The Internet of Broken Protocols: Showcase #6
(complete list of showcases: https://vnhacker.blogspot.com/search/label/The%20Internet%20of%20Broken%20Protocols)
It's been a while :-). Today I found this little gem while auditing an obscure security system. Please identify any weaknesses. You can post your solution as a comment or email me at thaidn@gmail.com. Enjoy!
Notation:
* E(K, bytes) is 3DES in CBC mode with zero padding and zero IV.
Client and server share two 3DES keys K1 and K2, each 24 bytes long.
1/ Client sends hello.
2/ Server randomly generates and caches 8-byte RAND_S. Denote the first 4 bytes of RAND_S as S1, and the next 4 bytes as S2.
Server sends RAND_S.
3/ Client randomly generates and caches 8-byte RAND_C. Denote the first 4 bytes of RAND_C as C1, and the next 4 bytes as C2.
Client sends E(K1, RAND_S) || RAND_C.
At this point the client computes the session key. It computes T = E(K2, C1 || S1 || C2 || S2). Denote the first 8 bytes of T as T1, and the next 8 bytes as T2. The session key KM is T1 || T2 || T1.
4/ Server computes E(K1, RAND_S) and compares with the value it receives from client. If it doesn't match, the connection is rejected. Otherwise it sends E(K2, RAND_C).
At this point the server computes the session key KM.
5/ Client computes E(K2, RAND_C) and compares with the value it receives from server. If it doesn't match, the connection is rejected. Otherwise it starts sending commands.
Commands are not encrypted, but only authenticated using CBC-MAC with zero padding and zero IV, with KM as the key.
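The handshake and the command MAC above, as an added reference implementation that is not code from the post or from the audited system. The message layouts, E(), the KM derivation and the CBC-MAC follow the post exactly; the function names, the transcript format, the sample keys and nonces, and the reading of "zero padding" as padding only up to the next 8-byte boundary are assumptions made for illustration. Since the protocol only ever uses E() in the encryption direction, the script falls back to a clearly labelled keyed stand-in when neither pycryptodome nor cryptography is installed, so the protocol logic runs offline either way.

```python
"""Reference implementation of the Showcase #6 handshake and command MAC.

Added example: not code from the post or the audited system. Message layouts,
E(), KM derivation and CBC-MAC follow the post; names, the transcript format
and the sample keys/nonces are assumptions made for illustration.
"""
import hmac
import os

BLOCK = 8  # DES/3DES block size in bytes


def _load_block_cipher():
    """Return a single-block 3DES encrypt function from whatever is installed.

    The protocol only ever encrypts (challenge-response, key derivation,
    CBC-MAC), so when no 3DES library is present a keyed one-way stand-in
    is enough to run the logic offline. That stand-in is NOT 3DES.
    """
    try:
        from Crypto.Cipher import DES3  # pycryptodome
        return lambda key, blk: DES3.new(key, DES3.MODE_ECB).encrypt(blk)
    except ImportError:
        pass
    try:
        from cryptography.hazmat.primitives.ciphers import Cipher, modes
        try:  # cryptography >= 43 moved TripleDES to the "decrepit" module
            from cryptography.hazmat.decrepit.ciphers.algorithms import TripleDES
        except ImportError:
            from cryptography.hazmat.primitives.ciphers.algorithms import TripleDES

        def enc(key, blk):
            e = Cipher(TripleDES(key), modes.ECB()).encryptor()
            return e.update(blk) + e.finalize()
        return enc
    except ImportError:
        pass
    # Stand-in keyed PRF (HMAC-SHA256 truncated to one block): NOT 3DES.
    return lambda key, blk: hmac.new(key, blk, "sha256").digest()[:BLOCK]


block_encrypt = _load_block_cipher()


def E(key: bytes, data: bytes) -> bytes:
    """E(K, bytes) as the post defines it: 3DES-CBC, zero IV, zero padding.

    Assumption: zero padding appends 0x00 bytes only up to the next block
    boundary, so block-aligned input is encrypted unchanged.
    """
    if len(data) % BLOCK:
        data += b"\x00" * (BLOCK - len(data) % BLOCK)
    prev, out = bytes(BLOCK), bytearray()
    for i in range(0, len(data), BLOCK):
        prev = block_encrypt(key, bytes(a ^ b for a, b in zip(data[i:i + BLOCK], prev)))
        out += prev
    return bytes(out)


def derive_km(k2: bytes, rand_c: bytes, rand_s: bytes) -> bytes:
    """KM = T1 || T2 || T1 where T = E(K2, C1 || S1 || C2 || S2)."""
    c1, c2 = rand_c[:4], rand_c[4:]
    s1, s2 = rand_s[:4], rand_s[4:]
    t = E(k2, c1 + s1 + c2 + s2)
    t1, t2 = t[:BLOCK], t[BLOCK:2 * BLOCK]
    return t1 + t2 + t1  # 24-byte 3DES key whose first and third parts coincide


def cbc_mac(km: bytes, command: bytes) -> bytes:
    """Tag = last CBC block of E(KM, command); commands themselves stay in clear."""
    return E(km, command)[-BLOCK:]


def verify_command(km: bytes, command: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(cbc_mac(km, command), tag)


def run_handshake(k1, k2, rand_s=None, rand_c=None, client_response=None):
    """Run steps 1-5; return (KM at client, KM at server, transcript).

    rand_s / rand_c default to fresh random nonces. client_response lets a
    test feed the server a wrong E(K1, RAND_S) to exercise its reject path.
    A rejected connection yields None in place of the KM values.
    """
    transcript = [("client", b"hello")]                        # 1/
    rand_s = rand_s or os.urandom(BLOCK)                       # 2/
    transcript.append(("server", rand_s))
    rand_c = rand_c or os.urandom(BLOCK)                       # 3/
    resp = E(k1, rand_s) if client_response is None else client_response
    transcript.append(("client", resp + rand_c))
    km_client = derive_km(k2, rand_c, rand_s)                  # client has KM now
    if not hmac.compare_digest(E(k1, rand_s), resp):           # 4/
        return None, None, transcript                          # server rejects
    server_reply = E(k2, rand_c)
    transcript.append(("server", server_reply))
    km_server = derive_km(k2, rand_c, rand_s)                  # server has KM now
    if not hmac.compare_digest(E(k2, rand_c), server_reply):   # 5/
        return None, km_server, transcript                     # client rejects
    return km_client, km_server, transcript


if __name__ == "__main__":
    K1, K2 = bytes(range(24)), bytes(range(24, 48))  # constructed sample keys
    km_c, km_s, tr = run_handshake(K1, K2)
    print("KM agreed:", km_c == km_s, "KM =", km_c.hex())
    tag = cbc_mac(km_c, b"OPEN RELAY 3")  # constructed sample command
    print("command verifies:", verify_command(km_s, b"OPEN RELAY 3", tag))
```

Both endpoints verify the other side's response with `hmac.compare_digest` rather than `==`, and the transcript returned by `run_handshake` is the exact byte sequence an observer of the wire would see, which makes it convenient to reason about what each field reveals when auditing the scheme.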