4. ID-CERT
• Indonesia Computer Emergency Response Team
• 1998 – Dr. Budi Rahardjo
• Community based
• Incident Handling
• Malware Lab
• Research & Training about Malware
• Tools: Malware Scanner
• Founder AP-CERT: JP-CERT & AusCERT
www.cert.or.id/
5. Indonesia
• South East Asia
• 7th largest Country –
• 1,904,569 square km2
• Archipelago
• 13000 Islands
• 4th: Population; 261 million
• 700 local language
7. AES
• Advanced Encryption Standard (AES) was published by the
National Institute of Standards and Technology (NIST) in
2001.
• NIST is a Agency in USA; measurement standard Laboratory
• replace DES (Data Encryption Standard) – 1977 (IBM)
• have theoretical attacks that can break it
• have demonstrated exhaustive key search attacks
• slow
www.cert.or.id
8. Selection Process
• US NIST issued call for ciphers in 1997
• Open Competition
• 15 candidates accepted in Jun 98
• investigated by cryptographers;
• Security,
• performance in different PC architecture
• Implementation in limited environment (smart cards
limited memory, low gate count implementations, FPGAs)
9. Finalist
• 1999: 5 Finalist
• MARS, RC6, Rijndael, Serpent, and Twofish.
• 2000: Rijndael
• official standard by publishing an announcement in the Federal
Document
• Positive comment for opennes from the community
• Bruce Schneier (Twofish) “I have nothing but good things to say about
NIST and the AES process“
www.cert.or.id
10. Rijndael
• developed by two Belgian cryptographers,
• Vincent Rijmen and Joan Daemen,
• all operations are performed on 8-bit
• Finite Field Arithmetic
• each with a block size of 128 bits, but three different key lengths: 128,
192 and 256 bits
• Substitution & Permutation
• Repetition 10 round for 128 bit keys, 12 à 192; 14 à256
11. Encryption process
1. Plaintext data to be encrypted
2. Static bytes that are part of the algorithm (lookup table)
3. The key used for encryption
www.cert.or.id
12. Encryption process
• Substitution & Permutation
• Add key
• Shift rows
• Substituting bytes
• Mix columns
• Repetition 10 round for 128 bit keys, 12 à 192; 14 à256
www.cert.or.id
13. Implementation
• RAR, Winzip, 7z
• NTFS
• Bitlocker, Truecrypt
• IEEE 802.11 Wireless
• Whatsapp, Facebook Messenger
• IPSec à VPN
• GPG à
• Intel & AMD Processor
• Grand Theft Auto
15. Bruteforce
• Trying all possible combination
• =exhaustive key search
• Needs big computing power & energy
• 128 bit key AES à1,02 x1018 years
• 256-bit à 3,31 x 1056 years
• billions of years to brute force
• Supercomputer
www.cert.or.id
16. Attack - Cryptanalyst
• 2002; XSL attack;
• Theoretical attack ; Courtois and Pieprzyk à unworkable
• 2009: Alex Biryukov, Dmitry Khovratovich, and Ivica Nikolić,
• 2011; Bogdanov, Khovratovich, and Rechberger,
• Snowden; NSA doing research on attack based on TAU
statistic
• Without key à No success (if AES correctly implemented)
17. Side Channel Attack
• Not on cipher text
• find a weakness in the implementation
• Hardware/software
• measure power consumption, electromagnetic emissions,
and heat generation
• requires physical access to the target device.
www.cert.or.id
18. Success story
• 2005: Bernstein ; cache-timing attackà OpenSSL
• number of machine cycles taken by the encryption operation
• 2009: DFA (Differential Fault Analysis) à hardware (key
recovery)
• Smart Card à embedded processor ;
• Overclocking, high temperature à false output
24. Custom crypto
• Algorithm to encrypt the file
• XOR the file
• Algorithm is the key
• Reverse the steps
www.cert.or.id
25. MBR rewriting
• Master Boot Record
• Rewrite MBR à require password or number
• Force reboot a computer à before windows load à ransom
message
• reversing the serial or password validation algorithm: MBR
• Keygen
26. Asymmetric – modern ransomware
1. dynamically generates the keys locally
• Sends to C&C server à client ID
• Keys are not identical
2. Keys are generated by author
• Preloaded in the ransomware
• Key are static
• Someone get the key,
• Share the key
www.cert.or.id
27. Dynamic generated keys
• Analyse memory dump for file recovery
• cryptanalyst
• Intercept the transfer and generation of the keys
29. Shione Ransomware case
• C#
• Keys are embedded in the ransomware
• RSA & AES
• AES à encrypt victim files
• AES Key à RSA
• Public Key RSA embedded in the malware