[iwar] [fc:Extracting.a.3DES.key.from.an.IBM.4758]

From: Fred Cohen (fc@all.net)
Date: 2001-11-11 06:21:01



Extracting a 3DES key from an IBM 4758

The IBM 4758 is an extremely secure cryptographic co-processor. It is used 
by banking systems and in other security conscious applications to hold 
keying material. It is designed to make it impossible to extract this keying 
material unless you have the correct permissions and can involve others in a 
conspiracy.

We are able, by a mixture of sleight-of-hand and raw processing power, to 
persuade an IBM 4758 running IBM's ATM (cash machine) support software called 
the "Common Cryptographic Architecture" (CCA) to export any and all its DES 
and 3DES keys to us. All we need is:

* about 20 minutes uninterrupted access to the device
* one person's ability to use the Combine_Key_Parts permission
* a standard off-the-shelf $995 FPGA evaluation board from Altera
* about two days of "cracking" time

The attack can only be performed by an insider with physical access to the 
cryptographic co-processor, but they can act alone. The FPGA evaluation board 
is used as a "brute force key cracking" machine. Programming this is a 
reasonably straightforward task that does not require specialist hardware 
design knowledge. Since the board is pre-built and comes with all the 
necessary connectors and tools, it is entirely suitable for amateur use.

Besides being the first documented attack on the IBM 4758 to be run "in 
anger", we believe that this is only the second DES cracking machine in the 
open community that has actually been built and then used to find an unknown 
key!

Until IBM fix the CCA software to prevent our attack, banks are vulnerable 
to a dishonest branch manager whose teenager has $995 and a few hours to 
spend in duplicating our work.

http://www.cl.cam.ac.uk/~rnc1/descrack/

-- 
Elias Levy
SecurityFocus
http://www.securityfocus.com/
Si vis pacem, para bellum




This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST