analysing cryptographic hardware interfaces with tookan
play

Analysing Cryptographic Hardware Interfaces with Tookan Graham - PowerPoint PPT Presentation

Nov 03, 2022 •145 likes •377 views

Analysing Cryptographic Hardware Interfaces with Tookan Graham Steel joint work with R. Bardou, M. Bortolozzo, M. Centenaro, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay Graham Steel September 23, 2012 Analysing Security Device

  1. Analysing Cryptographic Hardware Interfaces with Tookan Graham Steel joint work with R. Bardou, M. Bortolozzo, M. Centenaro, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay Graham Steel September 23, 2012

  2. Analysing Security Device Interfaces Cryptographic hardware devices such as smartcards, HSMs, authentication tokens etc. must offer an interface to application programs (API). This API is security critical: no matter what sequence of commands are called, some security properties should hold. Designing such an interface is difficult: many vulnerabilities in deployed APIs have come to light. For the last five years we have been researching the use of formal techniques to analyse such interfaces. Graham Steel - Padding Oracle Attacks September 23, 2012- 2

  3. RSA PKCS#11 ‘Cryptoki’ interface, v1.0 1995, v2.20 2004 Graham Steel - Padding Oracle Attacks September 23, 2012- 3

  4. Graham Steel - Padding Oracle Attacks September 23, 2012- 4

  5. Generating keys A key template is a partial specification of key attributes Used for creating, manipulating, and searching for objects C GenerateKey : T → h ( n , k ); T Graham Steel - Padding Oracle Attacks September 23, 2012- 5

  6. Setting Key Attributes C SetAttributeValue : T , h ( n , k ) → h ( n , k ); T T can specify new values for any attributes, but may cause CKR TEMPLATE INCONSISTENT , CKR ATTRIBUTE READ ONLY Graham Steel - Padding Oracle Attacks September 23, 2012- 6

  7. Wrap and Unwrap Wrap : h ( x 1 , y 1 ) , h ( x 2 , y 2 ); wrap ( x 1 ) , → { y 2 } y 1 extract ( x 2 ) Unwrap : h ( x 2 , y 2 ) , { y 1 } y 2 , T ; unwrap ( x 2 ) → h ( n 1 , y 1 ); extract ( n 1 ) , T Graham Steel - Padding Oracle Attacks September 23, 2012- 7

  8. Graham Steel - Padding Oracle Attacks September 23, 2012- 8

  9. Key Usage Encrypt : h ( x 1 , y 1 ) , y 2 ; encrypt ( x 1 ) → { y 2 } y 1 Decrypt : h ( x 1 , y 1 ) , { y 2 } y 1 ; decrypt ( x 1 ) → y 2 Graham Steel - Padding Oracle Attacks September 23, 2012- 9

  10. PKCS#11 Security Section 7 of standard: “1. Access to private objects on the token, and possibly to cryptographic functions and/or certificates on the token as well, requires a PIN. 2. Additional protection can be given to private keys and secret keys by marking them as “sensitive” or “unextractable”. Sensitive keys cannot be revealed in plaintext off the token, and unextractable keys cannot be revealed off the token even when encrypted” “Rogue applications and devices may also change the commands sent to the cryptographic device to obtain services other than what the application requested [but cannot] compromise keys marked “sensitive,” since a key that is sensitive will always remain sensitive. Similarly, a key that is unextractable cannot be modified to be extractable.” Graham Steel - Padding Oracle Attacks September 23, 2012- 10

  11. Graham Steel - Padding Oracle Attacks September 23, 2012- 11

  12. Graham Steel - Padding Oracle Attacks September 23, 2012- 12

  13. Clulow, CHES 2003 Graham Steel - Padding Oracle Attacks September 23, 2012- 13

  14. Prevent a key from doing decrypt and wrap.. Set wrap: h ( n 2 , k 2 ) → ; wrap ( n 2 ) Set wrap: h ( n 1 , k 1 ) → ; wrap ( n 1 ) Wrap: h ( n 1 , k 1 ) , h ( n 2 , k 2 ) → { k 2 } k 1 Set unwrap: h ( n 1 , k 1 ) → ; unwrap ( n 1 ) Unwrap: h ( n 1 , k 1 ) , { k 2 } k 1 → h ( n 3 , k 2 ) Wrap: h ( n 2 , k 2 ) , h ( n 1 , k 1 ) → { k 1 } k 2 Set decrypt: h ( n 3 , k 2 ) → ; decrypt ( n 3 ) Decrypt: h ( n 3 , k 2 ) , { k 1 } k 2 → k 1 Graham Steel - Padding Oracle Attacks September 23, 2012- 14

