Microsoft has released a new security bulletin
(http://www.microsoft.com/technet/security/bulletin/ms00-024.asp)
about a vulnerability in the NT registry permission setting for a
functionality called OffloadModExpo. I thanks Microsoft and Scott Culp for
the Acnowledgments.
This is the full story:
I have checked the CSPs shipped with W2K international edition and with the
High encryption pack for W2K, I have also checked lots of CSPs shipped with
W95, W98, NT SP3-4-5 and with the IE High encryption for 98 and NT and I
have found what I am going to reveal only in the following CSPs of the W2K
OS:
Microsoft Base Cryptographic Provider v1.0 implemented in rsabase.dll W2K
Microsoft Base DSS and Diffie-Hellman Cryptographic Provider implemented in
dssbase.dll W2K
Microsoft Base DSS Cryptographic Provider implemented in dssbase.dll W2K
Microsoft DH SChannel Cryptographic Provider implemented in dssenh.dll W2K
Microsoft Enhanced Cryptographic Provider v1.0 implemented in rsaenh.dll
W2K
Microsoft Enhanced DSS and Diffie-Hellman Cryptographic Provider
implemented
in dssenh.dll W2K
Microsoft Exchange Cryptographic Provider v1.0 implemented in exchcsp.dll
W2K
Microsoft RSA SChannel Cryptographic Provider implemented in rsaenh.dll W2K
Microsoft Strong Cryptographic Provider implemented in rsaenh.dll W2K
And also in the rsaenhs.dll W2K
Before we start I need to clarify that what I am reporting here are both
facts and hypotesys, where the hypothesis were derived from factual
observation. I want also to emphatyze that I am not saying that someone
not
authorized has activated the vulnerability I am going to illustrate, but I
am suggesting to check it out.OK, now we can start.
We know that modular exponentiation is one of the basic matematical
operation in public key cryptography. We know that an RSA key pair has a
public modulus “n”, a public exponent “e” and a private exponent d
(we don’t
consider here inessential private key components like p, q etc.). If we
have
a message “m”, padded to the modulus byte len, then its private
encryption
is
c = m^d mod n
and the public decription of “c” is
m = c^e mod n
same thing for public encryption
c = m^e mod n
and private decryption
m = c^d mod n
Normaly Microsoft CSPs use the RSA Bsafe library to calculate modular
exponentiation for public and private encryption and decryption, but in W2K
(I repeat that I’ve found this functionality only in W2K but I have not
checked all possible distributions and updates for others OS) something has
been changed.
When a client calls the CryptAquireContext CryptoAPI function, the
implementation of this function in advapi32.dll calls the CPAquireContext
function of the desired provider. In the case of the the W2K CSPs
implementation, this function tries to open a registry key named
“HKEY_LOCAL_MACHINE\software\microsoft\cryptography\Offload”, quering
for
the value “ExpoOffload”, which, if present, must be a dll full path
name.
The W2K CSPs loads the dll and queries the dll for the address of a
function
called “OffloadModExpo” saving the address in a structure associated
with
the returned handle.
If any error occurs (registry key, value, dll or function are not found)
the
function continues without any error notification. But, if a
“OffloadModExpo” function is found, then the CSP calls it every time
it
needs to calculate a power or a modulus, passing the base (in our example
“m” or “c”) the exponent (in our example “e” or “d”) the
modulus (in our
example “n”) as input parameters and the result (in our example
“c” or “m”)
as output parameter. ”OffloadModExpo” must return true ( not 0) or
false
(0). This functionlity is documented in
http://msdn.microsoft.com/library/psdk/cryptcsp/cspref_9lnz.htm. What is
not documented is that if OffloadModExpo returns false then its caller in
the CSP continues without any error notification and calls the normal
Bsafe
implementation, If OffloadModExpo returns true the caller assumes that
the returned result is valid and does not call the normal Bsafe
implementation.
If no “OffloadModExpo” is available (the structure holding the
address is
NULL) then the CSPs call the normal Bsafe implementation.
To clarify what this really means we can examine what happens in some well
known use of public key cryptography (security related parameters are
capitalized):
Digital signature: Used in SSL authentication (client and server) or in a
digital Certificate signature done by a Certification Autority or in
documents and e-mails autentication and integrity protection, ecc.
