Author Topic: Nspire OS Risk/Weakness  (Read 19122 times)

0 Members and 4 Guests are viewing this topic.

Offline fb39ca4

  • LV10 31337 u53r (Next: 2000)
  • **********
  • Posts: 1749
  • Rating: +60/-3
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #30 on: November 14, 2010, 08:54:20 pm »
So how much work is it to compute a hash compared to doing a trial division?

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #31 on: November 14, 2010, 09:09:44 pm »
Probably around the same. Of course, an extremely similar file would be much easier to compute than an extremely difficult one, and if we made the boot2 simply accept our own OS's key (which could be an extremely close semiprime number, but one we know the factors of :P) it would boot the OS just fine, since it would operate the same from there on.

Offline fb39ca4

  • LV10 31337 u53r (Next: 2000)
  • **********
  • Posts: 1749
  • Rating: +60/-3
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #32 on: November 14, 2010, 10:02:01 pm »
Probably around the same. Of course, an extremely similar file would be much easier to compute than an extremely difficult one, and if we made the boot2 simply accept our own OS's key (which could be an extremely close semiprime number, but one we know the factors of :P) it would boot the OS just fine, since it would operate the same from there on.
Huh? I don't get the similar semiprime thing.

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #33 on: November 14, 2010, 10:52:03 pm »
Well, the idea they're saying is that you make a boot2 that has an RSA key (which is a semiprime, the product of two primes) that you know the two prime factors of. This allows you to make your own OS. I was simply stating that a semiprime that is closer would be easier to make a hash match than one farther away from the original.

Example:
17*11=187 original key
11*11=121 as a replacement would not match the hash as easily as, say, 17*13 which = 221. You can get closer with larger numbers.

Offline calc84maniac

  • eZ80 Guru
  • Coder Of Tomorrow
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2912
  • Rating: +471/-17
    • View Profile
    • TI-Boy CE
Re: Nspire OS Risk/Weakness
« Reply #34 on: November 14, 2010, 10:56:09 pm »
"Closeness" doesn't make any difference, it's pass or fail.
"Most people ask, 'What does a thing do?' Hackers ask, 'What can I make it do?'" - Pablos Holman

Offline willrandship

  • Omnimagus of the Multi-Base.
  • LV11 Super Veteran (Next: 3000)
  • ***********
  • Posts: 2953
  • Rating: +98/-13
  • Insert sugar to begin programming subroutine.
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #35 on: November 14, 2010, 10:58:15 pm »
Eh, guess I'll defer to the more knowledgeable. I don't exactly have a degree on the subject :P

Offline DJ Omnimaga

  • Clacualters are teh gr33t
  • CoT Emeritus
  • LV15 Omnimagician (Next: --)
  • *
  • Posts: 55943
  • Rating: +3154/-232
  • CodeWalrus founder & retired Omnimaga founder
    • View Profile
    • Dream of Omnimaga Music
Re: Nspire OS Risk/Weakness
« Reply #36 on: November 14, 2010, 11:02:36 pm »
(Note, for discussion about the actual key factoring issue, we should use that thread, to make sure we do not confuse users in this one.)

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #37 on: November 14, 2010, 11:05:19 pm »
So, could we attack boot2 by writing our own code, and appending more data to the end until we find something with the same hash as boot2?

SHA-256, and SHA-512 (SHA-384 is essentially the same as SHA-512) are both cryptographic Hashes. They currently have no known weaknesses. In other words, no one has ever cracked the algorithms themselves. The ONLY known way to do it is with brute force methods. As has been mentioned, that's not going to happen anytime soon. There's a reason why the SHA-256 is still widely used. I believe the NSA still recommends it, actually. However, if (and this is a big if) someone discovered a way to reliably make collisions in SHA-256, then we could conceivably launch a successful birthday attack in reasonable time using Chabaud-Joux techniques (basically testing weak versions of the hash until you have an algorithm that can short circuit the real one) that would theoretically allow us to install another OS. That's probably not going to happen in the next decade. At the very best, we'll see hints that the hash has the possibility of compromising collisions.
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ

Offline fb39ca4

  • LV10 31337 u53r (Next: 2000)
  • **********
  • Posts: 1749
  • Rating: +60/-3
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #38 on: November 15, 2010, 03:31:06 pm »
I'd like to know, how much work is it brute forcing a collision say, compared to factoring a 512 bit key? Also, I found this: http://eprint.iacr.org/2004/304.pdf, which has an algorithm to reduce the number of steps before a collision occurs.

Offline calcforth

  • LV3 Member (Next: 100)
  • ***
  • Posts: 62
  • Rating: +4/-4
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #39 on: November 15, 2010, 04:07:53 pm »
However, if (and this is a big if) someone discovered a way to reliably make collisions in SHA-256, then we could conceivably launch a successful birthday attack in reasonable time using Chabaud-Joux techniques (basically testing weak versions of the hash until you have an algorithm that can short circuit the real one) that would theoretically allow us to install another OS.
How the collision attack will help us? I can imagine just one scenario: if we'll have friend at TI who will produce two images (one legitimate update and one with non-checking boot2, for example) and will submit the legitimate update using education.ti.com ... But it's probably will be easier for him to just sign non-checking boot2 directly? What we need is called second preimage attack - and it's quite different kettle of fish!

