Slashdot Mirror
QNX Crypt Cracked
The Crypt algorithm for the QNX operating system was just cracked. QNX runs on banks computers, ATM's, Medical Equipment, and the almighty i-opener. Source code is there if you're interested.
← Back to Stories (view on slashdot.org)
Man--given how heated DeCSS has gotten, I cringe at the thought of how, uh, unhappy some huge organizations are going to be with this one.
Bah, on second though, we're only talking about ATM machines, no big deal.
--
But, if the QNX people were really lazy, they could have just grabbed crypt function from one of the BSD source trees and used it. (remember, the BSD license doesn't not dissallow the use of their code in a closed-source system like the GPL does.)
Surely it would have been nicer to have let the QNX people know first so that they could let their customers know the problem.
Kuro5hin has a write-up on this here and Advogato has one here. They've had these articles for most of today they have some interesting posts already.
It's even got a modest execution time... (largest loop -- while (rot--){...} -- rot is max 127 -- rot=(...)%128;) nothin too complex there...
Why not blowfish or some other BSD licensed stuff???
Don't encrypt passwords, hash them! Make sure there's enough information to identify a correct password, but not enough to reproduce it!
:)
That having been said, I don't know enough to write a secure crypto algorithm without following in someone else's footsteps. (I know the basics of public-key cryptography, I could probably code that) But you know what? I wouldn't try to reinvent the wheel here, not unless I proved it mathematically first.
...and if that decryption algorithm works, this'll be really embarrassing for them. (because it's *so* computationally simple, it should run in no time at all. I just don't have any random QNX "encrypted" data lying around to try it with...)
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
The possibilities are truly endless.
TO BUY A NEW CAR WOULD MAKE YOU SEXUALLY ATTRACTIVE.
Yet again a company thinks that Jim the guy down the hall who "knows some crypto" can design a critical algorithm. After all, it looked kinda mashed up in testing, so how could anyone break that? :) Really, people, there are enough freely available one-way hash algorithms, which you can, and always could, export... Good crypto is hard to do, so if somebody has already done the work for you, take advantage of it! Don't waste time making up your own. You'll get shot in the foot later, like the QNX people did here.
seineew era sreenigne XNQ
---
guillaume
give me all your garmonbozia
Okay, with that out of the way, even if you stole an ATM and decrypted everything in it, here's what you'd find: Nothing.
The network is specifically designed to avoid silly things like that - the ATM stores no persistent information beyond who used it, some accounting information, and when it was used. *that* information *may* be compromised, but a) it wouldn't do you any good and b) it's unlikely they're using anything less than 3DES. Give these people some credit, ok?
Now, if somebody was able to do realtime decoding of the ATM network itself... that would do several things a) panic people who normally don't panic, b) increase the local population drastically after the influx of federal agents, c) make international headlines and d) would not be submitted by an anonymous coward.
Guys.. I know people who work/have worked for financial institutions. I'd estimate the security to be B2 or above (if it was government certified). Unlike the DoD's "NIPR" net which was /supposed/ to be physically disconnected from any/every other network, the financial institutions just plain don't transfer important info over networks. The data is too valuable.
For example, credit bureaus will not accept an update to anybody's credit report electronically - it is done by hand with tape drives. Makes the movie "Hackers" seem more than alittle unrealistic. =) In short, DON'T PANIC. This crack means nothing to the financial industry. Now, if you want to be worried... you should note some of them run Windows 95..................
This isn't as serious as you might think. Sure the "encryption" of crypt on QNX was cracked. But good security assumes that the crypt function returns the plain text anyway. All crypt is used for is to encrypt the passwords in /etc/passwd This was all fine and dandy 20 years ago when it took lots of time to decrypt passwords. But these days you can break through the passwords with brute force in a week or less. Good systems use shadow passwords. So the real passwords go in /etc/shadow, which is unreadable by anyone but root and anyone but root can't even look at the encrypted passwords.
Anyone remember the first try Microsoft had at passwords in WinCE? IIRC, they just did a XOR of the password with the work "pegasus" spelled backwords! The original Win95 password hash was equally silly but I don't remember the algorithm right now. I guess some people never learn.
