Mercurial > dropbear
view libtomcrypt/notes/tech0002.txt @ 1930:299f4f19ba19
Add /usr/sbin and /sbin to default root PATH
When dropbear is used in a very restricted environment (such as in a
initrd), the default user shell is often also very restricted
and doesn't take care of setting the PATH so the user ends up
with the PATH set by dropbear. Unfortunately, dropbear always
sets "/usr/bin:/bin" as default PATH even for the root user
which should have /usr/sbin and /sbin too.
For a concrete instance of this problem, see the "Remote Unlocking"
section in this tutorial: https://paxswill.com/blog/2013/11/04/encrypted-raspberry-pi/
It speaks of a bug in the initramfs script because it's written "blkid"
instead of "/sbin/blkid"... this is just because the scripts from the
initramfs do not expect to have a PATH without the sbin directories and
because dropbear is not setting the PATH appropriately for the root user.
I'm thus suggesting to use the attached patch to fix this misbehaviour (I
did not test it, but it's easy enough). It might seem anecdotic but
multiple Kali users have been bitten by this.
From https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=903403
| author | Raphael Hertzog <hertzog@debian.org> |
|---|---|
| date | Mon, 09 Jul 2018 16:27:53 +0200 |
| parents | 1b9e69c058d2 |
| children |
line wrap: on
line source
Tech Note 0002 How to avoid non-intrusive timing attacks with online computations Tom St Denis Introduction ------------ A timing attack is when an attacker can observe a side channel of the device (in this case time). In this tech note we consider only non-intrusive timing attacks with respect to online computations. That is an attacker can determine when a computation (such as a public key encryption) begins and ends but cannot observe the device directly. This is specifically important for applications which transmit data via a public network. Consider a Diffie-Hellman encryption which requires the sender to make up a public key "y = g^x mod p". Libtomcrypt uses the MPI bignum library to perform the operation. The time it takes to compute y is controlled by the number of 1 bits in the exponent 'x'. To a large extent there will be the same number of squaring operations. "1" bits in the exponent require the sender to perform a multiplication. This means to a certain extent an attacker can determine not only the magnitude of 'x' but the number of one bits. With this information the attacker cannot directly learn the key used. However, good cryptography mandates the close scrutiny of any practical side channel. Similar logic applies to the other various routines. Fortunately for this case there is a simple solution. First, determine the maximum time the particular operation can require. For instance, on an Athlon 1.53Ghz XP processor a DH-768 encryption requires roughly 50 milliseconds. Take that time and round it up. Now place a delay after the call. For example, void demo(void) { clock_t t1; // get initial clock t1 = clock(); // some PK function // now delay while (clock() < (t1 + 100)); // transmit data... } This code has the effect of taking at least 100 ms always. In effect someone analyzing the traffic will see that the operations always take a fixed amount of time. Since no two platforms are the same this type of fix has not been incorporated into libtomcrypt (nor is it desired for many platforms). This requires on the developers part to profile the code to determine the delays required. Note that this "quick" fix has no effect against an intrusive attacker. For example, power consumption will drop significantly in the loop after the operation. However, this type of fix is more important to secure the user of the application/device. For example, a user placing an order online won't try to cheat themselves by cracking open their device and performing side-channel cryptanalysis. An attacker over a network might try to use the timing information against the user.