RE: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)
-----BEGIN PGP SIGNED MESSAGE-----

Since I've had so many people either ask what s/w was installed on this box, or else claim that "J.A. must be on crack! :-)", here is the breakdown...

NT4.0;
SP3;
Every post SP3 hotfix through the third week of December;
NT4.0 Server Resource Kit;
I.E. 3.02 with Java VM pkg installed;
PGP 5.0 Commercial;
Adobe Photoshop 4.0 with a couple of special filter plugins;
Adobe Illustrator 4.something, no addons;
Adobe Premier with no addons;
Micrographics Webtricity;
Front Page 97 with assorted HotFixes;
Outlook 97 with assorted HotFixes;
TCL/TK;
J++;
Java 1.something with SDK;
WordPerfect Suite 7.something.

Obviously, this is on a Web Authoring station, so there is absolutely no reason for any of the above programs to be playing around with Skipjack... Nevertheless...

I brought up a testbed system over the Xmas break, using the same install packages that I used to build the workstation in question. No sign of ANY ciphers: Skipjack or anything else! Which makes sense. The question now is just how in the h%@#& did it get here in the first place? And why are my other ciphers explicitly disabled for SSL?

This is a really disturbing finding. I am more concerned that Skipjack was *silently* installed than anything else: I have plans to completely reinstall all of the software from scratch on this particular box, and then enable full key ACL logging in an attempt to find out how it got there. I am VERY concerned about this!

The ONLY way I can conceive of this machine having this configuration is if it was silently downloaded to the machine during a W3 session. And it would NOT likely have been an SSL session: We do absolutely NO on-line transactions here. If Skipjack is being silently installed, I want to know by whom, and for what purpose.

OK, maybe I'm just paranoid, or smoking crack, but I spent several years in the late '80s working in COMSEC, and the scenario which first comes to mind is not too far-fetched (at least for me) to be believable...
It is most definitely an SSL 3 supported cipher but unless you have the token or such, then it is not going to be used for anything, and then only if you try to connect to a Skipjack (i.e. Fortezza) site. I doubt you have the code as it is classified and available (at this time) only in hardware. Don't sweat it, it looks like it's just a hook or ..... What environment/flavor of stuff are you running? I can help you with this if you want to contact me off the list.

At 11:45 AM 12/26/97 -0500, Ray Arachelian wrote:
Now this is interesting! :) (Either that or JA is smoking crack... - no idea on JA's reputation capital though...)
=====================================Kaos=Keraunos=Kybernetos============== .+.^.+.| Ray Arachelian |Prying open my 3rd eye. So good to see |./|\. ..\|/..|sunder@sundernet.com|you once again. I thought you were |/\|/\ <--*-->| ------------------ |hiding, and you thought that I had run |\/|\/ ../|\..| "A toast to Odin, |away chasing the tail of dogma. I opened|.\|/. .+.v.+.|God of screwdrivers"|my eye and there we were.... |..... ======================= http://www.sundernet.com ==========================
---------- Forwarded message ---------- Date: Wed, 24 Dec 1997 01:29:07 -0600 From: "J.A. Terranson" <sysadmin@mfn.org> To: 'NT Security Listserv' <ntsecurity@iss.net> Subject: [NTSEC] SKIPJACK / NT4.0 (SP3?)
-----BEGIN PGP SIGNED MESSAGE-----
I was rooting around in the registry tonight, (looking to repair my own stupidity!), and guess what I saw? SKIPJACK is installed, and ENABLED! I have NOT (nor would I EVER) installed it voluntarily, and Micro$loth only advertises the "standard" ciphers (which I also found).
Is anyone else aware of this? Is it safe to delete the key (and code? Hopefully this is DLL driven: I'm still looking!).
Also, anyone know what it was put there for? It's certainly not what I would consider an SSL issue!
J.A. Terranson
sysadmin@mfn.org
A small fading light in a vast and obscure universe...

PROTECT YOUR RIGHT TO PRIVACY - ENCRYPT!
PGP/DSS: 0x12896749 FP: 63F2 1777 BC38 AC1E 3359 0B0E C6C0 ED6B 1289 6749
PGP/RSA: 0x9D85DF05 FP: 810C 25E9 7DD3 C157 3081 A202 DDFD 4245
If Government wants us to behave, it should set a better example!
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNKC5wqAMF5Wdhd8FAQFsDQgAkietW1awMFDE9ZY5d9B+Zc0cGuGxlPC+
XzVy6+RleDngUecSAf8MbZZlTDDyN69liKG2Of0n+pZnlJSbKZWZiG0cRN592bbL
xCF/cwgNdJi1/HTA/mDZ7fpRT1phCMi/b2U3XXyV3QG2fv+Z8M5o4LjykYT+u4Lt
aEkfedFZKjkURO+artvGFnISfVxAMwpW0TfdbxE2Izw8iSjX2w+4aT0ub+Ck3OA4
X3Bek8ZPhbmsf9lIfBSe38ZPMZGrk7VwTPaMo7JiU5MM58OmCMaodKlwyxfsptKf
khLnbWJbwHrlbW2yXL7nh7Ttnxv1WJ6BHaaJhxX/5EWSU4xAc/FjaQ==
=jsvV
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNKRqWaAMF5Wdhd8FAQEoawf+PlZlxSUBhsO1Pj37arRPt0YDIiCX0e5K
UzKIOyIk82Q3s2py5LQmqUv8hrqIY2NxTcn2DaNYm4yS2UOgKDfgfJbswmWdRlYZ
UHOt+ROiUn5P7qJqMThKHxE2EnQKhhtyiRJaUYgilGbgKCAAs/YYtP5uu7XOfd3l
u9TNmZwz6GCUv3+QrGXBi3g5+KQkzNZ/4cJLn+LYV5dGBzbGAsnSaAjQ+Kai0Xs9
tNTLZjM2wWvUDU7BNUYu/mHyY+ltiURgaqUSQpz9VV3y6SOlyh/Oef2JMtZtYkVc
K8EkebhEQNQ4uECxChyGYsmiuDmnt8yCYeX3moCcu+szHebQ/YyPeA==
=KIsG
-----END PGP SIGNATURE-----
Actually, a quick browse through several machines' registry revealed this key as well in a list of ciphers. The bitch lives in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Skipjack

Along with shit like the following under Ciphers:

Des40/56
Des56/56
Null
RC2 128/128
RC2 128/40
RC4 128/128
RC4 40/128
RC4 64/128
Skipjack
Triple DES 168/168

Interestingly all the DES and RC2/RC4's have the same value (0xffffffff) for the enable key (including Triple DES). Skipjack and RC4 64/128 have different values (0x30 and 0x3f respectively). Null has an enable value of zero.

Adjacent to the ciphers key, there is a key for hashes listing MD5 and SHA; next to that is a KeyExchangeAlgorithms key listing Diffie-Hellman, PKCS, and Fortezza. All of these except Fortezza use 0xffffffff as the enable value. The Fortezza and Skipjack keys have the same "Enabled" key values! Additionally there is a ServerHandshakeTimeout value on the Fortezza key of 60000. Likely this "enabled" value is a link to some DLL that contains their code.

There is also a key called Protocols listing: "Multi-Protocol Unified Hello", PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0. All of these have subkeys of "Client" and "Server" with no values set. Adjacent to this key is a key called Certification Authorities, showing shit like AT&T, GTE, MCI, Keywitness Canada, Thawte, and of course Verisign.

I've sniffed around schannel.dll and it is what builds or looks for these registry entries. It also looks for rsabase.dll and crypto32.dll and cryptodlg.dll(?). In schannel.dll there's a string that says: Fortezza (DSS/SHA). So SHA is there. IMHO, from the looks of it, these are just stubs without any code behind them since the RSA code contains the RC2/RC4, RSA, etc. code. (Though I could be wrong.)

It's not SP3. I've got two servers with SP3 and IIS 3.0 with ASP and no Skipjack keys, so that leaves IE4 or IE3 as possible suspects (or some of the hotfixes.)

The non-Skipjack entry machines do have all the other ciphers, so something in IE4 and/or IIS4 is what adds them in. Interestingly enough this entire subkey isn't in Nt5Beta1. :)
to a Skipjack (i.e. Fortezza) site. I doubt you have the code as it is classified and available (at this time) only in hardware. Don't sweat it, it looks like it's just a hook or .....
Yep. Likely what it could be is a hook to a device driver that talks to a PC Fortezza card or some such.
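The registry layout the thread walks through (SCHANNEL\Ciphers, \Hashes, \KeyExchangeAlgorithms, \Protocols, each subkey carrying an "Enabled" DWORD) is easy to audit offline from a .reg export rather than by clicking through regedit. The script below is an added example written for this page, not code from any of the posters: it parses the DWORD values out of a `reg export` / regedit Export of the SCHANNEL key and classifies each entry. The sample .reg text is constructed from the values the thread reports and is not a capture from anyone's machine. The reading of Enabled (0 = disabled, 0xffffffff = enabled, anything else = nonstandard) and the list of ciphers treated as weak (NULL, the export-grade 40/56-bit variants, and all RC4) are the example's own assumptions, not something the thread establishes.

```python
import re

SCHANNEL_ROOT = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                 r"\SecurityProviders\SCHANNEL")

# Constructed sample: the shape of a .reg export of the SCHANNEL key, filled
# with the values reported in the thread. NOT a capture from a real host.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\DES 40/56]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\NULL]
"Enabled"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 64/128]
"Enabled"=dword:0000003f

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\RC4 128/128]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Skipjack]
"Enabled"=dword:00000030

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Triple DES 168/168]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Hashes\MD5]
"Enabled"=dword:ffffffff

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Fortezza]
"Enabled"=dword:00000030
"ServerHandshakeTimeout"=dword:0000ea60

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"""

_SECTION = re.compile(r"^\[([^\]]+)\]$")
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9A-Fa-f]{1,8})$')

# Assumption: these cipher entries should read Enabled=0 on any host today
# (NULL, export-grade 40/56-bit variants, every RC4 strength per RFC 7465).
WEAK_CIPHERS = {"null", "des 40/56", "des 56/56", "rc2 40/128", "rc2 56/128",
                "rc4 40/128", "rc4 56/128", "rc4 64/128", "rc4 128/128"}


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] headers and
    "Name"=dword:hex values. Returns {key_path: {value_name: int}}.
    Keys with no values still appear (with an empty dict)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _DWORD.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


def audit_schannel(keys):
    """Classify every SCHANNEL subkey that carries an Enabled value.
    0 -> disabled, 0xffffffff -> enabled, anything else -> nonstandard
    (the 0x30 / 0x3f values the thread reports land in the last bucket)."""
    prefix = SCHANNEL_ROOT.lower() + "\\"
    findings = []
    for path, values in keys.items():
        if "Enabled" not in values or not path.lower().startswith(prefix):
            continue
        category, _, name = path[len(prefix):].partition("\\")
        enabled = values["Enabled"]
        state = {0: "disabled", 0xFFFFFFFF: "enabled"}.get(enabled, "nonstandard")
        notes = []
        if category == "Ciphers" and name.lower() in WEAK_CIPHERS and state != "disabled":
            notes.append("weak cipher not disabled")
        if name.lower() in ("skipjack", "fortezza"):
            notes.append("Fortezza/Skipjack entry: only usable with a Fortezza token")
        if state == "nonstandard":
            notes.append("Enabled=0x%08x is neither 0 nor 0xffffffff" % enabled)
        findings.append({"category": category, "name": name,
                         "enabled": enabled, "state": state, "notes": notes})
    return findings


def report(text):
    """One line per finding, flagged entries first."""
    lines = []
    for f in sorted(audit_schannel(parse_reg(text)),
                    key=lambda f: (not f["notes"], f["category"], f["name"])):
        flag = (" <-- " + "; ".join(f["notes"])) if f["notes"] else ""
        lines.append("%-22s %-20s Enabled=0x%08x %s%s"
                     % (f["category"], f["name"], f["enabled"], f["state"], flag))
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_REG)))
```

Feed it the output of a registry export of the SCHANNEL key (regedit's Export, or `reg export` on later Windows) instead of SAMPLE_REG. Note what the check can and cannot tell you: it reports which entries exist and how their Enabled DWORD reads, which is the question the thread is chasing, but it says nothing about whether code backs an entry; as the reply above points out, a Skipjack or Fortezza key is only usable with a Fortezza token regardless of its Enabled value.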