Remix.run Logo
Remix clone Hacker News
new | show | ask | jobsGithub
A Copy-Paste Bug That Broke PSpice AES-256 Encryption(jtsylve.blog)
62 points by jtsylve 4 days ago | 13 comments
jtsylve 4 days ago | parent | next [-]

I posted SpiceCrypt (https://github.com/jtsylve/spice-crypt) a few days ago for decrypting LTspice models. It now supports all six PSpice encryption modes as well.

PSpice is Cadence's SPICE simulator. Vendors encrypt component models with it, which locks them to PSpice and prevents use in NGSpice, Xyce, etc. Modes 0-3 and 5 derive keys entirely from constants in the binary, so those are straightforward once you extract them.

Mode 4 is the interesting one. It's the only mode with user-supplied key material and uses AES-256 in ECB mode. The key derivation has two base keys: a 4-byte short key (originally for DES) and a 27-byte extended key (intended for AES). The code passes only the short key to the AES engine -- it looks like a copy-paste from the DES path that was never corrected. The short key gets null-terminated and zero-padded to 32 bytes, so 28 of 32 AES key bytes are known. Effective keyspace is 2^32, brute-forceable in seconds with AES-NI.

The first encrypted block after every marker is a metadata header with a known plaintext prefix, which gives you a crib for validation. Once you recover the 4-byte short key, the full user key is also recoverable from the decrypted header.

This has likely been shipping since PSpice 16.6 in 2014. Fixing it would break every encrypted model created in the last twelve years.

The blog post linked above walks through the full details. The repo also has specifications documenting all the encryption schemes: https://github.com/jtsylve/spice-crypt/tree/v2.0.1/SPECIFICA...

Polizeiposaune 8 hours ago | parent [-]

The key sizing seems very odd - 4 bytes for DES? Even in the bad old days of 40-bit export crypto you'd get at least 5 bytes. For full-strength single-DES I'd expect either 7 or 8 bytes (56 bits of key used by the algorithm, but there's an quirk around key parity that means keys are commonly represented in 8 bytes).

And a 27-byte key for AES-256 is also slightly undersized. Far from catastrophic but, like brown M&M's in the green room of a Van Halen concert venue, it's a strong signal that something is off...

CodesInChaos 6 hours ago | parent | next [-]

I think they concatenate a 4-byte key and a 4 byte versions string to get the full 8-byte DES key.

And the idea for the AES key seems to have been: 27-byte key, 4-byte version, 1 byte null terminator for a total of 32 bytes.

userbinator 7 hours ago | parent | prev [-]

To me, it's a sign of crypto being used to tick off a box (and perhaps not arouse concerns around export), and not anything resembling a serious security system. "Locks are for keeping honest people honest," as the saying goes.

pseudohadamard 2 days ago | parent | prev | next [-]

TFA says it all in the first sentence describing the problem:

  The Bug

  Mode 4 uses AES-256 in ECB mode ...
ECB is the least secure encryption mode you can use, the one that's warned against in every beginner text. Seeing this is a bit like seeing "We vibe-coded our firewall in PHP...", it's pretty much a written guarantee that the rest of it will be a catalogue of wrong.

They did use AES-256 though, because using keys that go to 11 for your insecure encryption looks good in the marketing materials.

adrian_b 2 hours ago | parent | next [-]

The problem with ECB is that you must know when to use it. It is not recommended only for the people who do not know cryptography, so they are not able to judge when the use of ECB is right and when it is wrong.

ECB is as secure as any other mode of operation if you only encrypt values that are never repeated, e.g. values produced by a counter, or if you encrypt values that have negligible probability of repeating, e.g. random values, such as secret keys. The defect of ECB is that if the adversaries would ever see the encrypted form of 2 identical values, they will know that those values were identical, which may help them to decrypt the message, or not, but such a risk must be avoided.

As another poster has said, here the main problem was the key derivation method used by them, which produced low-entropy keys that can be found by brute-force search.

In general, it is quite rare to be able to break even the weakest methods of encryption that are used today, when they use appropriate secret keys.

The method used for secret key generation is almost always the weakest part, which can frequently be broken.

CodesInChaos 6 hours ago | parent | prev [-]

While ECB is rather insecure, it doesn't enable full decryption of the message unless you have access to a padding oracle or similar. The 32-bit key is the real problem.

userbinator 7 hours ago | parent | prev | next [-]

This "encryption" was arguably never for any security anyway, just obfuscation.

anilakar 6 hours ago | parent [-]

Any crypto that prevents casual tinkering is enough to keep most companies from wasting resources on reverse engineering stuff.

Back in the day we wrote a simple byte-level nonce + delta obfuscator for a terrible Node-RED-like programming environment so that we could tick a "must not be human-readable" requirements checkbox.

If the cryptography, proper or not, has been written for DRM purposes, no legal department is going to permit digging into implementation details even with a ten feet pole.

esnard 4 hours ago | parent | prev | next [-]

Nice find! Have you contacted the vendor to check if they're planning a fix?

alexchengyuli 6 hours ago | parent | prev [-]

A 4-byte key and a 32-byte key both produce output that looks like ciphertext. Unlike most bugs, crypto bugs don't produce visible errors. That's why this one survived 12 years.

woodruffw 5 hours ago | parent [-]

> Unlike most bugs, crypto bugs don't produce visible errors.

TFA mentions that AES is used in ECB mode, which is infamous for being literally visible[1]. It would be interesting to see if the circuit encoding exhibits this.

[1]: https://words.filippo.io/the-ecb-penguin/

adrian_b 2 hours ago | parent [-]

ECB leaks the identity of aligned 16-byte blocks.

An image may have large areas of uniform color, so it will definitely leak through ECB, unless the original image was noisy, which prevents repetition, so nothing is revealed after encryption, even when using ECB.

The famous encrypted penguin works only because the original image is a noiseless drawing. Had it been replaced by a photographic image, the ECB-encrypted image might have looked perfectly random and undecipherable. In general, it is enough to use a very simple non-cryptographic PRNG, e.g. a LFSR, to add white noise to an image before using ECB encryption, to make the encryption unbreakable (a.k.a. indistinguishable from a random string by chosen-plaintext attacks).

On the other hand, normal text, such as SPICE model text, even if it has a lot of words that are repeating, it will seldom have 16-byte sequences aligned at 16-byte boundaries, that are repeated.

Even if you see a few such repetitions, it is extremely unlikely that you will succeed to guess even a small part of the model text.

Here the problem was their key generation method, which produced guessable keys, not the use of ECB.

If you know cryptography, it is easy to use ECB in a perfectly secure way, e.g. when encrypting only values that can never repeat. The reason why it is strongly recommended to not use ECB, is that naive users cannot judge when the use of ECB is appropriate and when it is not.

Moreover, even if ECB can be used in a secure way, its hardware implementation is more expensive than of alternatives, because it must implement both the encryption mode and the decryption mode of the block cipher function. So the reason why there is no need for ECB is that the alternatives (i.e. Vernam encryption a.k.a. binary additive synchronous stream ciphers) have a cheaper implementation, even when using the same block cipher function, and not because one cannot use ECB in a secure way.