Wednesday, 3 August 2022

Operation ARC4

 

Operation ARC4

We (cyberstorm.mu ) decided to take this as a challenge: How can we make the Internet in Mauritius a little bit more secure against “Sniffing” attacks ?

We, the cyberstorm group, have been working on encryption since 2017, way before “Sniffing” became news for Mauritius. We implemented TLS 1.3 (An encryption system) inside several open source applications and forever changed the perception about Mauritius as a tourist-only destination (see: https://blogs.cisco.com/developer/ietf-103-hackathon) ! We are therefore keenly aware of where there could be potential weaknesses in the current Internet encryption systems.

In our efforts to make encrypted traffic more resistant for attackers, we have to think very hard about current weaknesses of encryption protocols such as TLS or SSH. One of the most critical components of ANY cryptographic protocol is a good source of random number generation. We have published our work within the Internet Engineering Task Force (IETF) which is the standards body for several encryption protocols such as TLS.

Indeed, if you look at TLS 1.3 IETF RFC 8446 :

If a server established a TLS connection with a previous version of
TLS and receives a TLS 1.3 ClientHello in a renegotiation, it MUST
retain the previous protocol version. In particular, it MUST NOT
negotiate TLS 1.3.
Structure of this message:
uint16 ProtocolVersion;
opaque Random[32];

Now, let us assume that the Random 32 bytes field wasn’t as randomized. After all, randomization is hard. Could this lead to a country being able to decrypt partially Internet traffic ? 


Could we make it more random ? Turns out OpenBSD developers got an idea. How about we make the rekey interval of arc4random(), a popular randomization API, less predictable ?


This is what we worked on during Operation ARC4 . A hackathon is a collaborative event where developers get together to work on specific goals in a limited amount of time. We audited several implementations of the arc4random() API and attempted to make it better. This particular patch was adopted in libbsd. There’s no time for long talks or endless debates. Our efforts will eventually ship in your Smartphones (Android or Iphone). If you're building any kind of online service using Linux or *BSD servers, you will also benefit from this ! The faster you update your servers and phones, the more secure you will be.


Why does cyberstorm.mu work on encryption? Short answer: We love it. Long answer is that we care about privacy of Internet Users. We see ourselves as artists and the internet is one big canvas. Unlike a lot of other IT people who have 0 coding in Open Source cryptographic/encryption code, we believe in “Rough consensus and running code”. In other words, actions speak louder than words. You can join the cyberstorm.mu community and actively take part in making the internet in Mauritius and around the world more secure by working with us on the facebook group:

https://www.facebook.com/groups/Cyberstorm.mu

Twitter:

https://twitter.com/CyberstormMu/



Loganaden Velvindron

(Cyberstorm.mu founding member)





xz without seatbelts ?

 XZ without seatbelts ? After the discovery of the xz backdoor by Andres Freund ( https://www.openwall.com/lists/oss-security/2024/03/29/4 )...