly, no plausible scenario in which this was an honest mistake. It’s nothing new.

Martin July 7, 2021 8:01 AM

@Clive you’re wrong on almost every count. I don’t think you even understand the problem and just argue to be arguing.
So, do you have a PRNG that magically behaves as a TRNG no matter what the seed? No..I didn’t think so. And you’re saying that if someone gives you the sum of three numbers you can tell what the original numbers were?

Tatütata July 7, 2021 8:19 AM

And you’re saying that if someone gives you the sum of three numbers you can tell what the original numbers were?

Take the sum of three balanced dice.

First row is the sum.
Second row is the relative probability of the outcome.

sum: 03 04 05 06 07 08 09 10 11 12 13 14 15 16 17 18
prb: 01 03 06 10 15 21 25 27 27 25 21 15 10 06 03 01

If your result is at the tail of the distribution, you already have a good idea as to what the draw was…

Martin July 7, 2021 8:49 AM

@Tatütata
Your argument is absurd.

Hoping Clive would be willing to take part in a live chat. A number of us here would like to hear his explanations of how the first output can tell him what the seed was. And if what he says is true about addition mod 2 then no block cipher is safe. Maybe he can defend some of the other assertions regarding design and implementation made in CE chapter 9.

Clive Robinson July 7, 2021 8:49 AM

@ Martin,

Clive you’re wrong on almost every count. I don’t think you even understand the problem and just argue to be arguing.

No it’s you who are unknowing and too prideful to realise it.

You’ve been told the author/designer of the algorithm has said it is not even CS secure and that it fails some basic statistical steps it would need to pass.

But have you bothered to check that?

Of course not, hence your failings start to show.

After all who do you expect people to believe, some person who uses the handle “Martin” who makes obviously and easily incorrect statements, or the author/designer of the algorithm?

But it gets better, you then go on with this ridiculous comment,

So, do you have a PRNG that magically behaves as a TRNG no matter what the seed?

Nobody has by the very definition of the terms PRNG and TRNG… Go look them up and you will realise why your statement makes you look even less knowledgeable.

But to crown your inadequacies you go on with this pathetic strawman,

And you’re saying that if someone gives you the sum of three numbers you can tell what the original numbers were?

Go get yourself some actual factual knowledge. You could start with Knuth “Art of Computer Programming” Vol2, but get the latest edition as he’s had to make changes due to the advancement of art over the last five decades.

You could also download and read Menezes et al, “Handbook of Applied Cryptography” the 5th edition is admittedly 20years old and things have moved on apace since then. But the authors and publishers have put it up on line so you can download and read it,

http://cacr.uwaterloo.ca/hac/

You will find in it a couple of one paragraph definitions for PRNG and TRNG, so should be able to see your errors in a half hour or so.

So will others, and I expect some will… But will you come back and apologise? Something tells me you will not, but you could prove me wrong on that count, it’s up to you.

Tatütata July 7, 2021 9:10 AM

Try asking “is generating a password in a script a good idea or not?”

Well the answer is very much “depends”, because very many these days will not know about how data gets transfered from one utility to the next.

The procedure is simple enough:

1) Pick N characters from the allowed alphabet at random. [For each character, read one byte from /dev/random and keep the last ceil(log2(size_of_alphabet)) bits. Repeat if the truncated value is greater than the length of the alphabet, otherwise use it to index the allowed alphabet.]

2) Test if the generated word conforms to imposed constraints (“at least one of X, Y and Z”, which technically makes a password more predictable than if it were purely randomly selected from a certain alphabet…). If not, go back to step 1.

The result is going to be in practically all cases less guessable than anything I could generate in my brain.

If a third party can intercept the channel between the script and the service, it’s game over anyway.
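An added example (not code from the post, the linked article, or any commenter) that puts the two things discussed here side by side: the two-step procedure Tatütata gives above (unbiased index from masked bytes with rejection, then a constraint check on the whole word), and the failure mode from the post, a non-cryptographic PRNG whose only seed is the clock in seconds, which makes its output reproducible. The alphabet, function names and the byte-feed helper are this example’s own constructions.

```python
import os
import random
import time

# Constructed alphabet for this example: 26 + 26 + 10 + 10 = 72 entries.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789"
            "!#%&*+-=?@")


def unbiased_index(size, read_byte):
    """Step 1: keep ceil(log2(size)) bits of one random byte and draw again
    whenever the truncated value is not a valid index (>= size). Every
    accepted index is then equally likely; no modulo reduction is used."""
    if not 1 <= size <= 256:
        raise ValueError("alphabet must have between 1 and 256 entries")
    bits = (size - 1).bit_length()        # equals ceil(log2(size)), integer-only
    mask = (1 << bits) - 1
    while True:
        candidate = read_byte() & mask
        if candidate < size:
            return candidate


def modulo_bias_counts(size):
    """Why step 1 rejects instead of reducing: `byte % size` maps the 256
    byte values unevenly onto the indices, favouring the low ones."""
    counts = [0] * size
    for value in range(256):
        counts[value % size] += 1
    return counts


def meets_constraints(password):
    """Step 2: a typical site rule, at least one lower, upper, digit, symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def generate_password(length, read_byte, alphabet=ALPHABET,
                      constraint=meets_constraints):
    """Draw `length` characters with unbiased_index and retry the whole word
    until the constraint holds (patching only the failing position would
    skew the distribution). `length` must make the constraint satisfiable."""
    while True:
        password = "".join(alphabet[unbiased_index(len(alphabet), read_byte)]
                           for _ in range(length))
        if constraint(password):
            return password


def secure_read_byte():
    """Byte source for real use: the operating system's CSPRNG."""
    return os.urandom(1)[0]


def time_seeded_read_byte(seed_seconds):
    """The flaw from the post: a non-cryptographic PRNG whose only entropy
    is the clock in seconds. Everything it emits is a function of the seed."""
    rng = random.Random(seed_seconds)
    return lambda: rng.getrandbits(8)


def same_second_same_password(length=16):
    """Two users generating within the same second get identical passwords.
    That reproducibility is the symptom a reviewer can test a generator for."""
    now = int(time.time())
    first = generate_password(length, time_seeded_read_byte(now))
    second = generate_password(length, time_seeded_read_byte(now))
    return first == second


def make_byte_source(data):
    """Constructed deterministic byte feed, for exercising unbiased_index."""
    iterator = iter(data)
    return lambda: next(iterator)


if __name__ == "__main__":
    print("CSPRNG password:", generate_password(16, secure_read_byte))
    print("time-seeded generator repeats itself:", same_second_same_password())
```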

Tatütata July 7, 2021 9:24 AM

Your argument is absurd.

Yep, “Reductio ad absurdum.” Merci! I accept this as a compliment.

I recently came across a 2010 paper by Solomon W Golomb titled “On factoring Jevons’ number”.

In the 1870s, William S Jevons, who is better known for the disturbing paradox bearing his name, wrote:

“Can the reader say what two numbers multiplied together will produce the number 8,616,460,799? I think it is unlikely that anyone but myself will ever know.”

Golomb goes on to show how this could have been solved by pencil and paper in a reasonable time, and concludes “There is a lesson in this for users of the RSA algorithm as well.”, in that the prime factors shouldn’t be chosen to be too close to each other.

Clive Robinson July 7, 2021 9:47 AM

@ Tatütata,

If a third party can intercept the channel between the script and the service, it’s game over anyway.

Half way there 😉

The real problem I was getting at was,

1, Firstly do you know if they can or not?

Which is actually quite difficult in itself with side channels of all varieties. But more importantly let’s assume you’ve been told by a “red team” report that they can,

2, Do you actually know the real reason they can or can you work it out?

Because if you do not know the answer to 2 you can not stop the “channel” being used if it’s there and not coincidence.

Oh and I think @Martin owes you an apology as well… I guess they have never tried doing one of those puzzles in newspapers that thousands if not hundreds of thousands of people do successfully in “their coffee break”.

Clive Robinson July 7, 2021 10:57 AM

@ Tatütata, ALL,

I recently came across a 2010 paper by Solomon W Golomb

It’s a fun little paper and typical of his less formal writings, and is easy to get into.

Solomon led a curious life, and like several others missed out on things “because of Government” who try to hold things back (and actually prove in the process NOBUS will always fail).

He died just over half a decade back and Stephen Wolfram who knew him and his family for around half a lifetime wrote,

https://writings.stephenwolfram.com/2016/05/solomon-golomb-19322016/

You will see from it, just how relevant he has been to the subjects more recently covered on this blog.

And how his work is very probably in arms reach of all of us right now.

Anonymous July 7, 2021 12:35 PM

Would someone care to explain one of his final point; to never use floats in crypto?

Fake July 7, 2021 1:54 PM

Number one, floats are inexact and suffer from rounding.

One can’t reverse values that we’re rounded and may not be rounded the same on a different computer.

Outside of that… I’m not sure if there’s a second reasoning or not.

Floats are not real numbers, they are extrapolated for speed so the computer doesn’t have to calculate the full value.

Clive Robinson July 7, 2021 2:31 PM

@ Anonymous,

Would someone care to explain one of his final point; to never use floats in crypto?

Floats are inherently “upper bit operators” and get numerically less accurate in the lower bits very quickly. This gives an uneven number distribution and things like adds can become unpredictable at best.

Being normalised they do not have a flat distribution (see Newcomb-Benford Law). Which you can easily see for yourself just by making up a simple 10×10 multiplication table and tabulating the leading digit distribution.

In fact when you print out a float result from a calculation to the screen the bottom one or two decimal digits are probably garbage depending on what you were doing.

The FP values are effectively “normalized fractions” that are at best poorly aproximates to reals. Which the representative data set for is extreamly sparse and many numbers even quite simple numbers like 1/10 can not be represented. Worse the way they get “rounded” when used is dependent on the other number magnitude. Also there is no guarentee that all FP values in the data set will be valid…

Even using FP outside of crypto people get warned to use Greater than or Less than and not Equal to in a lot of functions or to use ints then as a final step convert to a FP. Oh and look up the likes of “never use floating point in loops”

https://wiki.sei.cmu.edu/confluence/spaces/flyingpdf/pdfpageexport.action?pageId=87152157

FP is horrible in oh so many ways you are almost always going to end up “shooting yourself in the foot” one way or another with them at some point.

Donald Knuth in his “Art of Computer Programming” has quite a section on why FP representation needs to be treated with caution.

I’ve got a very long list of “Don’ts” for FP, so I almost always where possible use integers or arrays of integers rather than have floats take a chunk out of me.

If you want to see a disaster appear quite rapidly, matrices are used to solve many engineering simultaneous equations. Whilst you can add, subtract and multiply matrices you can not divide them, so you multiply by a small fraction instead. Part of this is finding the “inverse matrix” and you get taught a way to do this in college. However the technique involves the use of “pivot points” which I won’t go into but it’s very very easy to end up with quite bizarre fractions of fractions of fractions, that there is no way FP numbers have a snowball in hell’s chance of keeping the “book-keeping” straight for in the methods usually taught… Thus other more complex ways have to be used which can come as quite a shock to many programmers.
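The float pitfalls listed in the comment above, shown as an added example written for this page (it is not code from any commenter). The functions return values rather than printing them; the inputs (0.1, a 10-step loop, a 64-bit integer standing in for a seed) are constructed for illustration.

```python
"""Added example (not from the thread): the float pitfalls described above.

Inputs are constructed for illustration; the functions return values rather
than printing so the behaviour can be checked.
"""
from fractions import Fraction


def stored_numerator_denominator(x: float) -> tuple:
    """The exact rational a double really holds, as (numerator, denominator).

    Fraction(float) is exact, so this exposes the nearest binary fraction:
    the literal 0.1 is stored as 3602879701896397 / 2**55, not 1/10.
    """
    f = Fraction(x)
    return f.numerator, f.denominator


def is_exactly_representable(numerator: int, denominator: int) -> bool:
    """True only if numerator/denominator survives a round trip through a double.

    Dyadic rationals (denominator a power of two, within 53 bits) survive;
    1/10, 1/3 and most 'simple' decimals do not.
    """
    exact = Fraction(numerator, denominator)
    return Fraction(float(exact)) == exact


def float_loop_iterations(step: float, stop: float) -> int:
    """Iterations of the classic 'x = 0; while x < stop: x += step' loop.

    With step=0.1 and stop=1.0 the accumulated rounding error makes the
    tenth sum 0.9999999999999999, which is still < 1.0, so the loop body
    runs 11 times instead of the 10 a reader would expect.
    """
    x = 0.0
    iterations = 0
    while x < stop:
        iterations += 1
        x += step
    return iterations


def fixed_point_loop_iterations(step: int, stop: int) -> int:
    """The same loop carried in scaled integers (e.g. tenths): exact.

    fixed_point_loop_iterations(1, 10) models step 0.1 up to 1.0 and
    runs exactly 10 times because integer addition never rounds.
    """
    x = 0
    iterations = 0
    while x < stop:
        iterations += 1
        x += step
    return iterations


def survives_float_roundtrip(n: int) -> bool:
    """Does int -> float -> int return n unchanged?

    A double carries 53 significant bits, so any integer needing more
    (2**53 + 1, a 64-bit seed or key, ...) has its low bits rounded away.
    """
    return int(float(n)) == n
```

The last function is the one that matters for key material: routing a 64-bit seed or counter through a double silently discards its low bits, which is one concrete reason to keep cryptographic arithmetic in integers.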

ADFGVX July 7, 2021 3:39 PM

@ Clive

Being normalised they do not have a flat distribution (see Newcomb-Benford Law).

Benford’s Law, or the Newcomb–Benford “Law” not really a “law” so to speak, or even properly speaking a probability distribution, but a ‘measure’ ν that assigns a weight to each of digits 1–9.

Whenever the “common” or base-ten logarithm of a random variable X is uniformly distributed on an interval of integral length, then the leading non-zero digit of the decimal expansion of X is distributed according to the Newcomb–Benford measure.

ν({1}) = log₁₀ 2 − log₁₀ 1
ν({2}) = log₁₀ 3 − log₁₀ 2
ν({3}) = log₁₀ 4 − log₁₀ 3
ν({4}) = log₁₀ 5 − log₁₀ 4
ν({5}) = log₁₀ 6 − log₁₀ 5
ν({6}) = log₁₀ 7 − log₁₀ 6
ν({7}) = log₁₀ 8 − log₁₀ 7
ν({8}) = log₁₀ 9 − log₁₀ 8
ν({9}) = log₁₀ 10 − log₁₀ 9

ν({1,2…9}) = log₁₀ 10 − log₁₀ 1 = 1

Oftentimes a so-called “improper prior distribution” π is assumed with the use of the Newcomb–Benford measure, which assigns equal weights to intervals of equal length in the measure of log10X over the real numbers.

Such a uniform “distribution” π is said to be “improper” because the entire real number line is not finite under any uniform measure.
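The Newcomb–Benford measure written out above, and the multiplication-table check Clive suggested two comments earlier, as one added example (written for this page, not code from either commenter). The last function goes a step further than the thread: it uses the binary mantissa that `math.frexp` exposes to show that the top bits of normalised floats are not flat either, which is the claim about “upper bits”.

```python
"""Added example (not from the thread): the Newcomb-Benford measure, the
leading digits of a multiplication table, and the same bias in float mantissas.
"""
import math
from collections import Counter


def benford_measure(digit: int) -> float:
    """nu({d}) = log10(d + 1) - log10(d) for a leading decimal digit d in 1..9."""
    if not 1 <= digit <= 9:
        raise ValueError("leading decimal digits are 1..9")
    return math.log10(digit + 1) - math.log10(digit)


def benford_total() -> float:
    """Sum over all nine digits; telescopes to log10(10) - log10(1) = 1."""
    return sum(benford_measure(d) for d in range(1, 10))


def leading_decimal_digit(n: int) -> int:
    return int(str(abs(n))[0])


def multiplication_table_products(size: int = 9) -> list:
    """Every entry i*j of the size x size table, 1 <= i, j <= size."""
    return [i * j for i in range(1, size + 1) for j in range(1, size + 1)]


def multiplication_table_leading_digits(size: int = 9) -> Counter:
    """Leading decimal digit histogram of the table (digit 1 wins: 18 of 81)."""
    return Counter(leading_decimal_digit(p) for p in multiplication_table_products(size))


def fraction_with_top_mantissa_bits_10(values) -> float:
    """Share of values whose normalised binary mantissa lies in [0.5, 0.75).

    frexp() returns m in [0.5, 1.0): m < 0.75 means the first two
    significant bits are '10', otherwise '11'. A flat mantissa distribution
    would give 0.5; log-uniform (Benford-like) data gives log2(1.5) ~ 0.585.
    """
    hits = 0
    total = 0
    for v in values:
        m, _exponent = math.frexp(float(v))
        total += 1
        if m < 0.75:
            hits += 1
    return hits / total
```

For the 9×9 table, 45 of the 81 products start with the binary digits “10”, about 0.556, so even after normalisation the high mantissa bits of data drawn this way are biased toward “10”.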

Clive Robinson July 7, 2021 4:19 PM

@ ADFGVX,

Benford’s Law, or the Newcomb–Benford “Law” not really a “law” so to speak, or even properly speaking a probability distribution

Hey I know it’s an “observation” but I did not name it, so I have to live with other peoples conventions.

but a ‘measure’ ν that assigns a weight to each of digits 1–9.

Actually it’s a bit broader than that as it applies to more than just Base10 numbers, it just gets less obvious the larger the base is.

The point is if you “normalize” in the way you do with floating point numbers, then that leading digit bias, gets pulled into the upper bits of the FP number… Thus the distribution in those upper bits is not flat…

But we’ve had this conversation before when you had a different handle.

No Such Agency July 7, 2021 7:28 PM

“More generally: generating random numbers is hard. I recommend my own algorithm: Fortuna. I also recommend my own password manager: Password Safe.”

Yes. Our backdoored solutions are a LOT safer than Russian backdoored solution! If you got hacked – hey, at least it’s American one, be a true patriot!

M July 8, 2021 1:40 AM

Intentionally installed a back door? This wouldn’t be the first time. Remember the story of PX1000cr.

Philips came out with a new version, the PX1000Cr. Research by Argos and Crypto Museum Eindhoven reveals that the encryption algorithm had been weakened from 64 bits to 32 bits. Where it would initially take a year to crack the encryption (hypothetically speaking), it would take less than a second with the new algorithm.

Link to the article: Former Philips top cryptographer admits to compromising encryption devices

Tatütata July 8, 2021 7:28 AM

The weakening of the PX1000 “Pocket Telex” is quite another story.

Neither Text Lite of Amsterdam, the original designer, nor Philips would have been able to continue the sale of the initial unmodified model because of both IBM patents and COCOM export restrictions, as I explain here. But why would the electronics giant take over a company whose sole product would be shown to be a liability after any reasonable amount of due diligence, when they could have designed their own version in a fortnight? Was the relative exclusivity and goodwill a good enough reason for the conglomerate to buy out the pipsqueaks, or did the suggestion come from elsewhere, higher up? Forty years later the surviving witnesses claim that they were made the proverbial offer they couldn’t refuse, but if they had really been shown the facts, or figured them out themselves, the sale would have been a blessing.

Here, Kaspersky is faced with the classic dilemma of the politician caught with his hand in the bag, and who must choose between appearing incompetent or dishonest.

Winter July 8, 2021 8:02 AM

@Tatütata
“Forty years later the surviving witnesses claim that they were made the proverbial offer they couldn’t refuse, but if they had really been shown the facts, or figured them out themselves, the sale would have been a blessing.”

An unofficial history of the Dutch domestic intelligence agency (BVD, now AIVD) I once heard was that they were founded after WWII using staff from the Philips Security department. Also, Philips was a world player in electronics and signal processing. They built all types of communication gear, including telecommunication switches. There were very close connections between Dutch intelligence and Philips.

The offer they could not refuse must be seen in Godfather terms.

Fake July 8, 2021 6:01 PM

Why was this held so close to the chest for so long?

Is this signaling? You hack and compromise or companies too?

Surely it was an emergency for their customers the minute they found out about it. Was there a private email sent to customers? How did that not get leaked? There wasn’t? Did they let somebody else know who was in a better position to study the situation?

SpaceLifeForm July 8, 2021 6:43 PM

The point is if you “normalize” in the way you do with floating point numbers, then that leading digit bias, gets pulled into the upper bits of the FP number… Thus the distribution in those upper bits is not flat…

Funny you mention that. Because you can, using that high bit, get the binary digits of pi. Without inspecting the lower bits. Though you must keep some of the lower bits in memory in order to iterate.

Tatütata July 8, 2021 7:36 PM

@Winter

Have you a source? I tried to look up books and videos, and came up with this:

https://www.youtube.com/watch?v=m4HDWZw9Jfw

“De Geheime Dienst BVD tijdens de Koude Oorlog”, after a book of the same name.

According to the introduction around the 2′ mark, the main founding members of the BVD were drawn from colonial types repatriated from Indonesia, and the “Albrecht group” of resistance fighters. (I thought that all SOE operatives airdropped over the country had all been slaughtered in the “Englandspiel”, but this seems to refer to different people.)

If I believe this film (and a couple other I found), the essential occupation of this bunch was chasing “commies”, “pinkos”, etc., and wiretapping embassies (using US-made kit). (The first spoken archive sequence is some guy claiming “we are not a secret police”)

Are there other episodes?

echo July 9, 2021 2:15 AM

Myself I feel people have dodged doing a thorough analysis of whether this was deliberate or not simply because bikeshedding technical material is a lot easier.

Clive Robinson July 9, 2021 5:51 AM

@ echo,

Myself I feel people have dodged doing a thorough analysis of whether this was deliberate or not…

To do a “thorough analysis” requires reliable data.

If the data is not available for some reason all you can analyze is,

1, The data you have
2, The reasons other data may not be available.

Whilst the first can give some definitive answers, the second can only give rise to speculative answers, on to which some may hang what they consider “probabilities”. Thereby to give the illusions of maths and logic as a veneer to arrive at their prechosen conclusion based on emotion, cognitive bias, political mantra, or many other sins. Thus there is good reason for “lies, damn lies and statistics” type quotations.

So it’s hardly “bikeshedding” to “do what can be done with what you have, rather than waste time on what can not be done with nothing to do it with”.

Jon July 9, 2021 12:20 PM

@ Tatütata, Clive,

I recently came across a 2010 paper by Solomon W Golomb

It’s a fun little paper and typical of his less formal writings, and is easy to get into.

For fun I dashed off a spreadsheet that uses Dr. Golomb’s method as described in the paper*. It works just fine. J.

  • https://www.cs.umd.edu/users/gasarch/COURSES/456/F19/notes/jevons.pdf

Clive Robinson July 9, 2021 4:05 PM

@ Jon,

For fun I dashed off a spreadsheet that uses Dr. Golomb’s method as described in the paper*. It works just fine. J.

I suspected the method would work when I read it, the man could not just line his ducks up he could make them dance.

The question is do you have a website or anywhere else to post your spreadsheet for others to play with, and as they say “spread the joy”?

Jon July 9, 2021 5:39 PM

@ Clive

Nah. It only took me a few minutes to make, and I deleted it without saving. It would have been faster, except I committed a small blunder: I was (originally; I fixed it) calculating

a_k = a_{k−1} + k

instead of

a_k = a_0 + k

Which managed to make a_k skip the relevant value.

Oops. My bad. The rest worked out fine. J.

Roger Schlafly July 9, 2021 10:05 PM

No, there is nothing wrong with using floats in crypto. Yes, they can be rounded, but refusing to use them for that reason is like refusing to use integers because they can overflow.

The worst part of this story is that Kaspersky sat on this for almost two years, even after being notified. Users should have been told that they need to change their passwords.

echo July 9, 2021 10:23 PM

@Clive

To do a “thorough analysis” requires reliable data.

If the data is not available for some reason all you can analyze is,

1, The data you have
2, The reasons other data may not be available.

Whilst the first can give some definitive answers, the second can only give rise to speculative answers, on to which some may hang what they consider “probabilities”. Thereby to give the illusions of maths and logic as a veneer to arrive at their prechosen conclusion based on emotion, cognitive bias, political mantra, or many other sins. Thus there is good reason for “lies, damn lies and statistics” type quotations.

So it’s hardly “bikeshedding” to “do what can be done with what you have, rather than waste time on what can not be done with nothing to do it with”.

You left out:

  1. Ask or go looking for it.

Then:

Spent the next topic going on about stacks of probabilities and heuristics and fuzzy stuff. You’re Newtonian when you want to be. Quantum when you want to be. Which one is it?

There is a reason why STEM is no longer STEM but STEAM. The whole point is to provide people with foundations which aren’t one sized fits all linear rote learned silo mentality mental models.

There’s actually quite a lot of data in the breakdown and surrounding company announcements but nobody is looking at it. Most of the commentary is mostly male dominated, trying to look superior with a trace of mocking thrown in. The surrounding public discussion isn’t that hot either. Journalists have run with the easily wrapped up meme, and most below the line comment across the internet is either nitpicking or made in hindsight. Very little of it is usable.

Myself I feel Kaseya fell foul of this kind of model themselves.

We build more and more complex systems which exist to deal with more and more complex problems caused by building more and more complex systems. Organisational dynamics creeps in. Ego creeps in. The original aim and purpose begins to be swapped for firefighting under pressure.

You can find all of this in public law as well as other spheres of law as the underlying patterns are the same. Then you can have other specialisms kick in. Most of this is spread around all over the place from tribunals examining gross misconduct to the high court. There can be a lot of science buried under this from information flows, to discovering deleted or manipulated data, to health and safety including occupational health, psychology, sociology, and formal philosophy. People rarely get to see this as courts and lawyers take shortcuts. It’s very very rare anyone gets to see the full free form raw data as debriefing to get that would take as long as bringing a court case. There’s also deep analysis which you can begin to extract otherwise hidden data from spare data points.

The maths and handwaving about power, status, and wealth can only go so far. Yes, it is right that people be aware of general principles but being aware of general principles and learning about the underlying skills and knowing what data to collect are something else and these are typically not within the remit or experience or competencies of most people as for good or ill we specialise due to the sheer weight of work required or very simply we do not have the time.

Then there is the issue of culture which wraps all this up. To keep it short most nation states or regions have their competencies too. The US is very technocratic and unipolar and to some degree macho as well as having priorities and interests hence the main strand of discussion. Other countries have different arrangements. By way of A/B testing a problem is going to look very different to a technocrat and a social engineer.

I’m waffling but you know as well as I do the problem is often something else somewhere else and never found in the maths or historical record.

ADFGVX July 9, 2021 10:45 PM

Roger Schlafly • July 9, 2021 10:05 PM

No, there is nothing wrong with using floats in crypto. Yes, they can be rounded, but refusing to use them for that reason is like refusing to use integers because they can overflow.

I am of the same opinion. If there is a sort of function like a hash intended to be “one-way” then the rounding might not be a problem as long as it is guaranteed (as for example to IEEE standards) to give the same result for the same computation on every architecture.

If a crypto computation involving floats is intended to be reversible, then there needs to be some accounting or allowance or extra storage or restoration for the bits that are rounded off.

Let’s say for example some sort of Fast Fourier Transform based technique using floating point arithmetic to “scramble” or “encrypt” a jpeg or other image file — or even a movie or audio file — which may be perfectly acceptable if the bits rounded off do not affect the image or sound quality noticeably.

Pictures, audio, and video are essentially the types of analog information good to encrypt and most suitable for floating point computation.

Goat July 10, 2021 2:51 AM

Free/Libre pw managers like keepassxc and bitwarden are available, why use kaspersky?

Clive Robinson July 10, 2021 5:30 AM

@ echo,

You left out

Not really, it’s covered by,

“If the data is not available for some reason all you can analyze is,”

It covers all manner of sins we see played out as “commercial in confidence” or similar “we are not going to make it available” arguments that organisations pull.

Along with the old “not testifying in court, Barrister will speak on behalf of the organisation” where a Barrister can not commit perjury as what they present is the Barrister’s understanding of information provided not under testimony by their client.

Thus the old,

“I see no evil, I hear no evil, Therefore I speak no evil, Thus there is no evil”

argument that gets the client neatly off the hook and falsehoods magically become truths.

Even though I’ve seen it going on in court the judges just nod it by… I suspect that you are likewise aware of it. But to bring it up gets you viewed as a “conspiracy nut” or “being awkward” at best.

Anonymous July 12, 2021 8:19 PM

@Clive Robinson

On “shelling out”, and using ps or /proc to see the list of running commands:
Any shell command worth its salt offers methods to transfer sensitive information that aren’t command-line flags. Be that a permissions locked domain socket, a localhost port, a permissions locked file in /tmp or in a tmpfs mount, getpass utility, etc. None of those leak data through ps.

So it “depends” on whether or not the tools in use were built in a manner competent to the attack surface in question. Monolithic binaries can do things poorly, but even collections of bash scripts authored by a sea of different people can potentially do things right as long as every single party in the chain employs the right data hygiene practices. 🙂
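The point made in the comment above (command-line flags leak through `ps`, while stdin, a permission-locked file or a socket do not), as an added example written for this page and not code from the commenter. The child process is a constructed throwaway Python snippet that reports back its own argv together with the secret it received, so the three hand-over methods can be compared without depending on `/proc` being available.

```python
"""Added example (not from the thread): three ways to hand a secret to a
child process, and what an observer of the process list would see.

The child is a constructed throwaway Python program that reports its own
argv (the part `ps` / /proc/<pid>/cmdline exposes to other users) together
with the secret it received.
"""
import json
import os
import subprocess
import sys
import tempfile

# Child program: receives the secret by the mode named in argv[1] and
# echoes back {"argv": [...], "secret": ...} as JSON.
CHILD_SOURCE = """
import json, sys
mode = sys.argv[1]
if mode == "argv":
    secret = sys.argv[2]                     # leaks via the command line
elif mode == "stdin":
    secret = sys.stdin.readline().rstrip("\\n")
elif mode == "file":
    with open(sys.argv[2]) as fh:            # argv carries only a path
        secret = fh.read()
else:
    raise SystemExit("unknown mode")
print(json.dumps({"argv": sys.argv[1:], "secret": secret}))
"""


def _run_child(args, stdin_text=None) -> dict:
    proc = subprocess.run(
        [sys.executable, "-c", CHILD_SOURCE, *args],
        input=stdin_text, capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


def pass_via_argv(secret: str) -> dict:
    """Insecure: the secret is part of the command line for the child's whole run."""
    return _run_child(["argv", secret])


def pass_via_stdin(secret: str) -> dict:
    """Pipe the secret on stdin; the command line never contains it."""
    return _run_child(["stdin"], stdin_text=secret + "\n")


def pass_via_private_file(secret: str) -> dict:
    """Write the secret to a file only the current user can read and pass the path.

    tempfile.mkstemp creates the file with mode 0600 on POSIX (on Windows the
    ACL is inherited from the temp directory, so verify it there).
    """
    fd, path = tempfile.mkstemp(prefix="secret-")
    try:
        with os.fdopen(fd, "w") as fh:
            fh.write(secret)
        return _run_child(["file", path])
    finally:
        os.unlink(path)


def command_line_leaks(result: dict, secret: str) -> bool:
    """Would a `ps` reader of this child's argv have learned the secret?"""
    return any(secret in arg for arg in result["argv"])
```

Only the first method puts the secret where every local user can read it; the other two keep argv free of it, which is the property the commenter is asking each link in a script chain to preserve.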

Clive Robinson July 13, 2021 1:46 AM

@ Anonymous,

but even collections of bash scripts authored by a sea of different people can potentially do things right as long as every single party in the chain employs the right data hygiene practices.

So three primary problems,

1, Every,single party.
2, The right methods.
3, Knowledge of all the methods.

Whilst the first problem area can be reduced using a small team and appropriate secure build and operate practices[1].

You actually need the team people to have a high level of knowledge in the second problem area.

And to check over those people… in another group you need to have significant knowledge in the third problem area to,

A, Sanity check the, first group.
B, Hunt for “insider attacks”.

Which brings in the fourth problem area,

4, Are management going to allow such experience to become available in an organisation.

To which the sad answer is “probably not”. The SysAdmins over in the “Powershell camp” have a historic record of getting it wrong often badly in that commercial OS Domain. There are many actual “whys” but behind it, “management underinvestment” is the root cause.

Whilst back in the original “sh/csh” domain the history is sketchy so difficult to judge and often happens because of SysAdmins “self learning”. Which whilst it is “generally a good thing” often leads to “incomplete knowledge”.

I’ve personally written *nix shell scripts that have “hidden side effects” in the past that appear to do exactly as they are supposed to… until they don’t and are very hard to spot even by supposed “top flight Old School SysAdmins”.

So whilst what you suggest is possible, actually how probable is it?

It’s a question I asked myself many many years ago, and did some research into it. So if you look on this blog under Castle’s -v- Prison’s, or C-v-P or just CvP you will find numerous discussions on how to make the equivalent of shell scripting very much more secure not just to write them but also when they are executed.

[1] No I’m not talking about “code signing” here, that is just “encrypted comms” and it’s security end points fall well short at either end, to be even remotely considered secure.

Me July 13, 2021 6:51 AM

@Bruce

“Its single source of entropy was the current time”
I wouldn’t call it source of entropy. Sequence of any sort, time included, does not provide entropy.

Clive Robinson July 13, 2021 8:38 AM

@ Me,

Sequence of any sort, time included, does not provide entropy.

There is quite a difference between a “sequence” and the output of a physical source like a “clock”.

Whilst the former being in effect “dimensionless” the latter is not.

So you get the likes of “jitter”, “drift” and “meta-stability” in the clock generator. Along with thermal noise, avalanche noise and flicker noise in the devices, as well as power supply noise, and cross modulation from other parts of the circuit all creating a “signal in noise” which by definition creates measurement “uncertainty”.

It is the uncertainty and other defects that you are exploiting to get your entropy source from the noise surrounding the clock signal, not the sequence that ordinarily would be the desired clock sequence.

On a PC you would expect about 1 part in 500,000 “noise” that would be averaged down by clock division.

So not a particularly high rate of “entropy” but it is there, you can “see it” therefore you can “use it”.

The real question of course is “Is the noise random or chaotic?” If the latter then there are ways to remove it down stream of the measurement processes.

I hope that helps.
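The exchange above turns on the difference between the clock’s value (a sequence, guessable) and the noise around it (entropy). An added example written for this page, modelling the flaw class the post describes: a non-cryptographic PRNG whose only seed is a timestamp in seconds. This is not the product’s actual generator (the page does not show it); the charset, password length, timestamp and search window are constructed for illustration, and `secrets` is used for the contrasting correct version.

```python
"""Added example (not from the thread): recovering a password whose only
'entropy' was a timestamp, and the correct alternative.

Models the flaw class described in the post (a non-cryptographic PRNG seeded
with the current time). It is NOT the generator from the product; charset,
length, timestamp and seed window are constructed for illustration.
"""
import math
import secrets
import string
from random import Random

# Constructed charset: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def weak_password(seed: int, length: int = 16) -> str:
    """Deterministic password from a Mersenne Twister seeded with one integer.

    Every symbol depends only on `seed`, so the password carries at most
    log2(number of possible seeds) bits of entropy, however long it is.
    """
    rng = Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(length))


def recover_seed(password: str, window_start: int, window_end: int):
    """Brute-force the seed over a window of Unix timestamps (in seconds).

    Returns the seed that reproduces `password`, or None if it is outside
    the window. A whole day is only 86400 candidates.
    """
    for candidate in range(window_start, window_end):
        if weak_password(candidate, len(password)) == password:
            return candidate
    return None


def strong_password(length: int = 16) -> str:
    """The fix: draw every symbol from the OS CSPRNG via `secrets`."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def apparent_entropy_bits(length: int) -> float:
    """What a user would assume: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def actual_entropy_bits(seed_window_seconds: int) -> float:
    """What the attacker faces when the seed is a timestamp: log2(window)."""
    return math.log2(seed_window_seconds)
```

A 16-symbol password from this alphabet looks like roughly 105 bits of entropy, but if the attacker knows the creation time to within a day the search is about 16.4 bits, a few thousand to a few hundred thousand trial generations. The same brute force is impossible against `strong_password`, which has no seed to enumerate.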
