[HN Gopher] NSA's Backdoor of the PX1000-Cr
___________________________________________________________________
NSA's Backdoor of the PX1000-Cr
Author : sohkamyung
Score : 247 points
Date : 2022-02-17 08:09 UTC (14 hours ago)
(HTM) web link (www.cryptomuseum.com)
(TXT) w3m dump (www.cryptomuseum.com)
| sylware wrote:
| How would this be different from what exists and is in use today?
|
| Not to mention, the "holes"/"bugs" in the silicon and those in
| the running software stack. People tend to forget about the SDK too:
| "backdoor injectors for foreign and future CPUs" aka compilers.
| jacquesm wrote:
| If it were built today you could expect all of the security
| features of the best phones on the market and of course far
| more powerful processors allowing for stronger crypto.
|
| Essentially you'd be looking at a cryptophone.
| tablespoon wrote:
| > In this context it would be interesting to know whether the NSA
| had deliberately weakened the PX-1000's cipher, in order to
| monitor the ANC communications.
|
| Honestly, that seems a little far fetched. This kind of thing
| seems like something that would be smart to do with no particular
| target in mind, with the idea that it could be opportunistically
| exploited later.
|
| Anyone who goes out and buys a specialized encryption device,
| especially in the 80s, probably has a high likelihood of being up
| to things the authorities have an interest in.
| richardfey wrote:
| Somewhere at NSA there must be an equivalent museum with the
| hardware that helps deciphering PX1000-Cr ciphertexts
| Rebelgecko wrote:
| If you're ever in the area, NSA's public museum is 100% worth a
| visit. Not surprisingly they skip over things that make them
| look bad, but it's really cool to be able to play with real
| enigma machines. They do have an exhibit on secure
| telecommunications hardware, although I don't remember if this
| device is included (IIRC it's mostly landlines and more modern
| cell phones)
| jacquesm wrote:
| I knew the director of Textlite, Hugo Krop. He was active as an
| investor as well, a coke junk and went around with a body guard
| with a gun at all times driving a black armored (so he claimed)
| Mercedes.
|
| Textlite was the brand used for the LED light bars which they
| designed and manufactured, and which were a runaway success.
|
| The PX-1000 was his brainchild too, but it never got the market
| adoption that they were hoping for.
|
| More information [1], [2].
|
| Weird but interesting character. Hugo had a bit of a lifestyle
| problem (to put it mildly) and when Textlite cratered he went
| into all kinds of really shady deals, one of which was a fund
| that ostensibly grew trees in Latin America.
|
| Eventually he went to jail [3] because it turned out that those
| forests of trees didn't exist. He died recently (in 2018).
|
| I have a lot of funny and some not so funny stories about Hugo,
| he wasn't the nicest man due to his habit but when sober and
| clean was smart and interesting to talk to and tuned in to trends
| that others only saw much later. You can think of the PX-1000 as
| an early version of what today would be called a cryptophone, a
| mobile way for people to communicate securely.
|
| What is interesting is that in this particular context instead of
| the main use case highlighted being criminals the case of Nelson
| Mandela and his army of supporters is used to exemplify the power
| of such a device.
|
| This was in the age when all information traveled in plaintext
| and to suddenly have someone sell a device that afforded 'pretty
| good privacy' was a thing that the intelligence services found
| hard to deal with.
|
| [1] https://www.groene.nl/artikel/versleuteld-maar-niet-voor-ame...
|
| [2] https://www.vpro.nl/argos/lees/onderwerpen/cryptoleaks/2020/...
|
| [3] https://www.blikopdewereld.nl/economie/beleggersinfo/de-bele...
| silasdavis wrote:
| How did you become acquainted?
| jacquesm wrote:
| That's a very long story, the in-a-nutshell version: walking
| at night in Amsterdam I spotted two guys hauling an Apple II,
| disk drives, a monitor and a bunch of expansion cards out of
| the back of a car, I asked what they were doing and they said
| that they were making some kind of computer vision device
| (this was in 1984, I was 19 at the time, what they were
| building was an eye tracker), I asked if I could tag along
| and they said ok, after an hour or so it was clear they had
| no clue what they were doing (trying to write some basic
| program to talk to their frame grabber) so I coded the whole
| thing up without an assembler by poking the machine code into
| some free RAM. This led to a longer term relationship, the
| one guy was an optics genius called Michiel Kassies, the
| other a guy that knew a lot about hardware, Karl Jungbauer
| who worked for NikHef (the dutch institute for Nuclear
| Physics) in their hardware department and who moonlighted in
| the tech scene in Amsterdam in his free time. Michiel knew
| Hugo, and when Hugo got the proposal to invest in Jan Sloots'
| fake video compressor he asked me to look it over for him,
| which I did.
|
| Hugo ended up investing in DadaData, a company founded by
| Jungbauer, a guy called Peter Domela-Nieuwenhuis and myself,
| after three weeks I realized these guys were more interested
| in their drugs than in running a business so I bailed out and
| founded MCS, which still continues today (though it has been
| renamed).
|
| Over the years Hugo would come up with all kinds of weird
| ideas and occasionally he'd call. We lost touch prior to
| Greenmix, by which time his drug use became so bad that there
| were no more normal times.
|
| It's pretty weird to see someone you respect initially slide
| off like that, I have always hated drugs and it made it
| pretty hard for me to be exposed to it without commenting on
| it and getting into arguments. Hugo _really_ was a nice guy
| that lost it, his addiction to his dope and lifestyle eroded
| every sense of what was right and what wasn't. The path of
| destruction he left behind is a mile wide and even though he
| spent 12 months in jail I'm pretty sure there are lots of
| people around here that would happily piss on his grave.
|
| Of course I'm sorry for all the investors that lost their
| money in his harebrained schemes, but I mostly pity his kid
| who saw his father slide down like that.
|
| One of the funnier stories about Hugo: he was very much
| overweight and the doctor told him to get some exercise or
| that he'd die of a heart attack in short order. So he went
| bike shopping and picked out a very fancy racing bike. After
| 6 months of dutifully disappearing each day for two hours on
| his bike he complained that he didn't lose any weight. So I
| offered to ride with him to see what was going on. Hugo lived
| in Loosdrecht at the time, and from his house made a beeline
| to a pancake restaurant in Vreeland (a couple of km away from
| his house), where he ate two _enormous_ pancakes, consumed
| copious amounts of expensive alcohol and then cycled
| leisurely back. So at least I understood why the weight loss
| program was a failure :), but he swore me to secrecy (which I
| am now breaking, but I don't think he'd mind).
| mstef wrote:
| fascinating details, happy to have stirred up these
| memories!
| jacquesm wrote:
| I've been reading for a couple of hours on all of the
| stuff you guys have dug up on the pocket telex (and other
| interesting bits and pieces), very impressive. So much
| detail, this must have been a lot of work, and other than
| a couple of typos I can't find anything that doesn't
| match what I already knew about the device. It would be
| interesting to know who formed the software team from
| those days, I wished I recalled more names.
|
| Above the offices in Amsterdam Zuidoost (Hogehilweg) they
| had this insanely extravagant bar. Looking back I think
| that the armed bodyguard must have been either coke-
| induced paranoia shining through or a sign that there was
| already more afoot that could not stand the light of day.
| jacquesm wrote:
| By the way, doesn't this page need an update now?
|
| https://cryptomuseum.com/crypto/philips/index.htm
|
| "The Philips version with encryption (PX-1000Cr)
| contained a much improved cryptographic algorithm."
| cryptopaul wrote:
| Hi, Paul from Crypto Museum here. Thanks for bringing
| this to my attention. I missed that one when updating the
| stories.
| Daniel_sk wrote:
| Wow, very interesting - thanks for sharing. There are so
| many moments like these and they get lost in history...
| jacquesm wrote:
| What really bothers me - even after all those years - is
| that if not for the drugs these guys would have gone so
| much further than they did. They had every opportunity,
| the tools, the brains, the timing and they fucked it all
| up.
| bitwize wrote:
| Kind of reminds me of Phil Katz. Brilliant guy, but a
| raging drunk. When he died, Wired or somebody interviewed
| the strippers at the strip club he used to go to, who
| said that he was very lonely and looking for someone to
| talk to.
| bredren wrote:
| Possibly. For some, substance abuse is one escape--one
| way of dealing with inner demons. There are other
| destructive, occupying things than substances that can
| stop talent and productive potential from yielding much
| at all
| tmnstr85 wrote:
| This story made my day. Thank you!
| gzer0 wrote:
| There is good reason to believe the weaknesses introduced by the
| NSA with the PX1000-cr algorithm were introduced as part of a
| series of multiple backdoors that cooperate together [2][3].
|
| The equation system to be solved is rather huge (~20 megabytes
| when shown as ASCII text), therefore it is logical to assume the
| NSA required more efficient techniques to break it in the 1980s.
|
| The fact that the first and last character, as well as the top
| bits in between, leak the keystream makes for an easy and cheap
| attack that amortizes the algebraic attack costs. Detection of
| key re-use is therefore trivial.
|
| And since this is a stream cipher key reuse, it is
| cryptographically disastrous; an excellent illustration of this
| is the Venona project [1]. The NSA has spent decades trying to
| recover plaintext from two-timepads, but in the Venona case they
| did not know which two messages shared the same key. This is
| significantly simpler with the PX1000-cr.
|
| For Venona, it is a safe guess that the NSA developed a
| significant amount of HW capable of recovering plaintext from two
| plaintexts that have been XOR-ed together. This implies they may
| employ more costly algebraic or other attacks only on cryptograms
| with unique keys. This, I feel, is a critical insight: there is
| not a single backdoor here, but numerous ones that cooperate.
|
| [1] https://en.wikipedia.org/wiki/Venona_project
|
| [2] https://www.alchemistowl.org/pocorgtfo/pocorgtfo21.pdf
|
| [3] https://www.ctrlc.hu/~stef/blog/posts/pocorgtfo_21_12_apocry...
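
An added illustration of the key-reuse point in the comment above (not part of the original post, and not the PX1000-Cr algorithm): when 7-bit text is XORed with an 8-bit keystream, the top bit of every ciphertext byte is a keystream bit, so two messages sent under the same key show identical top-bit patterns. The SHA-256 counter-mode generator, the keys and the messages are constructed stand-ins, and the 7-bit plaintext model is an assumption.

```python
import hashlib
from itertools import combinations

def keystream(key: bytes, n: int) -> bytes:
    """Stand-in generator (SHA-256 in counter mode); NOT the PX1000-Cr algorithm."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """XOR stream encryption. Model assumption: plaintext is 7-bit ASCII."""
    if any(b > 0x7F for b in plaintext):
        raise ValueError("model assumes 7-bit plaintext")
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, len(plaintext))))

def top_bits(data: bytes) -> list:
    """Bit 7 of each byte. For 7-bit plaintext this equals the keystream's bit 7."""
    return [b >> 7 for b in data]

def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings over their common length."""
    return bytes(x ^ y for x, y in zip(a, b))

def find_key_reuse(ciphertexts, min_len=16):
    """Return index pairs whose top-bit patterns agree over their common length.
    A chance match between unrelated keystreams has probability 2**-n."""
    hits = []
    for (i, a), (j, b) in combinations(enumerate(ciphertexts), 2):
        n = min(len(a), len(b))
        if n >= min_len and top_bits(a[:n]) == top_bits(b[:n]):
            hits.append((i, j))
    return hits

# Constructed sample traffic: messages 0 and 2 reuse the same key.
MESSAGES = [
    b"MEETING MOVED TO THURSDAY AT THE USUAL PLACE",
    b"SHIPMENT DELAYED, EXPECT ARRIVAL NEXT WEEK",
    b"CONFIRM RECEIPT OF THE LAST THREE MESSAGES",
]
KEYS = [b"constructed-key-A", b"constructed-key-B", b"constructed-key-A"]
CIPHERTEXTS = [encrypt(k, m) for k, m in zip(KEYS, MESSAGES)]

if __name__ == "__main__":
    for i, j in find_key_reuse(CIPHERTEXTS):
        leaked = xor_bytes(CIPHERTEXTS[i], CIPHERTEXTS[j])
        print(f"messages {i} and {j} share a keystream")
        # With a shared keystream the key cancels out entirely.
        print("c_i XOR c_j == p_i XOR p_j:",
              leaked == xor_bytes(MESSAGES[i], MESSAGES[j]))
```

The design lesson is the usual one for stream ciphers: mix a fresh per-message nonce into the keystream so that no two messages are ever encrypted under the same stream.
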
| djmips wrote:
| Fascinating person. This device really does feel ahead of its
| time. What was his story for the period after the tree scam
| till his death?
| jacquesm wrote:
| I suspect you are in the wrong part of the thread so I'll
| answer you here.
|
| I do not know, I lost contact with him and only read about
| him in the paper after that period.
|
| He had some _really_ unsavory characters hanging around him
| and that plus the drugs were the main reason for me to stop
| interaction with him. There are some rumors that the funds
| raised with Greenmix were used to finance drug transports, I
| have no clue if these are true or not but if they were it
| wouldn't surprise me even a little bit.
| mstef wrote:
| nice summary of my post! thank you very much
| mhh__ wrote:
| Venona dumps are apparently still embarrassing enough that
| they're only being drip published still even today. I don't
| think the original Russian is declassified at all.
| akira2501 wrote:
| > The equation system to be solved is rather huge (~20
| megabytes when shown as ASCII text), therefore it is logical to
| assume the NSA required more efficient techniques to break it
| in the 1980s.
|
| I would assume they're far more capable of building custom
| hardware to accomplish these attacks than needing to do all of
| them in software, especially in the 1980s.
| nonrandomstring wrote:
| The algorithm itself looks pretty strong for its time but weaker than
| DES having a 16 byte non-linear function in a cipher feedback
| loop without chaining. Due to the way the registers aren't
| randomised and the key is entered it leaks plain-text quite
| badly. The story here is that Stefan Marsiske studied the
| algorithm and wrote a cracker that can break a PX-1000Cr message
| in 4 seconds on a modern laptop, with just 17 characters of
| cipher-text. Some of the story speculates on the effect this
| backdoor may have had on anti-apartheid in the 80s and an
| anecdotal conclusion that a developer had tipped-off the movement
| about weakened cryptography and helped them revert to a secure
| version of the PX-1000.
| Cryptanalyse wrote:
| marrold wrote:
| A few of us have bought rebadged versions of these recently and
| we're looking to create a backend for them that accepts a call
| (probably via SIP / VoIP) and then demodulates the v.23 and does
| something useful with it.
|
| Are you aware of anyone that's done this already?
|
| Thanks
| throwaway4good wrote:
| Good thing that they don't do this sort of thing anymore.
| nimbius wrote:
| for those willing to discount the revelation as cold-war era
| chicanery, a more recent example exists in the SPECK cipher
| fiasco where the community, frustrated by statist stonewalling
| and theatrical bloviation, basically told the NSA to pound sand
| down a rat hole and refused to incorporate the cipher into the
| kernel.
|
| https://en.wikipedia.org/wiki/Speck_%28cipher%29
| jacquesm wrote:
| Yes, the NSA is fantastic at cryptography but doesn't
| understand the concept of broken trust.
| axiosgunnar wrote:
| > Although he hasn't found the smoking gun (yet)
|
| So the author is admitting to the title being fake news?
| mstef wrote:
| actually since large parts of my addendum blog post were quoted
| here, here is another quote:
|
| > lets me conclude that the PX1000cr algorithm is indeed a
| confirmed backdoor.
|
| I guess, me and the cryptomuseum people had a misunderstanding
| about this.
| mstef wrote:
| i mean an algebraic full key recovery out of 17 ciphertext
| chars is nothing else but catastrophic. and i'm sure this can
| be done much more efficiently.
| axiosgunnar wrote:
| Oh hi! And thanks for the clearup!
| drzaiusapelord wrote:
| This is also a great commentary on the inherent untrustworthiness
| of for-profit corporations. From a capitalist perspective trading
| the security of your users for some early commercial advantage
| like those 1977 algos from the NSA is "worth it," and the cost is
| unseen (allowing backdoors) and never disclosed to the customer
| (dishonesty). There's no one watching this, no rules, and people
| like Nelson Mandela were victimized because of this. Whenever I
| meet someone who refuses to run secure systems on anything but
| FOSS, I respect that they accept that capitalism is a failure in
| this regard, and a huge one at that.
|
| I have no idea what commercial products are secure now, and
| neither do you. That's a problem.
| mstef wrote:
| author of the break here, ama.
| marrold wrote:
| A few of us have bought rebadged versions of these recently and
| we're looking to create a backend for them that accepts a call
| (probably via SIP / VoIP) and then demodulates the v.23 and
| does something useful with it.
|
| Are you aware of anyone that's done this already? We're not
| desperate to support the encryption initially but I guess it
| would be nice too.
|
| Thanks
| flyinghamster wrote:
| The SpanDSP library has low-speed FSK modem implementations
| (including Bell 202 and V.23). I've employed the 202
| demodulator to listen in to some radio-based telemetry.
|
| https://github.com/freeswitch/spandsp
| mstef wrote:
| sorry, no. but there is an emulator[1], so you can test the
| roms, or you can write your own code and test it without
| having the hw.
|
| [1] https://github.com/iddq/sim68xx/tree/px1000
| marrold wrote:
| Nice, thanks
| sounds wrote:
| I'm curious whether there is any info on the dev team who
| created the PX-1000 (where PX-1000Cr is implemented). Any more
| info on how the NSA got a backdoor inserted? There's [1] which
| gives a general overview.
|
| This seems like a fascinating story, would be happy to read
| more!
|
| [1] https://www.cryptomuseum.com/crypto/philips/px1000/nsa.htm
| mstef wrote:
| afaik the firmware was developed by philips usfa[1] based on
| directions (test vectors?) by the NSA, lots of effort was put
| into making the algo run efficiently on the CPU in the
| px1000.
|
| [1] https://www.cryptomuseum.com/crypto/philips/usfa.htm
| mstef wrote:
| also interesting might be this generic link unrelated to the
| NSA backdoor: https://cryptomuseum.com/crypto/philips/px1000/
| classichasclass wrote:
| I've got a pair of these somewhere, acquired domestically (USA)
| AFAIR. Assuming these are crypto-enabled, any easy way to tell
| what firmware is in them?
|
| Edit: These are Text-Tells.
| mstef wrote:
| see the section "Different Versions" on this page:
| https://cryptomuseum.com/crypto/philips/px1000/
| [deleted]
| jacquesm wrote:
| Cool job, that brought back a lot of memories.
| mperham wrote:
| What the heck is PX1000Cr???
|
| I've been in tech for decades and have never heard of this. The
| link offers no actual explanation. Could you supply some
| background?
|
| Edit: found this
| https://www.cryptomuseum.com/crypto/philips/px1000/nsa.htm
| 1024core wrote:
| For those of us not really plugged into the crypto world: what is
| PX-1000Cr? Why is it important? Where is it used?
| mstef wrote:
| it's a pocket telex from the early 80ies, you can read more
| about the device here:
| https://www.cryptomuseum.com/crypto/philips/px1000/index.htm
| dmix wrote:
| I love the design of these products
| https://cryptomuseum.com/crypto/philips/index.htm
| jacquesm wrote:
| Once upon a time Philips was a world renowned brand in
| electronics, extremely innovative and their gear was top notch.
| How it all went to hell I still don't fully understand, but in
| the late 80's or so their quality started going downhill and
| they seemed to make one bad move after another.
|
| This stuff is from various eras but not all of the designs are
| theirs (though all the gear prior to and including the 'spendex
| 50' was in-house design work).
| hyper_reality wrote:
| This is fascinating and a great bit of work by Stefan Marsiske.
| Loved the technical writeup in PoC||GTFO too. This quote from the
| TFA really shows just how difficult it was for the public to
| access decent cryptography at the time:
|
| > In her book Operatie Vula, Conny Braam explains how one of her
| people met a guy, by the name of Floris, in a pub in Amsterdam,
| who allegedly had developed the PX-1000 [5]. From him they
| learned that the device had been taken off the market as its
| encryption was too strong. It had been replaced by a calculator
| but he suggested to find the older version with built-in crypto.
|
| In all I would say it was a pretty good backdoor for the early
| 80s, showing how far ahead the NSA's internal understanding of
| cryptography was. I wonder if they would have anticipated the
| world we live in today where state-of-the-art cryptography is
| available and used by everyone on the Internet.
| mstef wrote:
| thank you! may i return the compliments? i love playing on
| cryptohack.org so many fun and educational challenges! kudos!
___________________________________________________________________
(page generated 2022-02-17 23:01 UTC)