4 comments

  • jtsylve 3 days ago
    I posted SpiceCrypt (https://github.com/jtsylve/spice-crypt) a few days ago for decrypting LTspice models. It now supports all six PSpice encryption modes as well.

    PSpice is Cadence's SPICE simulator. Vendors encrypt component models with it, which locks them to PSpice and prevents use in NGSpice, Xyce, etc. Modes 0-3 and 5 derive keys entirely from constants in the binary, so those are straightforward once you extract them.

    Mode 4 is the interesting one. It's the only mode with user-supplied key material and uses AES-256 in ECB mode. The key derivation has two base keys: a 4-byte short key (originally for DES) and a 27-byte extended key (intended for AES). The code passes only the short key to the AES engine -- it looks like a copy-paste from the DES path that was never corrected. The short key gets null-terminated and zero-padded to 32 bytes, so 28 of 32 AES key bytes are known. Effective keyspace is 2^32, brute-forceable in seconds with AES-NI.

    The first encrypted block after every marker is a metadata header with a known plaintext prefix, which gives you a crib for validation. Once you recover the 4-byte short key, the full user key is also recoverable from the decrypted header.

    This has likely been shipping since PSpice 16.6 in 2014. Fixing it would break every encrypted model created in the last twelve years.

    The blog post linked above walks through the full details. The repo also has specifications documenting all the encryption schemes: https://github.com/jtsylve/spice-crypt/tree/v2.0.1/SPECIFICATIONS
    • Polizeiposaune 2 hours ago
      The key sizing seems very odd - 4 bytes for DES? Even in the bad old days of 40-bit export crypto you'd get at least 5 bytes. For full-strength single-DES I'd expect either 7 or 8 bytes (56 bits of key used by the algorithm, but there's a quirk around key parity that means keys are commonly represented in 8 bytes).

      And a 27-byte key for AES-256 is also slightly undersized. Far from catastrophic but, like brown M&M's in the green room of a Van Halen concert venue, it's a strong signal that something is off...
      • CodesInChaos 16 minutes ago
        I think they concatenate a 4-byte key and a 4-byte version string to get the full 8-byte DES key.

        And the idea for the AES key seems to have been: 27-byte key, 4-byte version, 1-byte null terminator for a total of 32 bytes.
      • userbinator 1 hour ago
        To me, it's a sign of crypto being used to tick off a box (and perhaps not arouse concerns around export), and not anything resembling a serious security system. "Locks are for keeping honest people honest," as the saying goes.
  • userbinator 1 hour ago
    This "encryption" was arguably never for any security anyway, just obfuscation.
    • anilakar 11 minutes ago
      Any crypto that prevents casual tinkering is enough to keep most companies from wasting resources on reverse engineering stuff.

      Back in the day we wrote a simple byte-level nonce + delta obfuscator for a terrible Node-RED-like programming environment so that we could tick a "must not be human-readable" requirements checkbox.

      If the cryptography, proper or not, has been written for DRM purposes, no legal department is going to permit digging into implementation details even with a ten-foot pole.
  • TFA says it all in the first sentence describing the problem:

        The Bug Mode 4 uses AES-256 in ECB mode ...

    ECB is the least secure encryption mode you can use, the one that's warned against in every beginner text. Seeing this is a bit like seeing "We vibe-coded our firewall in PHP...", it's pretty much a written guarantee that the rest of it will be a catalogue of wrong.

    They did use AES-256 though, because using keys that go to 11 for your insecure encryption looks good in the marketing materials.
    • CodesInChaos 21 minutes ago
      While ECB is rather insecure, it doesn't enable full decryption of the message unless you have access to a padding oracle or similar. The 32-bit key is the real problem.
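
Added example (not from the thread, the linked blog post, or SpiceCrypt): a key-derivation regression check of the kind that flags the Mode 4 flaw described in jtsylve's comment, by testing whether every byte of supplied key material actually reaches the cipher key. `derive_buggy` is a model built only from that description, `derive_hashed` is a hypothetical alternative and not PSpice's scheme, and the key values are constructed.

```python
import hashlib

KEY_LEN = 32  # AES-256 key size in bytes

# Constructed sample key material (not real PSpice values).
SHORT_KEY = b"K3y!"                 # 4-byte short key
EXTENDED_KEY = bytes(range(1, 28))  # 27-byte extended key


def derive_buggy(short_key: bytes, extended_key: bytes) -> bytes:
    """Model of the flaw as described in the thread: only the short key is
    used, null-terminated and zero-padded to 32 bytes."""
    return (short_key + b"\x00").ljust(KEY_LEN, b"\x00")


def derive_hashed(short_key: bytes, extended_key: bytes) -> bytes:
    """Hypothetical alternative (an assumption, not PSpice's scheme):
    hash all key material into the cipher key."""
    return hashlib.sha256(short_key + extended_key).digest()


def influential_bytes(derive, short_key: bytes, extended_key: bytes) -> list:
    """Indices into short_key + extended_key whose change alters the key."""
    n = len(short_key)
    material = short_key + extended_key
    baseline = derive(short_key, extended_key)
    hits = []
    for i in range(len(material)):
        mutated = bytearray(material)
        mutated[i] ^= 0xFF  # change exactly one input byte
        if derive(bytes(mutated[:n]), bytes(mutated[n:])) != baseline:
            hits.append(i)
    return hits


def effective_key_bits(derive, short_key: bytes, extended_key: bytes) -> int:
    """Upper bound on key entropy: 8 bits per input byte that reaches the
    derived key, capped at the cipher's key size."""
    reached = len(influential_bytes(derive, short_key, extended_key))
    return min(8 * reached, 8 * KEY_LEN)


if __name__ == "__main__":
    for fn in (derive_buggy, derive_hashed):
        bits = effective_key_bits(fn, SHORT_KEY, EXTENDED_KEY)
        print(f"{fn.__name__}: at most {bits} effective key bits")
```

A check like this belongs in the test suite of any code that feeds user key material to a cipher: the modeled derivation reports 32 bits, matching the 2^32 keyspace stated in the comment.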