This is a follow up of my previous JSP Shell post. This JSP shell has the following functionality:
- Signed Diffie-Hellman key exchange
- Blowfish Encrypted commands
- Blowfish Encrypted result
However the way I implemented the crypto part is as far as i know flawed, this because I’ll maybe try to break my own implementation. It’s on my todo list to understand more about cryptographic attacks. To my knowledge the following flaws are present(there are probably more, feel free to point them out in the comments). Thanks to the people of #crypto on freenode for answering my questions and having me realize the flaws listed below:
- Non-authenticated exchange of encrypted messages
- The derivation of the Blowfish key from the Diffie-Hellman output isn’t hashed sufficiently
So just to be clear, ONLY the initial key exchange is authenticated using DSA signatures, after which the secret key is established to encrypt the rest of the communication using Blowfish. Let’s take a closer look at the usage and deployment of the shell. If you just want the code, it’s available on my github page. The bin directory contains everything you need for a grab&go usage.