Tag: security

Reasons for TR-03116-4 for ciphers and curves from Bundesamts für Sicherheit in der Informationstechnik (BSI)

Posted on by mario

What is the reason that the BSI does not allow Chacha20 / Poly 1305?

The BSI does not allow ChaCha20/Poly1305 in its technical guidelines such as TR-03116-4 because it is primarily based on the NSA’s Suites-B specification and established European or German standards. There are several reasons the Focus is on AES-GCM and CNSA Suites.

1. The BSI relies on AES (Advanced Encryption Standard), especially in AES-GCM (Galois/Counter Mode), because this algorithm is recommended by both the NSA and European standardization bodies such as ENISA and ISO/IEC. AES is highly optimized for modern hardware (e.g. AES-NI in x86 processors), which makes it efficient and secure to implement.

2. FIPS and Common Criteria certification. The BSI prefers algorithms that are certified according to FIPS 140-2/3 or Common Criteria (CC). ChaCha20/Poly1305 is less widely used in these circles than AES, especially for government applications.

3. AES has dedicated hardware acceleration (e.g. AES-NI on Intel/AMD or ARMv8-A Cryptography Extensions), while ChaCha20 was primarily intended for software-side implementations on CPUs without AES hardware. In modern environments, AES-GCM with hardware acceleration is usually faster than ChaCha20.

4. Assessment of security properties. Although ChaCha20 is considered secure, there is less formal security analysis and certification than for AES.
Poly1305 is an efficient MAC (Message Authentication Code), but the BSI prefers GCM because it is already closely coupled with AES.

5. Interoperability and long-term strategy. Government IT infrastructures rely on long-term support. AES has a clearly defined future (e.g. through the CNSA Suite 2.0), while ChaCha20 is not treated equally in official European crypto standards. Future migrations to post-quantum cryptography (PQC) are likely to build on AES-based hybrid approaches.

But why is there an algorithm with CBC? As far as I know, CBC is vulnerable to attacks.

Yes, you are right: CBC (Cipher Block Chaining) has known weaknesses, especially padding oracle attacks, which is why many security guidelines (e.g. TLS 1.3) have abolished it. The BSI continues to list AES-CBC in TR-03116-4 for the following reasons:

Backward compatibility with existing systems. Many older or security-critical systems (e.g. in administration or industry) are based on AES-CBC because it was the standard for a long time. A complete switch to AES-GCM is difficult in some environments because not all systems support GCM (e.g. smart cards or older hardware). AES-CBC is still widely used in IPsec, S/MIME, OpenPGP and other protocols. In some scenarios, CBC can be used safely if additional protection mechanisms are in place (e.g. Encrypt-then-MAC (EtM) instead of MAC-then-Encrypt).
In TLS 1.3, CBC was removed because padding oracle attacks were particularly critical there.
In other applications, especially for offline encryption or fixed protocols, CBC can remain secure under certain conditions.
If the BSI allows AES-CBC, then only with HMAC protection (Encrypt-then-MAC) or in precisely defined areas of use. Usually there are strict guidelines for IV handling and padding checking to prevent attacks.

What is the reason for specifying the brainpoolP256r1 curve?

The BSI’s specification of the brainpoolP256r1 curve (also known as brainpoolP256r1, more precisely brainpoolP256t1 or brainpoolP256r1) has several security and strategic reasons. Here are the most important: Alternative to NIST curves (e.g. secp256r1 / P-256) The NIST curves (e.g. secp256r1, also known as P-256) are widely used, but there has been distrust of the origin of the parameters for years. It is speculated that the choice of parameters for the NIST curves was influenced by the NSA, so that backdoors could possibly exist. Brainpool curves, on the other hand, were developed independently (by the ECC Brainpool group led by German cryptographers). Brainpool curves were designed specifically for European security standards and are preferred by the BSI in German government projects. They are specified in various BSI guidelines, e.g. TR-03111 (Cryptographic specifications for eID applications).
For NIST curves, the parameters are published, but their derivation is unclear. The parameters of the Brainpool curves were generated using an open, traceable process.
Brainpool curves are specified in many European protocols, including eIDAS (electronic identities and signatures in the EU), German smart cards, TR-03110 (security of electronic identities). Brainpool curves were chosen to make certain timing and side-channel attacks more difficult, especially in hardware-based implementations. Their structure is intended to prevent implementation errors from leading to vulnerabilities.

iptables 101

Posted on by mario

How to do things with iptables. Safety first: How to reset everything.

sudo iptables -F
sudo iptables -X
sudo iptables -t nat -F
sudo iptables -t nat -X
sudo iptables -t mangle -F
sudo iptables -t mangle -X
Also, safety first: Don’t just copy something and run it on your server. You better understand what you are doing.
How to block a service?
Instead of using “DROP” you should use “REJECT –reject-with tcp-reset”. If you want to be able to access that service from the inside, you have to add an allow rule first.
sudo iptables -A INPUT -p tcp -s localhost --dport 3306 -j ACCEPT #mysql allow local
sudo iptables -A INPUT -p tcp --dport 3306 -j REJECT --reject-with tcp-reset #mysql

The “REJECT –reject-with tcp-reset” looks to the outside like there is no service running. A “DROP” will show that there is a firewall / iptables working.

