All our publications
Breaking Python's PRNG with a few values and no bruteforce
Python’s random module uses the Mersenne Twister PRNG, specifically MT19937. It is well known that this PRNG is not cryptographically secure: with access to 624 consecutive 32-bit outputs, the full internal state can be rebuilt and every subsequent output predicted. On the same subject, Ambionics Security demonstrated that it is possible to recover the Mersenne Twister seed knowing only two outputs of PHP’s mt_rand() function, without any bruteforce.
In this post, our focus will be on Python’s random implementation, drawing comparisons to PHP’s approach. We’ll cover the similarities and differences, particularly in how seeding is performed. Furthermore, we’ll demonstrate that even with a small number of outputs (as few as 6 for a 32-bit seed, akin to PHP), it’s feasible to deduce Python’s original seed.
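The state-recovery attack mentioned above (624 outputs, no bruteforce), as an added, runnable example that is not code from the original post. It inverts the MT19937 output tempering for each observed word, loads the recovered words into a fresh `random.Random` via `setstate`, and checks that the clone predicts the victim's next outputs. The victim generator, its seed and the call to `getrandbits(32)` are assumptions made for the demonstration; the tempering constants and the `setstate` layout (624 words plus an index) are CPython's.

```python
import random

MASK32 = 0xFFFFFFFF


def temper(y: int) -> int:
    """MT19937 output tempering, applied to a state word before it is returned."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift_xor(y: int, shift: int) -> int:
    # Invert y ^= y >> shift. The top `shift` bits are untouched by the forward
    # step, and each iteration recovers the next `shift` bits below them.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_shift_mask_xor(y: int, shift: int, mask: int) -> int:
    # Invert y ^= (y << shift) & mask, working from the low bits upward.
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ ((x << shift) & mask)
    return x & MASK32


def untemper(y: int) -> int:
    """Recover the raw state word from one 32-bit output (inverse of temper)."""
    y = _undo_right_shift_xor(y, 18)
    y = _undo_left_shift_mask_xor(y, 15, 0xEFC60000)
    y = _undo_left_shift_mask_xor(y, 7, 0x9D2C5680)
    y = _undo_right_shift_xor(y, 11)
    return y


def clone_from_outputs(outputs):
    """Build a random.Random whose state equals the generator that produced
    `outputs`, which must be 624 consecutive getrandbits(32) results."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # Index 624 means the whole state block has been handed out; the next call
    # performs a twist, exactly as the victim's generator is about to do.
    clone.setstate((3, state + (624,), None))
    return clone


def demo(seed: int, n: int = 5):
    """Constructed scenario: observe 624 outputs of a seeded generator, then
    compare the clone's predictions with the victim's real next outputs."""
    victim = random.Random(seed)           # assumed victim; seed is never used by the attacker
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_from_outputs(observed)
    predicted = [clone.getrandbits(32) for _ in range(n)]
    actual = [victim.getrandbits(32) for _ in range(n)]
    return predicted, actual


if __name__ == "__main__":
    predicted, actual = demo(seed=0xC0FFEE)
    print("predicted:", predicted)
    print("actual:   ", actual)
    print("match:", predicted == actual)
```

The example consumes `getrandbits(32)` because that call returns one raw tempered word. Outputs of `random.random()` are built from two words (27 and 26 bits each), and `randint`/`choice` discard bits through rejection sampling, so observations of those functions need the partial-word handling that the seed-recovery post discusses; the untempering itself does not change.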
Locking the Vault: The Risks of Memory Data Residue
Most of today’s applications handle sensitive data like passwords, cryptographic keys or any other confidential information. Managing these secrets is a fundamental responsibility of any application. However, what happens to them when they’re no longer needed? Their disposal becomes a non-negotiable aspect of data security as leaving traces can open a door for potential attackers.
In this post we will delve into the technical aspects of securely erasing sensitive data from memory, outlining why it’s essential and how to do it correctly. We’ll explore the often-underestimated risks associated with leaving remnants of such information in volatile memory and provide practical methods to ensure they are eradicated completely.
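An added Python example of the discipline the post argues for, written for this listing and not taken from the post itself: keep a secret in mutable storage (`bytearray`), scrub it in place as soon as it has been used, and verify the scrub by reading the backing buffer through `ctypes` rather than trusting the object. The `SecretBuffer` helper, the SHA-256 "use" of the secret and the sample password are assumptions for the demonstration.

```python
import ctypes
import hashlib


def raw_memory(buf: bytearray) -> bytes:
    """Read the bytearray's backing storage directly, so the check does not
    rely on the Python object reporting its own contents. Note that the
    returned bytes object is itself an immutable copy: use for verification only."""
    n = len(buf)
    if n == 0:
        return b""
    view = (ctypes.c_char * n).from_buffer(buf)
    return ctypes.string_at(ctypes.addressof(view), n)


def wipe(buf: bytearray) -> None:
    """Overwrite the buffer in place. Only mutable types (bytearray, or a
    memoryview over one) can be scrubbed; bytes and str copies cannot."""
    n = len(buf)
    if n == 0:
        return
    view = (ctypes.c_char * n).from_buffer(buf)
    ctypes.memset(ctypes.addressof(view), 0, n)
    del view  # release the buffer export before the caller resizes or frees it


class SecretBuffer:
    """Holds a secret in mutable storage and scrubs it when the block exits,
    including when an exception propagates out of the block."""

    def __init__(self, secret: bytes):
        # The caller's `secret` object stays intact until Python frees it;
        # copying into a bytearray only gives us one copy we can control.
        self.buf = bytearray(secret)

    def __enter__(self) -> bytearray:
        return self.buf

    def __exit__(self, exc_type, exc, tb):
        wipe(self.buf)
        return False  # never swallow exceptions


def derive_and_scrub(password: bytes):
    """Constructed scenario: use a password once, then prove it is gone."""
    holder = SecretBuffer(password)
    with holder as pw:
        digest = hashlib.sha256(pw).hexdigest()  # hashlib accepts the mutable buffer directly
        during = raw_memory(pw)                  # still present while in use
    after = raw_memory(holder.buf)               # zeroed by __exit__
    return digest, during, after


if __name__ == "__main__":
    digest, during, after = derive_and_scrub(b"hunter2")
    print("during use:", during)
    print("after scope:", after)
    print("digest:", digest)
```

Two caveats a reviewer would raise: any `bytes` or `str` derived from the buffer (a `.decode()`, a slice, a format string, a log message) is an immutable copy the interpreter will free whenever it likes and that this code cannot reach, and the operating system may still have paged or swapped the buffer before it was zeroed. Scrubbing in place removes the copy you control; it does not remove the ones you created along the way.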
Remote Buffer Overflow in StrongSwan + TKM
The TKM-backed version of the charon IKE daemon (charon-tkm) doesn’t check the length of received Diffie-Hellman public values before copying them to a fixed-size buffer on the stack, causing a buffer overflow that could potentially be exploited for remote code execution by sending a specially crafted and unauthenticated IKE_SA_INIT message.
All strongSwan versions since 5.3.0, up to and including 5.9.11, are affected.
Setups that don’t use charon-tkm as IKE daemon are not vulnerable.
The charon-tkm version that supports multiple key exchanges (the tkm-multi-ke branch on GitHub) is not vulnerable either.
Initialization vector mishandling
To encrypt data, one needs to choose a suitable encryption algorithm and generate a key, but most of the time additional parameters are required. In this blog post, we will focus on the initialization vector (IV), which is a parameter used by the most common symmetric encryption algorithms (AES-CBC, AES-CTR and AES-GCM). The majority of vulnerabilities I encounter during cryptographic reviews come from mishandling of this IV.
In this post we will look at what an IV is, why it is important and how to handle it safely depending on the chosen algorithm.
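The most common IV mistake the post refers to, shown as an added example that is not code from the original post: reusing an IV (nonce) with a counter-mode cipher hands every message the same keystream, so the XOR of two ciphertexts is the XOR of the two plaintexts, and knowing one plaintext reveals the other. The keystream below is an HMAC-SHA256 counter construction standing in for AES-CTR, an assumption made so the example runs with the standard library only; the leak is a property of counter mode itself (AES-GCM encrypts the same way) and does not depend on the block cipher. The key, the two messages and the function names are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets

KEY = bytes(range(32))      # constructed sample key; a real key is random and secret
NONCE_LEN = 16


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block_i = HMAC-SHA256(key, nonce || i).
    Stand-in for AES-CTR; reusing (key, nonce) reproduces the same bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Counter-mode encryption (and decryption: the operation is its own inverse)."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def encrypt_static_iv(key: bytes, plaintext: bytes) -> bytes:
    """The bug: a fixed IV (all zeros here, but any constant is as bad) for every message."""
    return encrypt(key, bytes(NONCE_LEN), plaintext)


def encrypt_fresh_iv(key: bytes, plaintext: bytes) -> bytes:
    """The fix for CTR/GCM: a fresh random nonce per message, sent along with the ciphertext.
    For GCM, never exceed 2^32 messages under one key with 96-bit random nonces."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + encrypt(key, nonce, plaintext)


def decrypt_fresh_iv(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return encrypt(key, nonce, ciphertext)


def recover_with_crib(c1: bytes, c2: bytes, known_p1: bytes) -> bytes:
    """Same keystream => c1 XOR c2 == p1 XOR p2, so a known p1 yields p2.
    Works on any overlap of the three inputs."""
    n = min(len(c1), len(c2), len(known_p1))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo():
    p1 = b"TRANSFER 100 EUR TO ACCOUNT 1234"   # constructed: the attacker knows this one
    p2 = b"TRANSFER 999 EUR TO ACCOUNT 9999"   # constructed: the one they want to read
    # Static IV: two ciphertexts under the same keystream leak p2 completely.
    c1 = encrypt_static_iv(KEY, p1)
    c2 = encrypt_static_iv(KEY, p2)
    recovered = recover_with_crib(c1, c2, p1)
    # Fresh IV per message: the same computation gives unrelated bytes.
    d1 = encrypt_fresh_iv(KEY, p1)
    d2 = encrypt_fresh_iv(KEY, p2)
    not_recovered = recover_with_crib(d1[NONCE_LEN:], d2[NONCE_LEN:], p1)
    return recovered, not_recovered


if __name__ == "__main__":
    recovered, not_recovered = demo()
    print("static IV, recovered p2:", recovered)
    print("fresh IV, same attack:  ", not_recovered)
```

The same reuse is fatal with AES-GCM (keystream reuse plus forgery of the authentication tag), while for AES-CBC a repeated or predictable IV does not expose keystream but does reveal whether two messages share a prefix and enables chosen-plaintext attacks; the per-algorithm handling rules are what the post itself covers.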