exploit – What encryption did Encrochat use, and how was it broken?

On 2nd July, the UK’s national news outlets broke the story of an “unprecedented” 4-year-long, Europe-wide investigation that, in the UK, resulted in the arrest of 746 criminals, including many high-profile “kingpins” of the criminal underworld as well as corrupt police officers. According to The Mirror:

NCA Director of Investigations Nikki Holland, said: “This is the broadest and deepest ever UK operation into serious organised crime. Together we’ve protected the public by arresting middle-tier criminals and the kingpins, the so-called iconic untouchables who have evaded law enforcement for years, and now we have the evidence to prosecute them.”

If these phones were employing a form of encryption, then it stands to reason that the French police and the UK’s National Crime Agency must have been able to break it in some way. Is there any further information on what encryption EncroChat phones were using, and how exactly it was broken?

encryption – Does PGP passphrase necessary if I store private key and passphrase in the same place?

The benefit of a passphrase is an added layer of protection for your keys assuming that the attacker has no way of associating the passphrase and the key.

Let’s assume an attacker gained access to this vault.

If it has both the passphrase and the key, then it matters not if the passphrase was randomly generated or what, the key is essentially (for lack of a better word) ‘breached’.

If it has only the key with no passphrase, then the same result applies. Your keys are ‘breached’.

If this vault has the keys with a passphrase (which isn’t stored in the same vault), then your keys are a lot safer, and if generated properly, secured.

encryption – Solution to User Initial HTTP Requests Unencrypted Despite HTTPS Redirection?

It is my understanding that requests from a client browser to a webserver will initially follow the specified protocol, e.g. HTTPS, and default to HTTP if not specified (Firefox tested). On the server side it is desired to enforce a strict type HTTPS for all connections for the privacy of request headers and as a result HTTPS redirections are used. The problem is that any initial request where the client does not explicitly request HTTPS will be sent unencrypted. For example, the client instructs the browser with the below URL command.

google.com/search?q=unencrypted-get

google.com will redirect the client browser to use HTTPS, but the initial HTTP request and GET parameters were already sent unencrypted, possibly compromising the privacy of the client. Obviously there is nothing fool-proof that can be done by the server to mitigate this vulnerability, but:

  1. Could this misuse compromise the subsequent TLS security, possibly through a known-plaintext attack (KPA)?
  2. Are there any less obvious measures that can be done to mitigate this, possibly through some DNS protocol solution?
  3. Would it be sensible for a future client standard to always initially attempt with HTTPS as the default?
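The standard client-side mitigation for every request after the first is HTTP Strict Transport Security (RFC 6797): once a site has been visited over HTTPS and has sent a Strict-Transport-Security header, the browser rewrites later scheme-less or http:// URLs to https:// before any bytes leave the machine, so the query string in the example above is never sent in the clear. The following Go program is an added example (not part of the question or any answer) that models that behaviour: it parses the header, keeps a small per-host policy cache, and upgrades URLs the way a browser would. The host names, header value and dates are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// HSTSPolicy is what a client remembers after seeing a valid
// Strict-Transport-Security response header from a host.
type HSTSPolicy struct {
	Expires           time.Time
	IncludeSubDomains bool
}

// ParseHSTS parses a Strict-Transport-Security header value using the
// RFC 6797 directive syntax. ok is false when max-age is missing or invalid,
// in which case the header must be ignored.
func ParseHSTS(header string, now time.Time) (p HSTSPolicy, ok bool) {
	for _, part := range strings.Split(header, ";") {
		kv := strings.SplitN(strings.TrimSpace(part), "=", 2)
		switch strings.ToLower(kv[0]) {
		case "max-age":
			if len(kv) != 2 {
				return HSTSPolicy{}, false
			}
			secs, err := strconv.ParseInt(strings.Trim(kv[1], `"`), 10, 64)
			if err != nil || secs < 0 {
				return HSTSPolicy{}, false
			}
			p.Expires = now.Add(time.Duration(secs) * time.Second)
			ok = true
		case "includesubdomains":
			p.IncludeSubDomains = true
		}
	}
	return p, ok
}

// HSTSStore is a minimal model of a browser's HSTS cache.
type HSTSStore struct {
	policies map[string]HSTSPolicy
}

func NewHSTSStore() *HSTSStore {
	return &HSTSStore{policies: map[string]HSTSPolicy{}}
}

// Remember records the policy for a host, as a client does after an HTTPS
// response carrying the header (the header is ignored over plain HTTP).
func (s *HSTSStore) Remember(host string, p HSTSPolicy) {
	s.policies[strings.ToLower(host)] = p
}

// covers reports whether host, or a parent domain whose policy has
// includeSubDomains, has an unexpired policy (max-age=0 expires at once).
func (s *HSTSStore) covers(host string, now time.Time) bool {
	labels := strings.Split(host, ".")
	for i := range labels {
		p, ok := s.policies[strings.Join(labels[i:], ".")]
		if !ok || !now.Before(p.Expires) {
			continue
		}
		if i == 0 || p.IncludeSubDomains {
			return true
		}
	}
	return false
}

// Upgrade returns the URL the client should actually request. A bare
// "host/path" with no scheme defaults to http://, as the question describes;
// if an unexpired policy covers the host, the request is rewritten to https
// before anything is sent, so no plaintext GET with its query string goes out.
func (s *HSTSStore) Upgrade(rawURL string, now time.Time) (string, error) {
	if !strings.Contains(rawURL, "://") {
		rawURL = "http://" + rawURL
	}
	u, err := url.Parse(rawURL)
	if err != nil {
		return "", err
	}
	if u.Scheme == "http" && s.covers(strings.ToLower(u.Hostname()), now) {
		u.Scheme = "https"
		if u.Port() == "80" { // RFC 6797: an explicit port 80 becomes 443
			u.Host = u.Hostname() + ":443"
		}
	}
	return u.String(), nil
}

func main() {
	now := time.Date(2020, 7, 1, 0, 0, 0, 0, time.UTC)
	store := NewHSTSStore()
	// Constructed header value, as a site would send it on an HTTPS response.
	if p, ok := ParseHSTS("max-age=31536000; includeSubDomains", now); ok {
		store.Remember("google.com", p)
	}
	for _, in := range []string{
		"google.com/search?q=unencrypted-get",
		"www.google.com/search?q=unencrypted-get",
		"example.org/search?q=unencrypted-get",
	} {
		out, _ := store.Upgrade(in, now)
		fmt.Printf("%-42s -> %s\n", in, out)
	}
}
```

The first visit to a host the cache has never seen still goes out over HTTP, which is exactly the gap the question points at; the HSTS preload list (a policy compiled into the browser) is what closes it for sites that opt in.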

cryptography – Is there any encryption mechanism where I can ensure that the decryption can only happen within my data center?

All decryption is only possible if you have the key (or sufficient computing power and time). If you want to be sure that the key never leaves the infrastructure, buy a High Security Module (HSM) (Thales, Utimaco and some others). These are hardware devices that allow you to do the decryption. There are many types, some (many?) including tilt and motion sensors.

But at some point, you might want to rethink your strategy. HSMs are really a niche market, and in my 25+ years experience, I’ve seen just 1 case where they were really necessary.

If you pass data over the Internet, surely the goal of that data sharing would be that the other party can use that data? Then, if the data at the other party is “exposed somehow”, all is lost anyway.

Or do you just not want that the data leaves the data centre? In that case: try using a stand-alone system.

If you’re communicating with a single (or limited number) of partners, symmetric keys would also be an option. Key management would be doable.

key management – Drawback of Multi Level Encryption

From a security perspective, it’s an advantage. From a management perspective, you have to weigh how much extra effort it might be. If you’re worried about losing keys in general, having two (or ten) probably won’t change that risk. Some thought into effective key management will pay dividends. If it’s not a bother, I’d go for it.

Super-encryption significantly reduces the chance that an attacker will gain access vs single encryption. They would have to exploit vulnerabilities in both encryption methods, instead of just one, which also reduces ‘crimes of opportunity’ if a vulnerability becomes known for one of those methods. This only works if using two different encryption methods – using the same one twice might be more or less equivalent to using a larger key.

See the Rule of Two: https://en.wikipedia.org/wiki/Multiple_encryption

appsec – Encryption (not hashing) of credentials in a Python connection string

I would like to know how to encrypt a database connection string in Python – ideally Python 3 – and store it in a secure wallet. I am happy to use something from pip. Since the connection string needs to be passed to the database connection code verbatim, no hashing is possible. This is motivated by:

  • a desire to avoid hard-coding the database connection credentials in a Python source file (bad for security and configurability);
  • avoid leaving them plain-text in a configuration file (not much better due to security concerns).

In a different universe, I have seen an equivalent procedure done in .NET using built-in machineKey / EncryptedData set up by aspnet_regiis -pe, but that is not portable.

Though this problem arises from an example where an OP is connecting via pymysql to a MySQL database,

  • the current question is specific neither to pymysql nor MySql, and
  • the content from that example is not applicable as a minimum reproducible example here.

The minimum reproducible example is literally

#!/usr/bin/env python3

PASSWORD='foo'

Searching for this on the internet is difficult because the results I get are about storing user passwords in a database, not storing connection passwords to a database in a separate wallet.

I would like to do better than a filesystem approach that relies on the user account of the service being the only user authorized to view what is otherwise a plain-text configuration file.


file encryption – ASP.NET Core Data Protection for long term storage

I’m looking into upgrading a .NET software application that encrypts files. At the moment it is doing that by using a fixed key and a specific algorithm in the codebase. Moving the key to a safer place will be my first step.

However, I want to improve the system. Having key rollover and additional algorithms seems like a given these days. Of course I don’t want to write that myself. If it was an ASP.NET web app, I would be using its dataprotection library. However, when looking in the documentation you find this:

The ASP.NET Core data protection APIs are not primarily intended for indefinite persistence of confidential payloads. Other technologies like Windows CNG DPAPI and Azure Rights Management are more suited to the scenario of indefinite storage, and they have correspondingly strong key management capabilities. That said, there’s nothing prohibiting a developer from using the ASP.NET Core data protection APIs for long-term protection of confidential data.

Which leaves me a bit concerned. Should I use it even with this warning for encrypting files? Are there other frameworks/libraries that offer the same functionality? Should I look into something totally different?

encryption – Format for data & symmetric key exchange/storage

Is there a standard format for storing/exchanging encrypted data along with the key needed to decrypt it (data is encrypted with a single use symmetric key and the symmetric key itself is encrypted with asymmetric key for the receiver)?

We are trying to build an interoperable protocol to exchange large messages between two parties that may not agree on much else besides using asymmetric keys. The best way seems to be using a symmetric single-use key to encrypt the data and then encrypt it with the asymmetric key and pass along the whole thing as a package (e.g. RSA-wrapped AES). So is there any widely used standard for sharing the encrypted text along with its key, preferably along with some information about the symmetric algorithm used?

The only work that I found in that direction is OpenPGP, which is somewhat too implementation-specific. I was wondering if there is anything else that has more metadata along with it to describe the algos and the keys.
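The package the question describes (single-use symmetric key, wrapped with the receiver's public key, shipped together with the ciphertext and algorithm labels) is the hybrid-encryption pattern that JWE and CMS EnvelopedData standardise. The following Go program is an added example, not code from the question or any answer, that builds such an envelope with the standard library: AES-256-GCM for the payload, RSA-OAEP for the key, and a JSON wrapper whose algorithm fields are also fed into GCM as additional authenticated data. The field names and the label strings (chosen to mirror JWE's "alg"/"enc" vocabulary) are assumptions of this example, not a published format. It also applies to the earlier question about decryption being tied to one data centre: the wrapped content key is only recoverable wherever the RSA private key lives.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Algorithm identifiers carried in the envelope so the receiver can check what
// it is being asked to use. Constructed labels for this example.
const (
	keyAlgRSAOAEP    = "RSA-OAEP-256"
	contentAlgAESGCM = "A256GCM"
)

// Envelope is the interchange package: the single-use content key wrapped for
// the receiver, the ciphertext, and the metadata needed to decrypt it.
type Envelope struct {
	KeyAlg     string `json:"key_alg"`     // how WrappedKey was produced
	ContentAlg string `json:"content_alg"` // how Ciphertext was produced
	WrappedKey string `json:"wrapped_key"` // base64, RSA-OAEP(content key)
	Nonce      string `json:"nonce"`       // base64, 12-byte GCM nonce
	Ciphertext string `json:"ciphertext"`  // base64, AES-GCM ciphertext||tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random AES-256 key and wraps that key
// with the receiver's RSA public key. The algorithm labels are GCM additional
// authenticated data, so changing them in transit fails authentication.
func Seal(pub *rsa.PublicKey, plaintext []byte) ([]byte, error) {
	contentKey := make([]byte, 32)
	if _, err := rand.Read(contentKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	aad := []byte(keyAlgRSAOAEP + "|" + contentAlgAESGCM)
	ciphertext := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, contentKey, nil)
	if err != nil {
		return nil, err
	}
	b64 := base64.StdEncoding.EncodeToString
	return json.Marshal(Envelope{
		KeyAlg: keyAlgRSAOAEP, ContentAlg: contentAlgAESGCM,
		WrappedKey: b64(wrapped), Nonce: b64(nonce), Ciphertext: b64(ciphertext),
	})
}

// Open reverses Seal. It refuses algorithms it does not expect rather than
// dispatching on whatever the sender wrote, and the GCM tag (which covers the
// labels) is verified before any plaintext is returned.
func Open(priv *rsa.PrivateKey, envJSON []byte) ([]byte, error) {
	var env Envelope
	if err := json.Unmarshal(envJSON, &env); err != nil {
		return nil, err
	}
	if env.KeyAlg != keyAlgRSAOAEP || env.ContentAlg != contentAlgAESGCM {
		return nil, fmt.Errorf("unsupported algorithms %q/%q", env.KeyAlg, env.ContentAlg)
	}
	dec := base64.StdEncoding.DecodeString
	wrapped, err1 := dec(env.WrappedKey)
	nonce, err2 := dec(env.Nonce)
	ciphertext, err3 := dec(env.Ciphertext)
	if err1 != nil || err2 != nil || err3 != nil {
		return nil, errors.New("malformed envelope encoding")
	}
	contentKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := newGCM(contentKey)
	if err != nil {
		return nil, err
	}
	if len(nonce) != gcm.NonceSize() {
		return nil, errors.New("bad nonce length")
	}
	return gcm.Open(nil, nonce, ciphertext, []byte(env.KeyAlg+"|"+env.ContentAlg))
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048) // receiver's key pair, demo only
	if err != nil {
		panic(err)
	}
	env, err := Seal(&priv.PublicKey, []byte("constructed sample message"))
	if err != nil {
		panic(err)
	}
	fmt.Println(string(env))
	pt, err := Open(priv, env)
	if err != nil {
		panic(err)
	}
	fmt.Println(string(pt))
}
```

The receiver pins the algorithms it accepts rather than trusting the labels, and the labels are authenticated anyway; both matter, because a format whose receiver instantiates any algorithm named in the message is a well-known source of downgrade bugs.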

OpenVPN faster with encryption than without it

I would’ve expected OpenVPN to achieve higher speeds when encryption is disabled, but the opposite is true.

When setting the cipher to AES-128-GCM, the speed between two of my computers is 580 to 613 Mbit/seconds:

Mon Jun 15 11:46:06 2020 Data Channel: using negotiated cipher 'AES-128-GCM'
Mon Jun 15 11:46:06 2020 Outgoing Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key
Mon Jun 15 11:46:06 2020 Incoming Data Channel: Cipher 'AES-128-GCM' initialized with 128 bit key

When setting the cipher to none, the speed between two of my computers is only 460 – 490 Mbit/seconds.

Mon Jun 15 11:45:11 2020 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 15 11:45:11 2020 Outgoing Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication
Mon Jun 15 11:45:11 2020 Incoming Control Channel Encryption: Cipher 'AES-256-CTR' initialized with 256 bit key
Mon Jun 15 11:45:11 2020 Incoming Control Channel Encryption: Using 256 bit message hash 'SHA256' for HMAC authentication

From what I understand, the “control” channel is just used for really small data packets, while a second “data” channel is used for real information.

I’m trying to reach gigabit speeds through OpenVPN. Even when setting the server’s CPU governor to performance, the maximum speed that I can achieve is 613 Mbit/seconds with the AES-128-GCM configuration. I’m still working through this guide.

When I change my protocol with the AES-128-GCM config to proto udp, the speed drops down to 414 Mbit/seconds…

encryption – Prevent app configuration from modifying

I am looking for a solution that meets the following requirements:

Let’s assume, there are: the Application installed on a computing device and controlling it, Users that use this application, and Maintainers, that provide some support for the application. Application has the Configuration, for example in the file or database. Configuration is updated manually by Maintainers when required, for example weekly. Configuration contains, for example, a list of emails the Application sends its alerts to. Let’s assume, that it is not possible for Users to modify the Application in any way. Although, Application is written in Java, so it is easy for Users to copy and debug it.

Users shall be able to view the Configuration from inside the Application. Users shall be unable to change the Configuration, or to use their own (which is basically the same), for example to change any email or remove an existing email or add a new one.

Additional requirement, that is not mandatory: It shall not be possible to directly view the Configuration without the Application. I understand it’s hardly really possible, so, it shall be at least just difficult, like decryption necessary to view the Configuration without the Application.

Question: how to achieve this and is it possible at all?

Possible solutions I can realize, and attacks:

1) To use some signing. To sign each Configuration with some Digest and to check the Digest in the Application then. Attack: as I understand, App shall calculate the Digest using the public key stored in it. Then the Application shall compare the calculated Digest with the one provided with the Configuration. So, the attack is simple: Users will modify the Configuration, then debug the Application, put a breakpoint on the place where the Application has already calculated the Digest for comparing it with the stored one, then Users could dump the calculated Digest and replace the provided Digest with this calculated one.

2) To use hybrid encryption. In this case the attack is the same: breakpoint in the place where the decrypted symmetric key is available, dump this key, then use it for the new Configuration encryption.

3) To use asymmetric encryption. Maintainers encrypt the Configuration with the public key, then the Application decrypts the Configuration with the private key. Attack is simple: Users could dump the private key from the Application and derive a new public key, then use it for encryption.

Is there a solution, like “encrypt with the public key, then decrypt with private” or maybe any else possible way to achieve that?

Thank you
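Option 1 in the question, done with a real signature rather than a digest, is shown below as an added example (not code from the question). The Maintainers sign the configuration text with an Ed25519 private key that never ships with the Application; the Application embeds only the public key and refuses to parse any configuration whose signature does not verify, which covers both editing the file and substituting a file signed with some other key. The Go code is the example's own; the JSON layout and the sample configuration are constructed for it. It enforces integrity of the file on disk, which is the property the question's first option targets; the question's point that a User running the Application under a debugger can skip the check still stands, and the example does not change that.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// SignedConfig is the file Maintainers ship: the configuration text plus a
// detached Ed25519 signature over exactly those bytes. Constructed layout.
type SignedConfig struct {
	Config    string `json:"config"`
	Signature string `json:"sig"` // base64-encoded Ed25519 signature
}

// Sign runs on the Maintainers' side. The private key stays there; it is
// never embedded in the Application.
func Sign(priv ed25519.PrivateKey, config string) ([]byte, error) {
	sig := ed25519.Sign(priv, []byte(config))
	return json.Marshal(SignedConfig{
		Config:    config,
		Signature: base64.StdEncoding.EncodeToString(sig),
	})
}

// Load runs inside the Application, which embeds only the public key.
// Any change to the configuration text, or a file signed with a different
// key, fails verification and is never parsed.
func Load(pub ed25519.PublicKey, blob []byte) (map[string]interface{}, error) {
	var sc SignedConfig
	if err := json.Unmarshal(blob, &sc); err != nil {
		return nil, err
	}
	sig, err := base64.StdEncoding.DecodeString(sc.Signature)
	if err != nil {
		return nil, err
	}
	// Verify panics on a malformed public key, so check its size first.
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(sc.Config), sig) {
		return nil, errors.New("configuration signature invalid: refusing to load")
	}
	var cfg map[string]interface{}
	if err := json.Unmarshal([]byte(sc.Config), &cfg); err != nil {
		return nil, err
	}
	return cfg, nil
}

func main() {
	// Maintainers' key pair, generated here for the demo; only pub goes into the app.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	config := `{"alert_emails":["ops@example.com"]}` // constructed sample
	blob, err := Sign(priv, config)
	if err != nil {
		panic(err)
	}
	cfg, err := Load(pub, blob)
	fmt.Println("genuine file:", cfg, err)

	// A User edits the shipped file to add an address; the signature no longer matches.
	var sc SignedConfig
	_ = json.Unmarshal(blob, &sc)
	sc.Config = `{"alert_emails":["ops@example.com","other@example.com"]}`
	tampered, _ := json.Marshal(sc)
	_, err = Load(pub, tampered)
	fmt.Println("edited file:", err)
}
```

Verifying over the raw configuration text (rather than a re-serialised form) avoids the classic pitfall where canonicalisation differences between signer and verifier make valid files fail or, worse, let two byte-different files verify under one signature.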