Attacking Network Protocols

To complete this hierarchy, valid certificates must contain at least four pieces of information:

• The subject, which specifies the identity for the certificate

• The subject’s public key

• The issuer, which identifies the signing certificate

• A valid signature applied over the certificate and authenticated by the issuer’s private key

X.509 certificates are used to verify web servers, sign executable programs, or authenticate to a network service. Trust is provided through a hierarchy of certificates using asymmetric signature algorithms, such as RSA and DSA.

For a hashing algorithm to be suitable for cryptographic purposes, it has to fulfill three requirements:

Pre-image resistance Given a hash value, it should be difficult (such as by requiring a massive amount of computing power) to recover a message.

Collision resistance It should be difficult to find two different messages that hash to the same value.

Nonlinearity It should be difficult to create a message that hashes to any given value.

A number of hashing algorithms are available, but the most common are members of either the Message Digest (MD) or Secure Hashing Algorithm (SHA) families. The Message Digest family includes the MD4 and MD5 algorithms, which were developed by Ron Rivest. The SHA family, which contains the SHA-1 and SHA-2 algorithms, among others, is published by NIST.

The purpose of hashing in signature algorithms is to generate a relatively unique value to verify the integrity of a message and to reduce the amount of data that needs to be signed and verified.

Diffie–Hellman Key Exchange
RSA isn’t the only technique used to exchange keys between network participants. Several algorithms are dedicated to that purpose; foremost among them is the Diffie–Hellman Key Exchange (DH) algorithm.

The DH algorithm was developed by Whitfield Diffie and Martin Hellman in 1976 and, like RSA, is built upon the mathematical primitives of exponentiation and modular arithmetic. DH allows two participants in a network to exchange keys and prevents anyone monitoring the network from being able to determine what that key is. Figure 7-12 shows the operation of the algorithm.

AES
A far more modern encryption algorithm is AES, which is based on the algorithm Rijndael. AES uses a fixed block size of 128 bits and can use three different key lengths: 128, 192, and 256 bits; they are sometimes referred to as AES128, AES192, and AES256, respectively.

XOR Encryption
The XOR encryption algorithm is a very simple technique for encrypting and decrypting data. It works by applying the bitwise XOR operation between a byte of plaintext and a byte of the key, which results in the cipher text. For example, given the byte 0x48 and the key byte 0x82, the result of XORing them would be 0xCA.

Because the XOR operation is symmetric, applying that same key byte to the cipher text returns the original plaintext. Figure 7-2 shows the XOR encryption operation with a single-byte key.

Reverse Engineering Resources

The application binary interface (ABI) is an interface defined by the operating system to describe the conventions of how an application calls an API function.

Some requirements of a modern executable format include:

• Memory allocation for executable instructions and data

• Support for dynamic linking of external libraries

• Support for cryptographic signatures to validate the source of the executable

• Maintenance of debug information to link executable code to the original source code for debugging purposes

• A reference to the address in the executable file where code begins executing, commonly called the start address (necessary because the program’s start address might not be the first instruction in the executable file)