Security Conference Explores New Crypto Algorithm

by paco on Friday, April 25, 2014

The 2014 InfoSec Security Conference in London has put the name and affiliation of every attendee in an easy-to-scan QR code on every badge. They have protected that data with a cipher we’ve never seen in the wild before. For simplicity we’ve nicknamed it Rarely Observed Technique 1 (ROT-1). Let’s take a look at the data. (Update: My badge arrived with some weird data encoded into it. Find me around booth O94 and scan my badge.)

Here’s a badge (thanks James!).

[Image: InfoSecurity Europe badge]

Notice the QR code right there for easy scanning. If you scan it, you get the following:

"DO";"Djhjubm Fvspqf",
"Nbobhjoh Ejsfdups","T";

After painstaking cryptanalysis, we have decoded this to be:

"CN";"Cigital Europe",
"Managing Director","S";

The time we spent reverse engineering this cipher is nearly immeasurable. It is safe to say that it was so complicated that writing a blog post describing it takes substantially longer than the cryptanalysis.

At this point the story gets darker. Although ROT-1 has virtually never been observed in the wild, the industry standard ROT-13 cipher is well known and well understood. An InfoSec conference is an impressive gathering of people with deep knowledge of security and an obvious target for nation-state spies. The cipher is protecting the attendees’ names and affiliations. This cipher, however, runs only 1 of the 13 standard rotations. It is 92% weaker than the industry standard and this makes us suspicious. We can only conclude what the evidence shows: some government spy agency has tampered with the algorithm, weakening it so that spies can trivially decrypt the data. They haven’t counted on the cleverness of Cigital cryptographers, however, many of whom are so intelligent they can perform this cryptanalysis in their heads!

What takeaway lessons can we learn from this sad situation?

First: We learn that Cigital are pragmatic security consultants who don’t make a mountain out of a molehill. Anyone with enough technology to scan a QR code has enough technology to take a picture of the badge and use OCR to recover the printed text. Nothing is at risk that wasn’t already at equal risk.

Second: Security theatre is not free. Somebody somewhere probably set a pretty low bar: “Just don’t make it obvious”. I’m not sure this passes that bar. But consider software development: this is a bad idea. More code is more bugs. It is a no-value security illusion that just creates more code that has to be tested and can potentially create bugs. How many ROT-1 encoders and decoders were created? How do we handle non-English, non-ASCII character sets? All of that is code that, if it breaks, has a material impact on the people who use this software (e.g., the event managers, vendors, advertisers, etc.). Yet its value in “security” is illusory. So skip it entirely. Save development time, save costs, save complications, and don’t pretend you’re securing something when you’re not.

Paco Hope’s InfoSec Badge
[Image: Paco Hope’s badge]
This just in: my InfoSec badge came in. Now we can see how they handle accents and funny things. I entered my title as Prîncïpál Consultant. You can see that on my badge.

When I scan it with my QR code scanner, I get the following:

"Qs綷d疥 Dpotvmubou","T";

Good luck. I’m not sure how to decode Qs綷d疥 with ROT-1. Haven’t bothered dusting off my UNICODE or other texts to figure it out. I think it works out to this:

00 7b 22 43 4a 65 22 3b 22 42 49 44 48 35 44 53 22 {"CJe";"BIDH5DS"
10 2c 22 44 4f 22 3b 22 44 6a 68 6a 75 62 6d 22 2c ,"DO";"Djhjubm",
20 22 47 22 3b 22 51 62 64 70 22 2c 22 4b 55 22 3b "G";"Qbdp","KU";
30 22 51 73 e7 b6 b7 64 e7 96 a5 20 44 70 6f 74 76 "Qs...d... Dpotv
40 6d 75 62 6f 75 22 2c 22 54 22 3b 22 49 70 71 66 mubou","T";"Ipqf
50 22 7d "}
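
As an added example (not code from the original post or from the badge system), the Python below applies the inverse shift to the bytes in the dump above and reports the byte runs it cannot undo. The wraparound for a/A and leaving digits and punctuation unshifted are assumptions; the post shows neither case.

```python
import re

# Bytes transcribed from the hex dump on this page (scanner output, UTF-8).
DUMP = bytes.fromhex("""
    7b 22 43 4a 65 22 3b 22 42 49 44 48 35 44 53 22
    2c 22 44 4f 22 3b 22 44 6a 68 6a 75 62 6d 22 2c
    22 47 22 3b 22 51 62 64 70 22 2c 22 4b 55 22 3b
    22 51 73 e7 b6 b7 64 e7 96 a5 20 44 70 6f 74 76
    6d 75 62 6f 75 22 2c 22 54 22 3b 22 49 70 71 66
    22 7d
""")

def rot1_decode(data: bytes) -> str:
    """Shift ASCII letters back by one; mark every non-ASCII byte with U+FFFD."""
    out = []
    for b in data:
        if b >= 0x80:
            out.append("\ufffd")      # not a letter this scheme can undo
        elif chr(b) in "aA":
            out.append(chr(b + 25))   # assumed wraparound: a->z, A->Z
        elif chr(b).isalpha():
            out.append(chr(b - 1))
        else:
            out.append(chr(b))        # assumption: digits/punctuation unshifted
    return "".join(out)

def non_ascii_runs(data: bytes):
    """Return (offset, bytes) for each run the decoder cannot handle."""
    return [(m.start(), m.group()) for m in re.finditer(rb"[\x80-\xff]+", data)]

def lost_letters(entered: str, decoded: str) -> str:
    """ASCII letters of the entered word that the decode did not recover."""
    remaining = list(decoded)
    lost = []
    for ch in entered:
        if ch.isascii():
            if ch in remaining:
                remaining.remove(ch)
            else:
                lost.append(ch)
    return "".join(lost)

if __name__ == "__main__":
    text = rot1_decode(DUMP)
    print(text)
    for off, run in non_ascii_runs(DUMP):
        print(f"offset {off:#04x}: {run.hex(' ')}")
    title = re.search(r'"JT";"([^"]*)"', text).group(1)
    print("lost from title:", lost_letters("Prîncïpál", title.split()[0]))
```

In the title field the plain letters n, p and l are missing along with the accented characters, so the damage is not confined to the non-ASCII input.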

I hope this encourages people to scan my badge at InfoSec! See you there at booth O94.
