News: CFTIRC Online Bulletin Board Launched (Pentesting & DFIR Miner).
Please register an account to access our community's posts.

Login  |  Register
« previous next »
Pages: [1]

Author Topic: Cracking Phobos UUID  (Read 700 times)

BigBrother

  • Administrator
  • Sr. Member
  • *****
  • Posts: 408
  • Karma: 2000
  • You Posted! You Posted! : Earned for posting at least 1 time.
    Have something to say! Have something to say! : Earned for posting at least 10 times.
    Talkative! Talkative! : Earned for posting at least 100 times.
Cracking Phobos UUID
« on: September 01, 2020, 06:00:36 pm »
tl;dr for busy people
  • Contrary to other languages, D's current standard implementation of UUID4 isn't cryptographically secure and shouldn't be used to generate secrets This is supported by the RFC which discourages people to use UUIDs for secrets.
  • Of course lots of people, projects and frameworks use them to generate secrets such as session cookies, password reset token and more because it's easy, looks like it should work and does work in virtually any other language.
  • Legitimately, people will ask "OK, it's bad in theory, but how hard is it in practice". I show in this article that it is possible to guess the next UUID to be generated with a maximum of 8192 requests after having gathered 156 UUIDs: a very practical attack indeed compared to the original 2¹²⁸ possibilities.
  • This should be viewed as a call for action: Phobos must provide a secure random number generator. It's too basic and important a component not to provide it in a standard way.
  • If your project uses randomUUID(), make sure its value isn't supposed to be secret. Otherwise change for a token built from cryptographically secure randomness.
Context

Some time ago I had a nice chat with a library's maintainer about Random Number Generation and their relation to security. It reminded me that the topic is not obvious and I decided to have a look at the state of things in D since that's become my topic of open-source research these last years.

In particular, I knew that D's standard library, Phobos, does not currently propose any standard way to get cryptographically secure random numbers. Not too many projects use the default and insecure uniform() to generate secrets such as session tokens. However I decided to have a look at UUIDs since they are often for security purpose. And sure enough, many projects that I will not list use insecure UUIDs.

The thing is, while they should not do so, I cannot fault them for thinking that it is correct. In most languages UUIDs are generated from secure randomness and are a reasonable way to generate secure secrets. But that is not the case in D and this means that these projects are vulnerable.

Read the full article @ https://breakpoint.purrfect.fr/article/cracking_phobos_uuid.html
--
Best Regards
CFTIRC Admin
https://www.acfti.org/cftirc-community
Pages: [1]
« previous next »