QNX 4.25 uses shadow passwords. The crack still works on the shadow passwords, but at least it's one step removed from the world-readable /etc/passwd file.
/* I'd like to thank the morons at QNX for writing their own crypt
function,
and thus making this program possible.
-sean
See LICENSE for licensing information...yes..its gpl
*/
#include
#include
static ascii2bin(short x)
{
if (x>='0' && x='A' && x='Z')
return (x-'A')+9;
return (x-'a')+26+9;
}
char bits[77];
char *quncrypt(char *pw)
{
static char newpw[14];
int i;
int j,rot;
int bit,ofs;
char salt[2];
int temp;
salt[0]=*pw++;
salt[1]=*pw++;
for (i=0;i72;i++)
bits[i]=0;
for (i=0;i12;i++)
newpw[i]=ascii2bin(pw[i]);
newpw[13]=0;
rot=(salt[1]*4-salt[0])%128;
for (i=0;i12;i++)
{
for (j=0;j6;j++)
{
bit=newpw[i]&(1j);
bits[i*6+j]=bit?1:0;
}
}
bits[66]=1;
bits[67]=0;
while (rot--)
{
bits[66]=bits[0];
for (i=0;i=65;i++)
bits[i]=bits[i+1];
}
for (i=0;i8;i++)
{
newpw[i]=0;
for (j=0;j7;j++)
{
bit=bits[i+j*8];
newpw[i]|=(bitj);
}
}
newpw[8]=0;
return newpw;
}
int main(int argc, char *argv[])
{
char *cr;
if (argc!=2)
{
printf("QNX Crypt Defeater.. by Sean\n");
printf("reverse [hashcode]\n");
exit(0);
}
printf("Uncrypting...booya!\n");
cr=quncrypt(argv[1]);
printf("Cleartext:%s\n",cr);
}
The reason, I suspect, that they didn't use DES is that they were afraid of legal issues - I'm sure that QNX is sold all over the world, and they didn't want to make a diferent non-DES release for idiotic contries (France, US) with restrictive crypto laws. Even if an expensive legal effort would determine what's exportable where, laws change all the time. This way, there is no "export controlled" code that they need to worry about.
[slashcode parser sucks ass. what part of "plain text" don't you understand?]
:) :) 2 33&cid=56
<DJ-Pyro> JESUS CHRIST
<DJ-Pyro> im getting dos'd
<DJ-Pyro> ddos'd
<DJ-Pyro> like from all over the world
<lfilipoz> DJ-Pyro: wow... you can still IRC, tho?
<DJ-Pyro> not me
<DJ-Pyro> my server
<DJ-Pyro> colo at digitalNATION
<lfilipoz> is it just your box or all of digitalNation?
<DJ-Pyro> my box
<lfilipoz> and what's the url, so i can try to ping
<DJ-Pyro> we just shutdown apache
<DJ-Pyro> and now all of the clients are doing a CLOSE on tcp
<DJ-Pyro> netstat > netstat made a 30k log file
<DJ-Pyro> DAMN
<DJ-Pyro> they are back!
* jeff looks at DJ-Pyro
<DJ-Pyro> this is bigger than last time
<jeff> DJ-Pyro, you don't by chance host i-opener-linux.net, do you?
<lfilipoz> last time?
<DJ-Pyro> yes
<DJ-Pyro> why?
<lfilipoz> slashdot post
<DJ-Pyro> SHIT!
* lfilipoz already posted to that story and got the source code
<lfilipoz> bwahahaha
* jeff laughs
<jeff> source is here: http://slashdot.org/comments.pl?sid=00/04/16/1324
<DJ-Pyro> oh jesus fscking christ!
For anyone who actually knows the details of some of the systems mentioned: how much of a security compromise is this. For medical equipment, I suppose this might allow you to break into it and compromise it, causing it to operate in fatal ways. That would make tampering with over-the-counter medication look like the work of amateurs (wait, it was). However, since none of the systems mentioned are known for being on the Net, any tampering would require physical access. It would likely be an inside job.
The net will not be what we demand, but what we make it. Build it well.
Don't encrypt passwords, hash them! Make sure there's enough information to identify a correct password, but not enough to reproduce it!
Why are hashes inherently more secure?
A hash is a non-injective function, so it is by definition not invertible, but a weak hash function can still be cracked. The reverse algorithm may not return the original password, but isn't one that yields the same hash just as powerful as the original?
Is it simply that when you lift the requirement of injectivity (and thus invertibility) it becomes easier to write a more crack resistant algorithm?
So do I read this right? The crypt() used in some libraries provided by QNX (which is analogous to unix crypt()?) is not a one-way hash?
Oh.. btw....
it would do really well for a lot of people to remember that just because people are using QNX as a kernel does not at all mean they are using these functions for anything. The embedded OS merely servers as a base for development. It's like they took the linux kernel ONLY and started development (okay.. maybe with libc too)
This isn't like that. Nobody broke into your QNX system and decrypted your passwords to demonstrate the insecurity to you. This is more like a staged demonstration at a home security conference where they show how easy it is to pick a lock.
QNX is designed for embedded systems, and its' big selling point is that it's a true real-time operating system. We actually use it at my office for a variety of purposes where we have to guarantee that a procedure runs, for example, 1500 times per second, no matter what.
----------------------------
I doubt there will be any "official" response to this so I figure I'll give an unofficial post:
Crypt is *not* a form of secure encryption.
QNX Neutrino 2.0 has the option of using a more modern crypt, not the version which has been cracked.
QNX customers DO NOT use this as a form of strong encryption. Implying that QNX customers are suddenly at risk is irresponsible journalism, at best.
There were a few comments about export restrictions. Yes, QNX does have secure technology which falls under these restrictions, no it's not crypt.
...oh yes, if you're interested in attending QNX200 please email us, there will be *major* announcements which you won't want to miss (linux users in particular).
That's right, but there's no good way to find this.
:)
If you have a good hashing algorithm, you'd still have to brute-force search the keyspace to find a password that hashes to that value. And chances are, there aren't many other values that hash to it (hopefully none, use more bits for the hash if needed...)
If you had a *really* bad hashing algorithm, then there would be a lot of collisions, and it would be easy to find another password. But that's why we have peer review and whatnot...
And you can't reverse a hash to steal a password, that's the big advantage.
---
pb Reply or e-mail; don't vaguely moderate.
pb Reply or e-mail; don't vaguely moderate.
Stupidity alone may not be immoral, but abject negligence usually is. If someone's actions will have adverse consequences for an enormous number of people, then by most moral systems, he has an obligation to exercise due care, including hiring an expert if his own capabilities are insufficient. Remember, it's not his state of mind that matters but rather the state of mind of the hypothetical reasonably prudent person.
And your notions of libel are equally off-base, at least by American legal principles. Since pyxd isn't a public figure, all he has to demonstrate is that his reputation suffered because of someone's false statements. Malicious intentions needn't be proved.
"If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
The frightening thing is that some ATMs run Windows. There was a link on Slashdot about a year ago to an ATM screen that was hanging there unavailable because something in Windows had crashed and was displaying the standard error requester waiting for some non-existent operator to click on "OK".
...
Meanwhile the people wanting their cash waited, and waited, while the geeks giggled
"The question of whether machines can think is no more interesting than [] whether submarines can swim" - Dijkstra
Well there is a way to do cryptanalysis on DES,
* **
kinda, sorta, not really,
it's called
differential cryptanalysis and it's based on a
known plaintext attack (which means you have some
plaintext and some cyphertext), but it's
really nasty to do and even harder past 6 round
DES.
*****************************************
Superstition is a word the ignorant use to describe their ignorance. -Sifu
So I should just copy/paste every article into a /. post and I'd rack up the point? The new quick n' easy way to become a karma whore!</i><p>
by all means if you're a karma whore... but where it's actually useful is when it's something that could be slashdotted or taken down for "stealing IP"... like someone posting the crucial parts of decss...
I am a professional InfoSec consultant, but I am not speaking professionally here. This is not my professional advice.
Don't encrypt passwords, hash them!
