Cryptography, GreHack and PGP
In a few weeks, I'm going on a 2-month trip back to Japan and South Korea. It will mostly be a vacation as I will stay there with some friends, but I will also try to find some time to work on my projects.
Last week was also more about thinking about what I told you in the previous post. I already knew where I would like to go and in which field I would like to specialize. It was more about whether it is the right decision or not.
I think there are no good or bad decisions, and always taking time to think about the consequences doesn't help with taking action. I was doing that a lot in the past, and now I try more to just do the stuff and see later if it was worth it or not. And in the end, it's always rewarding as you learn a bunch of new stuff that can be useful later in another part of your life.
As I told you, I first thought of going into JavaScript stuff and client-side vulns. I tried to be interested in it, making tools and looking a lot at this type of vuln, but I wasn't very hyped. I'm sure it's very interesting and rewarding as a lot of websites have these types of vulns. But I'm simply not interested in being an expert on that.
A few months ago, when I was in Asia, I told you that I loved cryptography, the math behind it and how to create cryptographic systems. Since I was young, I have always been fascinated by this field. So let's dig into it.
Cryptography
Even if I have quite a strong background in maths due to my studies, I'm not a pro in cryptography, especially the modern one. But I'm still interested in digging into it.
Understanding how the system works and how the secrets are kept is what I love to look at. But here is the thing: does it fit with my current position as a bug hunter? Can I find cryptographic vulnerabilities in bug bounty programs? That was my main issue when thinking about it.
Of course, there can be cryptographic issues in some bug bounty programs, but is it enough? The plan is not to only focus on this but to keep it as an expertise zone where I know I can be better than someone else.
To confirm that I wanted to go through it, I decided to give it a try, even without a lot of expertise at the moment. I just started looking more into stuff I didn't look at before like how the authentication is made, and what type of token is used. Is this JWT secure? Can I tamper with something else? And I finally saw that even if I'm not an expert, there's a lot of new stuff to look into that was not widely looked at.
As a sign, I received a random password reset email from an old program I hunted in. And the reset token was a UUIDv1 token. I was like, damn, it's the moment to understand how to break it.
I was finally able to break it using a sandwich attack and recover the token of someone else, which is a 0-click account takeover. I was helped by the great new tool reset-tolkien.
I was going to report it, and I just saw that it wasn't in scope and it was a 3rd party, without a bug bounty program. But I didn't care, I found my first bug related to some cryptography stuff.
I know that it's not common, but not a lot of people are looking into them, and I'm sure I can make a difference in the long term. Looking in the very long term, I can also do some crypto/web-oriented pentests, so it will not be a waste of time for me.
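What makes a UUIDv1 reset token like the one mentioned above weak is visible in its layout: it encodes the issue time, a clock sequence and a node identifier rather than random bits. The Python check below is an added example, not code from reset-tolkien or from the program in question; `constructed_v1`, `audit_reset_token`, `new_reset_token` and all sample values are constructed for illustration.

```python
import secrets
import uuid
from datetime import datetime, timedelta, timezone

UUID_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)  # start of the UUIDv1 clock


def constructed_v1(issued: datetime, clock_seq: int, node: int) -> str:
    """Build a sample UUIDv1 string from explicit fields (constructed test data)."""
    d = issued - UUID_EPOCH
    ticks = (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10
    return str(uuid.UUID(fields=(
        ticks & 0xFFFFFFFF,                 # time_low
        (ticks >> 32) & 0xFFFF,             # time_mid
        ((ticks >> 48) & 0x0FFF) | 0x1000,  # time_hi + version 1
        ((clock_seq >> 8) & 0x3F) | 0x80,   # clock_seq_hi + RFC 4122 variant
        clock_seq & 0xFF,                   # clock_seq_low
        node,                               # 48-bit node id
    )))


def audit_reset_token(token: str) -> dict:
    """Report whether a token is a time-based UUID and which fields it exposes."""
    try:
        u = uuid.UUID(token)
    except ValueError:
        return {"kind": "opaque", "time_based": False}
    if u.version != 1:
        return {"kind": "uuid", "version": u.version, "time_based": False}
    return {
        "kind": "uuid", "version": 1, "time_based": True,
        "issued_at": UUID_EPOCH + timedelta(microseconds=u.time // 10),
        "clock_seq": u.clock_seq,
        "node": f"{u.node:012x}",
    }


def new_reset_token() -> str:
    """Replacement: 256 bits from the OS CSPRNG, nothing derived from time or host."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    t0 = datetime(2024, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
    for delay in (0, 3):  # two constructed tokens issued 3 s apart by one host
        tok = constructed_v1(t0 + timedelta(seconds=delay), 0x1A2B, 0x0242AC110002)
        print(tok, audit_reset_token(tok))
    print(audit_reset_token(new_reset_token()))
```

Run against tokens from your own reset flow: any result with `time_based` set to true means the token should be replaced with a random value such as the one from `new_reset_token`.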
GreHack
At the end of the year, there is this conference in Grenoble, the city where I went to engineering school. I went there 2 years ago and it was great.
This year, I also plan to go there as I know many more people and to see some friends.
They launched the prechall to win a ticket for the conference: https://chartreuse-and-ski.grehack.fr/
I was very hyped by this chance as there were some crypto challenges and I wanted to challenge myself. I needed 3 flags to win the ticket. I first started doing the web challs as I'm better at them. That was quite easy and I got the first 2 flags quickly.
I then decided to go for a crypto flag. I'm not going to make a writeup as the prechall is not over (I will once it is done). One of the challs was about signatures, PGP, and a CVE. The way to solve the chall was quite straightforward. But it was very long and hard for me as I didn't know how to convert some data or some type of key.
I struggled a lot just to find ways to translate a key into another key. Even with my friend ChatGPT, it was not helpful. So I started really digging into how the format was made. I went to the RFC of the PGP packet, and I found very interesting stuff.
How PGP really works, how it was made, etc. I knew what PGP was, but I had never dug into it. I found a lot of interesting blog posts about PGP and it was finally a huge rabbit hole as I wasn't in the chall.
I finally came back to it and was able, with the help of a friend, to get all the data needed and then get the flag and my ticket for the conference. But I was so hyped by PGP that I came back to my blog posts.
PGP
I learned so much stuff about that, the utility, how it works, how to use it, etc. I read a lot of posts about it, and how to set up everything. I also discovered the full utility of using a YubiKey, and it's not only for 2FA. So I also decided to give them a try, and I took two of them, to secure my digital life.
I'm going to see how I can use them to secure more of my stuff, my SSH keys, how I connect to my servers, and how I access my passwords.
I was very hyped by PGP and then, after looking into a lot of cryptographers' blogs, I discovered that it's not a very nice solution. The way they made it in the '90s was not that good, and nowadays, there are a lot of issues like:
- The way public keys are handled like using key servers
- The use of long-term keys
- In the end, no one sends encrypted emails using PGP
There are also a lot of other issues, and if you want to know more about that, there are a lot of blog posts talking about it better than me.
So yes, that past week was more about discovering a bunch of new cool stuff to dig into. If you are interested in how I will set up my YubiKey and my setup to stay safe, tell me and I can make a blog post about that.
Ideas / Notes / Resources
- Some blog post about the problem behind PGP
- Go take a look at the challenges for GreHack, they are very interesting and there are still chances to win a ticket