[Cryptography] Cryptolocker

Glenn Willen gwillen at nerdnet.org
Thu Nov 21 21:21:27 EST 2013


On Nov 21, 2013, at 6:08 PM, Greg Broiles wrote:

> According to Steve Gibson at https://www.grc.com/sn/sn-427.txt, when CryptoLocker contacts the central server(s), the servers generate a unique (per victim) 2048-bit RSA keypair; the public key is sent from the server to the infected machine. The infected machine generates a random 256-bit AES key, which is then encrypted with the public key and sent to the server, and used locally to encrypt the ransomed files. The key stored in the infected machine's registry is the public half of the RSA key.

He calls their cryptography 'perfect', but he makes no mention of what block cipher mode they're using, or how they're handling IVs/nonces. Off the top of my head, it seems to me like you could do it securely -- given his description of the trojan's observed behavior -- using AES-CTR or AES-CBC, using a hash of the file's full path for the CTR nonce or the CBC IV. (Alternatively you could use random or sequential nonces, but then you'd have to store the nonce <-> file mapping somewhere, and I didn't see him mention any evidence of that.) If they don't do that, it's probably reusing nonces/IVs, which would make it vulnerable. 

(Of course, the effort required to use the hypothetical vulnerability to recover a single valuable file probably already exceeds the price they're charging for the key. And forget about using it to recover the entire filesystem.)

Glenn
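
An added illustration of the nonce-reuse point in the message above (not code from the post, from the cited analysis, or from CryptoLocker): with one key shared across files, a fixed CTR nonce lets a single known file (for example, one restored from backup) decrypt another, while a path-derived nonce does not. HMAC-SHA256 stands in for the AES block function so the example runs on the standard library alone; the key, paths and file contents are constructed.

```python
import hashlib
import hmac

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """CTR-style keystream: PRF(key, nonce || counter), one block per counter.
    HMAC-SHA256 is a stand-in for AES here (assumption, not real AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        out += block.digest()
        counter += 1
    return bytes(out[:length])

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, nonce, len(plaintext)))

def path_nonce(path: str) -> bytes:
    # Nonce derived from a hash of the full path, as the message suggests.
    return hashlib.sha256(path.encode("utf-8")).digest()[:16]

def recover_with_known_plaintext(c_known: bytes, p_known: bytes, c_target: bytes) -> bytes:
    # Under a shared key AND nonce, c_known ^ p_known is the keystream itself.
    return xor(c_target, xor(c_known, p_known))

# Constructed sample data (hypothetical key, paths and contents).
KEY = bytes(range(32))
FILES = {
    r"C:\docs\a.txt": b"quarterly report: revenue up 4%",
    r"C:\docs\b.txt": b"meeting notes: ship on Friday!!",
}

def demo(fixed_nonce: bool) -> bytes:
    """Encrypt both files under KEY, then try to recover file 2 from file 1."""
    paths = list(FILES)
    nonces = [bytes(16) if fixed_nonce else path_nonce(p) for p in paths]
    cts = [ctr_encrypt(KEY, n, FILES[p]) for n, p in zip(nonces, paths)]
    return recover_with_known_plaintext(cts[0], FILES[paths[0]], cts[1])

if __name__ == "__main__":
    print("fixed nonce :", demo(fixed_nonce=True))   # second file's plaintext
    print("path nonce  :", demo(fixed_nonce=False))  # unrelated bytes
```

A path-derived nonce is unique per path only: encrypting different contents at the same path under the same key reuses the keystream again.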

