[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [NTSEC] SKIPJACK / NT4.0 (SP3?) (fwd)





Actually, a quick browse through several machines' registry revealed this
key as well in a list of cyphers. 

The bitch lives in:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers\Skipjack

Along with shit like the following under Ciphers.

Des40/56
Des56/56
Null
RC2 128/128
RC2 128/40
RC4 128/128
RC4 40/128
RC4 64/128
Skipjack
Tripple DES 168/168

Interestingly all the DES and RC2/RC4's have the same value (0xffffffff)
for the enable key (including TrippleDES).  Skipjack, and RC4 64/128 have
different values (0x30, and 0x3f respectively).  Null has an enable value
of zero. 

Adjacent to the ciphers key, there is a key for hashes listing MD5 and
SHA, next to that is a KeyEXchangealgorithms key listing:
Diffie-Hellman, PKCS, and Fortezza.  All of these except Fortezza use
0xffffffff as the enable value.

The Fortezza and Skipjack keys have the same "Enabled" key values! 
Additionally there is a ServerHandshakeTimeout value on the Fortezza key
of 60000. 

Likely this "enabled" value is a link to some DLL that contains their
code.

There is also a key called Protocols listing: "Multi-Protocol
Unified Hello", PCT 1.0, SSL 2.0, SSL 3.0, TLS 1.0.  All of these have
subkeys of "Client" and "Server" with no values set.

Adjacent to this key, is a key called Certification Authorities, showing
shit like AT&T, GTE, MCI, Keywitness Canada, Thwate, and of course
Verisign.


I've sniffed around schannel.dll and it is what builds or looks for these
registry entries.  It also looks for rsabase.dll and crypto32.dll and
cryptodlg.dll(?).  In schannel.dll there's a string that says: Fortezza
(DSS/SHA).  So SHA is there.

IMHO, From the looks of it, these are just stubbs without any code behind
them since the RSA code contains the RC2/RC4, RSA, etc. code.  (Though I
could be wrong.)


It's not SP3.  I've got two servers with SP3 and IIS3.0with ASP and no
Skipjack keys, so that leaves IE4 or IE3 as possible suspects (or some of
the hotfixes.)  The non-Skipjack entry machines do have all the other
cyphers, so something in ie4 and/or iis4 is what adds them in.
Interestingly enough this entire subkey isn't in Nt5Beta1. :)


> to a Skipjack (ie. fortezza) site.  I doubt you have the code as it is
> classified and available (at this time) only in hardware.  Don't sweat it,
> it looks like it's just a hook or .....

Yep.

Likely what it could be is a hook to a device driver that talks to a PC
Fortezza card or some such.
 
=====================================Kaos=Keraunos=Kybernetos==============
.+.^.+.|  Ray Arachelian    |Prying open my 3rd eye.  So good to see |./|\.
..\|/..|[email protected]|you once again. I thought you were      |/\|/\
<--*-->| ------------------ |hiding, and you thought that I had run  |\/|\/
../|\..| "A toast to Odin,  |away chasing the tail of dogma. I opened|.\|/.
.+.v.+.|God of screwdrivers"|my eye and there we were....            |.....
======================= http://www.sundernet.com ==========================