Blocking an IP range

sudo iptables -A bannedDownloader -s 14.120.0.0/16 -j DROP

Disallow NTP queries

sudo iptables -A INPUT -p udp -s localhost --dport 123 -j ACCEPT #ntp allow local
sudo iptables -I INPUT -p udp --dport 123 -j REJECT #ntp

Block timestamp

sudo iptables -I INPUT 1 -p ICMP --icmp-type timestamp-request -j DROP
sudo iptables -I INPUT 1 -p ICMP --icmp-type timestamp-reply -j DROP
sudo iptables -A INPUT -p icmp --icmp-type 13 -j DROP

Influxdb 2.0 lessons learned

Posted on by mario

I played a bit with influxdb version 2.0.0, telegraf client and two of my raspberry pies.
On my oldest pi  a 1 B+ the telegraf client caused too much performance issues on that light weight single CPU and 480 MB of usable RAM. So I chose a simple bash script with curl to send the CPU temperature to influxdb.

#!/bin/bash
timestamp=$(date +%s)
temp=$(vcgencmd measure_temp)
curl -XPOST \
"https://flux.example.com/api/v2/write?org=none&bucket=pihole&precision=s" \
--header "Authorization: Token asas==" \
--data-raw "cpu-temperature,host=pihole ${temp//\'C/} ${timestamp}"

At first I was running influxdbd by hand. But I didn’t want the usual port of 9999 of the alpha version and I also wanted SSL encryption when I log into the backend. Pretty easy with the already running apache on that server.

<VirtualHost *:443>
	ServerName flux.example.com
	DocumentRoot /var/www/empty

	<Directory /var/www/empty>
		Options Indexes FollowSymLinks
		AllowOverride None
		Require all granted
	</Directory>

	ProxyPass / http://localhost:9999/
	ProxyPassReverse / http://localhost:9999/

	SSLEngine on
	SSLCertificateFile  fullchain.pem
	SSLCertificateKeyFile privkey.pem
</VirtualHost>

so far so good. Starting the influxdb by hand after a reboot or failing isn’t an option.  So I created by on systemd service file

sudo $EDITOR /lib/systemd/system/influxdb2.service

[Unit]
Description=InfluxDB 2.0 service file.
Documentation=https://v2.docs.influxdata.com/v2.0/get-started/
After=network-online.target

[Service]
User=influx
Group=influx
ExecStart=/usr/local/bin/influxd
Restart=on-failure

[Install]
WantedBy=multi-user.target

Do not forget to enable it :D sudo systemctl enable influxdb2

 

So far I made one observation. The telegraf client is doing a lot of DNS requests through the network. If I’m not wrong it does it for every request. If you look at the graphic you see that the bottom a big blue line. That is the DNS requests from telegraf. At some point around 20:00 You see a drop. Well there I change the flush interval to 120 seconds. Later at round 7:30 I wrote the IP and host name into /etc/hosts and the “noise” was gone. That is something you maybe want to do in your devices, too to save some bandwidth and energy.

CISCO router password recovery

Posted on by mario

– Attach a terminal or PC with terminal emulation to the console port of the router.
Use these terminal settings:

* 9600 baud rate
* No parity
* 8 data bits
* 1 stop bit
* No flow control
– If you can access the router, type show version at the prompt, and record the configuration register setting. See Example of Password Recovery Procedure in order to view the output of a show version command
Note: The configuration register is usually set to 0x2102 or 0x102. If you can no longer access the router (because of a lost login or TACACS password), you can safely assume that your configuration register is set to 0x2102.

 

– Press **Break** (**Ctrl-Break** Windows XP) on the terminal keyboard within 60 seconds of power up in order to put the router into ROMMON.
– Type **confreg 0x2142** at the rommon 1> prompt in order to boot from Flash. This step bypasses the startup configuration where the passwords are stored.
– Type **reset** at the rommon 2> prompt. The router reboots, but ignores the saved configuration.
– Type **no** after each setup question, or press **Ctrl-C** in order to skip the initial setup procedure.
– Type **enable** at the Router> prompt. You are in enable mode and should see the Router# prompt.
– Type **configure memory** or **copy startup-config running-config** in order to copy the nonvolatile RAM (NVRAM) into memory. **Important**: Do not type **copy running-config startup-config** or **write**. These commands erase your startup configuration.
– Type **show running-config**. The **show running-config** command shows the configuration of the router. In this configuration, the **shutdown** command appears under all interfaces, which indicates all interfaces are currently shut down. In addition, the passwords (enable password, enable secret, vty, console passwords) are in either an encrypted or unencrypted format. You can reuse unencrypted passwords. You must change encrypted passwords to a new password.
– Type **configure terminal**.
– The hostname(config)# prompt appears.
– Type **enable secret <password>** in order to change the enable secret password. For example: hostname(config)#**enable secret cisco**
– Issue the **no shutdown** command on every interface that you use. If you issue a **show ip interface brief** command, every interface that you want to use should display up up.
– Type **config-register <configuration_register_setting>**. Where **configuration_register_setting** is either the value you recorded in step 2 or **0x2102** . For example: hostname(config)#**config-register 0x2102**
– Press **Ctrl-z** or **end** in order to leave the configuration mode. The hostname# prompt appears.
– Type **write memory** or **copy running-config startup-config** in order to commit the changes.