  15. ‘Tool for cryptoKi Analysis’ http://tookan.inria.gforge.fr/ Graham Steel - Padding Oracle Attacks September 23, 2012- 15

  16. Graham Steel - Padding Oracle Attacks September 23, 2012- 16

  17. Device Supported Functionality Attacks found Brand Model s as cobj chan w ws wd rs ru su Tk Aladdin eToken PRO � � � � � � � wd Athena ASEKey � � � Bull Trustway RCI � � � � � � � wd Eutron Crypto Id. ITSEC � � Feitian StorePass2000 � � � � � � � � � rs Feitian ePass2000 � � � � � � � � � rs Feitian ePass3003Auto rs � � � � � � � � � Gemalto SEG � � MXI Stealth MXP Bio � � � RSA SecurID 800 rs � � � � � � � SafeNet iKey 2032 � � � � Sata DKey � � � � � � � � � � rs ACS ACOS5 � � � � Athena ASE Smartcard � � � Gemalto Cyberflex V2 � � � � � � wd Gemalto SafeSite V1 � � Gemalto SafeSite V2 rs � � � � � � � � � � Siemens CardOS V4.3 B ru � � � � � Graham Steel - Padding Oracle Attacks September 23, 2012- 17

  18. Manufacturer Reaction All were notified at least 5 months before publication. We offered to publish responses on project website RSA sent response, registered vulnerability with Mitre (CVE-2010-3321), issued security advisory 6 Oct 2010 Aladdin (now Safenet) and Gemalto sent a response for website Minimal response from anyone else (e.g. requests to know who else is vulnerable) Tookan now used by Boeing and a major UK-based bank. Graham Steel - Padding Oracle Attacks September 23, 2012- 18

  19. Padding Oracles A padding oracle returns true just when a ciphertext contains a correctly padded plaintext. Padding oracle attacks send a number of chosen ciphertexts to the oracle to reveal the original plaintext. Tookan detects these oracles using the C UnwrapKey function - attack here reveals the imported key. Asymmetric case (RSA PKCS#1.5) - make Bleichenbacher’s ‘Million message attack’ in 15 000 messages (our paper at CRYPTO ’12). In the symmetric case (CBC-PKCS#5) attacks are already highly efficient. Graham Steel - Padding Oracle Attacks September 23, 2012- 19

  20. Improvements to the Million Message Attack Want to attack ciphertext c and discover m = c d mod n Choose integers s , send c ′ = c · s e mod n , to the padding oracle. We showed that much can be learned about the plaintext by sending c ′ = c · u e · t − e This allows us to search for s values much more efficiently: factor ten improvement in median over original algorithm Graham Steel - Padding Oracle Attacks September 23, 2012- 20

  21. Ongoing Developments ◮ Executable attacks in C ◮ Man-in-the-middle analysis of PKCS#11 use ◮ Verification of fixes (PKCS#11 v2.2, 2.3, ACLs,..) ◮ Reverse-engineering at driver level (CCID, PKCS#15) ◮ Other APIs (Thales 8000, MSCAPI, Minidriver, Java APIs,..) Graham Steel - Padding Oracle Attacks September 23, 2012- 21

  22. What Role for Formal Analysis of APIs? Currently interfaces are not part of e.g. FIPS certification. Many devices for which Tookan found vulnerabilities have CC certifications. Formal tools like Tookan make analysis of interfaces practical, in particular because devices such as HSMs have rich configuration languages, not one static API. Need to be able to state a policy, check the policy is what we want and check the device implements that policy. Perhaps NIST Key Management Device standard will help? tookan.gforge.inria.fr @TookanTool Graham Steel - Padding Oracle Attacks September 23, 2012- 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes,

