KryptoID

Software Implementation

As famous computer scientist Donald Knuth once quipped, "software is hard." Security specialist Ross Anderson added further: "security is hard." What of security software? It is a bad idea to have non-specialized developers writing secure and/or cryptographic code - even specialists get it wrong sometimes. We intend to address this by taking the matter into our own hands - we have the know-how required to not only implement, but also audit cryptographic and protection code, to assess its security and correct behavior.

Cryptography

At Kryptos Logic we research and keep track of the best possible cryptographic primitives that ensure the safety of our clients' data in the long run, but also provide strategic advantages. One of the best ways to provide and ensure authenticity, integrity, and to secure data is through cryptography. Digital signatures are often used to authenticate licenses, binaries, and other important data files. For more conservative applications, like network traffic encryption, we employ tried and tested algorithms for cryptographic applications such as NSA's Suite B to protect our clients' intellectual property with a high level of confidence.

Cryptographic software, in particular, is very sensitive to bad implementations. Implementation flaws have plagued RSA and other public key schemes for years. Naive AES implementations are vulnerable to cache-timing attacks. Cryptographic random number generators are another big can of worms. Generally, side-channel attacks aren't easy to thwart, and are applicable to AES, RSA and elliptic curve cryptosystems alike. We offer fast and secure side-channel resistant implementations for a multitude of platforms at the customer's request.

We are also aware of the threat that quantum computing poses to cryptography, particularly asymmetric cryptography. Should a large enough quantum computer be built, most authentication methods such as the ubiquitous RSA, DSA and ECDSA would simply be rendered obsolete by Shor's algorithm and variants. AES security would also be reduced by Grover's algorithm. Thus, we also research and develop methods that resist possible advances in quantum computing, such as coding theory (e.g., McEliece) and lattice-based asymmetric cryptographic algorithms.

Despite our commitment to employ secure and fast cryptographic algorithms, these are just a small part of a secure system. A secure system is dependent not only on its cryptographic strength, but also on a good design that takes security into account, a quality bug-free implementation and a good understanding of security by the teams involved. We know how easy it is to "get it wrong." For this reason, we can assist in software implementation services for sensitive routines that simply cannot fail security-wise.

We can implement custom secure software solutions at several levels:

- Cryptography
- Software protection
- Vulnerability prevention

Zero Day Vulnerabilities and Exploit Development

Taking the leap from a crash to exploitable code is not easy or transparent. Kryptos Logic provides the highest level of experience in coding real world shellcode for clients who are in need of real world exploits. We start by identifying potential holes on a case by case basis, while considering the diverse range of architectures and exploit options. Whether it is an operating system or service for a local privilege escalation or remote code execution, we will determine if it is feasible.

These vulnerabilities are realized through reverse engineering efforts and internal parallel fuzzing techniques. To complement existing manpower, "fuzz farms" are created. These can be thought of as numerous computers running multiple instances of the same attack to generate a desired hole from a crash.

Either by utilizing existing vulnerabilities or a newly discovered vulnerability, we can produce exploits with a relatively fast turnaround depending on the application and its requirements. Our capabilities include:

- Self-reliant and self-contained exploits
- Customized payloads within difficult environments, mitigations, and restrictions
- Development of all exploits in house
- Stable and easy to administer
- Any target application or service
- Any client requested exploit development framework or language

Copyright © 2010 Kryptos Logic. All rights reserved.