ИСТИНА
Интеллектуальная Система Тематического Исследования НАукометрических данных |
It’s no surprise that a typical hacker’s professional path runs into custom crypto protocols from time to time. There are plenty of application-specific, crypto-hardened protocols written from scratch in banking, SCADA, and other not-so-common hardware and software systems. In this presentation, we propose a methodology for cracking such systems using a top-down approach, with GOST-hardened banking applications as an example. We show how easy it is to break complex crypto when developers have an inconsistent understanding of modern application-level protocols.

Federal Law in Russia states that an electronic document becomes legally valid only after proper digital signing (GOST R 34.10-2001, RFC 5832). Online banking applications are no exception: only GOST digitally signed payment orders should be accepted and processed by online banking apps. That said, every bank that is willing to provide online services (be it a domestic or an international entity) has to consider two options:

- buy a “typical” online banking solution from a well-known vendor (BSS, Bifit) and customize it;
- develop or outsource its own banking solution.

The first option implies that the bank receives all the necessary shiny crypto out of the box. The second option leaves the crypto question for the bank to handle, and this is where numerous crypto solutions and crypto providers come into play. Through our research, we have managed to submit fully trusted requests from “malicious” clients to the banking server as if they were generated by a legitimate client.