Socat Warns Weak Prime Number Could Mean It’s Backdoored

Socat published a security advisory warning users that a hard-coded 1024-bit Diffie-Hellman prime was not actually prime, and that an attacker able to listen in on a key exchange could recover its secrets.

Update: Socat is the latest open source tool to come under suspicion of being backdoored.

Socat is a versatile command line utility that builds bi-directional communication streams and moves data between channels, including files, network pipes, serial connected devices, sockets or a combination of any of these.

A security advisory published Monday warned that the OpenSSL address implementation in Socat contains a hard-coded Diffie-Hellman 1024-bit prime number that was not prime.

“The effective cryptographic strength of a key exchange using these parameters was weaker than the one one could get by using a prime p,” the advisory said. “Moreover, since there is no indication of how these parameters were chosen, the existence of a trapdoor that makes possible for an eavesdropper to recover the shared secret from a key exchange that uses them cannot be ruled out.”

Socat said it has generated a new prime that is 2048 bits long; versions and 2.0.0-b8 are affected. The advisory adds that a temporary workaround would be to disable the Diffie-Hellman ciphers.

A post to a technical forum noted that the non-prime parameter was introduced more than a year ago. A note in the commit indicates that Socat was not working in FIPS mode because FIPS requires a 1024-bit Diffie-Hellman prime, and that a developer named Zhiang Wang provided a patch with the new prime. The poster revealed that Wang works at Oracle and contributes to Socat.

A request for comment to Socat was not returned in time for publication. The big question is whether the non-prime “prime” was introduced intentionally or in error.

“I cannot for sure rule out the possibility of a backdoor,” said Gerhard Rieger, a Socat maintainer. “But personally I do not believe that the contributor has a backdoor because he uses an email address at a well known and reputable company, and if someone wants to install such a backdoor he would not use a parameter that can easily be proven as non prime.”

While it’s unknown how Wang chose the prime, other commenters on the post said that the checks in OpenSSL and other tools used to generate primes cannot be certain that the numbers they produce are prime. Rieger told Threatpost: “I do not know if a quick way exists to check this definitely. No attempts were made at all.”

“I’m pretty sure that when you generate a prime you’re using the Miller–Rabin primality test in which case you only probabilistically choose a prime,” the post said. “In fact, the is_prime functions in openssl don’t check if a number is prime. They only check that a number is prime within 1-2^-80 probability. I’m not sure what the implications are though.”
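To make the “probabilistic” point concrete, here is an added example (not Socat’s or OpenSSL’s code) of the Miller–Rabin test a defender can run against a DH modulus, with the error bound the quote refers to, plus the safe-prime check that the OpenSSL advisory below is about. The numbers it checks are small constructed samples, not the Socat parameter.

```python
import random

# Small primes for cheap trial division before the probabilistic rounds.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int, rounds: int = 64) -> bool:
    """Miller-Rabin. A composite survives one round with probability at most 1/4,
    so the false-positive bound after `rounds` rounds is 4**-rounds (64 rounds:
    2**-128, stricter than the 2**-80 quoted above). False is always certain."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    # Write n - 1 = 2**s * d with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.SystemRandom()
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness: n is definitely composite
    return True

def check_dh_prime(p: int) -> dict:
    """What a defender wants to know about a DH modulus p: its size, whether it
    is (probably) prime, and whether it is a *safe* prime, i.e. (p-1)/2 is also
    prime, which is what "safe" means in the OpenSSL advisory."""
    prime = is_probable_prime(p)
    safe = prime and is_probable_prime((p - 1) // 2)
    return {"bits": p.bit_length(), "probable_prime": prime, "safe_prime": safe}

if __name__ == "__main__":
    # Constructed samples, not the Socat parameter: a small safe prime, a
    # Mersenne prime that is not safe, and a product of two large primes.
    for label, n in (("safe", 2039), ("prime, not safe", 2**89 - 1),
                     ("composite", (2**61 - 1) * (2**89 - 1))):
        print(f"{label:16s} {check_dh_prime(n)}")
```

A modulus that fails `probable_prime` is certainly composite, whereas a pass only says no witness was found in the rounds run; the safe-prime flag is the extra property the OpenSSL advisory below says X9.42-style parameters may lack.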

Regardless, since last January Socat has been vulnerable to attackers eavesdropping on key exchanges and stealing keys.

The news comes less than a week after OpenSSL patched two vulnerabilities, the more serious of which addressed a flaw introduced in OpenSSL 1.0.2 providing support for generating X9.42 style Diffie-Hellman parameters. Previously, these parameters were generated using only “safe” prime numbers, but OpenSSL said today in its advisory that primes used in X9.42 parameter files may not be safe.

Weak Diffie-Hellman crypto has also been suspected as the NSA’s top target in its efforts to break crypto implementations. A paper published last October by a laundry list of crypto and security experts said weaknesses in the publicly available prime numbers used as input to compute the encryption key in D-H exchanges could be the answer.

Government intelligence agencies such as the NSA or GCHQ have the resources needed to build custom hardware that would derive an output that would give an attacker enough information to take further steps to eventually break individual encrypted connections.

“It’s not arriving at the key, instead it’s telling you something about the mathematical structure about that particular choice of the prime number when used in Diffie-Hellman,” said J. Alex Halderman, associate professor of computer science and engineering at the University of Michigan and one of the authors of the paper. “The analogy is sort of cracking the prime. After you crack the prime, breaking individual Diffie-Hellman connections that use that prime is easy.”

The prime numbers are the most likely target, he said, because they’re usually not generated from scratch but are plucked from previous work or taken from recommendations in established standards. Halderman told Threatpost that an intelligence agency of the NSA’s caliber would need to spend hundreds of millions of dollars to build the custom hardware required for such a large computation.

This article was updated Feb. 3 with comments from Gerhard Rieger. 
