Reverse engineering of CHIASMUS from GSTOOL: It hurts.

Presented at 30C3 (2013), Dec. 27, 2013, 2 p.m. (60 minutes).

We reverse-engineered one implementation of the non-public CHIASMUS cipher designed by the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI). This not only gave us some insight into the cipher, but also uncovered serious implementation issues in GSTOOL which allow attackers to crack files encrypted with the GSTOOL encryption function with very little effort.

In the dark ages of digital cryptography, when ciphers were considered export-controlled munitions and AES was not yet standardized, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, short BSI) decided to invent their own ciphers: CHIASMUS for software implementations and LIBELLE, which would be kept secret and only implemented in hardware.

CHIASMUS is not publicly documented. It is implemented in a software tool of the same name, released by the BSI, which is only available where there is a public interest in its use. However, the GSTOOL, a database application for security audit management also released by the BSI, contains an encryption feature using the CHIASMUS block cipher, and is freely available. This software was developed by a third party, Steria Mummert Consulting, and apparently was not properly reviewed.

We disassembled and analyzed the GSTOOL to obtain the specification for the encrypted files (and thus the CHIASMUS cipher itself), but we got more than we bargained for. While the cipher itself appears to be pretty secure, the implementation is a collection of rookie mistakes and a great example of what can (and will) go wrong if you ask people with little understanding of cryptography to build cryptographic software and don't verify their results.

We invite you to enjoy this thriller full of historic backgrounds, non-public public announcements, legal threats, weapons-grade stupidity, and a very simple solution for complex cryptographic problems. Facepalm with us on the two-year-long hunt for the elusive security patch! Have a look at the (not-so-secret-anymore) CHIASMUS block cipher! Learn why you should not build your own crypto tools unless you really know what you are doing, even if you use a known algorithm. And what happens when government contractors attempt to do so. And then attempt to fix it.

(Note: Since this is an implementation issue, the stand-alone Chiasmus software tool is not affected by this issue.)