I'd like to know, how much work is it brute forcing a collision say, compared to factoring a 512 bit key?
They are lightyears apart. Facts:
1. MD4 was perceived weak 20 years ago, was replaced with MD4 in 1992 and broken in 1995 (few seconds on typical computer).
1. MD5 was perceived weak 15 years ago, was replaced with SHA1 in early 2000th and finally "totally broken" in 2009 (few seconds on typical computer).
2. SHA1 was perceived weak 5 years ago, was replaced with SHA-256 closer to 2010 - still unbroken.
Given these facts and the claims about "utter failure" of MD4, MD5 and SHA1 you should expect that second preimage attack is now easy too, right? Wrong: only MD4 is "kinda broken" (can be theoretically broken using million computers and about thousand years... hundred years if you are lucky).

Also, I found this: http://eprint.iacr.org/2004/304.pdf, which has an algorithm to reduce the number of steps before a collision occurs.
This is good algorythm, but it does not buy us much: successor to Deep Thought is still not powerful enough to solve this problem... and sadly, it's already busy trying to solve another problem.

I'm pretty sure cryptographers will eventually solve this problem (I mean: they already can break MD4... kinda), but I doubt it's good idea to bet everything on this outcome.

P.S. Collision attack has it's uses - but sadly they lie very far from the need to sign Nspire ROM. Better to try to find some kind of programming error... at least for now.

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #40 on: November 15, 2010, 04:50:37 pm »
How the collision attack will help us?

Because they let you use your own file instead of the original message without changing the hash. As I said, it would only allow the theoretical possibility of installing an OS. In practice, it would be next to useless. I only mentioned it because it's a lot easier to launch a birthday attack than a preimage attack. Reducing the computation time for a preimage to a reasonable time would require exploiting the algorithm. That's just not going to be possible anytime in the next few years, at the very least.

@fb39ca4, your link does describe a way to reduce computation time, but the result is still in the realm of near impossible.
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ

Offline calcforth

  • LV3 Member (Next: 100)
  • ***
  • Posts: 62
  • Rating: +4/-4
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #41 on: November 15, 2010, 05:07:50 pm »
How the collision attack will help us?
Because they let you use your own file instead of the original message without changing the hash.
How? I think you are confusing collision attack and second preimage attack. Collision attack: Alice sends message A to Bob and when Bobs does as it says Alice shows another message B (with the same hash!) in court and says: sorry, this is what I meant, blame Bob for his poor judgment. Second preimage attack: Alice sends message A to Bob but Bob replaces it without another message B and when Alice complains shows that other message (with the same hash!) in court and says: sorry, this is what I've got. Nleash developers play Bob here, not Alice!

As I said, it would only allow the theoretical possibility of installing an OS. In practice, it would be next to useless.
What use will it have? Even theortical? The boot2 hash one particular hash and this is the only hash we know how to present to boot1. We can not change it thus we can not use collision attack. It's as simple as that.

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #42 on: November 15, 2010, 05:18:42 pm »
Oops, you're right. Thank you for pointing that out.

However, if we could generate an OS with the same Hash as the current OS (a collision), then we could install that OS and the boot code wouldn't realize it. The problem is that any collision is likely to be complete gibberish codewise.
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ

Offline calcforth

  • LV3 Member (Next: 100)
  • ***
  • Posts: 62
  • Rating: +4/-4
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #43 on: November 15, 2010, 06:03:44 pm »
However, if we could generate an OS with the same Hash as the current OS (a collision), then we could install that OS and the boot code wouldn't realize it. The problem is that any collision is likely to be complete gibberish codewise.
No, no - this is not how it works. For MD5 there are so-called "chosen-prefix collisions": files with predermined content and only few bytes of garbage at the end. But still both files are produced by "Alice" - and it does not help us any. And for second preimage attack (this is what we need)... it's not realy practical even for MD4, let alone MD5... and SHA256 is much harder then these!

Only proprietary "tip-sikrit" algorythms (like GSM's A5/X) are easily exploited... but it looks like industry finally learned to use public well-test cryptoalgorithms. So instead of direct attack we are left only with possible bugs in OS... but it sure is a big attack vector still :)

Offline AngelFish

  • Is this my custom title?
  • Administrator
  • LV12 Extreme Poster (Next: 5000)
  • ************
  • Posts: 3242
  • Rating: +270/-27
  • I'm a Fishbot
    • View Profile
Re: Nspire OS Risk/Weakness
« Reply #44 on: November 15, 2010, 06:07:59 pm »
The OS is only checked at boot. It's well known how to wipe and replace data. Thus, an OS that has the same hash *could* be replaced. As I said, it will never work in real life.
∂²Ψ    -(2m(V(x)-E)Ψ
---  = -------------
∂x²        ℏ²Ψ