http/2.0 sslciphersuites with 256 bit alias crypto wars part seven meeting Canada

Posted on by mario

Some weeks ago canada released a document for offical / public websites. No longer is TLS 1.0 nor TLS 1.1 allowed, but TLS 1.2 and TLS 1.3

Until this writing apache does not support TLS 1.3 yet, but it will come soon. This is because Apache does not work 100% with OpenSSL 1.1.1 yet. Soon it will do.

This brings an updated SSL config for apache webserver

 

<If "%{SERVER_PORT} == '443'">
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=15553000; preload"
</IfModule>
</If>
SSLUseStapling On
SSLSessionCache shmcb:/opt/apache2/logs/ssl_gcache_data(512000)
SSLStaplingCache shmcb:/opt/apache2/logs/ssl_stapling_data(512000)
SSLOptions +StrictRequire +StdEnvVars -ExportCertData
SSLProtocol -all +TLSv1.2
SSLCompression Off
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA

SSLOpenSSLConfCmd ECDHParameters secp384r1
SSLOpenSSLConfCmd Curves sect571r1:sect571k1:secp521r1:sect409k1:sect409r1:secp384r1:sect283k1:sect283r1:secp256k1:prime256v1

H2Direct On

Some old clients including older Android versions are not longer supported, unless you install a newer browser like current Firefox.

Internet = Internet!

Posted on by mario

Woooow! So etwas hatte ich lange nicht mehr. Ich bin seit ein paar Tagen bei einem Kunden vor Ort so weit nichts außergewöhnliches. Laptop ans LAN angeklemmt und dann Firmennetzwerk ausgewählt als mein Win7 danach fragte. Ich bin ja immer ein wenig neugierig was neue Netze angeht. Deshalb habe ich erst mal das gute ipconfig /all angeguckt. Als ich dann auf wieistmeineip de geguckt habe, mußte ich erst ein mal schlucken. Internet = im Internet. Meine lokale LAN IP war gleich der IP die im Internet war. Kurz beim Admin nachgefragt, der konnte das so bestätigen. Danach habe ich erst mal schnell das Netzwerk auf öffentliches Netzwerk gestellt. Kurz vorher habe ich noch einen Blick auf das Windowsnetzwerk geworfen. Wow, viele tolle PCs ohne Firewall und auch direkt aus dem Internet zu erreichen! Win Win Situation. Also für potenzielle Hacker von außen, aber auch für mich, da hier wohl keiner den Netzwerkverkehr so einfach mitschneiden kann oder doch? Ein schnelles tracert zeigte dann aber doch, dass die Route ins Internet dann doch über 2 Router oder 2 Level-3 switche geht. Lieber Admin, wie wäre es mit NAT?!?! O_o Und einer schönen Firewall inklusive? Zu mindest könnte ich jetzt wenn ich denn wollte dort direkt einen server meine Wahl betreiben.

Nach dem ich meine Netzwerkkonfiguration geändert hatte, hatte ich mich gleich noch mal per SSH auf einem meiner server eingeloggt und von dort aus einen nmap scan gemacht. Alles zu :) Zum test noch mal kurz auf Firmemnetzwerk zurück geändert. Autsch, da waren sie die schönen offennen Port. Und wieder öffentliches Netzwerk eingestellt. Da soll mal einer sagen, dass die Windows Firewall unnütz ist. Zu mindest bei meinem Win7 ultimate kann ich hier nicht klagen.

social engineering leicht gemacht mit dem MAC und einem USB Stick

Posted on by mario

Es ist in einer Firma in der die meisten einen MAC benutzen sehr leicht an Daten heranzukommen. Einfach mal dem Mac Kollegen den USB Stick für ausleihen. Wenn der jenige dann die Daten auf dem USB Stick löscht, aber den Mülleimer nicht leert, dann findet man später auf dem Windows / Linux PC, vorausgesetzt man lässt sich versteckte und Systemdateien anzeigen, auf dem USB Stick einen Ordner mit dem Namen .Trashes . Da vorneweg ein “.” ist, ist der Ordner auf dem MAC nicht zu sehen. Und genau in diesem Ordner finden man dann die gelöschten Daten ;-)

Posts Tagged security

Archives by Month: