Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com)

← Back to Stories (view on slashdot.org)

Socat Weak Crypto Draws Suspicions Of a Backdoor (threatpost.com)

Posted by timothy on Tuesday February 2, 2016 @09:24AM from the giving-away-our-best-tricks dept.

msm1267 writes: Socat is the latest open source tool to come under suspicion that it is backdoored. A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime. "The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p," the advisory said. "Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out." Socat said it has generated a new prime that is 2048 bits long; versions 1.7.3.0 and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.

27 of 50 comments (clear)

Min score:

Reason:

Sort:

There seem to be a lot of these backdoors by Anonymous Coward · 2016-02-02 09:30 · Score: 2, Insightful

Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.
1. Re:There seem to be a lot of these backdoors by gstoddart · 2016-02-02 09:35 · Score: 4, Insightful
  
  Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.
  In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.
  Screwing it up, however, can be done by any moron.
  Which happened here? Who the hell knows.
  
  --
  Lost at C:>. Found at C.
2. Re:There seem to be a lot of these backdoors by Anonymous Coward · 2016-02-02 09:39 · Score: 2, Insightful
  
  > Which happened here? Who the hell knows.
  Oh please.
  You're probably trying to do the "it's just incompetence, not malice" thing.
  But after seeing this pattern over and over.. no, it reeks of manipulation.
  Any advanced malice is indistinguishable from incompetence.
3. Re: There seem to be a lot of these backdoors by Anonymous Coward · 2016-02-02 09:50 · Score: 1
  
  I thought it was called a backhole?
  Just like your mother, Trebek.
4. Re:There seem to be a lot of these backdoors by mugurel · 2016-02-02 09:52 · Score: 2
  
  Putting on my tin-foil hat, it almost seems like there is a coordinated program to backdoor security products, and attribute them to a 'mistake'. But that's just me being paranoid.
  speaking of which, did you ever check your tin-foil hat for backdoors?
5. Re:There seem to be a lot of these backdoors by arglebargle_xiv · 2016-02-02 12:19 · Score: 3, Interesting
  
  Given that it also used 512-bit primes, which are toy keys that were weak twenty years ago, it's more likely a screwup. Seeing messed-up crypto written by people whose crypto knowledge extends to reading the Wikipedia page on RSA and perhaps one or two chapters of Applied Cryptography is pretty much par for the course.
  From a very brief Google of socat howtos, I couldn't see much about enabling or applying checking of certs, which means it probably doesn't do that either. In addition the advisory is pretty confusing, what does "OpenSSL address implementation" mean? Since the server supplies the DH values and OpenSSL itself has known-good DH values, why is there some other value hardcoded into socat?
6. Re:There seem to be a lot of these backdoors by techno-vampire · 2016-02-02 16:02 · Score: 1
  
  In fairness, intentionally weakening crypto requires as much understanding of it as doing it right.
  
  In this case, all it would have needed is understanding that it's important that the numbers used to generate the keys are prime and that substituting a composite number would make the keys easier to find. I'm not claiming that this is what happened, but it's not something that only a cryptography specialist could have come up with.
  
  --
  Good, inexpensive web hosting
This cannot happen accidentally by JoshuaZ · 2016-02-02 09:33 · Score: 5, Insightful

This cannot happen accidentally. We have for example versions of the Miller-Rabin test https://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test which easily test primality if you believe the Riemann Hypothesis and other versions which unconditionally give such a high probability that one is more likely to have had a cosmic ray wreck your computing results than for the test to be erroneous. You can use for example this Javascript http://www.javascripter.net/math/primes/millerrabinprimalitytest.htm. There's no obvious way one would come up with a composite number unless one was deliberately trying. Hopefully there's enough of a record to note when this fake prime was put in.
1. Re:This cannot happen accidentally by Anonymous Coward · 2016-02-02 09:37 · Score: 5, Funny
  
  This evening I'll reflect on your rant while performing the Miller-Coors test
2. Re:This cannot happen accidentally by JoshuaZ · 2016-02-02 09:43 · Score: 5, Informative
  
  Followup: acording to this thread https://news.ycombinator.com/item?id=11014175 the number in question fails at even being a pseudoprime for small bases, which means that even the most simple checks were not done. That thread also mentions the individual responsible for giving the "prime"- I'm not sure why he's not being grilled pretty heavily right now.
3. Re:This cannot happen accidentally by Pseudonym · 2016-02-02 10:48 · Score: 3, Informative
  
  It easily can happen accidentally. The probability of a bug in your implementation of the Miller-Rabin test (for a general "you") is quite high.
  Now look at the history here. The patch was submitted by someone who admitted "I don't have enough knowledge to implement the merge", and was accepted without any serious review. Looking at my own history of screwing up commits, it's fairly easy to see how this might have happened.
  I'm just lucky that none of mine had implications that serious. There but for the grace of His Noodly Appendage...
  
  --
  sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
4. Re:This cannot happen accidentally by Pseudonym · 2016-02-02 10:50 · Score: 1
  
  I'm not sure why he's not being grilled pretty heavily right now.
  Because 99% of the time, the process is to blame, not the person.
  
  --
  sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
5. Re:This cannot happen accidentally by Impy+the+Impiuos+Imp · 2016-02-02 11:33 · Score: 1
  
  Do we know the process that generated this number, and how it didn't include apparently minimal verification?
  
  --
  (-1: Post disagrees with my already-settled worldview) is not a valid mod option.
6. Re:This cannot happen accidentally by Gravis+Zero · 2016-02-02 12:12 · Score: 1
  
  A note in the commit indicates that Socat was not working in FIPS mode because it requires a 1024 Diffie-Hellman prime, and added that a developer named Zhiang Wang provided a patch with the new prime. The poster revealed that Wang works at Oracle and contributes to Socat.
  accidental or malicious, Mr. Wang is about to have a very bad day.
  
  --
  Anons need not reply. Questions end with a question mark.
7. Re:This cannot happen accidentally by sumdumass · 2016-02-02 12:13 · Score: 1
  
  While your at it, check to see if the numbers within the number can actually make a prime. What I mean is 457 is a prime but 475 isn't. So could it be a matter of a digit being transposed?
8. Re:This cannot happen accidentally by arglebargle_xiv · 2016-02-02 12:25 · Score: 1
  
  Yes it can. I get asked to do audits of crypto code and see stuff like this all over the place. You mention things like the Miller-Rabin test (I kinda like Frobenius myself) and the extended Riemann Hypothesis when the guy who wrote the code/made the change probably didn't get any further than using Google and copying the result from the first hit he found on Stackexchange, which copied it from somewhere else and got the endianness wrong or something (hmm, must find a machine with Mathematica and feed it in byte-reversed to see what drops out).
9. Re:This cannot happen accidentally by Dwedit · 2016-02-02 13:03 · Score: 1
  
  I was once in computer security class, and my miller-rabin primality test ended up calling an even number prime. I can totally see these failures happening.
10. Re:This cannot happen accidentally by germansausage · 2016-02-02 16:49 · Score: 1
  
  What sort of evil hold do they have on you that they can force you to drink Miller-Coors.
Technical discussion by bill_mcgonigle · 2016-02-02 09:49 · Score: 2

link to the technical discussion from the article (which propeller heads may safely skip).

--
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
The article doesn't mention by superwiz · 2016-02-02 10:02 · Score: 1

what is the length of the smallest prime factor of this "prime". the length of the smallest prime factor would determine the actual strength of the encryption.

--
Any guest worker system is indistinguishable from indentured servitude.
1. Re:The article doesn't mention by vux984 · 2016-02-02 10:20 · Score: 1
  
  Well, we can presume that at BEST its 512. (As two 512 bit numbers multiplied together is 1024 bits.)
2. Re:The article doesn't mention by superwiz · 2016-02-02 10:36 · Score: 1
  
  ageed. but it would just be nice if they mentioned what it was.
  
  --
  Any guest worker system is indistinguishable from indentured servitude.
3. Re:The article doesn't mention by xorbe · 2016-02-02 10:37 · Score: 1
  
  257 and 13597 were immediately found, per the thread
4. Re:The article doesn't mention by superwiz · 2016-02-02 10:49 · Score: 2
  
  eewwh... 271 is a factor:
  https://news.ycombinator.com/i...
  
  --
  Any guest worker system is indistinguishable from indentured servitude.
Let's use the proper terminology by pjcreath · 2016-02-02 10:20 · Score: 3, Informative

The correct term for this is backhole.
They can neither confirm nor deny by WillAffleckUW · 2016-02-02 10:39 · Score: 2

They can neither confirm nor deny, nor admit electronically or in print, that they have been backdoored.
Even if it's obvious (and a requirement) that they are.

--
-- Tigger warning: This post may contain tiggers! --
Oh, so now it's back to "backdoored"? by wonkey_monkey · 2016-02-02 11:25 · Score: 1

Socat Weak Crypto Draws Suspicions Of a Backdoor
I thought we were calling them "backholes" now?

--
systemd is Roko's Basilisk.