Analysing privacy-type properties in cryptographic protocols Stphanie Delaune Univ Rennes, CNRS, IRISA, France Thursday, July 12th, 2018 Cryptographic protocols everywhere ! Cryptographic protocols small programs designed to secure

849 views • 80 slides
Factorizing the Work - Towards a Technical Proposal David Cussans DAQ Hardware and Interfaces

Factorizing the Work - Towards a Technical Proposal David Cussans DAQ Hardware and Interfaces

Factorizing the Work - Towards a Technical Proposal David Cussans DAQ Hardware and Interfaces Working Group 26 th October 2017 Introduction Define and Document interfaces to SP and DP sub detectors Where no currently agreed interface

487 views • 9 slides
Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak

Suggestions for Hardware Evaluation of Cryptographic Algorithms Frank K. G urkaynak Microelectronics Design Center, ETH Z urich 6 July 2012 My Goal To improve the quality of hardware evaluations for crypto algorithms. Microelectronics

798 views • 51 slides
Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic

Does gate count matter? Hardware efficiency of logic-minimization techniques for cryptographic primitives Shashank Raghuraman and Leyla Nazhandali Abstract Logical metrics such as gate count have been extensively used in estimating the hardware

401 views • 12 slides
Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions

4/1/2018 Resources, Services, and Interfaces Services: Hardware Abstractions CPU/Memory abstractions 2A. OS Services, Layers and Mechanisms processes, threads, virtual machines 2B. Service Interfaces virtual address spaces, shared

134 views • 10 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Network Interfaces & ifconfig what is a network interface? Associated with a hardware

Network Interfaces & ifconfig what is a network interface? Associated with a hardware

Network Interfaces & ifconfig what is a network interface? Associated with a hardware device device fxp0 - Intel EtherExpress Pro Practical Networking Sometimes not loopback interface lo0 - pseudo-device Interfaces

154 views • 3 slides
CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded

CACHE-TIMING ATTACKS ON RSA KEY GENERATION Conference on Cryptographic Hardware and Embedded Systems (CHES) 2019 Alejandro Cabrera Aldaya 1 , Cesar Pereida Garca 2 , Luis Manuel Alvarez Tapia 1 , Billy Bob Brumley 2 , {aldaya,

371 views • 21 slides
Summary Introduction & Cryptographic Background Hardware Support for Physical Security

Summary Introduction & Cryptographic Background Hardware Support for Physical Security

Summary Introduction & Cryptographic Background Hardware Support for Physical Security Side Channel Attacks Arnaud Tisserand Fault Injection Attacks CNRS, Lab-STICC laboratory CRiSIS 2017, Dinard, France Protections Examples

266 views • 15 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J. Kai-Tsay CRYPTO August 2012 BLUF (Bottom Line Up

584 views • 42 slides
Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15

Efficient Padding Oracle Attacks On Cryptographic Hardware or The Million Message Attack in 15 000 Messages Graham Steel joint work with R. Bardou, R. Focardi, Y. Kawamoto, L. Simionato, J.-K. Tsay CRYPTO August 2012 BLUF (Bottom Line Up

602 views • 19 slides
White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to

White-Box Cryptography Matthieu Rivain CARDIS 2017 How to protect a cryptographic key? How to protect a cryptographic key? Well, put it in a smartcard of course! ... or any piece of secure hardware But... Secure hardware is expensive

1.6k views • 98 slides
CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven,

9/9/2012 CHES Tutorial Cryptographic hardware: how to make it cool, fast and secure Junfeng Fan KULeuven, ESAT/SCD-COSIC CHES 2012 Crypto hardware 9/9/2012 CHES Tutorial: Crypto hardware design 3 1 9/9/2012 Smart card SoC (NXP P60C080)

826 views • 54 slides
The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve

The IBM 4758 Secure Cryptographic Coprocessor Hardware Architecture and Physical Security Steve Weingart Senior Engineer (561) 392 6100 c1shw@us.ibm.com Secure Systems and Smart Cards IBM T.J. Watson Research Center Hawthorne, NY 4758 PCI

