Friday, March 30, 2012

Software Tamper Resistance

One of the methods to provide tamper resistance capabilities to a software is code obfuscation. It is a process designed to change the software in order to make the software more difficult to reverse engineering while semantically equivalent to the original program. The technique is used both by “white hat” security specialist to protect Intellectual Property and to “deter the cracking of licensing and DRM schemes” (Victor, D 2008), as well as “black hat” as a protection technique to avoid detection (signature based) by anti-virus engines. Victor D. (2008) lists a number of techniques used to obfuscate the code including just-in-time decryption, polymorphic encryption, timing check, layer anti-debugging logic and binary code morphing. Moreover, Bai Zhongying and Quin Jiancheng (2009) successfully applied obfuscation principals in web environment creating prototypes of JavaScript and HTML obfuscation tools. An additional advance technique, self-modifying code, was proposed by Nokos Mavgoriannopoilos (n.d.) whereby the software mutates its own code in order to make it difficult to “make attacks [on the code] more expensive” (Nikos Mavrogiannopoulos, Nessim, K, & Bart, P n.d.).
While usage of obfuscation techniques become widely acceptable, Preda, M, & Giacobazzi, R (2009) raise a question of effectiveness of code obfuscation techniques - “it is hard to compare different obfuscating transformations with respect to their resilience to attacks and this makes it difficult to understand which technique is better to use in a given scenario” (Preda, M, & Giacobazzi, R. 2009) due to absence of theoretical research to formalize the metric of code obfuscation.
ProGuard “is a free Java class file shrinker, optimizer, obfuscator, and preverifier” (Eric Laforune, 2011). While advantages of the tool are easy integration into commonly used Integrated Development Environments (IDE) as well as ant tasks, and additional functionality such as optimizer and code shrieker, its obfuscation capabilities are limited to code morphing. More advance techniques, or combination of a number of obfuscation techniques such as flow obfuscation and string encryption could potentially (see previous paragraph discussing the lack of metric to measure the effectiveness of code obfuscation) exponentially increase the effort required to reverse engineer the code.


  • Bai Zhongying; Qin Jiancheng; 2009 , "Webpage Encryption Based on Polymorphic Javascript Algorithm," Information Assurance and Security, 2009. IAS '09. Fifth International Conference on , vol.1, no., pp.327-330, 18-20 Aug. 2009
    doi: 10.1109/IAS.2009.39
  • Eric Lafortune, 2011. “ProGuard” [online]. Available from: (accessed: March 30, 2012).
  • Nikos Mavrogiannopoulos, Nessim, K, & Bart, P n.d., 'A taxonomy of self-modifying code for obfuscation', Computers & Security, ScienceDirect, EBSCOhost, viewed 29 March 2012.
  • Preda, M, & Giacobazzi, R 2009, 'Semantics-based code obfuscation by abstract interpretation', Journal Of Computer Security, 17, 6, pp. 855-908, Academic Search Complete, EBSCOhost, viewed 29 March 2012.
  • Ross J. Anderson, 2008. “A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley Publishing.
  • Victor, D 2008, 'Obfuscation: Obfuscation – how to do it and how to crack it', Network Security, 2008, pp. 4-7, ScienceDirect, EBSCOhost, viewed 29 March 2012.

Saturday, March 17, 2012

Cracking AES/3-DES

In 2002, a distributed network ( was successfully recovers a DES encryption key within 2.25 days. In order to estimate if 3-DES or AES keys can be recovered using a brute-force attack, this paper calculates the number of encryption operations and the (potentially) available processing power.
One of the largest distributed computing projects, folding@home estimates that with utilization of modern hardware such as Graphic Processing Unit (GPU), it is possible to achieve an acceleration of up to forty times (x40) over CPU due to its ability to perform “an enormous number of Floating Point OPerations (FLOPs) “ (Vijay Pande, 2010). Therefore, by using 200,000 actively processing computers, it is possible to surpass the 10 Petaflop level. As such, it is safe to assume that one average each participating machine contributes:


or 50 billion calculations per second.
To amass the required computing power to brute force 3-DES or AES encryption, a bot network could be use to “harvest” idle CPU/GPU cycles. One of the most advance malware today, TDL-4, controls over 4.5 million infected computers in 2011 (Sergey Golovanov and Igor Soumenkov, 2011). Therefore, using previous assumption that zombie (infected computer) is capable of processing 50 billions calculations per seconds, the total computing power of a bot-net network such as TDL-4 is:


or 225 quadrillion (short scale) operations per second.
S. Kelly (2006) note that because in 3DES encryption scheme, the encryption keys relationship is C = E_k3(D_k2(E_k1(p))), in order to brute force a 3DES encryption a total of 2^168 cryptographic operation will be required. Assuming that a single 3DES decryption takes a microsecond (10^-6), it will take:


1.66286409 × 10^27 second, or 5.26941088 × 10^19 years. This is far longer than the universe exist (4.339×10^17 seconds). The reader should note that the figure is by far smaller than what was estimated by S. Kelly (2006) and this is due to increased computing power of moder CPU and GPU devices. Regardless, it is safe to assume that 3DES can withstand a brute force attack.


  • Kaur, G, & Kumar, D 2010, 'Performance and Analysis of AES, DES and Triple DES against Brute Force Attack to protect MPLS Network', International Journal Of Advanced Research In Computer Science, 1, 4, p. 420, EDS Foundation Index, EBSCOhost, viewed 17 March 2012.
  • Ross J. Anderson 2008, “Security Engineering: A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley.
  • Sergey Golovanov, Igor Soumenkov 2011, “TDL4 – Top Bot” [online]. Kaspersky Lab ZAO. Available from: (accessed: March 17, 2012).
  • S. Kelly, 2006, Security Implications of Using the Data Encryption Standard (DES) [online]. Network Working Group. Available from: (accessed: March 17, 2012).
  • Vijay Pande, 2010. “Folding@home high performance client FAQ” [online]. Available from: (accessed: March 17, 2012).