Post on 12-Jul-2015
[Figure (page background): block cipher key-schedule diagram; Key Block (K_L | K_R : 128 bits), 32 bits]
APPLICATION SECURITY
WWW.IOACTIVE.COM
IOActive: COMPREHENSIVE COMPUTER SECURITY SERVICES
APPLICATION SECURITY SERVICES
CODE REVIEW METHODOLOGY
+ Application Code Review
+ Threat Modeling Service
+ SDL Integration Service
+ Training Services
About IOActive
Established in 1998, IOActive is a professional services consulting firm specializing in information risk management and application security analysis for global organizations and software development companies.
Unlike commoditized network security services and off-the-shelf code scanning tools, IOActive performs gap analysis on information security policies and protocols, and conducts in-depth analysis of information systems, software architecture and source code by using leading information risk management security frameworks and carefully-focused threat models.
As a home for highly skilled and experienced computer security professionals, IOActive has attracted the likes of Dan Kaminsky, Jason Larsen, Darek Milewski, Ward Spangenberg, and Ted Ipsen; key advisors like Steve Wozniak; and a crew of unequivocally talented "white-hat" hackers who, before being asked to host the infamous Capture the Flag at Def Con, owned the competition three years in a row.
Another data-point reflecting the talent of our consultants is the fact that IOActive is one of only three firms in the world that were tasked by Microsoft with the security code review of the Vista client operating system.
Application Security Services
+ Threat Modeling
+ Application Code Review
  {C/C++, .NET, C#, Java, Delphi, ASM, Perl}
+ Web Application Code Review
  {ASP.NET, C#, Java, PHP}
+ Black Box Application Pen-Test
+ Product Evaluation {white box/black box}
Infrastructure Audit Services
+ Vulnerability Testing
+ Penetration Testing
Incident Response Services
+ On Call Contracts
+ Network Flow Data Analysis
+ Disk Level Analysis
+ DDoS Mitigation
Advisory & Risk Management Services
+ ERM Development and Implementation
+ ISO 27001 / 17799 Implementation
+ Security, Privacy & IT Audit Co-Sourcing
+ Compliance Assessments
+ PCI Data Security Standard
+ Third-party Due Diligence Reviews
Training Services
+ Advanced Asp.Net Exploits and Countermeasures
+ Writing Secure Code: .NET and Java
+ Rapid Application Threat Modeling
+ The Security Development Lifecycle
+ How to Respond to a Security Breach
+ Security Incident Response Seminar
SECURE@IOACTIVE.COM
HTTP://WWW.IOACTIVE.COM
TOLL FREE (866) 760-0222
APPLICATION SECURITY SERVICES
WHY APPLICATION SECURITY SERVICES?
Secure software is a subset of quality software and reliable software. At IOActive we are committed to helping our clients produce better quality software through our holistic approach of enabling competitive and efficient business through the adoption of secure software programming practices. IOActive was chosen by Microsoft as one of three firms in the world to perform source code security review for the Vista operating system.
While it is impossible to prevent every attack, it is estimated that nearly half of all application security vulnerabilities are completely preventable—if security is considered as a normal part of the development process. Whether you are an IT manager, developer, program manager, CIO, CISO, or CTO, your organization, users, and customers depend on you to protect the privacy and integrity of their information, and to ensure system availability.
Engaging IOActive provides you access to industry-leading software security expertise and an experienced, mature firm that is committed to the success of your project and organization.
METHODOLOGY
IOActive delivers customized application security services based on our clients’ development process and
deployment or product-ship requirements. We believe that through a Security Development Lifecycle (SDL),
security considerations and protective measures should be incorporated into all phases of a project, from
design review through development, testing, and into deployment. By embedding security measures into the
overall development process in this way, organizations can help ensure that software vulnerabilities are
detected and addressed before they result in lasting damage. To assist our clients in this process, IOActive
offers the following services:
Security investments made in creating secure coding practices will return 12-21% of overall project costs. Security investment made during design phase will yield organizations a 21% ROI. If security is not incorporated until the implementation phase, organizations will benefit from a 15% ROI. If organizations have phased security into their test cycle, 12% ROI of total project costs. - Study conducted by Kevin Soo Hoo MIT, Andrew W. Sudbury, Andrew Jaquith
8 out of 10 internet security attacks are using port 80/HTTP to compromise system security. (Source - Information Security)
Security Development Lifecycle Integration
IOActive manually audits client source code to identify vulnerabilities. We then document the location and nature of each problem we find, and advise developers on how to address the immediate problem, and avoid similar problems in the future. Because software development is evolutionary and iterative, IOActive recommends that the code audit function reflects the structure of the development process and includes audit checkpoints for each of the major product stages: alpha, beta, and release-candidate. In addition to source code review, IOActive examines vulnerable points in design (such as legacy interoperability) for design flaws that may result in a security compromise. IOActive works with client development teams to help them ensure that their products are demonstrably hardened against attack; designed and built based on relevant analysis of risks, threats, and exposures; and appropriately tested to meet their defined security criteria and functionality requirements.
IOActive consultants have years of code auditing experience, and routinely assist organizations with highly complex and advanced application security challenges.
+ Application Code Review
{C/C++, .NET, JEE, Delphi, ASM, Perl}
+ Web Application Code Review
{ASP.NET, C#, JEE, PHP}
+ Black Box Application Pen-Test
+ Product Evaluation and Recommendation {white/black}
+ Reverse Engineering Software and Protocols
+ DRM Testing
+ Fuzz Testing // Application and Protocol
+ M&A due diligence
IOActive’s SDL integration service is designed to help organizations integrate security into all phases of the software development process. Our consultants work alongside an organization’s project managers, security architects, and coders to identify efficient methods for integrating security into the overall development process. Covering the complete lifecycle of software development, from conception to deployment, IOActive reviews practices and tasks, providing strategic recommendations for the implementation of a security-focused development lifecycle, and identifying opportunities to increase the effectiveness of risk management for the enterprise.
For more information about our services please contact:
SECURE@IOACTIVE.COM
TOLL FREE (866) 760-0222
Application Code Review
Case History
In response to the largest known compromise of financial data to date, CardSystems Solutions has agreed to settle Federal Trade Commission charges that CardSystems' failure to take appropriate security measures to protect the sensitive information of tens of millions of consumers was an unfair practice that violated federal law. According to the FTC, the security breach resulted in millions of dollars in fraudulent purchases. The settlement will require CardSystems to implement an in-depth information security program and obtain audits by an independent third-party every other year for the next 20 years. Additionally, VISA and American Express notified CardSystems that they will no longer do business with them.
Statistics
"Software Analysis tools are useful but they are no replacement for human beings performing manual code reviews. No tool will replace humans."
Michael Howard / David LeBlanc, Writing Secure Code, 2nd Edition
Training Services
IOActive believes that education is critical to delivering secure software. Our training helps developers understand how to design, build, test, and deploy secure systems. With years of real-world experience, IOActive’s instructors craft customized curricula presented in an engaging classroom environment to maximize learning potential.
+ Advanced Asp.Net Exploits and Countermeasures
+ Writing Secure Code: .NET and Java
+ Rapid Application Threat Modeling
+ The Security Development Lifecycle
Threat Modeling Service
IOActive’s threat modeling service is designed to occur early in the project lifecycle and can be used to find security design issues before a single line of code is written. Organizations leveraging this service have found that it often leads to significant project cost savings because issues are resolved early in the development lifecycle.