386 views • 11 slides
SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna

SIDE-CHANNEL ATTACKS ON HARDWARE IMPLEMENTATIONS OF CRYPTOGRAPHIC ALGORITHMS Sddka Berna Ors Yal cn Istanbul Technical University Department of Electronics and Communication Engineering Introduction A side-channel analysis attack

1.81k views • 99 slides
Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction

Summary Security: Applications & Aspects Part I Cryptographic Features Introduction Software vs Hardware Support Hardware Acceleration Solutions Processor Extensions for Security Basic Cyphering Part II Symmetric vs Asymmetric

1.14k views • 21 slides
Agenda Introductions Facilitator Participants Expectations Why are we

Agenda Introductions Facilitator Participants Expectations Why are we

www. ITSec .org.za Your IT Audit and Information Security Partner CISA Exam Preparation June 2015 Session 1 : 10 March 2015 Agenda Introductions Facilitator Participants Expectations Why are we all here? CISA

418 views • 17 slides
6/10/2002 Motivation Motivation Tradable properties (ilities Tradable properties

6/10/2002 Motivation Motivation Tradable properties (ilities Tradable properties

6/10/2002 Motivation Motivation Tradable properties (ilities Tradable properties ( ilities) in system design: functionality, ) in system design: functionality, usability, maintainability, performance, portability,

330 views • 4 slides
IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE

LECTURE IT SECURITY INTRODUCTION OVERVIEW Device Connected Devices Connected Networks DEVICE Program Runtime Attacks Wireless Security Side Channels CONNECTED DEVICES Thread Intelligence Secure Group Communication

1.04k views • 6 slides
How Electronics Started! And JLab Hits the Wall! In electronics, a vacuum diode or tube is a

How Electronics Started! And JLab Hits the Wall! In electronics, a vacuum diode or tube is a

How Electronics Started! And JLab Hits the Wall! In electronics, a vacuum diode or tube is a device used to amplify, switch, other- wise modify, or create an electrical sig- nal by controlling the movement of elec- trons in a low-pressure

568 views • 25 slides
00-12-14 Skerhet i Disposition distribuerade system IT-skerhet Skerhet i

00-12-14 Skerhet i Disposition distribuerade system IT-skerhet Skerhet i

00-12-14 Skerhet i Disposition distribuerade system IT-skerhet Skerhet i distribuerade system Elektronisk identitet Torbjrn Wiberg Krypteringsteknik Ume universitet PKI Infrastruktur fr certifikat

465 views • 12 slides
Development of a Database for Electronically Supported Examination Jonas Andre April 27, 2016

Development of a Database for Electronically Supported Examination Jonas Andre April 27, 2016

Chair of Network Architectures and Services Department of Informatics Technical University of Munich Development of a Database for Electronically Supported Examination Jonas Andre April 27, 2016 Chair of Network Architectures and Services

422 views • 8 slides
Secure Pairing Getting from nothing to something Johannes Gilger

Secure Pairing Getting from nothing to something Johannes Gilger

Secure Pairing Getting from nothing to something Johannes Gilger <Gilger@UMIC.RWTH-Aachen.de> RWTH Aachen University Smart Object Security Workshop, 23 March 2012 Introduction Definition / Terminology Secure Pairing:

711 views • 4 slides
ST. GABRIEL MERCY CENTER MOUND BAYOU MISSISSIPPI P.O. BOX 824 PHONE: 662 741-3255 FAX:

ST. GABRIEL MERCY CENTER MOUND BAYOU MISSISSIPPI P.O. BOX 824 PHONE: 662 741-3255 FAX:

ST. GABRIEL MERCY CENTER MOUND BAYOU MISSISSIPPI P.O. BOX 824 PHONE: 662 741-3255 FAX: 662-741-3494 E-MAIL: moundbayou@tecinfo.com MISSION STATEMENT Rooted in the mission of Jesus, and being faithful to the service tradition of the

342 views • 13 slides

More recommend