[Cryptlib] Dealing with Microsoft's broken SCEP implementation

Discussion:

Peter Gutmann

2017-04-25 07:48:36 UTC

Microsoft's NDES implementation of SCEP has been broken in various ways for
many years, to the point where cryptlib fingerprints the server it's
connecting to and enables various workarounds for the different bugs to deal
with it.

However in Server 2012 there's a new, pretty major bug that can't be
transparently worked around: If you send in a message secured with modern
crypto, AES and SHA-2, it sends back an invalid response that can't be
decrypted. If you fall back to the twenty-year-old SHA-1 and the forty-year-
old DES/3DES, it works OK, or at leas as OK as NDES has ever worked.

There are two possible options to deal with this problem:

1. If Server 2012 is detected, quietly switch to the obsolete crypto
algorithms in order to connect.

2. Stay with the modern crypto and report an error.

What would people prefer for cryptlib? Silently switching to obsolete crypto
will make things work, and probably won't introduce any practical vulns
because to carry out an attack you'd need to be able to perform a real-time
break of SHA-1, and even then I can't imagine anyone bothering for SCEP, but
it does violate the implied contract that if you're set up for AES and SHA-2
you expect to actually use AES and SHA-2.

On the other hand reporting an error and stopping isn't terribly useful, it
just means you need to add an additional manual step of falling back to SHA-1
and DES yourself before continuing anyway.

The code currently reports an error and exits, but I'm trying to get a feel
for whether people think I should switch to the fall-back-to-old-crypto
behaviour.

Peter.
_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please

SQUILLACE MASSIMO

2017-04-26 06:39:31 UTC

Permalink

I'd switch the default behaviour to option 1 but would allow for option 2 via e.g. a compile time parameter.

Massimo

-----Messaggio originale-----
Da: Cryptlib [mailto:cryptlib-***@mbsks.franken.de] Per conto di Peter Gutmann
Inviato: martedì 25 aprile 2017 09:49
A: ***@mbsks.franken.de
Oggetto: [Cryptlib] Dealing with Microsoft's broken SCEP implementation

Microsoft's NDES implementation of SCEP has been broken in various ways for many years, to the point where cryptlib fingerprints the server it's connecting to and enables various workarounds for the different bugs to deal with it.

However in Server 2012 there's a new, pretty major bug that can't be transparently worked around: If you send in a message secured with modern crypto, AES and SHA-2, it sends back an invalid response that can't be decrypted. If you fall back to the twenty-year-old SHA-1 and the forty-year- old DES/3DES, it works OK, or at leas as OK as NDES has ever worked.

There are two possible options to deal with this problem:

1. If Server 2012 is detected, quietly switch to the obsolete crypto
algorithms in order to connect.

2. Stay with the modern crypto and report an error.

What would people prefer for cryptlib? Silently switching to obsolete crypto will make things work, and probably won't introduce any practical vulns because to carry out an attack you'd need to be able to perform a real-time break of SHA-1, and even then I can't imagine anyone bothering for SCEP, but it does violate the implied contract that if you're set up for AES and SHA-2 you expect to actually use AES and SHA-2.

On the other hand reporting an error and stopping isn't terribly useful, it just means you need to add an additional manual step of falling back to SHA-1 and DES yourself before continuing anyway.

The code currently reports an error and exits, but I'm trying to get a feel for whether people think I should switch to the fall-back-to-old-crypto behaviour.

Peter.
_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please subscribe in order to post messages.
________________________________

Le informazioni contenute in questo messaggio di posta elettronica sono da considerarsi riservate e confidenziali. Il loro utilizzo è consentito esclusivamente al destinatario in indirizzo e ne è vietata la diffusione in qualunque modo eseguita, salvo che ne sia data espressa autorizzazione dal mittente. Nel caso in cui il messaggio Le fosse pervenuto per errore, La invitiamo gentilmente ad eliminarlo in modo permanente dopo averne dato tempestiva comunicazione al mittente e a non utilizzare in alcun caso il suo contenuto. Qualsivoglia utilizzo non autorizzato di questo messaggio e dei suoi eventuali allegati espone il responsabile alle relative conseguenze civili e penali.

This communication is confidential and the use of the contained information is allowed solely for the intended recipient. Its disclosure, distribution or copying is prohibited, unless expressly authorized by the sender. If you receive this communication by mistake please notify us and delete the message and its attachments. Anyone responsible for the unauthorized use of this message and its attachments is liable to face legal consequences.
_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent s

Peter Gutmann

2017-04-26 22:47:45 UTC

Permalink

Ralf Senderek <***@senderek.ie> writes:

>I don't see much of a problem falling back to 3DES, but your original posting
>suggested that under some circumstances even a DES-fallback can happen. If
>that isn't the case and I misread it, then there is no need for a change
>IMHO.

The problem is that I don't know how far it's necessary to fall back, 2008 had
one set of broken behaviour, 2008R2 another, and 2012 yet another (and I
haven't had a chance to play with 2016 yet). The de facto baseline for SCEP
is single DES + MD5, which I hope I never have to fall back to. On the other
hand with a strict interpretation of the spec Microsoft's servers can't even
do SHA-1 or 3DES, although in practice they do, you just have to establish it
via trial and error and then fingerprint the servers to try and figure out
which ones do it. Even that will break if the server admin uses URL rewriting
to block reporting of the server version.

What I'd really need is access to a bunch of Microsoft/NDES servers running
different versions of the server software to try some test messages with.
Ideally it'd be 2008, 2008R2, 2012, 2012R2, and 2016 because they all have
different bugs. So if anyone's running any of these servers with SCEP/NDES
that I can bounce a few test messages off, let me know...

Peter.
_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscrib

Jeffrey Walton

2017-04-29 00:17:47 UTC

Permalink

On Tue, Apr 25, 2017 at 3:48 AM, Peter Gutmann
<***@cs.auckland.ac.nz> wrote:
> Microsoft's NDES implementation of SCEP has been broken in various ways for
> many years, to the point where cryptlib fingerprints the server it's
> connecting to and enables various workarounds for the different bugs to deal
> with it.

Somewhat related, Apple has a SCEP server too. It looks like they just
made the leap from DES to 3DES. From
https://support.apple.com/en-gb/HT207617:

Support for the 3DES cryptographic algorithm was added to
the SCEP client and DES was deprecated.

CVE-2017-2380: an anonymous researcher

Jeff

_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
s

Peter Gutmann

2017-05-01 02:13:23 UTC

Permalink

Jeffrey Walton <***@gmail.com> writes:

>Somewhat related, Apple has a SCEP server too. It looks like they just made
>the leap from DES to 3DES. From https://support.apple.com/en-gb/HT207617:
>
> Support for the 3DES cryptographic algorithm was added to
> the SCEP client and DES was deprecated.
>
> CVE-2017-2380: an anonymous researcher

I think Apple only has the client, and they use Windows Server for
provisioning, or at least that's how all the corporate environments I've seen
do it. The fact that they use obsolete, insecure crypto is also why they
haven't run into this bug in Windows Server yet, it's only when you use modern
algorithms that you run into problems.

Who needs the NSA's TAO when you've got Microsoft doing it for them?

Peter.

_______________________________________________
Cryptlib mailing list
***@mbsks.franken.deAdministration via Mail: cryptlib-***@mbsks.franken.de
Archive: ftp://ftp.franken.de/pub/crypt/cryptlib/archives/
http://news.gmane.org/gmane.comp.encryption.cryptlib
Posts from non-subscribed addresses are blocked to prevent spam, please
subscribe in order to post messa