The operation is private encryption and parameters are an hash value padded
to the modulus length in bytes, the PRIVATE EXPONENT, the modulus, and the
result is the digital signature.
Session key encryption: Used in SSL keys exchange or in secret documents or
e-mails protection, ecc.
The operation is public encryption and the parameters are the SESSION KEY
padded to modulus length, the public exponent, the modulus, while the
result
is the encrypted session key.
Session key decryption: Used in SSL keys exchange or to read protected
secret documents or e-mails, ecc.
The operation is private decryption and parameters are the encrypted
session
key, the PRIVATE EXPONENT, the modulus, the result is the SESSION KEY
padded
to modulus length.
It is clear that by registering in a system a dll providing an
implementation of OffloadModExp a malicious user can intercept all users’
private key, confidential documents, and session keys as soon as they are
used in a cryptographic operation.
It may be noted that by default W2K grants write access to the registry key
“HKEY_LOCAL_MACHINE\software\microsoft\cryptography” only to
administrator
users. This can partially protect from unauthorized access to the
“OffloadModExpo” functionality. However, we must consider that
1. normally Microsoft’s Operating Systems users use a single account
with
adminitrator privileges.
2. NT, W95, W98 by default don’t protect the registry key, so anyone
with a
guest account can insert the “OffloadModExpo” functionality and then
wait
for a system upgrade to automatically activate it.
3. Microsoft says that this functionality is present also in NT OS, if it
is
so, there are lots of other vulnerabilities to consider.
4. In any case in my opinion it is completely unacceptable that a system
administrator can access users’s private keys without the user knowledge
and
assent. Microsoft apparently knows this very well: their operating systems
protect private keys with logon independent mechanisms, and they also ask
the users which level of protection they choose.
Due to my personal relations with the _NSAKEY (see the mailing list
http://remus.prakinf.tu-ilmenau.de/ssl-users/archive28/0151.html, where I
publicized the presence of the NSA key one year before Cryptonym
http://www.cryptonym.com/hottopics/msft-nsa/msft-nsa.html), I choose to
investigate more the presence of this feature in relation with the use of
the _NSAKEY and I found out that there is a strange coincidence: when the
“OffloadModExpo” functionality is present the _NSAKEY is not used and
when
the “OffloadModExpo” functionality is absent the _NSAKEY is used.
This is
clearly not a proof of anything, but increases our doubts as to why it is
there.
In detail, what I found is
the W2K advapi32.dll still have the _NSAKEY but DOES NOT USE IT
the W2K CSPs use the “OffloadModExpo” functionality
the W2K beta candidate release still has the _NSAKEY but DOES NOT USE IT
the W2K beta candidate release CSPs use the “OffloadModExpo”
functionality
the W2K beta 3 still has the _NSAKEY but DOES NOT USE IT
the W2K beta 3 CSPs use the “OffloadModExpo” functionality
the NT5-W2K beta 2 still has the _NSAKEY and USES IT
the NT5-W2K beta 2 CSPs DO NOT HAVE the “OffloadModExpo” functionality
Appendix: Cryptonym was partialy wrong when wrote about three keys used in
W2K beta, yes the keys are three but only two are used, the _NSAKEY is not
used.
I’ve presented all these considerations to the Microsoft Security
Response
Center, a very interesting discussion followed my signaling. If someone is
interested I can make it public.
I have a small program and an autogenerated “OffloadModExpo” dll that
can
demonstrate what I am sayng, the program simply registers and installs the
“OffloadModExpo” dll, and generates a new key, then signs an MD5 Hash
with
the CryptSignHash and verifies the result with the CryptVerifySignature.
The
OffloadModExpo dll displays the parameters and if the modulus length is
equal to the exponent length (private encrypt or decrypt) calculates the
result (using the bn library from SSLeay) and returns true, otherwise
returns false.
If someone wants the demonstration code, needs more details or wants to
privately ask me something can sends e-mails to [EMAIL PROTECTED],
[EMAIL PROTECTED] or [EMAIL PROTECTED]
Sergio Tabanelli
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