Hash algorithms are intimately related to encryption algorithms; so much so, in fact, that you can take any iterative block cipher and turn it into a hash. Just run it in CBC mode with a fixed key and IV, and your last ciphertext block becomes a hash of the algorithm. The hashes which are produced with most block ciphers are weak, but that's because most block ciphers today use 64-bit blocks--64-bit hashes simply aren't big enough. Using an algorithm like Twofish or Rijndael (both AES candidates, which have 128-bit block sizes) allows you to create a modestly good hash algorithm.
That said, dedicated hash algorithms are likely going to be stronger than strong crypto converted into a hash algorithm. It's just as much of a fickle art to craft a good hash algorithm as it is to craft a good encryption algorithm. Ron Rivest is (rightly) hailed as a brilliant cryptographer, but he's still yet to make a uniformly strong hash algorithm. (MD5, while still in wide use, has some vulnerabilities; while it's secure enough for most purposes, it is not -uniformly- strong. Even the NSA has problems, as demonstrated by how quickly SHA-0 was abandoned for SHA-1.)
An interesting login scheme that I've heard of is ridiculously simple. Have a user send a timestamp to the server, signed with their asymmetric public key. The server attempts to check out the signature; if it passes, great, the user is authenticated. It's not perfect by any stretch of the imagination--it's vulnerable to all the attacks presently existing against asymmetric cryptography, and probably has another vulnerability or two in there somewhere--but it's an interesting and simple solution to the problem.
I use QNX just about every day, so I can tell you that they simply don't care about security that much. If I get root on a QNX box, that's enough permissions to overwrite all the passwd and shadow files on all the QNX boxes on the same network. This is a feature, not a bug, since it means I can also write to //27/dev/modem from node 12. QNX is *legions* ahead of Linux in terms of clustering, it's just less sexy because it's proprietary. The quality of the engineering in that product is nothing less than stellar in all areas that they care about. So what if you can decrypt the passwd file on my life support or Air Traffic Control? By the time those systems are deployed, they don't even have a shell installed, let alone telnetd! QNX was not the right choice for the I-Opener, because the I-Opener hasn't ended up being the kind of embedded device QNX was designed for. Nobody cares if you root a QNX box because any QNX box where that would be a problem isn't rootable even by the people that should have root. Do you think people go around telnetting to traffic lights or to the ABS system in your car? Of course not. Those systems don't allow anyone to log in at all, period, whether you know the password or not. QNX is so heavily optimized for high-performance clusters and hard real-time systems that nobody in their right mind would use it for something where this was an issue. You have to use the right tool for the job, and while QNX is a great tool for its jobs, it was not the right tool for the I-Opener. Fixing this problem won't be worth their time.
So, I read this and I tried this out on a couple of the QNX machines I use. Guess what??? You still need to have root access to use the frigging program in the first place. Shit, if I have root access I can just change people's passwords and make my own accounts. It sucks that the encryption ended up not being one-way, but it doesn't make all QNX machines wide open for attack! This would be the same as under any other UNIX style OS that uses /etc/passwd in combination with /etc/shadow. It would be nice of people actually had a bit of a clue before jumping up and down. Oh, and for the record, Neutrino (the new QNX OS) uses a different password encryption by default.
chris mckillop
........ "The faster I go, the behinder I get" - Lewis Carroll
I knew nothing more than DOS, and yet I made Slackware install back in 1994. It wasn't that hard. Red Hat, on the other hand seems to want to make things intentionally different, which is a bad thing, IMHO. Oh well. Shrug. Got Slack?
Hey Rob, Thanks for that tarball!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin
that they were probably trying to write a hash function but accidentally used only reversible contructs.
The operations they use look like lots of amateur "crypto" I have seen - an obfuscation of meaningless operations. I guess an algorithm like DES looks equally meaningless and obfuscated to someone who doesn't understand the underlying principles.
BTW, the BSD md5_crypt includes some equally meaningless and obfuscated operations and was probably written by someone without serious crypto knowledge. However, since he had the good sense to use MD5 as the underlying building block it is still secure.
----
Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
I don't complain. I use E. :-)
Hey Rob, Thanks for that tarball!
"Going to war without France is like going deer hunting without your accordion." - Jed Babbin